- Sections 9 and 10 list statement-of-compliance contents and set the five-year retention period for statements of compliance.
"the period is 5 years"
Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025 set mandatory baseline requirements for covered consumer-grade relevant connectable products.
Use this guide to scope covered products and document password design, vulnerability-reporting contact points, support-period publication, statements of compliance, and supporting evidence. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
The Cyber Security Act 2024 allows rules to set mandatory standards for relevant connectable products. The 2025 Smart Devices Rules apply the standard to consumer-grade relevant connectable products that will be acquired in Australia by a consumer, unless an exclusion applies, and require manufacturers and suppliers to handle compliance, publication, and statement-of-compliance duties.
Start with product scope. The Rules cover relevant connectable products that are intended by the manufacturer for personal, domestic or household use or consumption, or are of a kind likely to be used that way, where the product will be acquired in Australia by a consumer.
Do not treat every connected product as covered. The Rules exclude desktop computers and laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components.
For covered products with password functionality, passwords used with covered hardware and software must either be unique per product or defined by the user. The rule applies to product hardware when not in the factory default state, pre-installed software when not in the factory default state, and software that must be installed for the manufacturer's intended purposes.
A unique-per-product password cannot be a simple sequence, public-information derivative, or plain serial-number derivative. If it is based on a unique product identifier such as a serial number, the Rules require an encryption method or keyed hashing algorithm accepted as good industry practice.
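An added example, not part of the Rules or the original page: one way to derive a per-product password from a serial number with a keyed hash and to review factory passwords against the criteria above. HMAC-SHA256 is an assumption (the page names no algorithm), and the function names, finding labels and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from collections import Counter

def derive_password(factory_key: bytes, serial: str, length: int = 16) -> str:
    """Keyed hash of the serial; cannot be recomputed without factory_key."""
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:length]

def _norm(value: str) -> str:
    # Compare on lowercase alphanumerics so "A4:5E:60" and "a45e60" match.
    return "".join(ch for ch in value.lower() if ch.isalnum())

def is_simple_sequence(pw: str) -> bool:
    """Repeated characters or constant +/-1 runs: 00000000, 12345678, hgfedcba."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) < 2 or steps in ({0}, {1}, {-1})

def review_password(pw: str, serial: str, public_info: list[str]) -> list[str]:
    """Findings for one factory password; an empty list means none were raised."""
    findings, p, s = [], _norm(pw), _norm(serial)
    if is_simple_sequence(p):
        findings.append("simple-sequence")
    public = [_norm(v) for v in public_info if _norm(v)]
    if p and any(p in v or v in p for v in public):
        findings.append("public-information")
    if s and (s in p or s[::-1] in p or (len(p) >= 4 and p in s)):
        findings.append("plain-serial")
    # An unkeyed hash of the serial can be recomputed by anyone who reads the label.
    unkeyed = [hashlib.new(a, serial.encode()).hexdigest() for a in ("sha1", "sha256")]
    if len(p) >= 6 and any(d.startswith(p) for d in unkeyed):
        findings.append("unkeyed-hash-of-serial")
    return findings

def review_batch(labels: dict[str, str],
                 public_info: dict[str, list[str]]) -> dict[str, list[str]]:
    """labels maps serial -> factory password; also flags reuse across the batch."""
    counts = Counter(labels.values())
    report = {}
    for serial, pw in labels.items():
        findings = review_password(pw, serial, public_info.get(serial, []))
        if counts[pw] > 1:
            findings.append("not-unique")
        if findings:
            report[serial] = findings
    return report
```

The factory key has to be kept secret and out of firmware images; if it leaks, every derived password can be recomputed from the serial number.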
Manufacturers of covered products must publish information on how a person can report security issues for the product's hardware, pre-installed software, required software for intended purposes, and software used for or in connection with the manufacturer's intended purposes.
The publication must include at least one point of contact, plus when the reporter will receive acknowledgement of receipt and status updates until the reported security issues are resolved. The information must be accessible, clear, transparent, in English, free of charge, available without a prior request, and available without requesting personal information just to access the reporting information.
Manufacturers must publish the defined support period for security updates for covered product hardware and software that can receive security updates. The defined support period is the period, expressed as a period of time with an end date, during which security updates will be provided by or on behalf of the manufacturer.
Once published, the defined support period must not be shortened. If it is extended, the new support period must be published as soon as practicable. For manufacturer-controlled websites that offer the product, the support-period information must be prominently published with consumer purchase information and given equal prominence where the product's main characteristics are published.
For covered products, the statement of compliance must be prepared by or on behalf of the manufacturer. It must identify the product type and batch identifier, manufacturer and authorised representative details, the compliance declarations, the defined support period at issue date, signatory details, and the place and date of issue.
The Rules set a five-year retention period for statements of compliance made for the consumer-grade relevant connectable product standard. Pair that retained statement with the technical and publication evidence that supports the manufacturer's declarations.
Use this guide to turn the Smart Devices Rules into product-scope records, credential reviews, vulnerability-reporting publication evidence, support-period records, and statement-of-compliance files inside Sorena.
Convert smart-device standards into scoped questions, evidence fields, owners, and review tasks.
Use Research Copilot to answer follow-up questions from the Cyber Security Act 2024 and the Smart Devices Rules.
Review product scope, password controls, vulnerability-reporting pages, support-period publication, and statements of compliance with Sorena.
"the period is 5 years"
"Obligation to provide and supply products with a statement of compliance"