
Australia Cyber Security Act 2024 Smart Device Compliance Checklist

A comprehensive, release-ready Australia Cyber Security Act 2024 smart device compliance checklist for manufacturers and suppliers of connectable products sold in Australia. Covers every requirement in Schedule 1 of the Cyber Security (Security Standards for Smart Devices) Rules 2025: password security under Clause 2, vulnerability disclosure under Clause 3, defined support period under Clause 4, statement of compliance under Section 9, recordkeeping under Section 10, and excluded products under Section 8.

Built for product security engineers, compliance officers, product managers, legal counsel, and supply chain teams preparing smart devices for the Australian market. Part 2 and Schedule 1 of the Rules commenced on 4 March 2026, so every in-scope consumer grade connectable product supplied in Australia on or after that date must comply with the Rules; this checklist is built to confirm that it does before supply.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

This checklist translates the three mandatory security standards in Schedule 1 of the Smart Device Rules 2025, together with the statement of compliance and recordkeeping obligations in Part 2 of those Rules, into a practical, section by section release gate. Every checklist item maps directly to a clause in the Rules or a section of the Cyber Security Act 2024. Use it before manufacturing, before first supply, and at every product revision to confirm that the product meets the password security, vulnerability disclosure, and defined support period requirements. A product that passes every item is ready for the Australian market; a product that fails any item should not be supplied until the gap is closed. The Rules closely follow the UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023, so manufacturers already compliant with the UK PSTI framework can map their existing compliance evidence to this checklist, provided every requirement in the Australian Rules is met. The two regimes are similar but not identical, so each clause must still be checked against the Australian text rather than assumed from UK evidence.

Section 1

How to use this Australia Cyber Security Act 2024 smart device compliance checklist

This Australia Cyber Security Act 2024 smart device compliance checklist is designed as a pre-supply release gate. Run through every section before a product enters the Australian distribution channel. Each checklist item corresponds to a specific clause in Schedule 1 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 or a section in the Cyber Security Act 2024. The references are included so your legal and product teams can trace each requirement back to the official text.

The Australia Cyber Security Act 2024 smart device compliance checklist is organized into eleven sections that mirror the structure of the Rules. Start with scope verification to confirm the product is covered. Then confirm the product does not fall into the excluded products list under Section 8. Move through each technical control: password security under Clause 2, vulnerability disclosure under Clause 3, and defined support period under Clause 4. After the technical controls, verify security update delivery capability, confirm public information accessibility, prepare the statement of compliance under Section 9, lock the evidence pack under Section 10, and complete supply chain readiness checks.

If any item on this Australia Cyber Security Act 2024 smart device compliance checklist cannot be confirmed, stop the release process. Under Section 15 of the Act, manufacturers must manufacture in-scope products in compliance with the security standard if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia. Under Section 16, suppliers must not supply a product in Australia if the product does not comply with the applicable security standard and the supplier is aware, or could reasonably be expected to be aware, of the non-compliance. Enforcement escalates from compliance notice (Section 17) to stop notice (Section 18) to recall notice (Section 19), with the Minister able to publish the failure publicly under Section 20.

Each section of this Australia Cyber Security Act 2024 smart device compliance checklist includes practical testing criteria that describe how to verify each requirement. These testing criteria are not mandated by the Rules themselves, but they represent the evidence you would need to demonstrate compliance if the Secretary issues a compliance notice and you must respond within the minimum 10 day representation period provided under Section 17(3)(b) of the Act.


Section 2

Product scope verification checklist for Australia Cyber Security Act 2024 smart devices

The first step in the Australia Cyber Security Act 2024 smart device compliance checklist is to confirm whether the product falls within the scope of the Cyber Security (Security Standards for Smart Devices) Rules 2025. Section 8 of the Rules defines the class of products covered: all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption. The specified circumstance is that the products will be acquired in Australia by a consumer as defined under Section 3 of the Australian Consumer Law.

Under Section 13 of the Cyber Security Act 2024, a relevant connectable product is a product that is an internet-connectable product or a network-connectable product and is not exempted under the Rules. An internet-connectable product can connect to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data. A network-connectable product can send and receive data by electrical or electromagnetic energy and meets the conditions in Section 13(6) or 13(7) of the Act for indirect internet connectivity. In practice this means that products communicating over Bluetooth, Zigbee, Z-Wave, or similar non-IP protocols to an internet-connected hub or phone are still relevant connectable products whenever they satisfy one of those indirect-connectivity conditions; the absence of a Wi-Fi or Ethernet interface on the product itself does not take it out of scope.

The scope determination also depends on the Australian Consumer Law definition of consumer. Under Section 3 of the ACL, a person acquires goods as a consumer if the goods cost less than the prescribed threshold (currently $100,000 including GST), or the goods are of a kind ordinarily acquired for personal, domestic or household use and consumption regardless of cost, or the goods are a vehicle or trailer used primarily for transporting goods on public roads. Products that are not ordinarily acquired by consumers, such as smart meters installed by electricity retailers, fall outside the scope of this Australia Cyber Security Act 2024 smart device compliance checklist.

Practical testing criteria for scope verification: Document the product's communication protocols and confirm whether it connects directly or indirectly to the internet. Record the manufacturer's intended use as stated on the label, in instructions, and in promotional materials. Confirm whether the product is of a kind ordinarily acquired by consumers. Check the price against the ACL threshold. Record the date of manufacture or first supply to confirm it falls on or after 4 March 2026. File the scope decision with a signature from the product compliance owner.

  • The product can connect directly or indirectly to the internet, making it a relevant connectable product under Section 13 of the Cyber Security Act 2024. Test by listing every communication protocol the product supports and confirming at least one provides a path to the internet.
  • The product is intended by the manufacturer for personal, domestic, or household use or consumption, or is of a kind likely to be used for those purposes, as required by Section 8(1)(a) of the Smart Device Rules 2025. Verify by reviewing the manufacturer's label, instructions for use, and all promotional or sales materials.
  • The product will be acquired in Australia by a consumer as defined under Section 3 of the Australian Consumer Law. Confirm price is below the $100,000 GST-inclusive threshold or that the product is of a kind ordinarily acquired for personal, domestic, or household use.
  • The product was manufactured on or after the commencement of Part 2 of the Cyber Security Act 2024, or will be supplied (other than as second hand goods) on or after that commencement date, as required by Section 13(1) of the Act
  • The legal entity (manufacturer or supplier), product model, product version, firmware version, and batch identifier are clearly documented for this Australia Cyber Security Act 2024 smart device compliance checklist review
  • A scope decision document has been prepared and signed by the compliance owner, explaining why the product is within the covered class under Section 8 of the Smart Device Rules 2025
Section 3

Excluded products checklist under Section 8 of the Smart Device Rules 2025

Section 8(1)(b) of the Cyber Security (Security Standards for Smart Devices) Rules 2025 lists six categories of products that are explicitly excluded from the consumer grade class even if they are relevant connectable products intended for personal, domestic, or household use. These exclusions exist because the excluded products are covered by other regulatory frameworks or have component supply chains too complex for the current standard. If your product falls into one of the excluded categories, the Australia Cyber Security Act 2024 smart device compliance checklist does not apply to that product. However, you must document your exclusion decision and retain it for at least five years alongside any related product records.

The six excluded categories are: desktop computers and laptops; tablet computers; smartphones; therapeutic goods within the meaning of the Therapeutic Goods Act 1989; road vehicles within the meaning of the Road Vehicle Standards Act 2018; and road vehicle components within the meaning of the Road Vehicle Standards Act 2018. The Explanatory Statement for the Rules explains the rationale for each exclusion. Desktop computers, tablets, and smartphones are excluded due to the difficulty manufacturers of these products would face in complying because of the complex nature of the supply chains of product components. Medical devices are excluded because they are more strictly regulated by the Therapeutic Goods Administration. Road vehicles and road vehicle components are excluded because they are covered by the Road Vehicle Standards Act 2018.

Practical testing criteria for exclusion verification: If you are claiming an exclusion, identify which of the six categories applies. Then confirm the product meets the legal definition of that excluded category under the relevant Act, since the exclusion turns on the statutory definition rather than on how the product is marketed. For example, a product claimed as a therapeutic good must fall within the definition of therapeutic goods in section 3 of the Therapeutic Goods Act 1989; an entry in the Australian Register of Therapeutic Goods is the clearest evidence of that, so record it where one exists. A product claimed as a road vehicle component must meet the definition under the Road Vehicle Standards Act 2018. A borderline product that does not cleanly fit an exclusion category should be treated as within scope of this checklist.

Edge cases to evaluate carefully: Consumer energy resources such as smart solar inverters and home battery systems are within scope of the Rules and are not excluded. Point of sale and contactless payment devices are within scope provided they cost less than the ACL threshold. Smart accessories for smartphones, such as Bluetooth earbuds, are within scope even though the smartphone itself is excluded, because the accessory is a separate relevant connectable product in its own right.

  • The product is not a desktop computer or a laptop, as excluded by Section 8(1)(b)(i) of the Smart Device Rules 2025
  • The product is not a tablet computer, as excluded by Section 8(1)(b)(ii) of the Smart Device Rules 2025
  • The product is not a smartphone, as excluded by Section 8(1)(b)(iii) of the Smart Device Rules 2025
  • The product is not a therapeutic good within the meaning of the Therapeutic Goods Act 1989, as excluded by Section 8(1)(b)(iv) of the Smart Device Rules 2025. If claiming this exclusion, record the ARTG entry (registration, listing or inclusion number) together with the basis on which the product meets the statutory definition.
  • The product is not a road vehicle within the meaning of the Road Vehicle Standards Act 2018, as excluded by Section 8(1)(b)(v) of the Smart Device Rules 2025
  • The product is not a road vehicle component within the meaning of the Road Vehicle Standards Act 2018, as excluded by Section 8(1)(b)(vi) of the Smart Device Rules 2025
  • If an exclusion is claimed, the exclusion decision has been documented with a reference to the specific legal definition under the relevant Act and retained in the evidence pack for at least five years
  • If no exclusion applies, the product is confirmed as within scope and the remainder of this Australia Cyber Security Act 2024 smart device compliance checklist must be completed in full
Section 4

Password security compliance checklist under Clause 2 of Schedule 1

Clause 2 of Schedule 1 of the Smart Device Rules 2025 sets out the password security requirements for the Australia Cyber Security Act 2024 smart device compliance checklist. These requirements apply to passwords used with the hardware of the product (when not in factory default state), pre-installed software, and any software that must be installed for the manufacturer's intended purposes. The password checklist items below cover both the unique per product model and the user-defined model. The definition of password in Clause 1 of Schedule 1 excludes cryptographic keys, personal identification numbers used for pairing in communication protocols that do not form part of the internet protocol suite, and application programming interface keys.

The Rules define 'unique per product' as unique for each individual product of a given product class or type. This means every single manufactured unit must have a different password. The Rules also define several prohibited derivation methods in Clause 2(3). Passwords must not be based on incremental counters (such as 'password1' and 'password2'). Passwords must not be based on or derived from publicly available information. Passwords must not be based on or derived from unique product identifiers such as serial numbers, unless the derivation uses an encryption method or keyed hashing algorithm accepted as good industry practice. Passwords must not be otherwise guessable in a manner unacceptable as part of good industry practice.

Good industry practice is defined in Clause 1 of Schedule 1 as the exercise of that degree of skill, diligence, prudence, and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity. This definition sets a high bar. A password generation scheme reviewed only by software developers, without input from a qualified cryptographer, may not meet this standard for this Australia Cyber Security Act 2024 smart device compliance checklist.

If your product ships with no password and requires the user to set one during initial setup, the user-defined model under Clause 2(2)(b) applies and the prohibited derivation restrictions in Clause 2(3) do not apply. However, you must verify that the product cannot be used in any meaningful way without the user first setting a password. A product that can be operated, configured, or accessed over a network without authentication fails this section of the Australia Cyber Security Act 2024 smart device compliance checklist.

Practical testing criteria for password security: Sample at least 20 units from different production batches. Extract the factory password from each unit and confirm every password is different. Verify no password follows an incremental counter pattern by checking for sequential characters across units. Confirm that no password can be derived from publicly visible information on the product packaging, label, or documentation. If passwords are derived from product identifiers, obtain the cryptographic design document and confirm a qualified cryptographer has reviewed the encryption method or keyed hashing algorithm. For the user-defined model, attempt to operate the product in a meaningful way without setting a password, including network access, configuration interfaces, and data retrieval.

  • Every password is either unique per product or defined by the user during setup, as required by Clause 2(2) of Schedule 1. Test by extracting default passwords from at least 20 units across multiple production batches and confirming every password is different.
  • No password is based on an incremental counter method, as prohibited by Clause 2(3)(a) of Schedule 1. Test by sorting all sampled passwords alphabetically and numerically and checking for sequential patterns such as 'password1', 'password2', or similar character rotation.
  • No password is based on or derived from publicly available information, as prohibited by Clause 2(3)(b) of Schedule 1. Test by cross-referencing each password against publicly visible information including MAC addresses, model numbers, packaging text, and any information available through unauthenticated network discovery.
  • No password is derived from unique product identifiers such as serial numbers, unless an encryption method or keyed hashing algorithm accepted as good industry practice is used, as required by Clause 2(3)(c) of Schedule 1. Test by collecting serial numbers from sampled units and confirming the password cannot be reconstructed from the serial number without knowledge of the secret key. Also confirm where that key lives: a derivation key embedded in the firmware image, a companion app, or a reachable cloud endpoint hands every unit's password to anyone who extracts it, so the keyed scheme is only as strong as the custody of the key.
  • No password is otherwise guessable in a manner unacceptable as part of good industry practice, as required by Clause 2(3)(d) of Schedule 1. Test by running each sampled password against a common password dictionary and confirming no match is found, and check length and character set as well: a dictionary miss does not make a short or low-entropy password acceptable, so record the minimum length and the entropy of the generation scheme alongside the dictionary result.
  • The password generation process has been reviewed by a qualified cryptographer against the good industry practice standard defined in Clause 1 of Schedule 1, since that definition is framed around the skill expected of a skilled and experienced cryptographer; a review by software developers alone does not meet it. Retain the cryptographic review report in the evidence pack.
  • Password compliance has been verified for all applicable components: hardware when not in factory default state, pre-installed software when not in factory default state, and software required for the manufacturer's intended purposes, as specified in Clause 2(1)(a), (b), and (c) of Schedule 1
  • If the user-defined password model is used, the product cannot be operated, configured, accessed over a network, or used to retrieve data in any meaningful way without the user first setting a password. Test by powering on the product and attempting all functional pathways before password creation.
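The keyed derivation that Clause 2(3)(c) permits, and the sampling tests above, are easier to reason about with working code. The following is an added example written for this guide, not code from the Rules, the Explanatory Statement or any manufacturer: it derives per-unit default passwords from the serial number with HMAC-SHA256 under a factory secret, then audits a production sample for the Clause 2(2) and 2(3) failure modes (duplicates, incremental counters, derivation from public identifiers, dictionary words, short passwords). The serial format, MAC addresses, factory secret, dictionary and sample sizes are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Unit is one sampled production unit: identifiers visible on the label or over the network, plus the extracted default password.
type Unit struct{ Serial, MAC, Password string }

// DerivePassword derives a per-unit default password from the serial number with HMAC-SHA256
// under a factory secret (the keyed-hashing route Clause 2(3)(c) allows). Without factoryKey
// the serial number reveals nothing about the password.
func DerivePassword(factoryKey []byte, serial string) string {
	h := hmac.New(sha256.New, factoryKey)
	h.Write([]byte("factory-default-password/v1\x00" + serial)) // label gives domain separation
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil)[:9]) // 9 bytes -> 12 chars, 72 bits, no modulo bias
}

// SampleUnits builds a constructed sample (serials and MACs are made up) with DerivePassword passwords.
func SampleUnits(factoryKey []byte, n int) []Unit {
	units := make([]Unit, n)
	for i := range units {
		serial := fmt.Sprintf("AU26-%06d", 1000+i)
		units[i] = Unit{serial, fmt.Sprintf("02:1a:2b:00:00:%02x", i), DerivePassword(factoryKey, serial)}
	}
	return units
}

// publicDerivations are unkeyed transforms of public identifiers that anyone holding the label
// or a network scan can compute; a hit violates Clause 2(3)(b) or (c).
func publicDerivations(u Unit) map[string]string {
	mac := strings.ToLower(strings.NewReplacer(":", "", "-", "").Replace(u.MAC))
	serialHash, macHash := sha256.Sum256([]byte(u.Serial)), sha256.Sum256([]byte(mac))
	return map[string]string{
		"serial": strings.ToLower(u.Serial), "sha256(serial)": hex.EncodeToString(serialHash[:]),
		"mac": mac, "sha256(mac)": hex.EncodeToString(macHash[:]),
	}
}

var trailingDigits = regexp.MustCompile(`^(.*?)(\d+)$`)

// AuditPasswords runs the Clause 2(2) and 2(3) checks over a sample and returns one finding
// per failure; an empty result means the sample passed.
func AuditPasswords(units []Unit, dictionary []string) []string {
	var findings []string
	seen := map[string]string{} // Clause 2(2)(a): unique per product
	stems := map[string][]int{} // Clause 2(3)(a): same stem with a numeric suffix
	for _, u := range units {
		if prev, dup := seen[u.Password]; dup {
			findings = append(findings, fmt.Sprintf("%s: duplicate of %s", u.Serial, prev))
		}
		seen[u.Password] = u.Serial
		if m := trailingDigits.FindStringSubmatch(u.Password); m != nil {
			n, _ := strconv.Atoi(m[2])
			stems[m[1]] = append(stems[m[1]], n)
		}
		pw := strings.ToLower(u.Password)
		for name, cand := range publicDerivations(u) { // Clause 2(3)(b) and (c)
			if len(pw) >= 4 && (strings.Contains(cand, pw) || strings.Contains(pw, cand)) {
				findings = append(findings, fmt.Sprintf("%s: derivable via %s", u.Serial, name))
			}
		}
		for _, w := range dictionary { // Clause 2(3)(d): guessable
			if strings.EqualFold(pw, w) {
				findings = append(findings, fmt.Sprintf("%s: dictionary word", u.Serial))
			}
		}
		if len(pw) < 8 { // too short to resist online guessing, whatever the alphabet
			findings = append(findings, fmt.Sprintf("%s: shorter than 8 characters", u.Serial))
		}
	}
	for stem, nums := range stems {
		sort.Ints(nums)
		for i := 1; i < len(nums); i++ {
			if nums[i] == nums[i-1]+1 { // consecutive suffixes = incremental counter
				findings = append(findings, fmt.Sprintf("incremental counter on stem %q", stem))
				break
			}
		}
	}
	return findings
}

func main() {
	key := []byte("example-factory-secret") // constructed; a real key lives in the factory HSM
	dict := []string{"password", "admin", "12345678"}
	fmt.Println("compliant sample:", AuditPasswords(SampleUnits(key, 20), dict))
	bad := []Unit{{"SN0001", "aa:bb:cc:00:00:01", "admin1"}, {"SN0002", "aa:bb:cc:00:00:02", "admin2"}}
	fmt.Println("non-compliant sample:", AuditPasswords(bad, dict))
}
```

Run it with `go run` to see a compliant sample return no findings and the counter-style sample return several. Two points the audit cannot check for you: the extracted password list is sensitive and should be destroyed after the review, and the factory key must never be stored on the device, in the firmware image, or in a companion app, otherwise anyone who extracts it can regenerate every unit's password from the serial number printed on the label.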
Section 5

Vulnerability disclosure compliance checklist under Clause 3 of Schedule 1

Clause 3 of Schedule 1 of the Smart Device Rules 2025 requires manufacturers to publish specific information about how security issues can be reported. This section of the Australia Cyber Security Act 2024 smart device compliance checklist verifies that the vulnerability disclosure process meets every requirement in the Rules. The reporting requirements apply to security issues in the hardware, pre-installed software, software required for the manufacturer's intended purposes, and any software used for or in connection with those purposes. This last category, Clause 3(1)(d), is broader than the password requirements in Clause 2 because it includes companion applications, cloud services, and any other software used in connection with the product's intended purpose.

The published information must include at least one point of contact where a person can report security issues to the manufacturer. The manufacturer must also specify when a reporter will receive an acknowledgement of their report and when they will receive status updates until the security issue is resolved. This means you need a defined triage and response workflow, not just a contact email address. The word 'when' in Clause 3(2)(b) requires a stated timeframe, such as 'acknowledgement within 5 business days', not a vague commitment like 'as soon as possible'.

Clause 3(3) of the Rules adds four accessibility requirements that are frequently missed during compliance reviews for this Australia Cyber Security Act 2024 smart device compliance checklist. The vulnerability disclosure information must be available without prior request, in English, free of charge, and without requiring the reporter to provide personal information to access the contact details. A vulnerability reporting page that sits behind a login wall or requires registration fails this section of the checklist. However, as the Explanatory Statement clarifies, once a person submits a report, the manufacturer may request reasonable contact information such as an email address for the purpose of providing the acknowledgement and status updates required under Clause 3(2)(b).

Practical testing criteria for vulnerability disclosure: Open a browser in private or incognito mode (to simulate an anonymous visitor) and navigate to the manufacturer's vulnerability reporting page. Confirm the page loads without requiring login, registration, or submission of any personal information. Confirm the page is in English. Confirm no paywall or subscription is required. Confirm the page states at least one contact method (email address, web form, or phone number). Confirm the page states a specific timeframe for acknowledgement of receipt. Confirm the page states a specific timeframe or frequency for status updates until resolution. Then submit a test report and verify that the acknowledgement and status update process works within the published timeframes.

  • At least one point of contact for reporting security issues is published and accessible, as required by Clause 3(2)(a) of Schedule 1. Test by navigating to the published URL and confirming a contact method (email, web form, or phone number) is visible.
  • The published information states a specific timeframe for when reporters will receive an acknowledgement of their report, as required by Clause 3(2)(b)(i) of Schedule 1. Test by reading the published text and confirming a concrete period is stated (such as '5 business days'), not a vague commitment.
  • The published information states a specific timeframe or frequency for when reporters will receive status updates until the security issue is resolved, as required by Clause 3(2)(b)(ii) of Schedule 1. Test by confirming the published text includes an update interval or milestone schedule.
  • The vulnerability disclosure information is accessible, clear, and transparent, as required by Clause 3(3) of Schedule 1. Test by having a person unfamiliar with the product attempt to find and understand the reporting instructions without guidance.
  • The information is available without prior request from the person seeking it, as required by Clause 3(3)(a) of Schedule 1. Test by confirming the information is published on a web page that can be found through the manufacturer's website navigation or through a search engine query.
  • The information is published in English, as required by Clause 3(3)(b) of Schedule 1. Test by confirming all reporting instructions, timeframes, and contact details are displayed in English.
  • The information is available free of charge, as required by Clause 3(3)(c) of Schedule 1. Test by accessing the page without any payment, subscription, or premium membership.
  • The information can be accessed without providing personal information, as required by Clause 3(3)(d) of Schedule 1. Test by opening the page in a private browser session and confirming no login, registration, or personal data entry is required to view the contact details and reporting process.
  • An internal triage process exists that can receive, acknowledge, track, and resolve reported security issues within the published timeframes. Test by submitting a simulated security report and verifying the acknowledgement is received within the stated period.
  • The vulnerability disclosure process covers all four component categories listed in Clause 3(1): hardware, pre-installed software, software required for the manufacturer's intended purposes, and software used in connection with those purposes including companion applications and cloud services
Section 6

Defined support period compliance checklist under Clause 4 of Schedule 1

Clause 4 of Schedule 1 of the Smart Device Rules 2025 requires manufacturers to publish a defined support period for security updates. This is one of the most consequential items on the Australia Cyber Security Act 2024 smart device compliance checklist because the defined support period, once published, cannot be shortened under Clause 4(4). If the manufacturer extends the defined support period, Clause 4(5) requires the new period to be published as soon as is practicable.

The defined support period must be expressed as a period of time with an end date, as required by Clause 4(3). The Explanatory Statement provides an example: 'no later than 30 June 2027'. A vague statement like 'updates provided for the life of the product' or 'updates until further notice' does not satisfy this requirement. The end date must be a calendar date that a consumer can understand without technical knowledge.

Clause 4(1) lists four categories of components that require a published defined support period: hardware capable of receiving security updates; pre-installed software capable of receiving security updates; software that must be installed for the manufacturer's intended purposes and is capable of receiving security updates; and software developed by or on behalf of any manufacturer that is capable of receiving security updates and used for or in connection with the manufacturer's intended purposes. Each of these components may have a different support end date, and each must be published individually if they differ.

Clause 4(2) defines a security update as a software update that protects or enhances the security of the product, including a software update that addresses a security issue which has been discovered by or reported to the manufacturer. The manufacturer must provide available security updates to the product while it is within its defined support period, as far as practicable and in line with good industry practice.

The publication requirements for the defined support period are more demanding than most manufacturers expect when completing this Australia Cyber Security Act 2024 smart device compliance checklist. Clause 4(6) requires the information to be accessible, clear, and transparent. It must be in English. It must be free of charge. It must be available without prior request. It must be available without requiring personal information. And it must be understandable by a reader without prior technical knowledge. This last requirement, in Clause 4(6)(b)(v), is unique to the defined support period and does not appear in the vulnerability disclosure requirements.

Practical testing criteria for the defined support period: Read the published support period statement. Confirm it includes a calendar end date. Confirm the end date is in the future at the time of first supply. Confirm the statement is in plain language a non-technical person can understand. For each of the four component categories in Clause 4(1), confirm whether the component is capable of receiving security updates. If it is, confirm a defined support period is published for that component. If the support end dates differ by component, confirm each is published separately. Check that the published period has not been shortened from any previously published version.

  • The defined support period is published for all hardware capable of receiving security updates, as required by Clause 4(1)(a) of Schedule 1. Test by identifying every hardware component that can receive firmware updates and confirming a support end date is published for each.
  • The defined support period is published for all pre-installed software capable of receiving security updates, as required by Clause 4(1)(b) of Schedule 1. Test by listing all pre-installed software modules and confirming a support end date is published for each that is updateable.
  • The defined support period is published for all required software capable of receiving security updates, as required by Clause 4(1)(c) of Schedule 1. Test by identifying any software the user must install for the manufacturer's intended purposes and confirming a support end date is published.
  • The defined support period is published for all manufacturer-developed software used for the product's intended purposes that is capable of receiving security updates, as required by Clause 4(1)(d) of Schedule 1. This includes companion mobile applications and cloud services developed by or on behalf of the manufacturer.
  • The defined support period is expressed with a fixed calendar end date, not an open-ended or vague commitment, as required by Clause 4(3) of Schedule 1. Test by reading the published text and confirming a specific date appears (such as 'no later than 30 June 2029').
  • The manufacturer has confirmed the defined support period will not be shortened after publication, in compliance with Clause 4(4) of Schedule 1. If the period has been extended, confirm the new period was published as soon as practicable under Clause 4(5).
  • The published information is accessible, clear, transparent, in English, free of charge, and available without requiring personal information, as required by Clause 4(6)(a) and (b)(i) through (iv) of Schedule 1
  • The published information is understandable by a reader without prior technical knowledge, as required by Clause 4(6)(b)(v) of Schedule 1. Test by having a non-technical person read the statement and confirm they understand when security updates will stop being provided.
  • If the product is sold on the manufacturer's website, the defined support period is prominently published with information intended to inform consumer purchasing decisions, as required by Clause 4(7)(a) of Schedule 1. Test by visiting every product listing, product comparison, and product purchase page and confirming the support period is visible.
  • If the product is sold on the manufacturer's website, the defined support period is given equal prominence with the main product characteristics wherever those characteristics appear, as required by Clause 4(7)(b) of Schedule 1. Test by comparing the font size, placement, and visibility of the support period against the product's features, benefits, and specifications on each page.
Section 7

Security update delivery compliance checklist for Australia Cyber Security Act 2024 smart devices

While the Smart Device Rules 2025 focus on publishing the defined support period rather than prescribing a specific update mechanism, this section of the Australia Cyber Security Act 2024 smart device compliance checklist addresses the operational capability to deliver security updates throughout the published support period. Clause 4(2) of Schedule 1 defines a security update as a software update that protects or enhances the security of the product, including updates that address security issues discovered by or reported to the manufacturer.

Once you publish a defined support period, you are committing to provide security updates for the entire duration of that period. The Explanatory Statement confirms that the manufacturer must provide an available security update to a product, while the product is within its defined support period, as far as practicable and in line with good industry practice. A product that cannot reliably receive updates, or that has an update path vulnerable to tampering, undermines the entire compliance framework of this Australia Cyber Security Act 2024 smart device compliance checklist.

Test the update path end to end before the product is supplied in Australia. Confirm that updates can be delivered to the hardware, pre-installed software, and any required software components. Verify update integrity checks, rollback capabilities, and version traceability. These operational tests are not explicitly mandated by the Rules, but they provide the evidence that your defined support period commitment is credible and that you can meet the good industry practice standard referenced throughout Schedule 1.

Practical testing criteria for security update delivery: Push a test update to at least five units from different production batches. Verify the update installs successfully on each unit. Verify the update's digital signature or checksum is validated before installation. Attempt to push a tampered update file and confirm the device rejects it. Simulate an interrupted update (such as a power loss during installation) and confirm the device recovers to a functional state. Record the firmware version before and after each test to confirm version traceability.

  • Security updates can be delivered to every hardware component covered by the defined support period. Test by pushing a firmware update to the hardware and confirming successful installation on multiple units.
  • Security updates can be delivered to every pre-installed software component covered by the defined support period. Test by pushing a software update and confirming successful installation on multiple units.
  • Security updates can be delivered to every required software component covered by the defined support period, including companion applications and cloud service components.
  • The update delivery mechanism includes integrity verification to prevent tampering during transit. Test by modifying a legitimate update file and confirming the device rejects the tampered file.
  • The update process supports version traceability so each installed update can be identified and audited. Test by querying the device firmware version after an update and confirming it matches the intended version.
  • The update process has been tested for recoverability in case an update fails or corrupts the device. Test by interrupting an update in progress (simulating power loss or network disconnection) and confirming the device returns to a working state.
  • A process exists to identify, prioritize, develop, test, and deploy security updates within the published support period. Document the process with roles, responsibilities, and target timeframes for each stage.
  • The update delivery infrastructure (servers, CDN, signing keys, and certificates) is confirmed to remain operational and maintained for the full duration of the published defined support period.
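The testing criteria above (integrity check, tampered-file rejection, interrupted-install recovery, version traceability) can be rehearsed against a simulated device before they are run on hardware. The following is an added illustration written for this checklist; it is not code from the page, the Rules, or any manufacturer. It uses a two-slot (A/B) layout so an interrupted install never touches the running image, and an HMAC over the image as a stand-in for the asymmetric signature a real bootloader would verify with an embedded public key. The key, version strings and image bytes are constructed placeholders.

```python
"""Simulated update path for a connectable product: integrity verification,
rejection of a tampered image, recovery from an interrupted install, and an
audit trail for version traceability. Standard library only, runs offline."""
import hashlib
import hmac
import json

# Constructed verification key. A production device would hold a public key in
# immutable storage and verify a signature; a shared secret is used here only so
# the example is self-contained and should never be shipped in firmware.
VERIFY_KEY = b"constructed-example-key-not-for-production"


def build_update(version: str, payload: bytes, key: bytes = VERIFY_KEY) -> dict:
    """Package an update the way a signing service would (simulated)."""
    digest = hashlib.sha256(payload).hexdigest()
    # The tag binds version and digest together so neither can be swapped alone.
    tag = hmac.new(key, f"{version}:{digest}".encode(), "sha256").hexdigest()
    return {"version": version, "payload": payload, "sha256": digest, "tag": tag}


class Device:
    """Two-slot device: updates are written to the inactive slot, then switched."""

    def __init__(self, version: str):
        self.slots = {"A": version, "B": None}
        self.active = "A"
        self.audit_log = []  # one record per attempt, for version traceability

    @property
    def version(self) -> str:
        return self.slots[self.active]

    def _verify(self, update: dict) -> bool:
        digest = hashlib.sha256(update["payload"]).hexdigest()
        msg = f"{update['version']}:{digest}".encode()
        expected = hmac.new(VERIFY_KEY, msg, "sha256").hexdigest()
        return digest == update["sha256"] and hmac.compare_digest(expected, update["tag"])

    def install(self, update: dict, interrupt_after_write: bool = False) -> str:
        """Return "installed", "rejected" or "interrupted" and log the outcome."""
        before = self.version
        if not self._verify(update):
            self.audit_log.append({"from": before, "to": update["version"], "result": "rejected"})
            return "rejected"
        inactive = "B" if self.active == "A" else "A"
        self.slots[inactive] = update["version"]  # stage into the inactive slot
        if interrupt_after_write:
            # Power loss before the switch: the active slot is untouched, device still boots.
            self.audit_log.append({"from": before, "to": update["version"], "result": "interrupted"})
            return "interrupted"
        self.active = inactive  # the slot switch is the single commit point
        self.audit_log.append({"from": before, "to": self.version, "result": "installed"})
        return "installed"


def run_acceptance_tests() -> dict:
    """Exercise the checklist cases: good update, tampered update, interrupted update."""
    device = Device("1.0.0")
    good = build_update("1.1.0", b"constructed-firmware-image-1.1.0")
    results = {"good": device.install(good), "version_after_good": device.version}

    # Tampered in transit: payload changed, signature tag left as published.
    tampered = dict(good, payload=b"constructed-firmware-image-1.1.0-modified")
    results["tampered"] = device.install(tampered)
    results["version_after_tampered"] = device.version

    newer = build_update("1.2.0", b"constructed-firmware-image-1.2.0")
    results["interrupted"] = device.install(newer, interrupt_after_write=True)
    results["version_after_interrupt"] = device.version  # still the previous image
    results["recovered"] = device.install(newer)  # retry after power is restored
    results["version_after_recovery"] = device.version
    results["audit"] = device.audit_log
    return results


if __name__ == "__main__":
    print(json.dumps(run_acceptance_tests(), indent=2))
```

The audit log is what the version traceability item asks for: every attempt, including the rejected and interrupted ones, is recorded with the version before and after, so a tester can reconcile the log against the firmware version read back from the unit.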
Section 8

Website and public information compliance checklist for Australia Cyber Security Act 2024 smart devices

The Smart Device Rules 2025 treat public-facing information as part of the compliance obligation, not as a marketing activity. Both Clause 3 (vulnerability disclosure) and Clause 4 (defined support period) require information to be published in a way that meets specific accessibility standards. This section of the Australia Cyber Security Act 2024 smart device compliance checklist consolidates all the public information requirements into one verification pass.

The key accessibility requirements appear in both Clause 3(3) and Clause 4(6) of Schedule 1: information must be accessible, clear, and transparent. It must be in English. It must be free of charge. It must be available without prior request. It must be available without requiring the person to provide personal information. For defined support period information, Clause 4(6)(b)(v) adds that the information must be understandable by a reader without prior technical knowledge.

If the manufacturer sells the product on its own website, Clause 4(7) adds further requirements. The defined support period must appear alongside the main product characteristics and be given equal prominence. The Explanatory Statement explains that the defined support period must be published in any location on the website where either of two criteria is met: information intended to inform consumer acquisition decisions is published, or the main characteristics of the product are published. This may require the manufacturer to publish the defined support period in multiple locations on the website. The Explanatory Statement provides examples: product information pages, product purchase pages, and product comparison pages are likely to require the support period. Generic press releases, support articles, and accessory pages are not likely to require it.

Practical testing criteria for public information: Visit the manufacturer's website in a private browser session. Locate the vulnerability disclosure page and the defined support period page. Confirm both are accessible without login, registration, or payment. Confirm both are in English. Confirm the defined support period is understandable by a non-technical reader. Then visit every product listing, product comparison, and product purchase page on the website and confirm the defined support period is displayed with equal prominence to the main product characteristics.

  • The vulnerability disclosure contact and process information is published on a public web page accessible without authentication.
  • The defined support period with its calendar end date is published on a public web page accessible without authentication.
  • All published compliance information is in English and free of charge, meeting the requirements of Clause 3(3)(b), Clause 3(3)(c), Clause 4(6)(b)(ii), and Clause 4(6)(b)(iii) of Schedule 1.
  • No login, registration, or personal information submission is required to view the compliance information, meeting the requirements of Clause 3(3)(d) and Clause 4(6)(b)(iv) of Schedule 1.
  • The language used in defined support period information is understandable by a reader without technical knowledge, meeting the additional requirement of Clause 4(6)(b)(v) of Schedule 1.
  • If the product is sold on the manufacturer's website, the defined support period appears on every page where information intended to inform consumer purchasing decisions is published, as required by Clause 4(7)(a) of Schedule 1.
  • If the product is sold on the manufacturer's website, the defined support period is given equal prominence with the main product characteristics on every page where those characteristics appear, as required by Clause 4(7)(b) of Schedule 1. Check product information pages, product purchase pages, and product comparison pages.
  • The defined support period is not published only in the statement of compliance or only in a regulatory section of the website if product characteristics and purchasing information appear elsewhere, as emphasized in the Explanatory Statement.
  • Packaging and point of sale materials, where applicable, reference the published compliance information or include equivalent details.
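Part of the public information pass above can be scripted: for each page type, check that a defined support period with a calendar end date is present where the Rules require it, that the date lies after first supply, and that the page carrying the information does not present a login form. The checker below is an added example for this checklist, not tooling from the page or from any regulator. It runs offline over constructed HTML fragments; the page wording matched by the regular expression, the page types, and the first supply date are assumptions to be adjusted to the site being audited.

```python
"""Offline audit of constructed product pages against the public-information
checklist items. Standard library only."""
import re
from datetime import datetime
from html.parser import HTMLParser

# Page types the Explanatory Statement says are likely to need the support period.
PAGES_REQUIRING_PERIOD = {"product", "purchase", "comparison"}
# Constructed phrasing; change it to match the wording actually published.
PERIOD_RE = re.compile(r"security updates (?:until|to) (\d{1,2} [A-Za-z]+ \d{4})", re.I)

MISSING = "defined support period missing from a page that informs purchasing"
BAD_DATE = "support period end date is not a parseable calendar date"
EXPIRED = "published support period ends on or before first supply"
GATED = "compliance information sits on a page with a login form"


class TextScan(HTMLParser):
    """Collect visible text and note whether the page carries a password field."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.has_login_form = False
        self._hidden = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden = True
        if tag == "input" and dict(attrs).get("type") == "password":
            self.has_login_form = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._hidden = False

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)


def audit_page(page_type: str, html: str, first_supply: datetime) -> dict:
    """Return the parsed end date (if any) and a list of checklist findings."""
    scan = TextScan()
    scan.feed(html)
    text = " ".join(" ".join(scan.chunks).split())  # normalise whitespace
    findings, end_date = [], None
    match = PERIOD_RE.search(text)
    if match:
        try:
            end_date = datetime.strptime(match.group(1), "%d %B %Y")
        except ValueError:
            findings.append(BAD_DATE)
    if page_type in PAGES_REQUIRING_PERIOD and not match:
        findings.append(MISSING)
    if end_date and end_date <= first_supply:
        findings.append(EXPIRED)
    if match and scan.has_login_form:
        findings.append(GATED)
    return {"page_type": page_type,
            "end_date": end_date.date().isoformat() if end_date else None,
            "findings": findings}


# Constructed HTML standing in for real pages: one compliant product page, one
# purchase page that omits the period, and one support page behind a login form.
SAMPLE_PAGES = {
    "product": """<html><body><h1>Model X Camera</h1>
        <ul><li>1080p video</li><li>Wi-Fi 6</li>
        <li>Security updates until 30 June 2029</li></ul></body></html>""",
    "purchase": """<html><body><h1>Buy Model X</h1><p>AUD 199</p>
        <button>Add to cart</button></body></html>""",
    "support": """<html><body><form><input type="password" name="pw"></form>
        <p>Security updates until 30 June 2029</p></body></html>""",
}


def audit_site(pages=SAMPLE_PAGES, first_supply=datetime(2026, 3, 4)) -> dict:
    """Audit every page; the default first supply date is a constructed assumption."""
    return {name: audit_page(name, html, first_supply) for name, html in pages.items()}


if __name__ == "__main__":
    for name, result in audit_site().items():
        print(name, result["end_date"], result["findings"] or "ok")
```

Presence, parseability and the absence of a login gate are the parts a script can settle. Equal prominence under Clause 4(7)(b) depends on layout and styling, so the screenshot comparison described in the practical testing criteria still has to be done by a person.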
Section 9

Statement of compliance preparation checklist under Section 9 of the Smart Device Rules 2025

Section 9 of the Smart Device Rules 2025 specifies the mandatory contents for the statement of compliance. Under Section 16 of the Cyber Security Act 2024, manufacturers must provide a statement of compliance for the supply of in-scope products in Australia, and suppliers must supply the product accompanied by a statement of compliance that meets the requirements in the Rules. The statement must be prepared by, or on behalf of, the manufacturer. Do not issue the statement as a paperwork exercise at the end of the process. The statement is the final output of the Australia Cyber Security Act 2024 smart device compliance checklist and should only be completed when every preceding section has been passed.

Section 9(3) of the Rules lists seven categories of required information. The statement must include: the product type and batch identifier; the name and address of the manufacturer, an authorised representative, and any other authorised representatives in Australia; a declaration that the statement was prepared by or on behalf of the manufacturer; a declaration that the product was manufactured in compliance with the security standard and that the manufacturer has complied with any other obligations; the defined support period at the date the statement is issued; the signature, name, and function of the signatory; and the place and date of issue.

The statement of compliance is not required to be physically included with the product at the point of sale. As the Explanatory Statement confirms, the statement is primarily for the regulator to verify that the responsible entity has met its obligations under the Act and Rules. However, manufacturers and suppliers may choose to provide or publish the statement with their product. If you already comply with the UK PSTI statement of compliance requirements, you can use the same information for Australia, provided all the requirements in Section 9 of the Smart Device Rules 2025 are met.

Practical testing criteria for statement of compliance: Prepare a draft statement and compare every field against the seven categories in Section 9(3). Verify the product type and batch identifier match the manufacturing records. Verify all names and addresses are current. Verify the defined support period in the statement matches the period published on the website. Have the signatory confirm they have the authority to sign on behalf of the manufacturer and document the approval chain. Record the place and date of issue. Then file the signed statement in the evidence pack before first supply in Australia.

  • The statement includes the product type and batch identifier, as required by Section 9(3)(a) of the Smart Device Rules. Test by cross-referencing the product type and batch identifier against manufacturing records to confirm accuracy.
  • The statement includes the name and address of the manufacturer, as required by Section 9(3)(b)(i) of the Smart Device Rules. Test by confirming the manufacturer's name and address match the current business registration.
  • The statement includes the name and address of an authorised representative of the manufacturer, as required by Section 9(3)(b)(ii) of the Smart Device Rules.
  • The statement includes the name and address of each (if any) of the manufacturer's other authorised representatives in Australia, as required by Section 9(3)(b)(iii) of the Smart Device Rules.
  • The statement includes a declaration that it has been prepared by, or on behalf of, the manufacturer, as required by Section 9(3)(c) of the Smart Device Rules.
  • The statement includes a declaration that, in the opinion of the manufacturer, the product has been manufactured in compliance with the security standard and that the manufacturer has complied with any other obligations relating to the product in the security standard, as required by Section 9(3)(d) of the Smart Device Rules.
  • The statement includes the defined support period for the product at the date the statement is issued, as required by Section 9(3)(e) of the Smart Device Rules. Test by confirming the period in the statement matches the period published on the website.
  • The statement includes the signature, name, and function of the signatory, as required by Section 9(3)(f) of the Smart Device Rules. Test by confirming the signatory has documented authority to sign on behalf of the manufacturer.
  • The statement includes the place and date of issue, as required by Section 9(3)(g) of the Smart Device Rules.
  • The signatory has the authority to sign on behalf of the manufacturer, and the internal approval trail is documented and retained.
  • If the same statement of compliance is used for both Australia and the UK PSTI regime, all seven categories in Section 9(3) of the Smart Device Rules have been verified independently for the Australian requirements.
Section 10

Recordkeeping and evidence retention compliance checklist under Section 10

Section 10 of the Smart Device Rules 2025 specifies that statements of compliance must be retained for five years. This five year period applies to both manufacturers and suppliers. The period was reduced from the originally proposed ten years following stakeholder feedback during the public consultation, as noted in the Explanatory Statement. The Explanatory Statement states this reduction is consistent with the average lifespan of a relevant connectable product and reduces administrative burden on industry.

A compliance checklist is only as strong as the evidence behind it. Every item on this Australia Cyber Security Act 2024 smart device compliance checklist should be backed by documented evidence that can be produced if the Secretary issues a compliance notice under Section 17, a stop notice under Section 18, or a recall notice under Section 19 of the Cyber Security Act 2024. Build your evidence pack as you work through the checklist, not after the product has been released.

If the Secretary issues a compliance notice under Section 17 of the Act, the entity has a minimum of 10 days to make representations before the notice takes effect, as required by Section 17(3)(b). Having a complete evidence pack ready before this situation arises is the most effective way to respond quickly and demonstrate compliance. Under Section 23 of the Act, the Secretary may also request the manufacturer or supplier to provide the product, the statement of compliance, or both for the purposes of an independent audit to assess compliance.

Practical testing criteria for recordkeeping: Confirm that a document management system or repository is in place and that it supports retention for at least five years. Confirm that every category of evidence listed below has been uploaded or filed before first supply in Australia. Assign a retention start date equal to the date of first supply. Set a calendar reminder for the five year retention expiry. Confirm that records can be retrieved within 48 hours if the Secretary requests them.

  • A scope decision document exists that explains why this product is (or is not) within the covered class under Section 8 of the Smart Device Rules. The document includes references to the product's communication protocols, intended use, and consumer classification.
  • Password design documentation includes the generation method, whether the unique per product or user-defined model is used, the cryptographic review findings from a qualified cryptographer, and test results from batch sampling.
  • Vulnerability disclosure process documentation includes the published contact method, published acknowledgement timeline, published update frequency, internal resolution tracking workflow, and internal triage procedures.
  • Defined support period publication evidence includes timestamped screenshots or web archive captures of every page where the support period is displayed, taken at the time of first supply in Australia.
  • Security update capability test results demonstrate that updates can be delivered, verified with integrity checks, and installed on every covered component across multiple production batches.
  • The signed statement of compliance is stored with the evidence pack in a system that supports the five year retention requirement under Section 10 of the Smart Device Rules.
  • Website publication evidence is captured at the time of first supply and updated whenever the published information changes. Each capture includes the page URL, date, and a full page screenshot or web archive file.
  • All evidence is organized by product model, batch identifier, date of first supply in Australia, and the date the statement of compliance was issued.
  • A retention policy document is in place that assigns responsibility for maintaining the evidence pack, sets the five year retention period, and describes the retrieval process if the Secretary issues a compliance notice or requests an audit under Section 23 of the Cyber Security Act 2024.
  • If the product is also sold in the UK under PSTI, the Australian evidence pack is maintained separately or contains clear mappings to Australian requirements to avoid confusion during a regulatory review.
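An evidence pack that may have to be produced years later is more useful if it is tamper-evident and carries its own retention dates. The script below is an added example for the recordkeeping items above, not tooling from the page or from any regulator. It hashes every file in the pack, records the product model, batch identifier, first supply date and statement issue date the checklist asks the pack to be organised by, computes the five year retention expiry from first supply, and later detects any file that has been altered or removed. The category names, file contents, model and batch identifiers are constructed placeholders.

```python
"""Tamper-evident evidence pack manifest with a five-year retention date.
Standard library only; builds its sample pack in a temporary directory."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

RETENTION_YEARS = 5  # Section 10 of the Smart Device Rules

# Constructed folder names, one per evidence category on the checklist.
REQUIRED_CATEGORIES = [
    "scope-decision", "password-design", "vulnerability-disclosure",
    "support-period-evidence", "update-capability-tests",
    "statement-of-compliance", "website-captures", "retention-policy",
]


def retention_expiry(first_supply: date) -> date:
    """Retention runs from the date of first supply in Australia."""
    try:
        return first_supply.replace(year=first_supply.year + RETENTION_YEARS)
    except ValueError:  # first supply on 29 February
        return first_supply.replace(year=first_supply.year + RETENTION_YEARS, day=28)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, product_model: str, batch_id: str,
                   first_supply: date, statement_issued: date) -> dict:
    """Hash every file under root and attach the identifiers the pack is filed by."""
    files = {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {
        "product_model": product_model,
        "batch_identifier": batch_id,
        "first_supply_au": first_supply.isoformat(),
        "statement_issued": statement_issued.isoformat(),
        "retention_expiry": retention_expiry(first_supply).isoformat(),
        "files": files,
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Return {relative_path: "missing" | "modified"} for files that no longer match."""
    problems = {}
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "modified"
    return problems


def missing_categories(manifest: dict) -> list:
    """Categories with no file filed under their top-level folder."""
    present = {rel.split("/")[0] for rel in manifest["files"]}
    return [c for c in REQUIRED_CATEGORIES if c not in present]


def demo() -> dict:
    """Build a constructed pack, snapshot it, then alter and remove files to show detection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for cat in REQUIRED_CATEGORIES:
            (root / cat).mkdir()
            (root / cat / "evidence.txt").write_text(f"constructed {cat} evidence\n")
        manifest = build_manifest(root, "MODEL-X", "BATCH-001",
                                  date(2026, 3, 4), date(2026, 3, 2))
        clean = verify_manifest(root, manifest)
        (root / "statement-of-compliance" / "evidence.txt").write_text("altered\n")
        (root / "retention-policy" / "evidence.txt").unlink()
        tampered = verify_manifest(root, manifest)
        return {
            "retention_expiry": manifest["retention_expiry"],
            "leap_day_expiry": retention_expiry(date(2028, 2, 29)).isoformat(),
            "missing_categories": missing_categories(manifest),
            "clean": clean,
            "tampered": tampered,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Store the manifest outside the pack it describes (or sign it) so that an alteration to the pack cannot be hidden by regenerating the manifest; the retention expiry field is what the calendar reminder in the practical testing criteria should be set from.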
Section 11

Supply chain and distribution compliance checklist for Australia Cyber Security Act 2024 smart devices

The Cyber Security Act 2024 places obligations on both manufacturers and suppliers. Under Section 15, manufacturers must manufacture in-scope products in compliance with the security standard if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. Under Section 16, suppliers must not supply non-compliant products and must ensure every product is accompanied by a compliant statement of compliance. The term 'supply' has the same meaning as in the Australian Consumer Law, which means obligations extend across the entire distribution chain in Australia.

This section of the Australia Cyber Security Act 2024 smart device compliance checklist ensures that everyone in the supply chain understands their role. Distributors, importers, and retailers all qualify as suppliers under the Act if they supply the product in Australia. Each supplier must have access to the statement of compliance and must be able to confirm that the product they are supplying meets the security standard. Each supplier must also retain a copy of the statement of compliance for five years under Section 16(4) of the Act, as specified in Section 10 of the Rules. If a supplier becomes aware that a product is non-compliant, the supplier must stop supplying that product immediately.

Build compliance communication into your distribution agreements. Every entity that supplies the product in Australia should know where to find the statement of compliance, how to verify it, and what to do if they receive a compliance notice, stop notice, or recall notice from the Secretary. Under Section 20 of the Act, the Minister may publicly notify failure to comply with a recall notice, including the identity of the entity, product details, and recommended consumer actions. Under Section 11 of the Rules, the Minister may also publish details of the recall notice and recommend actions such as destroying the product or taking extra precautions when using the product.

Practical testing criteria for supply chain readiness: Contact each entity in the Australian distribution chain and confirm they have received a copy of the statement of compliance. Confirm each entity understands their obligation not to supply the product if they become aware of non-compliance. Confirm each entity has a process to escalate compliance concerns to the manufacturer. Confirm distribution agreements include clauses addressing obligations under the Cyber Security Act 2024 and Smart Device Rules 2025.

  • Every supplier in the Australian distribution chain has received and retained a copy of the current statement of compliance for the product, as required by Sections 16(3) and 16(4) of the Cyber Security Act 2024.
  • Distribution agreements include compliance obligations under the Cyber Security Act 2024 and Smart Device Rules 2025, specifying each party's responsibilities for the statement of compliance, recordkeeping, and enforcement notice response.
  • Suppliers understand that they must not supply the product in Australia if they are aware, or could reasonably be expected to be aware, that the product does not comply with the security standard, as required by Section 15(3) of the Act.
  • A process exists to notify all Australian suppliers immediately if a compliance issue is discovered after first supply, including a documented escalation path and contact list.
  • Contact details for the manufacturer's compliance team are available to every entity in the Australian supply chain, enabling rapid communication if the Secretary issues a notice.
  • Procedures are documented for responding to compliance notices (Section 17), stop notices (Section 18), and recall notices (Section 19) issued by the Secretary, including the minimum 10 day representation period and the internal review rights under Section 22 of the Act.
  • The manufacturer has identified its authorised representative and any other authorised representatives in Australia, and their contact details are included in the statement of compliance as required by Section 9(3)(b) of the Smart Device Rules.
  • Each supplier in the Australian distribution chain is retaining their copy of the statement of compliance for the full five year period specified in Section 10 of the Smart Device Rules.
Primary sources

References and citations

Cyber Security (Security Standards for Smart Devices) Rules 2025, legislation.gov.au
Referenced sections
  • Primary source for all three mandatory security standards (Schedule 1), statement of compliance requirements (Section 9), retention period (Section 10), product scope and exclusions (Section 8), and all checklist items on this page. Part 2 and Schedule 1 commenced 4 March 2026.
"Part 1 of Schedule 1 prescribes the security standard for the class of relevant connectable products that is all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption."

Cyber Security Act 2024, legislation.gov.au
Referenced sections
  • Primary source for manufacturer obligations (Section 15), supplier obligations (Section 16), enforcement notices (Sections 17-20), internal review rights (Section 22), independent audit powers (Section 23), and the definition of relevant connectable product (Section 13).
"An entity must not supply a product in Australia that was not manufactured in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances."

Explanatory Statement to the Cyber Security (Security Standards for Smart Devices) Rules 2025, legislation.gov.au
Referenced sections
  • Provides policy rationale for product scope, exclusion categories, password requirements, vulnerability disclosure, defined support period website placement requirements, alignment with UK PSTI regulations, and the reduction of the retention period from ten years to five years following stakeholder consultation.
"Products already compliant with the UK PSTI requirements can provide the same statement of compliance for the Australian market, as long as all the requirements set out in this section are met."