Applicability guideAustraliaSmart device scope

Australia Cyber Security Act Smart device applicability and product scope

Use this page to decide whether a product is in the smart-device security regime: it must be a relevant connectable product, fall within the consumer-grade class, avoid the listed exclusions, and be expected to be acquired in Australia by a consumer.

The output should be a product-scope record that product, legal, security, and supply-chain teams can connect to the statement of compliance and launch evidence.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

Australia's Cyber Security Act 2024 does not make every connected device subject to the smart-device security standard. The scope test starts with the Act's definition of a relevant connectable product, then applies the Cyber Security (Security Standards for Smart Devices) Rules 2025 to consumer-grade products acquired in Australia by a consumer, with specific exclusions for certain product classes.

Section 1

Start with the Act's relevant connectable product test

A product can only move into the Smart Devices Rules if it is a relevant connectable product under Part 2 of the Cyber Security Act 2024. That means the product must be an internet-connectable product or a network-connectable product, and it must not be exempted under the rules.

For product reviews, treat direct internet connectivity, indirect network connectivity, companion-device connectivity, and bundled device sets as evidence questions. The Act covers internet-connectable products, network-connectable products, and certain connected input products designed to be used together with a computer, while excluding a product that is merely a wire or cable used to connect another product.

Record whether the product can send and receive data over the internet using an internet-protocol communication protocol.
If it is not directly internet-connectable, test whether it can send and receive data by electrical or electromagnetic transmission and connect directly to an internet-connectable product.
For multi-product kits or peripherals, identify the linking product and whether other wireless input products connect to it as described in the Act.
Do not treat a plain cable or wire as in scope merely because it connects other products.

Sources for this answer

Cyber Security Act 2024

Section 13 defines relevant connectable products, internet-connectable products, network-connectable products, and the wire-or-cable exclusion.

Cyber Security (Security Standards for Smart Devices) Rules 2025

Section 5 of the Rules explains that the smart-device standards apply to products that can directly or indirectly connect to the internet.

Section 2

Apply the consumer-grade class and listed product exclusions

The Smart Devices Rules prescribe a security standard for consumer-grade relevant connectable products. The class is limited to relevant connectable products that the manufacturer intends for personal, domestic or household use or consumption, or that are of a kind likely to be used that way.

The Rules then remove specific product classes even if they otherwise look consumer-grade: desktop computers and laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components. These exclusions should be recorded as product-scope findings, not as informal assumptions.

Use labels, instructions, promotional material, intended-use statements, sales channels, and product documentation to support the personal, domestic or household use finding.
Check the explicit exclusion list before assigning smart-device controls to complex consumer electronics, medical or therapeutic goods, vehicles, or vehicle components.
For products with companion applications, include the hardware, internal software, pre-installed software, and device external software in the scope evidence.
For consumer energy resources such as rooftop solar inverters or small-scale batteries, do not assume exclusion only because the product connects to energy infrastructure; the explanatory material says consumer energy resources are within the reform scope.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Section 8 identifies the consumer-grade product class and the six excluded product categories.

Explanatory Statement to the Smart Devices Rules 2025

The explanatory statement clarifies that a smart-device product is typically the device, internal software, and device external software such as a companion app.

Section 3

Check the Australian consumer acquisition circumstance

A consumer-grade relevant connectable product is subject to the Schedule 1 security standard only in the specified circumstance set by the Rules: the product will be acquired in Australia by a consumer. The Rules define consumer by reference to section 3 of the Australian Consumer Law.

This is where sales, import, distribution, and channel evidence matters. The Act's manufacturer and supplier duties turn on whether the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances.

Keep Australian SKU, listing, distributor, import, reseller, direct-to-consumer, and marketplace evidence with the scope record.
For business-facing products, check whether the goods are still acquired as a consumer under the Australian Consumer Law criteria referenced in the explanatory statement.
Use the explanatory statement's examples carefully: smart meters are described as outside scope because they are supplied, installed, and used by electricity retailers, while point-of-sale or contactless payment products can be in scope if the consumer-acquisition criteria are met.
Do not rely on a global launch classification if the Australian channel, product bundle, price point, or acquisition route is different.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Sections 6 and 8 tie the specified circumstance to acquisition in Australia by a consumer.

Explanatory Statement to the Smart Devices Rules 2025

The explanatory statement gives smart-meter and contactless-payment examples for applying the consumer acquisition test.

Cyber Security Act 2024

Sections 15 and 16 use the awareness or reasonable-expectation test for products acquired in Australia in specified circumstances.

Section 4

Connect the scope decision to compliance evidence

A yes answer is not just a label. If the product is in scope, the manufacturer-side record should connect the product to the Schedule 1 security standard: password requirements, a published security-issue reporting mechanism, and a published defined support period for security updates.

The statement-of-compliance evidence should also be prepared early enough for supply decisions. The Rules require the statement to include the product type and batch identifier, manufacturer and authorised representative details, declarations about compliance, the defined support period at the date of issue, signatory details, and the place and date of issue. The Rules set a five-year retention period for statements of compliance.

Store the scope conclusion with the source section used, product identifiers, batch or model identifiers, and the Australian acquisition evidence.
For in-scope products, attach the password design evidence, vulnerability-reporting publication, and defined support-period publication to the same product file.
For out-of-scope products, record the exact reason: not relevant connectable, not consumer-grade, listed exclusion, not acquired in Australia by a consumer, or second-hand supply outside the Act's application rule.
Review the scope record when the manufacturer changes intended use, firmware or companion-app architecture, Australian channels, bundles, product claims, or the defined support period.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Schedule 1 sets the password, security-issue reporting, and defined-support-period requirements for in-scope consumer-grade relevant connectable products.

Cyber Security (Security Standards for Smart Devices) Rules 2025

Sections 9 and 10 specify statement-of-compliance content and the five-year retention period.

Cyber Security Act 2024

Section 13 applies Part 2 to relevant connectable products manufactured after commencement or supplied, other than as second-hand goods, after commencement.

Recommended next step

Turn the Australian smart-device scope test into product evidence

Use this applicability guide to connect product classification, Australian acquisition evidence, exclusions, security-standard controls, and statement-of-compliance records inside Sorena.

Assessment workflow

Open Assessment Autopilot for Australia Cyber Security Act

Create a product-scope intake for relevant connectable products, consumer-grade use, exclusions, and Australian acquisition evidence.

Explore next step

Research workflow

Review source evidence

Use Research Copilot to trace a smart-device scope answer back to the Act, Rules, and explanatory statement.

Explore next step

Talk to Sorena

Discuss smart-device readiness

Review product scope, statement records, and security-standard evidence for Australian supply.

Explore next step

Primary sources

References and citations

Cyber Security (Security Standards for Smart Devices) Rules 2025

legislation.gov.au

Referenced sections

Sections 9 and 10 specify statement-of-compliance content and the five-year retention period.

"the period is 5 years"

Cyber Security Act 2024

legislation.gov.au

Referenced sections

Section 13 applies Part 2 to relevant connectable products manufactured after commencement or supplied, other than as second-hand goods, after commencement.