Australia Cyber Security Act 2024 Statement of Compliance and Recordkeeping

Section 9(3) of the Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribes seven mandatory elements that every Australia Cyber Security Act 2024 statement of compliance must include. The statement of compliance must be prepared by, or on behalf of, the manufacturer of the product under Section 9(2). There is no prescribed format or template, but every Australia Cyber Security Act 2024 statement of compliance must include all seven elements to satisfy the Rules. Omitting any single element means the statement of compliance does not meet the requirements, which means the product is not lawfully supplied with a compliant document.

The Explanatory Statement for the Rules clarifies the purpose of each element. Product type and batch identifier are required to differentiate between products that may appear similar. For example, two products with different manufacturing dates may have different security updates installed by default. The manufacturer details provide the regulator with a point of contact if there are concerns with the Australia Cyber Security Act 2024 statement of compliance. The defined support period at the date of issue locks the manufacturer into a commitment that cannot be shortened after publication.

Section 16(1) of the Australia Cyber Security Act 2024 places the primary statement of compliance obligation on manufacturers. An entity that manufactures a relevant connectable product must provide, for the supply of the product in Australia, a statement of compliance with the security standard. This obligation applies when the product is included in a class covered by the Rules and the manufacturer is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances.

Section 9(2) of the Rules reinforces that the Australia Cyber Security Act 2024 statement of compliance must be prepared by, or on behalf of, the manufacturer. This means the manufacturer can delegate the preparation of the statement of compliance to an authorised representative or other agent, but the manufacturer remains responsible for the accuracy and completeness of the document. The declaration in Element (c) explicitly attributes the Australia Cyber Security Act 2024 statement of compliance to the manufacturer regardless of who drafted it.

The compliance declaration in Element (d) of Section 9(3) requires the manufacturer to state their opinion that the product was manufactured in compliance with the security standard and that the manufacturer has complied with any other obligations in the security standard. This means the manufacturer must have verified all three pillars of the smart device security standard before signing the Australia Cyber Security Act 2024 statement of compliance: password controls are correct, the security issue reporting channel is published and accessible, and the defined support period is published with an end date.

Manufacturers operating across multiple jurisdictions should note that the Australia Cyber Security Act 2024 statement of compliance is for the use of the regulator to ensure the responsible entity has met its obligations under the Act and Rules. The Explanatory Statement confirms that statements of compliance are not required to be provided with the product at point of sale. However, responsible entities may provide or publish statements of compliance with their product if they wish.

Section 16(3) of the Australia Cyber Security Act 2024 creates a separate obligation for suppliers. An entity that supplies a relevant connectable product in Australia must supply the product with the Australia Cyber Security Act 2024 statement of compliance. This obligation applies when the product is included in a class covered by the security standard and the supplier is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances.

Section 16(4) requires the supplier to retain a copy of the Australia Cyber Security Act 2024 statement of compliance for the period specified in the Rules. Under Section 10 of the Rules, the retention period for suppliers is the same as for manufacturers: 5 years. This means every entity in the Australian supply chain that handles the product has an independent obligation to retain the Australia Cyber Security Act 2024 statement of compliance for 5 years.

A supplier who is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer cannot lawfully supply a product that was not manufactured in compliance with the security standard under Section 15(3) of the Act. This means the supplier should have a process to confirm that the Australia Cyber Security Act 2024 statement of compliance exists, that it covers the correct product type and batch, and that the defined support period and declarations appear complete before the product enters the Australian supply chain. Supply chain contracts should address statement of compliance handoff, verification, and retention responsibilities explicitly.

Element (e) of Section 9(3) requires the Australia Cyber Security Act 2024 statement of compliance to include the defined support period for the product at the date the statement of compliance is issued. The defined support period is the period, expressed as a period of time with an end date, for which the manufacturer will provide security updates for the product. The Explanatory Statement specifies that the defined support period should include a fixed end date rather than just a duration, for example 'no later than 30 June 2027'.

Schedule 1, Clause 4 of the Rules governs the defined support period. The manufacturer must publish the defined support period in a location that is accessible, free of charge, does not require the creation of an account, is in English, and does not require the provision of personal information. If the manufacturer offers the product on its website, the defined support period must be prominently published alongside the main product characteristics with equal prominence. Once published, the manufacturer must not shorten the defined support period under Clause 4(4). If the manufacturer extends the defined support period, the new period must be published as soon as practicable under Clause 4(5).

The Australia Cyber Security Act 2024 statement of compliance locks the defined support period at the date of issue. If the statement of compliance declares a support period ending 30 June 2027, the manufacturer cannot later reduce that commitment. The support period on the manufacturer's public website must match the support period declared in the Australia Cyber Security Act 2024 statement of compliance. Any mismatch between these two records is a compliance failure that the regulator can identify through a straightforward comparison.

Element (f) of Section 9(3) requires the Australia Cyber Security Act 2024 statement of compliance to include the signature, name, and function of the signatory of the manufacturer. This creates personal accountability within the manufacturer's organization. The signatory must be identified by full name and by their role or job title, and must sign the Australia Cyber Security Act 2024 statement of compliance. The Explanatory Statement acknowledges that the signatory's personal information will be disclosed in the statement of compliance, and accepts this as a proportionate limitation on privacy rights given the public safety purpose of the smart device regime.

Element (b) requires the Australia Cyber Security Act 2024 statement of compliance to include the name and address of the manufacturer, an authorised representative of the manufacturer, and each (if any) of the manufacturer's other authorised representatives that are in Australia. This means the statement of compliance must identify all authorised representatives, not just one. Manufacturers with multiple authorised representatives in Australia must list each one. The authorised representative details give the regulator alternative contact points within the Australian jurisdiction.

Manufacturers should define internal signatory authority rules that specify which individuals are authorised to sign the Australia Cyber Security Act 2024 statement of compliance on behalf of the manufacturer. The signatory register should be maintained as a controlled document, updated when personnel changes occur. If the signatory has left the organisation or changed roles, the register should be updated and future statements of compliance should be signed by a currently authorised person.

Section 10 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 sets the retention period for the Australia Cyber Security Act 2024 statement of compliance at 5 years. This period applies to both manufacturers under Section 16(2) of the Act and suppliers under Section 16(4) of the Act. The obligation to retain the Australia Cyber Security Act 2024 statement of compliance for 5 years applies equally across the supply chain.

The 5 year retention period was reduced from a proposed 10 years following industry consultation. The Explanatory Statement records that stakeholders recommended reducing the retention period to 5 years because it is consistent with the average lifespan of a relevant connectable product and reduces administrative burden on industry. This recommendation was accepted and incorporated into the final Rules.

Retaining the Australia Cyber Security Act 2024 statement of compliance alone is necessary but may not be sufficient for a robust compliance position. The statement of compliance declares that the product meets the security standard and states the defined support period. If the regulator or an independent expert under Section 23 examines the statement of compliance, the manufacturer should be able to produce the evidence that supported the declarations at the time of issue. This means test reports, vulnerability assessment records, support period publication evidence, and signatory approval records should all be retained alongside the Australia Cyber Security Act 2024 statement of compliance.

The 5 year retention period for the Australia Cyber Security Act 2024 statement of compliance should be reflected in the organisation's document retention schedule and records management system. The obligation is not just to store the statement of compliance. The obligation is to be able to retrieve it on demand. If the Secretary requests the Australia Cyber Security Act 2024 statement of compliance under Section 23 of the Act, the entity must be able to produce the document within the period specified in the written notice.

The Australia Cyber Security Act 2024 statement of compliance is a declaration document. The evidence pack is the technical and operational record that proves the declarations in the statement of compliance were justified at the time of issue. A complete evidence pack for each Australia Cyber Security Act 2024 statement of compliance should cover all three pillars of the smart device security standard in Schedule 1 of the Rules: password controls, security issue reporting, and defined support period and security updates. Each pillar should have its own section within the evidence pack.

The evidence pack should also include records related to the signatory, the product identity, and the date alignment between the defined support period in the statement of compliance and the published defined support period on the manufacturer's website. If the regulator or an independent expert under Section 23 asks why the manufacturer declared compliance in the Australia Cyber Security Act 2024 statement of compliance, the answer should be a retrievable evidence pack, not a recollection or a verbal explanation.

Organisations should assign a unique reference number to each Australia Cyber Security Act 2024 statement of compliance and use the same reference number to identify the corresponding evidence pack. This linkage ensures that the statement of compliance and its evidence can always be retrieved together. The evidence pack should be retained for the same 5 year period as the statement of compliance itself.

Organisations should use a single approved template for the Australia Cyber Security Act 2024 statement of compliance. The template should contain all mandatory fields from Section 9(3) of the Rules as labelled placeholders. Teams should not modify the wording or layout without compliance review. The template itself should be a controlled document with its own version number and approval record so that all issued statements of compliance can be traced back to the template version in force at the time of issue.

The template for the Australia Cyber Security Act 2024 statement of compliance should be connected to the product release or supply approval workflow. The statement of compliance should not be issued until the evidence pack is complete, the defined support period page is live and verified, and the signatory has reviewed and approved the content. Automating the generation of the Australia Cyber Security Act 2024 statement of compliance from approved source data (product database, legal entity register, defined support period system) reduces the risk of transcription errors, stale data, and inconsistencies across product families.

If the organisation manufactures multiple product families, maintain one master template for the Australia Cyber Security Act 2024 statement of compliance and populate it from a central product data source rather than maintaining separate templates per product. This approach ensures consistency and simplifies template governance.

The Australia Cyber Security Act 2024 statement of compliance should not be treated as an afterthought that happens outside the product release process. It should be gated into the release approval or supply approval workflow so that no product enters the Australian market without a valid statement of compliance. For manufacturers, the statement of compliance issue step should sit after final test approval and after the defined support period page is confirmed live. For suppliers and importers, the Australia Cyber Security Act 2024 statement of compliance verification step should sit at goods inward or import clearance before the product is released into Australian distribution.

Automated validation should check product version, batch identifier, legal entity name, authorised representative details, defined support period consistency, and signatory authority before the Australia Cyber Security Act 2024 statement of compliance is finalised. A manual process creates opportunities for mismatched identifiers, stale support period data, and unauthorized signatories. If a product variant or firmware update changes the security posture of the product, the organisation should assess whether a new Australia Cyber Security Act 2024 statement of compliance is required for the updated configuration.

Section 23 of the Cyber Security Act 2024 gives the Secretary the power to engage an appropriately qualified and experienced expert to carry out an independent examination of a product to determine whether the product complies with the security standard and whether the Australia Cyber Security Act 2024 statement of compliance complies with the requirements of Section 16. The Secretary can issue a written notice under Section 23(3) requesting the entity to provide the product, the statement of compliance, or both.

The written notice under Section 23(4) must specify the product, the manufacturer of the product (if known to the Secretary), a reasonable period within which the entity must respond, the period for which the product will be retained for testing, the requirements of the security standard the product will be tested against, and the kind of testing or analysis that will be performed. The expert may examine the product by opening packaging, operating the product, testing or analysing the product using electronic equipment, reading records or documents contained in the product, and taking photographs or video recordings. Entities are entitled to reasonable compensation from the Commonwealth for complying with an examination request under Section 23(5).

Audit preparation for the Australia Cyber Security Act 2024 statement of compliance means being able to respond to a Section 23 notice quickly and completely. The organisation should be able to locate the correct statement of compliance for any product batch, produce the supporting evidence pack, and explain the compliance declaration and the defined support period declaration without delay. Organisations should run an internal rehearsal at least once per year to test their readiness.

Select a product at random, locate its Australia Cyber Security Act 2024 statement of compliance, pull the corresponding evidence pack, confirm the defined support period still matches the published page, verify the signatory was authorised at the date of issue, and measure the total time from request to production. If the process takes more than a few business days, the retrieval workflow needs improvement.

The Explanatory Statement for the Rules confirms that responsible entities operating across jurisdictions with similar compliance frameworks can reuse the same information for the Australian statement of compliance. The most significant example is the United Kingdom. Products supplied to the UK market under the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 can provide the same statement of compliance for the Australian market, provided all requirements in Section 9 of the Australian Rules are met.

This cross-jurisdictional recognition reduces the compliance burden for manufacturers who already sell into the UK market. The Australian security standards in Schedule 1, Part 1 of the Rules closely follow the UK PSTI Regulations, which are themselves based on the first three provisions of ETSI EN 303 645. Because the underlying security requirements are substantially aligned, a UK PSTI statement of compliance may already contain most of the information required by Section 9(3) of the Australian Rules. Manufacturers should verify that the UK statement includes all seven Australian elements, particularly the Australian authorised representative details and the place and date of issue.

Most failures with the Australia Cyber Security Act 2024 statement of compliance are process failures, not template failures. The template may contain all seven required elements, but the data populating those elements may be wrong, stale, or inconsistent. Fixing these weaknesses requires process design, not legal drafting. Teams should audit the data sources feeding the Australia Cyber Security Act 2024 statement of compliance and verify that handoff controls between manufacturing, product security, legal, and supply chain functions are reliable.

Every mistake listed below can lead to a non-compliant Australia Cyber Security Act 2024 statement of compliance, which means the product is not lawfully supplied with a compliant document. Under the enforcement provisions of the Act, this can trigger a compliance notice (Section 17), a stop notice (Section 18), or a recall notice (Section 19). The most detectable failure is a mismatch between the defined support period published on the manufacturer's website and the defined support period declared in the statement of compliance, because the regulator can identify this failure through a simple comparison without requesting any internal records.

Division 3 of Part 2 of the Cyber Security Act 2024 provides a graduated enforcement model for failures related to the Australia Cyber Security Act 2024 statement of compliance. The Act does not impose a direct monetary penalty for statement of compliance deficiencies. Instead, the Secretary operates a staged enforcement escalation that can result in compliance notices, stop notices, recall notices, and public notification of failure. Before issuing any notice, the Secretary must notify the entity and provide at least 10 days for the entity to make representations. This pre-notice representation right applies at every stage of the enforcement path.

The enforcement path begins when the Secretary is reasonably satisfied that an entity is not complying with Section 15 (security standards) or Section 16 (Australia Cyber Security Act 2024 statement of compliance obligations), or becomes aware of information suggesting possible non-compliance. Section 23 gives the Secretary the separate power to engage an independent expert to examine whether the product complies with the security standard and whether the Australia Cyber Security Act 2024 statement of compliance complies with the requirements of Section 16. This examination power can be used at any time, not only after a notice has been issued.

If the entity fails to comply with a recall notice, the Minister may publish the entity's identity, details of the product, details of the non-compliance, and the risks posed by the product on the Department's website or in any other way the Minister considers appropriate under Section 20 of the Act. Monitoring powers under Part 2 of the Regulatory Powers (Standard Provisions) Act 2014 also apply to Sections 15 and 16, and enforceable undertakings under Part 6 of the Regulatory Powers Act allow the Secretary to accept formal compliance commitments.