--- title: "CSA 2024 Smart Device Applicability Test" canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope" source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope" author: "Sorena AI" description: "Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "Australia Cyber Security Act smart device scope" - "relevant connectable product" - "consumer grade smart device" - "Smart Devices Rules 2025" - "Australia Cyber Security Act" - "Smart device scope" - "Relevant connectable products" - "Product compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CSA 2024 Smart Device Applicability Test Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules. *Applicability guide* *Australia* *Smart device scope* ## Australia Cyber Security Act Smart device applicability and product scope Use this page to decide whether a product is in the smart-device security regime: it must be a relevant connectable product, fall within the consumer-grade class, avoid the listed exclusions, and be expected to be acquired in Australia by a consumer. The output should be a product-scope record that product, legal, security, and supply-chain teams can connect to the statement of compliance and launch evidence. Australia's Cyber Security Act 2024 does not make every connected device subject to the smart-device security standard. The scope test starts with the Act's definition of a relevant connectable product, then applies the Cyber Security (Security Standards for Smart Devices) Rules 2025 to consumer-grade products acquired in Australia by a consumer, with specific exclusions for certain product classes. ## Start with the Act's relevant connectable product test A product can only move into the Smart Devices Rules if it is a relevant connectable product under Part 2 of the Cyber Security Act 2024. That means the product must be an internet-connectable product or a network-connectable product, and it must not be exempted under the rules. For product reviews, treat direct internet connectivity, indirect network connectivity, companion-device connectivity, and bundled device sets as evidence questions. The Act covers internet-connectable products, network-connectable products, and certain connected input products designed to be used together with a computer, while excluding a product that is merely a wire or cable used to connect another product. - Record whether the product can send and receive data over the internet using an internet-protocol communication protocol. - If it is not directly internet-connectable, test whether it can send and receive data by electrical or electromagnetic transmission and connect directly to an internet-connectable product. - For multi-product kits or peripherals, identify the linking product and whether other wireless input products connect to it as described in the Act. - Do not treat a plain cable or wire as in scope merely because it connects other products. Sources for this answer: - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Section 13 defines relevant connectable products, internet-connectable products, network-connectable products, and the wire-or-cable exclusion. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Section 5 of the Rules explains that the smart-device standards apply to products that can directly or indirectly connect to the internet. ## Apply the consumer-grade class and listed product exclusions The Smart Devices Rules prescribe a security standard for consumer-grade relevant connectable products. The class is limited to relevant connectable products that the manufacturer intends for personal, domestic or household use or consumption, or that are of a kind likely to be used that way. The Rules then remove specific product classes even if they otherwise look consumer-grade: desktop computers and laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components. These exclusions should be recorded as product-scope findings, not as informal assumptions. - Use labels, instructions, promotional material, intended-use statements, sales channels, and product documentation to support the personal, domestic or household use finding. - Check the explicit exclusion list before assigning smart-device controls to complex consumer electronics, medical or therapeutic goods, vehicles, or vehicle components. - For products with companion applications, include the hardware, internal software, pre-installed software, and device external software in the scope evidence. - For consumer energy resources such as rooftop solar inverters or small-scale batteries, do not assume exclusion only because the product connects to energy infrastructure; the explanatory material says consumer energy resources are within the reform scope. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Section 8 identifies the consumer-grade product class and the six excluded product categories. - [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - The explanatory statement clarifies that a smart-device product is typically the device, internal software, and device external software such as a companion app. ## Check the Australian consumer acquisition circumstance A consumer-grade relevant connectable product is subject to the Schedule 1 security standard only in the specified circumstance set by the Rules: the product will be acquired in Australia by a consumer. The Rules define consumer by reference to section 3 of the Australian Consumer Law. This is where sales, import, distribution, and channel evidence matters. The Act's manufacturer and supplier duties turn on whether the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. - Keep Australian SKU, listing, distributor, import, reseller, direct-to-consumer, and marketplace evidence with the scope record. - For business-facing products, check whether the goods are still acquired as a consumer under the Australian Consumer Law criteria referenced in the explanatory statement. - Use the explanatory statement's examples carefully: smart meters are described as outside scope because they are supplied, installed, and used by electricity retailers, while point-of-sale or contactless payment products can be in scope if the consumer-acquisition criteria are met. - Do not rely on a global launch classification if the Australian channel, product bundle, price point, or acquisition route is different. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Sections 6 and 8 tie the specified circumstance to acquisition in Australia by a consumer. - [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - The explanatory statement gives smart-meter and contactless-payment examples for applying the consumer acquisition test. - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Sections 15 and 16 use the awareness or reasonable-expectation test for products acquired in Australia in specified circumstances. ## Connect the scope decision to compliance evidence A yes answer is not just a label. If the product is in scope, the manufacturer-side record should connect the product to the Schedule 1 security standard: password requirements, a published security-issue reporting mechanism, and a published defined support period for security updates. The statement-of-compliance evidence should also be prepared early enough for supply decisions. The Rules require the statement to include the product type and batch identifier, manufacturer and authorised representative details, declarations about compliance, the defined support period at the date of issue, signatory details, and the place and date of issue. The Rules set a five-year retention period for statements of compliance. - Store the scope conclusion with the source section used, product identifiers, batch or model identifiers, and the Australian acquisition evidence. - For in-scope products, attach the password design evidence, vulnerability-reporting publication, and defined support-period publication to the same product file. - For out-of-scope products, record the exact reason: not relevant connectable, not consumer-grade, listed exclusion, not acquired in Australia by a consumer, or second-hand supply outside the Act's application rule. - Review the scope record when the manufacturer changes intended use, firmware or companion-app architecture, Australian channels, bundles, product claims, or the defined support period. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Schedule 1 sets the password, security-issue reporting, and defined-support-period requirements for in-scope consumer-grade relevant connectable products. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Sections 9 and 10 specify statement-of-compliance content and the five-year retention period. - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Section 13 applies Part 2 to relevant connectable products manufactured after commencement or supplied, other than as second-hand goods, after commencement. *Recommended next step* *Placement: after the scope guidance* ## Turn the Australian smart-device scope test into product evidence Use this applicability guide to connect product classification, Australian acquisition evidence, exclusions, security-standard controls, and statement-of-compliance records inside Sorena. - [Open Assessment Autopilot for Australia Cyber Security Act](/solutions/assessment.md): Create a product-scope intake for relevant connectable products, consumer-grade use, exclusions, and Australian acquisition evidence. - [Review source evidence](/solutions/research-copilot.md): Use Research Copilot to trace a smart-device scope answer back to the Act, Rules, and explanatory statement. - [Discuss smart-device readiness](/contact.md): Review product scope, statement records, and security-standard evidence for Australian supply. ## Primary sources - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Primary statutory source for the relevant connectable product definition, manufacturer and supplier duties, statement-of-compliance duty, and Part 2 application rule. - Quote: "relevant connectable product" - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Primary rules source for the consumer-grade smart-device class, exclusions, Australian consumer acquisition circumstance, security requirements, and statement records. - Quote: "consumer grade relevant connectable products" - [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - Official explanatory source for product examples, companion-app scope context, consumer-acquisition examples, and policy context for consumer energy resources. - Quote: "device external software" ## Related Topic Guides - [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap. - [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records. - [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario. - [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks. - [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness. - [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review. - [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review. - [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records. - [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md): What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks. - [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records. - [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness. - [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records. - [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations. - [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain. - [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records. - [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules. - [CSA 2024 Ransomware Payment Reporting Workflow](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow.md): Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources. - [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence. - [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination. - [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence. - [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations. - [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md): FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing. - [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties. - [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations. - [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep. - [SOCI overlap triage workflow for Australia Cyber Security Act](/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow.md): Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks. - [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md): FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope