
Australia Cyber Security Act 2024 Smart device security standards

Detailed technical guide to all three mandatory security standards under Schedule 1 of the Cyber Security (Security Standards for Smart Devices) Rules 2025: password security (Clause 2), vulnerability reporting (Clause 3), and defined support periods (Clause 4).

These Australia Cyber Security Act 2024 smart device security standards took effect on 4 March 2026 and apply to all consumer grade relevant connectable products acquired by a consumer in Australia.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 smart device security standards are defined in Schedule 1, Part 1 of the Cyber Security (Security Standards for Smart Devices) Rules 2025. They target a small set of controls that are visible, testable, and critical for consumer risk reduction. The three mandatory standards cover password security (Clause 2), security issue reporting (Clause 3), and defined support periods for security updates (Clause 4).

These three controls were selected because the Australian Cyber Security Centre identified them as the highest priority technical controls from the ETSI EN 303 645 standard. UK impact analysis modelled that a standard consisting of these three ETSI EN 303 645 principles could reduce the probability of attacks on smart devices by between 20 and 70 per cent.

The Australia Cyber Security Act 2024 smart device security standards apply from 4 March 2026 to all consumer grade relevant connectable products that will be acquired by a consumer in Australia, with the exception of desktop computers, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components. The 12 month transition period from registration to enforcement matches the approach taken under the UK Product Security and Telecommunications Infrastructure Act 2022. Manufacturers with products already in the UK market should already be meeting equivalent requirements.

Section 1

Products in scope and products excluded from the Australia Cyber Security Act 2024 smart device security standards

The Australia Cyber Security Act 2024 smart device security standards apply to the class of relevant connectable products defined in Section 8 of the Rules. A relevant connectable product is any product that can connect directly or indirectly to the internet. The specified class is all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic, or household use or consumption. The specified circumstance is that the product will be acquired in Australia by a consumer as defined under section 3 of the Australian Consumer Law.

Consumer energy resources including rooftop solar inverters and home batteries were added to the scope through a supplementary impact analysis prepared by the Department of Climate Change, Energy, the Environment and Water. This addition recognises that an estimated 35 per cent of the consumer energy resource fleet will be internet connected by 2027 and that these devices face the same market failure that drives insecure consumer smart devices generally.

Section 8(1)(b) of the Rules excludes six categories from the scope of the Australia Cyber Security Act 2024 smart device security standards. Desktop computers, laptops, tablet computers and smartphones are exempt. Therapeutic goods within the meaning of the Therapeutic Goods Act 1989 are excluded because they are regulated under a separate framework administered by the Therapeutic Goods Administration. Road vehicles and road vehicle components within the meaning of the Road Vehicle Standards Act 2018 are also excluded. The Explanatory Statement confirms that computers, tablets and smartphones were excluded because of the difficulty manufacturers would face in complying, given the complex supply chains for their components. The same product categories were excluded from the UK PSTI framework.

The Explanatory Statement provides specific examples to help manufacturers assess whether their products fall within scope of the Australia Cyber Security Act 2024 smart device security standards. Smart meters are not considered within scope because their primary purpose is supply, installation, and use by electricity retailers, not acquisition by a consumer. Contactless payment devices are in scope because an acquirer, including a business, can meet at least one limb of the 'consumer' definition in section 3 of the Australian Consumer Law. Smart TVs, smart watches, home assistants, baby monitors, smart speakers, connected cameras, smart doorbells, smart lighting, smart thermostats, and similar consumer devices are all in scope.

  • Consumer grade relevant connectable products intended for personal, domestic or household use are in scope of the Australia Cyber Security Act 2024 smart device security standards.
  • Products must be acquired in Australia by a consumer as defined under section 3 of the Australian Consumer Law.
  • Smart TVs, smart watches, home assistants, baby monitors, connected cameras, smart speakers, smart doorbells, smart lighting, smart thermostats, and consumer energy resources are all covered.
  • Consumer energy resources such as solar inverters and home batteries were explicitly added through a supplementary impact analysis.
  • Desktop computers, laptops, tablets and smartphones are exempt from the Australia Cyber Security Act 2024 smart device security standards due to complex supply chain considerations.
  • Therapeutic goods, road vehicles and road vehicle components are regulated separately and are exempt.
  • Smart meters are not in scope because they are not ordinarily acquired by consumers.
  • Contactless payment devices are in scope because they meet the consumer acquisition test under the Australian Consumer Law.
  • Each product's companion application and associated cloud services are within scope to the extent they fall within the definitions in Schedule 1.
Section 2

Standard 1: Password security requirements under Clause 2 of Schedule 1

Clause 2 of Schedule 1 sets the password security requirements under the Australia Cyber Security Act 2024 smart device security standards. This clause ensures that every consumer grade relevant connectable product either uses a password that is unique per product or requires the user to define the password. The standard prohibits shared default passwords across a product class or product type. Clause 2 applies to passwords used with the product in three contexts defined by Subclause 2(1). First, hardware of the product when the product is not in the factory default state. Second, software that is pre-installed on the product at the point of supply to a consumer when the product is not in the factory default state. Third, software that is not pre-installed but must be installed on the product for all of the manufacturer's intended purposes of the product that use hardware, pre-installed software, or installable software. This third category covers companion applications and any other software the consumer must install for the product to perform its intended purposes, so a password set in the companion app is subject to the same rules as one set on the device itself.

Under Subclause 2(2), every password that falls within scope must satisfy one of two options under the Australia Cyber Security Act 2024 smart device security standards. Option A requires the password to be unique per product, which means unique for each individual product of a given product class or type. Option B requires the password to be defined by the user. The choice between these two options belongs to the manufacturer. If the manufacturer chooses Option A, the password is further subject to the four prohibitions in Subclause 2(3).

Subclause 2(3) sets four specific prohibitions for passwords that are unique per product under the Australia Cyber Security Act 2024 smart device security standards. First, the password must not be based on incremental counters. The Rules define an incremental counter as a method of password generation in which multiple passwords are the same except for a small number of characters that change per password to make them unique, such as 'password1' and 'password2'. Second, the password must not be based on or derived from publicly available information, which includes any data that a third party could look up or discover without privileged access, including marketing materials, product listings, or publicly accessible databases. Third, the password must not be based on or derived from unique product identifiers such as serial numbers, MAC addresses, or other hardware identifiers, unless the derivation uses an encryption method or keyed hashing algorithm that is accepted as part of good industry practice. Fourth, the password must not be otherwise guessable in a manner unacceptable as part of good industry practice.

The term 'good industry practice' is defined in Clause 1 of Schedule 1 as the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity. This definition sets a professional standard, not a general consumer standard. It means that password generation must be assessed against the expectations of a qualified cryptographer, not against the knowledge of an average product designer. The Explanatory Statement confirms that the intention of Subclause 2(3) is to ensure that manufacturers employ all parts of good industry practice to ensure default passwords are not unacceptably guessable by any party.

The definition of 'password' in Schedule 1 Clause 1 explicitly excludes three categories from the scope of the Australia Cyber Security Act 2024 smart device security standards. Cryptographic keys, defined as data used to encrypt and decrypt data, are excluded. Personal identification numbers used for pairing in communication protocols that do not form part of the internet protocol suite are excluded. Application programming interface keys, defined as strings of characters used to identify and authenticate a particular user, product, or application for API access, are excluded. This means that Bluetooth Low Energy pairing PINs and Zigbee network keys are not subject to the password requirements, but Wi-Fi passwords, web interface login credentials, and mobile application login passwords are in scope.

  • All passwords must be unique per product or defined by the user of the product. Shared default passwords across a product class are prohibited under the Australia Cyber Security Act 2024 smart device security standards.
  • Passwords must not use incremental counter methods such as 'device001', 'device002', or 'password1', 'password2' to generate per-product passwords.
  • Passwords must not derive from publicly available information including product documentation, marketing materials, or any information accessible without privileged access.
  • Passwords must not derive from serial numbers, MAC addresses, or other unique product identifiers unless the derivation uses an encryption method or keyed hashing algorithm that meets good industry practice as judged by a skilled and experienced cryptographer.
  • Passwords must not be otherwise guessable in a manner unacceptable as part of good industry practice, including short passwords, dictionary words, or predictable patterns.
  • Verify that the password model remains compliant after factory reset by confirming the product returns to a state that does not expose a weak or shared credential.
  • Test companion application flows, onboarding sequences, and firmware update paths to confirm that no default password is silently reintroduced at any lifecycle stage.
  • Document the password generation method, the entropy source, and the hashing or encryption algorithm used so that compliance with the Australia Cyber Security Act 2024 smart device security standards can be demonstrated through evidence rather than assertion.
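The prohibitions in Subclause 2(3) are easiest to reason about in code. The following Python is an added example written for this guide, not code from the Rules, the Explanatory Statement or any manufacturer. It derives a unique-per-product password from the serial number with HMAC-SHA256 under a factory secret (the keyed-hashing route that Subclause 2(3)(c) permits; the Rules name no algorithm, so treating HMAC-SHA256 as good industry practice is this example's assumption), shows the CSPRNG alternative that has no relation to any identifier, and audits a provisioning batch for the patterns the clause prohibits: incremental counters, identifiers embedded in the clear, and short passwords. The 10-character floor, the 'differs in at most two positions' counter heuristic, and the sample serials and MAC addresses are all constructed for the example.

```python
"""Clause 2 password model: compliant per-product derivation plus a batch audit.

Added example (not from the page, the Rules or any regulator). Assumptions:
  * HMAC-SHA256 under a manufacturing secret is treated as an accepted keyed
    hashing algorithm; the Rules name no algorithm.
  * The secret key lives in the provisioning system (e.g. an HSM), never on
    the device; anyone holding it can regenerate every password in the fleet.
  * The 10-character floor and the "differs in at most 2 positions" counter
    heuristic are this example's thresholds, not figures from the Rules.
"""
import hashlib
import hmac
import secrets

# 32 symbols, omitting 0/O and 1/I so printed labels are unambiguous; 5 bits each.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 12   # 12 symbols x 5 bits = 60 bits drawn from the digest
MIN_LEN = 10        # example threshold for "otherwise guessable"


def derive_password(secret_key: bytes, serial: str, length: int = PASSWORD_LEN) -> str:
    """Unique-per-product password derived from the serial through a keyed hash.

    Without the key, the serial printed on the label tells an attacker
    nothing about the password, which is the point of the 2(3)(c) carve-out.
    """
    digest = hmac.new(secret_key, serial.encode("utf-8"), hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[bits & 31])
        bits >>= 5
    return "".join(chars)


def random_password(length: int = PASSWORD_LEN) -> str:
    """The other compliant route: a CSPRNG password stored in the provisioning database."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(value: str) -> str:
    return value.lower().replace(":", "").replace("-", "").replace(" ", "")


def embeds_identifier(password: str, identifiers) -> bool:
    """True if an identifier, or its last six characters, appears in the password in the clear."""
    pw = _normalise(password)
    for ident in identifiers:
        ident = _normalise(ident)
        if len(ident) >= 6 and (ident in pw or ident[-6:] in pw):
            return True
    return False


def looks_incremental(a: str, b: str) -> bool:
    """Equal-length passwords differing in at most two positions, e.g. device001/device002."""
    if len(a) != len(b):
        return False
    distance = sum(x != y for x, y in zip(a, b))
    return 0 < distance <= 2


def audit_batch(records) -> list:
    """Screen a provisioning batch against the Subclause 2(3) prohibitions.

    records: iterable of dicts with 'serial', 'mac' and 'password' keys.
    Returns human-readable findings; an empty list means nothing was flagged.
    """
    findings = []
    rows = list(records)
    for i, row in enumerate(rows):
        pw = row["password"]
        if len(pw) < MIN_LEN:
            findings.append(f"{row['serial']}: password shorter than {MIN_LEN} characters")
        if embeds_identifier(pw, (row["serial"], row["mac"])):
            findings.append(f"{row['serial']}: password derived from a product identifier in the clear")
        if i > 0 and looks_incremental(rows[i - 1]["password"], pw):
            findings.append(f"{row['serial']}: incremental counter pattern with {rows[i - 1]['serial']}")
    return findings


# Constructed sample batches (not real devices).
BAD_BATCH = [
    {"serial": "SN000101", "mac": "A4:C1:38:00:01:01", "password": "device001"},
    {"serial": "SN000102", "mac": "A4:C1:38:00:01:02", "password": "device002"},
    {"serial": "SN000103", "mac": "A4:C1:38:00:01:03", "password": "device003"},
    {"serial": "SN000104", "mac": "A4:C1:38:12:34:56", "password": "wifi-123456-home"},
]

_FACTORY_KEY = secrets.token_bytes(32)   # stands in for a key held in the provisioning HSM
GOOD_BATCH = [
    {"serial": s, "mac": m, "password": derive_password(_FACTORY_KEY, s)}
    for s, m in (("SN000201", "A4:C1:38:00:02:01"),
                 ("SN000202", "A4:C1:38:00:02:02"),
                 ("SN000203", "A4:C1:38:00:02:03"))
]

if __name__ == "__main__":
    for finding in audit_batch(BAD_BATCH):
        print("FAIL", finding)
    print("good batch findings:", audit_batch(GOOD_BATCH))
```

Two practitioner points the Rules leave implicit: the derivation is only as strong as the secrecy of the key, so the key belongs in the provisioning system and never in firmware or a companion app, and a key compromise exposes every password derived from it; and the audit is a screen, not proof of compliance, so the generation method, entropy source and algorithm still need to be documented as the last bullet above says.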
Section 3

ETSI EN 303 645 alignment and international equivalence

The Explanatory Statement to the Rules confirms that the security standards in Schedule 1 closely follow the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK), which themselves implement the first three provisions of ETSI EN 303 645. These three provisions are: no universal default passwords (Provision 5.1), implement a means to manage reports of security vulnerabilities (Provision 5.2), and keep software updated (Provision 5.3). The Australia Cyber Security Act 2024 smart device security standards therefore represent a deliberate policy choice to focus on the three most impactful controls rather than the full 13 provisions of ETSI EN 303 645.

The Australian Government's Impact Analysis found that the UK modelled the probability of attacks on smart devices could be reduced by between 20 and 70 per cent through a standard consisting of these first three principles. The Australian Cyber Security Centre confirmed that these three principles are the highest priority technical controls. The IoT Security Foundation found that 78.4 per cent of smart device manufacturers do not have a readily detectable vulnerability disclosure policy, demonstrating the scale of the gap that these standards are designed to close.

For manufacturers already compliant with the UK PSTI Act 2022, compliance with the Australia Cyber Security Act 2024 smart device security standards will require minimal additional effort. The Explanatory Statement confirms that responsible entities operating across other jurisdictions with similar compliance frameworks can provide the same statement of compliance for the Australian market, as long as all the requirements set out in Section 9 of the Rules are met. Products carrying a Singapore Cybersecurity Labelling Scheme rating at Level 1 or above will have addressed the same password and vulnerability reporting requirements and should map their existing evidence to the Australian clause structure.

Manufacturers should retain records that show which ETSI EN 303 645 provisions their product meets, so that future extensions of the Australian standard can be addressed without starting from scratch. During consultation on the 2023-2030 Australian Cyber Security Strategy, industry groups and manufacturers tended to support initially mandating only the first three ETSI principles as a way of balancing security with cost to industry. Consumer advocates and some cyber security companies advocated for adoption of the entire 13-provision standard. The Australian Government may revisit the scope in a post-implementation review no later than two years after the enforcement date.

  • ETSI EN 303 645 Provision 5.1-1 requires passwords to be unique per device. The Australia Cyber Security Act 2024 smart device security standards use the term 'unique per product', defined as unique for each individual product of a given product class or type.
  • ETSI EN 303 645 Provision 5.1-2 prohibits passwords based on incremental counters, derived from publicly available information, derived from device identifiers unless using a sufficiently secure encryption scheme, or otherwise easily guessable. Schedule 1 Subclause 2(3) mirrors these four prohibitions exactly.
  • ETSI EN 303 645 Provision 5.2 requires a means to manage reports of security vulnerabilities. Clause 3 of Schedule 1 implements this requirement with specific accessibility and transparency obligations.
  • ETSI EN 303 645 Provision 5.3 requires keeping software updated. Clause 4 of Schedule 1 implements this by requiring publication of a defined support period with a fixed end date.
  • Products already certified under the UK PSTI Act or carrying a Singapore CLS rating at Level 1 or above should map existing evidence to the Australian clause structure.
  • A post-implementation review of the Australia Cyber Security Act 2024 smart device security standards is expected no later than two years after enforcement, which may expand the scope to additional ETSI EN 303 645 provisions.
Section 4

Standard 2: Security issue reporting requirements under Clause 3 of Schedule 1

Clause 3 of Schedule 1 sets the security issue reporting requirements under the Australia Cyber Security Act 2024 smart device security standards. This clause obligates the manufacturer to publish information on how a person can report security issues in relation to the product. The scope of Subclause 3(1) covers four categories of product components. First, the hardware of the product. Second, software that is pre-installed on the product at the point of supply to a consumer. Third, software that must be installed on the product for all of the manufacturer's intended purposes of the product that use hardware, pre-installed software, or installable software. Fourth, software used for or in connection with any of the manufacturer's intended purposes of the product. This fourth category is broader than the password scope in Clause 2 and captures companion applications, cloud services, and backend systems that the manufacturer provides for the product's operation.

Under Subclause 3(2), the manufacturer must publish two categories of information under the Australia Cyber Security Act 2024 smart device security standards. Subclause 3(2)(a) requires the manufacturer to publish at least one point of contact that allows a person to report security issues to the manufacturer. Subclause 3(2)(b) requires the manufacturer to publish information about when a person who makes a report will receive an acknowledgement of receipt of the report and when they will receive status updates until the resolution of the reported security issues. This means the manufacturer cannot simply publish an email address. The manufacturer must also explain the expected timelines for acknowledgement and for ongoing updates. This creates a feedback loop between the reporter and the manufacturer that persists until the issue is resolved.

Subclause 3(3) sets the accessibility requirements for the published information under the Australia Cyber Security Act 2024 smart device security standards. The information must be accessible, clear, and transparent. It must be made available without prior request, meaning it cannot be hidden behind a login or a support ticket system, and the person must not have to contact the manufacturer before seeing the reporting path. It must be published in English. It must be provided free of charge. And it must be accessible without requesting the provision of personal information about the person seeking the reporting information. This last point means the manufacturer cannot require a name, email address, phone number, or account registration merely to view the reporting instructions.

The Explanatory Statement clarifies an important distinction under the Australia Cyber Security Act 2024 smart device security standards. While the manufacturer cannot require personal information for a person to access the published reporting information, the manufacturer may request reasonable contact information such as an email address from the person who actually submits a report. This request is permitted for the purpose of providing the required acknowledgement and status updates under Subclause 3(2)(b). Any collection, use, or disclosure of personal information by the manufacturer in this context remains subject to the Privacy Act 1988.

This is one of the most visible obligations under the Australia Cyber Security Act 2024 smart device security standards because researchers, consumers, and regulators can directly verify whether the required information is published, whether it is accessible without login, and whether it states the expected timelines for acknowledgement and status updates. The IoT Security Foundation figure cited above, that 78.4 per cent of smart device manufacturers have no readily detectable vulnerability disclosure policy, shows how widespread the gap this requirement addresses is.

  • Publish at least one contact method such as an email address, a web form URL, or a security.txt file that allows any person to report security issues to the manufacturer.
  • Publish in English, in a location accessible without login, account creation, or any request for personal information from the person viewing the reporting information.
  • State the expected time within which the manufacturer will acknowledge receipt of a security issue report, for example 'within 5 business days'.
  • State the expected frequency or conditions under which the manufacturer will provide status updates to the reporter until the issue is resolved.
  • Ensure the published process accurately reflects the actual triage workflow used by the security or engineering team, so that the published timelines are realistic and achievable.
  • Do not require any form of non-disclosure agreement or legal waiver as a precondition for viewing the reporting information or for submitting a report.
  • Consider publishing a security.txt file at the /.well-known/ path on the manufacturer's website, following RFC 9116, to make the contact point discoverable by automated scanners and security researchers.
  • Keep evidence of the published reporting information, including periodic web page captures with timestamps, to demonstrate ongoing compliance with the Australia Cyber Security Act 2024 smart device security standards.
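The bullets above point at RFC 9116 for discoverability. The following Python is an added example for this guide, not code from the page, the RFC or any manufacturer. It parses a security.txt file, checks the RFC 9116 requirements that can be verified offline (at least one Contact that is a URI, exactly one Expires timestamp that is in the future and, per the RFC's recommendation, under a year ahead, at most one Preferred-Languages), and treats a missing Policy link as a finding because security.txt has no field of its own for the acknowledgement and status-update timelines that Subclause 3(2)(b) requires. The example.com URLs and both sample files are constructed, and the Policy rule is this example's, not the RFC's.

```python
"""Validate a security.txt file against RFC 9116 and the Clause 3 publication duties.

Added example; not from the page, RFC 9116 or any manufacturer. Assumptions:
  * example.com URLs and both sample files are constructed for the demo.
  * Treating a missing Policy field as a finding is this example's rule:
    security.txt has no field for the acknowledgement and status-update
    timelines that Subclause 3(2)(b) requires, so a Policy URL is where a
    manufacturer would publish them.
"""
import re
from datetime import datetime, timedelta, timezone

URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # Contact values must be URIs
SINGLE_VALUED = ("expires", "preferred-languages")      # RFC 9116: at most one of each


def parse_security_txt(text: str) -> dict:
    """Map lower-cased field names to their values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime:
    """Expires is an RFC 3339 timestamp; fromisoformat accepts a trailing 'Z' only from Python 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        raise ValueError("Expires must carry a UTC offset")
    return when


def validate_security_txt(text: str, now: datetime) -> list:
    """Return findings (an empty list is a pass). `now` must be timezone-aware."""
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact: at least one Contact field is required")
    for contact in contacts:
        if not URI_SCHEME.match(contact):
            findings.append(f"Contact: not a URI, use mailto:, https: or tel: ({contact})")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name}: must appear at most once")
    expires = fields.get("expires", [])
    if not expires:
        findings.append("Expires: exactly one Expires field is required")
    else:
        try:
            when = _parse_expires(expires[0])
        except ValueError:
            findings.append(f"Expires: not an RFC 3339 timestamp ({expires[0]})")
        else:
            if when <= now:
                findings.append("Expires: already expired; researchers will treat the file as stale")
            elif when - now > timedelta(days=365):
                findings.append("Expires: more than a year ahead; RFC 9116 recommends under a year")
    if not fields.get("policy"):
        findings.append("Policy: no policy URL, so the Subclause 3(2)(b) acknowledgement "
                        "and status-update timelines have nowhere to be published")
    for line in fields.get("_malformed", []):
        findings.append(f"malformed line: {line}")
    return findings


# Constructed samples; example.com is a reserved documentation domain.
GOOD_SECURITY_TXT = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

BAD_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Expires: 2025-01-01T00:00:00Z
"""

SAMPLE_NOW = datetime(2026, 3, 4, tzinfo=timezone.utc)   # fixed clock for the samples

if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(text, SAMPLE_NOW) or ["pass"])
```

Run this against a capture of the live file as part of the periodic evidence collection the last bullet describes; the Expires check is the one that silently fails months after launch when nobody owns the file.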
Section 5

Standard 3: Defined support period and security update requirements under Clause 4 of Schedule 1

Clause 4 of Schedule 1 sets the defined support period and security update requirements under the Australia Cyber Security Act 2024 smart device security standards. This clause obligates the manufacturer to publish the period during which security updates will be provided for the product. Subclause 4(1) defines the scope of coverage across four categories. First, hardware of the product that is capable of receiving security updates. Second, software that is pre-installed on the product at the point of supply and is capable of receiving security updates. Third, software that must be installed for the manufacturer's intended purposes and is capable of receiving security updates. Fourth, software developed by or on behalf of any manufacturer that is capable of receiving security updates and is used for or in connection with the manufacturer's intended purposes of the product.

Subclause 4(2) defines 'security update' under the Australia Cyber Security Act 2024 smart device security standards as a software update that protects or enhances the security of the product, including a software update that addresses a security issue which has been discovered by or reported to the manufacturer. This definition is broad. It covers patches for known vulnerabilities, proactive security improvements, and updates that address issues found through the manufacturer's own testing or through the reporting mechanism required by Clause 3.

Subclause 4(3) defines 'defined support period' as the period, expressed as a period of time with an end date, for which the security updates will be provided by or on behalf of the manufacturer of the product. The Explanatory Statement emphasises that the defined support period must include a fixed end date, not an open-ended promise. The specific example given is 'no later than 30 June 2027'. A statement such as 'supported for at least two years' would not satisfy this requirement under the Australia Cyber Security Act 2024 smart device security standards because it does not include an end date. A statement such as 'security updates provided until end of life' would also fail because 'end of life' is not a date.

Subclause 4(4) provides that the manufacturer must not shorten the defined support period after it is published under the Australia Cyber Security Act 2024 smart device security standards. Once a date is committed, it is binding. Under Subclause 4(5), if the manufacturer extends the defined support period, the new period must be published by or on behalf of the manufacturer as soon as is practicable. The Explanatory Statement clarifies that during the defined support period, the manufacturer must provide available security updates to the product as far as practicable and in line with good industry practice. This means the obligation is not merely to publish a date but also to actually deliver patches during the committed period.

Subclause 4(6) imposes publication requirements that are more extensive than those for security issue reporting under the Australia Cyber Security Act 2024 smart device security standards. The information must be accessible, clear, and transparent. It must be available without prior request, in English, free of charge, and without requesting personal information. Crucially, it must also be presented in a way that is understandable by a reader without prior technical knowledge. This plain language requirement is unique to Clause 4 and does not appear in Clause 3. It means the support period information must be written in everyday language that a non-technical consumer can understand, avoiding jargon, firmware version numbers, and acronyms.

Subclause 4(7) adds additional requirements that apply when the manufacturer offers to supply the product on its own website or another website under its control under the Australia Cyber Security Act 2024 smart device security standards. In that scenario, the manufacturer must satisfy two conditions. First, the defined support period must be prominently published alongside other information on the website that is intended to inform consumers' decisions to acquire the product. This applies in each instance on the website where such information appears. Second, for each instance on the website where the main characteristics of the product are published, the defined support period must be published alongside or given equal prominence to those main characteristics.

The Explanatory Statement provides detailed guidance on how to interpret these website prominence requirements. Product information pages, product purchase pages, and product comparison pages are all locations where the defined support period is likely required. Generic press releases, support articles, and accessory purchase pages are not likely to trigger the requirement. The Explanatory Statement states that a consumer should not need to know that the Cyber Security Act 2024 or its Rules exist in order to discover the defined support period. The information must be findable through normal browsing of product information. It should not be buried in a statement of compliance or in a regulatory section of a website if product characteristics appear elsewhere.

  • Publish the defined support period as a specific end date, not as a duration without a date. For example, publish 'security updates until 31 December 2030', not 'supported for 5 years'.
  • Publish the support period for every software and hardware component of the product that is capable of receiving security updates, including companion applications and cloud services developed by or on behalf of the manufacturer.
  • Do not shorten the defined support period after publication under the Australia Cyber Security Act 2024 smart device security standards. Plan conservatively and commit only to dates the organisation can deliver.
  • If the support period is extended, publish the new end date as soon as practicable. Keep records of the original publication and every subsequent update.
  • Write the support period information in plain language that a person without technical knowledge can understand. Avoid jargon, acronyms, firmware version numbers, and references to internal product codes.
  • On every product information page, product purchase page, and product comparison page on the manufacturer's website or any website under the manufacturer's control, publish the defined support period alongside or with equal prominence to the main product characteristics.
  • Do not hide the support period information behind a login, a registration form, a non-disclosure agreement, or a request for personal information.
  • Ensure the support period information is published in English and is accessible free of charge to any person without a prior request.
  • Match the published support period to the organisation's actual capability to deliver security patches across the committed timeframe. Publish only what the engineering and operations teams can sustain.
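The Explanatory Statement's examples of acceptable and unacceptable support-period wording translate into a simple check. The following Python is an added example for this guide, not code from the page or the Rules. It extracts an end date from a published statement, flags durations without a date ('supported for at least two years') and open-ended wording ('until end of life'), and keeps a change history that refuses to shorten a published period (Subclause 4(4)) while recording extensions (Subclause 4(5)). The accepted date formats, the regular expressions, the product record and the sample statements are this example's assumptions.

```python
"""Check published defined-support-period statements for the Clause 4 failure modes.

Added example; not from the page, the Rules or the Explanatory Statement.
Assumptions: the accepted date spellings are those in DATE_FORMATS, the
regular expressions are this example's heuristics, and SupportPeriodRecord
is this example's data model rather than a format the Rules prescribe.
"""
import re
from datetime import date, datetime

DATE_FORMATS = ("%d %B %Y", "%d %b %Y", "%Y-%m-%d", "%B %d, %Y")
DATE_TOKEN = re.compile(
    r"\b(\d{1,2}\s+[A-Za-z]+\s+\d{4}|\d{4}-\d{2}-\d{2}|[A-Za-z]+\s+\d{1,2},\s+\d{4})\b"
)
# "for 5 years", "at least two years": a duration with no end date
DURATION_ONLY = re.compile(r"\b(at least|for)\s+(\d+|\w+)\s+(years?|months?)\b", re.I)
# "until end of life", "indefinitely": no date at all
OPEN_ENDED = re.compile(
    r"\bend of (life|sale|support)\b|\bindefinitely\b|\buntil further notice\b", re.I
)


def extract_end_date(statement: str):
    """Return the first parseable calendar date in the statement, or None."""
    for match in DATE_TOKEN.finditer(statement):
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(match.group(1), fmt).date()
            except ValueError:
                continue
    return None


def check_statement(statement: str, published_on: date) -> list:
    """Findings for a statement as a consumer would read it on the product page."""
    findings = []
    end = extract_end_date(statement)
    if end is None:
        if DURATION_ONLY.search(statement):
            findings.append("duration without an end date: Subclause 4(3) requires a date")
        elif OPEN_ENDED.search(statement):
            findings.append("open-ended wording: 'end of life' is not a date")
        else:
            findings.append("no end date found in the statement")
    elif end <= published_on:
        findings.append(f"end date {end.isoformat()} is already past at publication")
    return findings


class SupportPeriodRecord:
    """A product's published defined support period with its change history."""

    def __init__(self, product: str, end_date: date, published_on: date):
        self.product = product
        self.end_date = end_date
        self.history = [(published_on, end_date)]

    def extend(self, new_end: date, published_on: date) -> None:
        """Record an extension; refuse anything that would shorten the period."""
        if new_end < self.end_date:
            raise ValueError(
                f"{self.product}: Subclause 4(4) prohibits shortening {self.end_date} to {new_end}"
            )
        self.end_date = new_end
        self.history.append((published_on, new_end))

    def statement(self) -> str:
        """Plain-language wording for the product page, as Subclause 4(6) asks."""
        return f"Security updates for the {self.product} will be provided until {self.end_date:%d %B %Y}."


# Constructed statements covering the Explanatory Statement's examples.
SAMPLE_STATEMENTS = [
    "Security updates will be provided no later than 30 June 2027.",
    "Security updates until 31 December 2030.",
    "Supported for at least two years.",
    "Security updates provided until end of life.",
]
PUBLISHED_ON = date(2026, 3, 4)   # constructed publication date for the samples

if __name__ == "__main__":
    for s in SAMPLE_STATEMENTS:
        print(s, "->", check_statement(s, PUBLISHED_ON) or "ok")
    rec = SupportPeriodRecord("Example Smart Plug", date(2030, 12, 31), PUBLISHED_ON)
    print(rec.statement())
```

The record's history is the evidence the bullet on keeping records asks for: every entry is a date on which a period was published, and the refusal in `extend` is the control that stops a catalogue update from quietly shortening a commitment.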
Section 6

Statement of compliance requirements under the Australia Cyber Security Act 2024 smart device security standards

Beyond the three technical standards in Schedule 1, the Australia Cyber Security Act 2024 smart device security standards framework includes mandatory statement of compliance requirements under Division 3 of Part 2 of the Rules. Section 16 of the Act requires manufacturers to provide a statement of compliance for the supply of the product in Australia, and requires suppliers to supply the product accompanied by that statement. Section 9 of the Rules specifies the detailed content requirements for the statement.

The statement must be prepared by or on behalf of the manufacturer and must include the following fields under the Australia Cyber Security Act 2024 smart device security standards: the product type and batch identifier; the name and address of the manufacturer; the name and address of an authorised representative of the manufacturer; the name and address of each of the manufacturer's other authorised representatives in Australia (if any); a declaration that the statement was prepared by or on behalf of the manufacturer; a declaration that in the opinion of the manufacturer the product was manufactured in compliance with the security standard and the manufacturer has complied with all other obligations in the standard; the defined support period for the product at the date the statement is issued; the signature, name, and function of the signatory of the manufacturer; and the place and date of issue of the statement.

Section 10 sets the retention period for statements of compliance at five years for both manufacturers and suppliers under the Australia Cyber Security Act 2024 smart device security standards. This five-year period was reduced from the originally proposed ten years following stakeholder consultation, on the basis that five years is consistent with the average lifespan of a relevant connectable product and reduces administrative burden on industry. The statement is primarily for the regulator's use to verify compliance. Statements are not required to be provided with the product at point of sale, but must be available for the regulator on request.

Products that already comply with the UK Product Security and Telecommunications Infrastructure Regulations 2023 can provide the same statement of compliance for the Australian market under the Australia Cyber Security Act 2024 smart device security standards, provided all requirements in Section 9 are met. Manufacturers operating across both jurisdictions should verify that their UK statement includes the defined support period as at the date the statement is issued and includes the name and address of any authorised representatives in Australia.

  • The statement of compliance must be prepared by or on behalf of the manufacturer of the product before supply in Australia.
  • Include the product type, batch identifier, manufacturer name and address, authorised representative details including any representatives in Australia, compliance declarations, defined support period at the date of issue, signatory details, and place and date of issue.
  • The signatory must provide their signature, name, and function within the manufacturer's organisation.
  • Retain the statement of compliance for a minimum of five years. Both the manufacturer and the supplier must retain copies.
  • UK PSTI compliant statements may satisfy Australian requirements under the Australia Cyber Security Act 2024 smart device security standards if every field required by Section 9 is present.
  • The statement is for the regulator and is not required to be provided to the consumer at point of sale, though the manufacturer may choose to publish it.
Section 7

Key definitions in Schedule 1 of the Australia Cyber Security Act 2024 smart device security standards

Clause 1 of Schedule 1 defines several terms that manufacturers must understand when applying the Australia Cyber Security Act 2024 smart device security standards. 'Good industry practice' means the exercise of that degree of skill, diligence, prudence, and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity. This standard of care applies to password generation and encryption decisions under Clause 2 and is the benchmark for assessing whether a password is 'otherwise guessable' under Subclause 2(3)(d).

'Factory default state' means the state of the product after factory reset or after final production or assembly. 'Hardware' means a physical electronic information system, or parts thereof, capable of processing, storing, or transmitting digital data. 'Incremental counter' means a method of password generation in which multiple passwords are the same save for a small number of characters that change per password to make them unique. 'Keyed hashing algorithm' means an algorithm that uses a data input and a secret key to produce a value that cannot be guessed or reproduced without knowledge of both the data input and the secret key.

'Manufacturer's intended purpose' of a product means the use for which the product is intended according to the data provided by the manufacturer, including on the label, in the instructions for use, or in promotional or sales materials or statements. The Explanatory Statement clarifies that the manufacturer's intended purpose remains consistent even if a user does not use the product for that purpose. 'Unique per product' means unique for each individual product of a given product class or type. 'Secret key' means a cryptographic key intended to be known only by the person who encrypted or authorised the encrypting of the data, and any person authorised by that person. 'Consumer' is defined by reference to section 3 of the Australian Consumer Law.

  • Good industry practice means the standard expected from a skilled and experienced cryptographer engaged in the same type of activity.
  • Factory default state means the state after factory reset or after final production or assembly.
  • Hardware means a physical electronic information system capable of processing, storing, or transmitting digital data.
  • Incremental counter means passwords that differ only by a small number of characters.
  • Keyed hashing algorithm uses a data input and a secret key to produce a value that cannot be reproduced without both inputs.
  • Manufacturer's intended purpose is defined by labels, instructions, and promotional materials, and remains consistent regardless of actual user behaviour.
  • Unique per product means unique for each individual unit of a given product class or type.
  • Password excludes cryptographic keys, pairing PINs for non-internet-protocol communications, and API keys.
Section 8

Enforcement framework for the Australia Cyber Security Act 2024 smart device security standards

The Cyber Security Act 2024 establishes a graduated enforcement framework that applies when a responsible entity is suspected of non-compliance with the Australia Cyber Security Act 2024 smart device security standards. The framework operates through three types of notices under Division 3 of Part 2 of the Act, supported by additional regulatory powers under Part 6.

Section 17 authorises the Secretary to issue a compliance notice if the Secretary is reasonably satisfied that an entity is not complying with an obligation under Section 15 (manufacturer compliance) or Section 16 (statement of compliance), or is aware of information that suggests that the entity may not be complying with the obligation. The compliance notice must set out the name of the entity, brief details of the non-compliance or possible non-compliance, the corrective action within the entity's control, a reasonable period for completion, and an explanation of what may happen if the entity does not comply. This is the first step in the enforcement ladder under the Australia Cyber Security Act 2024 smart device security standards.

Section 18 authorises a stop notice, which can halt the supply of non-compliant products. Section 19 authorises a recall notice, which can require the removal of products from the Australian market. A recall notice is the most severe enforcement action and is used when other measures have not resolved the non-compliance. Under Section 20, the Minister may publicly notify failure to comply with a recall notice on the Department's website or through another method. Section 11 of the Rules specifies that the public notification may include details of the recall notice and recommended actions for consumers, such as destroying the product or taking extra precautions during continued use.

Part 6 of the Act provides additional regulatory powers including civil penalty provisions, enforceable undertakings, injunctions, monitoring and investigation powers, and infringement notices. These provisions give the regulator a graduated enforcement toolkit for addressing non-compliance with the Australia Cyber Security Act 2024 smart device security standards. Section 22 of the Act provides for internal review of decisions to issue compliance, stop, or recall notices.

Both manufacturers and suppliers carry distinct obligations under the enforcement framework. Manufacturers who are aware, or could reasonably be expected to be aware, that a product will be acquired in Australia must manufacture the product in compliance with the Australia Cyber Security Act 2024 smart device security standards and must comply with all other obligations in the standard. Suppliers who are aware, or could reasonably be expected to be aware, that a product will be acquired in Australia must not supply a non-compliant product and must accompany the product with a valid statement of compliance.

  • Compliance notices under Section 17 may be issued on the basis of reasonable satisfaction of non-compliance or even information suggesting possible non-compliance.
  • Stop notices under Section 18 can halt supply of non-compliant products in Australia.
  • Recall notices under Section 19 can require removal of products from the Australian market.
  • Failure to comply with a recall notice may result in public notification by the Minister, including the identity of the entity and full product details.
  • Public notification may recommend that consumers destroy the product or take extra precautions during use.
  • Civil penalty provisions, enforceable undertakings, injunctions, and infringement notices under Part 6 provide additional enforcement mechanisms.
  • Decisions to issue compliance, stop, or recall notices are subject to internal review under Section 22 of the Act.
  • Both manufacturers and suppliers carry distinct obligations under the enforcement framework of the Australia Cyber Security Act 2024 smart device security standards.
Section 9

How to operationalise compliance with the Australia Cyber Security Act 2024 smart device security standards

Teams that comply successfully with the Australia Cyber Security Act 2024 smart device security standards build a single release gate that checks the password model against all four Subclause 2(3) prohibitions, verifies the vulnerability reporting page meets the Subclause 3(3) accessibility requirements, confirms the support period publication on every required website location under Subclause 4(7), and validates the update delivery path. The release gate should also verify that the statement of compliance has been prepared with all Section 9 fields, signed by the appropriate signatory, and stored in a system that will maintain the record for the five-year retention period.

A product can meet the letter of the Australia Cyber Security Act 2024 smart device security standards and still be difficult to defend in an enforcement action if the evidence is fragmented. Build the evidence trail while the product is in development, not after launch. Capture screenshots of the published vulnerability reporting page with timestamps. Generate test reports confirming the password generation method meets good industry practice standards. Capture screenshots of every website location where the defined support period is published alongside product characteristics. Store these artifacts in a central compliance repository with clear version history so that the compliance state at any point in time can be reconstructed.

For manufacturers already compliant with the UK PSTI Act, the primary additional work to meet the Australia Cyber Security Act 2024 smart device security standards involves confirming that the statement of compliance includes all Section 9 fields (including authorised representatives in Australia), that the defined support period publication satisfies the Australian website prominence rules under Clause 4(7), and that the security issue reporting information is accessible in English without requesting personal information. Map existing UK evidence to the Australian clause structure and fill any gaps.

Train customer support and security triage teams on the published reporting process so that incoming vulnerability reports are handled within the timelines stated on the public page. If the published page states that acknowledgement will be provided within 5 business days and status updates will be provided monthly, the internal workflow must be configured to meet those commitments. Retest compliance after every firmware update, companion application update, account system change, or update mechanism change.

  • Create a clause level control matrix mapped to each subclause of Schedule 1, with columns for evidence type, responsible owner, test method, and last verification date.
  • Keep screenshots, test reports, web page captures, and signed statements as evidence. Date every piece of evidence and store it in a central repository.
  • Assign an approval step before the statement of compliance is issued. The signatory should verify that all three standards in Schedule 1 are met before signing.
  • Retest compliance with the Australia Cyber Security Act 2024 smart device security standards after firmware updates, companion application updates, account system changes, or update mechanism changes.
  • For products sold through the manufacturer's website, audit every product information page, purchase page, and comparison page to verify the defined support period is published with equal prominence to the main product characteristics.
  • Train customer support and security triage teams on the published reporting process so incoming vulnerability reports are handled within the published timelines.
  • Retain all statements of compliance for at least five years and maintain a record of every published support period and every extension.
  • Reuse UK PSTI evidence where it meets all Australian Section 9 requirements, and fill gaps for Australia-specific fields such as authorised representatives in Australia.
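As an added illustration of how the Clause 1 definitions of 'incremental counter', 'unique per product' and 'keyed hashing algorithm' (Section 7) turn into the kind of release-gate password checks described in this section, here is example code written for this guide; it is not from the Rules, the Explanatory Statement, or any manufacturer's tooling. The sample batch, the secret key, the threshold of four varying characters, and all function names are assumptions made for the example. The second function derives per-product defaults with HMAC-SHA256, which fits the Clause 1 definition of a keyed hashing algorithm because the output cannot be reproduced from the serial number without the secret key.

```python
import hashlib
import hmac
import itertools
import string

# Constructed sample batch: default passwords that differ only by a trailing
# counter, the pattern Clause 1 of Schedule 1 calls an "incremental counter".
# (Illustrative data made up for this example, not from any real product.)
COUNTER_BATCH = [f"Home-Cam-{n:04d}" for n in range(1, 11)]

# Assumption for this example: a batch is treated as an incremental-counter
# family when every pair of passwords differs in at most this many characters.
MAX_VARYING_CHARS = 4

ALPHABET = string.ascii_letters + string.digits    # 62 symbols
_UNBIASED_LIMIT = 256 - (256 % len(ALPHABET))      # 248: largest multiple of 62 <= 256


def differing_positions(a: str, b: str) -> int:
    """Count positions where two passwords differ; extra length counts as differing."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def is_incremental_counter_batch(passwords, max_varying_chars=MAX_VARYING_CHARS) -> bool:
    """True when all passwords are the same save for a small number of characters."""
    if len(passwords) < 2:
        return False
    return all(
        differing_positions(a, b) <= max_varying_chars
        for a, b in itertools.combinations(passwords, 2)
    )


def derive_default_password(secret_key: bytes, serial: str, length: int = 12) -> str:
    """Derive a per-product default password with a keyed hashing algorithm (HMAC-SHA256).

    Bytes >= _UNBIASED_LIMIT are rejected so every ALPHABET symbol is equally likely;
    further HMAC blocks (serial:1, serial:2, ...) are drawn if the first runs short.
    """
    if not secret_key:
        raise ValueError("secret key must not be empty")
    chars = []
    block = 0
    while len(chars) < length:
        msg = f"{serial}:{block}".encode()
        for byte in hmac.new(secret_key, msg, hashlib.sha256).digest():
            if byte < _UNBIASED_LIMIT:
                chars.append(ALPHABET[byte % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


def check_batch(passwords) -> dict:
    """Release-gate style result a reviewer can record as evidence for one batch."""
    return {
        "unique_per_product": len(set(passwords)) == len(passwords),
        "incremental_counter": is_incremental_counter_batch(passwords),
    }


if __name__ == "__main__":
    # Constructed key for the example only; a production key belongs in an HSM or
    # secrets store and is never embedded in firmware or source.
    EXAMPLE_KEY = b"example-manufacturer-key-do-not-use"
    serials = [f"SN-{n:06d}" for n in range(1, 11)]
    keyed_batch = [derive_default_password(EXAMPLE_KEY, s) for s in serials]
    print("counter batch:", check_batch(COUNTER_BATCH))   # incremental_counter: True
    print("keyed batch:  ", check_batch(keyed_batch))     # incremental_counter: False
```

Both batches pass the 'unique per product' check, which is why uniqueness alone is not enough evidence: the counter batch is still flagged because any one unit's default reveals the others. The flagged result and the passing result are the kind of dated artifacts the evidence repository described above should hold for each firmware release.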

Primary sources

References and citations

Cyber Security (Security Standards for Smart Devices) Rules 2025, legislation.gov.au
  • Primary source for all three Australia Cyber Security Act 2024 smart device security standards (password, reporting, support period) and statement of compliance requirements. Authorised Version F2025L00276 registered 04/03/2025, Schedule 1 effective 4 March 2026.
  • Quoted: "Part 1 of Schedule 1 prescribes the security standard for the class of relevant connectable products that is all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption."

Explanatory Statement to the Rules (clause by clause commentary), legislation.gov.au
  • Commentary on Schedule 1, including guidance on website prominence for the defined support period, consumer definition, privacy implications, and the relationship to the UK PSTI Regulations.
  • Quoted: "The security standards in Schedule 1, Part 1 of the Rules closely follows the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK)."