- Supports the Schedule 1 password, security-issue reporting, defined support-period, security-update, and no-shortening requirements.
"Requirements relating to defined support periods and security updates"
Use this workflow to decide whether a connected product is a consumer-grade relevant connectable product covered by Australia's smart-device security standard.
The workflow separates product scope, exclusions, actor roles, statement evidence, Schedule 1 control triggers, and escalation records. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
Australia's Cyber Security Act 2024 gives the rule-making power for mandatory security standards for relevant connectable products. The Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribe the current smart-device standard for consumer-grade relevant connectable products acquired in Australia by a consumer, subject to named exclusions. Use this page as a product-intake workflow for manufacturers, suppliers, importers, distributors, product counsel, security engineering, and compliance teams.
Start the workflow when a product team plans to manufacture, import, distribute, list, relabel, materially redesign, or continue supplying a connected product for the Australian market. The intake owner should be the product compliance lead, with security engineering confirming connectivity and product counsel confirming the statutory classification.
The first question is whether the item is a relevant connectable product. The Act covers products that can connect directly or indirectly to the internet, and the Rules explain that smart devices are typically the device hardware and internal software plus any device external software, such as a companion application or app.
If the product is connectable, test the current prescribed class under the Smart Devices Rules. The covered class is a relevant connectable product intended by the manufacturer to be used, or of a kind likely to be used, for personal, domestic, or household use or consumption. The specified circumstance is that the product will be acquired in Australia by a consumer.
Do not stop at the product name. A product that looks consumer-facing can still fall outside the current smart-device standard if it is one of the excluded groups in the Rules. Conversely, the explanatory statement identifies everyday products such as smart TVs, smart watches, home assistants, baby monitors, and consumer energy resources as examples discussed for the standard.
When the product is in scope, split the workflow by statutory role. The Rules' outline explains that manufacturers must manufacture covered products in compliance with the security standard and comply with other obligations in the standard, while suppliers must not supply non-compliant products in Australia when they are aware, or could reasonably be expected to be aware, of the Australian consumer acquisition circumstance.
The statement-of-compliance work belongs in the same applicability record because a supplier must supply the product in Australia accompanied by a statement of compliance that meets the Rules. The statement must be prepared by, or on behalf of, the manufacturer and must include the product type and batch identifier, manufacturer and authorised-representative details, compliance declarations, defined support period, signatory details, and place and date of issue.
The applicability workflow should not end at an in-scope label. Once a consumer-grade relevant connectable product is covered, security engineering and product operations must check the three Schedule 1 control areas: passwords, security-issue reporting, and defined support periods for security updates.
For website listings controlled by the manufacturer, the support-period check should be linked to the publication workflow. The explanatory statement says a consumer should not need to navigate unnecessarily or know about the Act, Rules, or Schedule to discover the defined support period.
Re-run the workflow when a product line changes enough to affect connectivity, intended purpose, consumer acquisition, exclusions, manufacturer identity, supplier channel, statement contents, password design, vulnerability reporting, or support-period publication. A prior answer for one batch or model should not be reused where the facts that support the statement of compliance have changed.
Escalation should be concrete. Product counsel should resolve statutory scope issues, security engineering should resolve control evidence, channel operations should resolve supply facts, and compliance should block release where the statement or publication evidence is missing for an in-scope product.
"Compliance with security standard for a relevant connectable product"
"some accessories will amount to consumer grade relevant connectable products"