For covered consumer-grade smart devices, the statement of compliance is the product-level record that connects the manufacturer, the product batch, the declared security-standard compliance position, and the support-period claim.
Use this page to prepare the statement, keep the five-year record, and make the product and statement ready if the Secretary requests them for independent examination.
Australia's Cyber Security Act 2024 and the Cyber Security (Security Standards for Smart Devices) Rules 2025 require a statement of compliance for covered consumer-grade relevant connectable products. This guide focuses on the statement itself: who prepares it, who supplies it with the product, what fields it must contain, how long copies must be retained, and what records should be ready for examination.
The statement duty sits in Part 2 of the Cyber Security Act 2024. It applies when rules prescribe a security standard for a class of relevant connectable products that will be acquired in Australia in specified circumstances.
The Smart Device Rules prescribe a security standard for consumer-grade relevant connectable products: products intended by the manufacturer to be used, or of a kind likely to be used, for personal, domestic, or household use or consumption, excluding listed product categories such as desktop and laptop computers, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.
For an in-scope product, the manufacturer must provide a statement of compliance for supply in Australia. A supplier that supplies the product in Australia must supply it with the statement of compliance.
The Smart Device Rules specify the contents of the statement for consumer-grade relevant connectable products. Treat these as mandatory data fields, not as optional narrative text.
The statement must identify the product and batch, give the name and address of the manufacturer and of relevant authorised representatives, declare that it was prepared by or on behalf of the manufacturer, and include the manufacturer's opinion that the product was manufactured in compliance with the security standard and that the manufacturer complied with other obligations in that standard.
The statement must also include the product's defined support period at the date of issue, plus the signature, name, function, place, and date of issue for the manufacturer's signatory.
The Act requires both the manufacturer and supplier, where the statement duty applies to them, to retain a copy of the statement for the period specified in the rules. For statements of compliance with the consumer-grade smart-device security standard, the Smart Device Rules set that period at five years.
The record should be tied to the exact product type and batch identifier used in the statement. Keep it with evidence for the manufacturer's security-standard position, defined support period publication, vulnerability-reporting process, and supply-chain hand-off so a reviewer can connect the signed statement to the product actually supplied in Australia.
Use this guide to turn each covered smart-device product into a statement record with required fields, retention evidence, supplier hand-off records, and examination-ready support material.
The Cyber Security Act 2024 allows the Secretary to engage an appropriately qualified and experienced expert to conduct an independent examination of a product where an entity must comply with section 15 or 16 obligations. The examination can assess whether the product complies with the security standard, whether the statement complies with section 16 requirements, or both.
For examination readiness, keep the statement retrievable together with the product identifier, manufacturer details, Australian supplier details, support-period publication evidence, and the technical evidence that supports password, security-issue reporting, and security-update support-period controls.
If a written request is made for examination, the Act says the notice may request the product, the statement of compliance, or both, and must specify matters such as the product, the manufacturer if known, the period for providing the item, the period of retention for testing, the security-standard requirements to be tested, the testing or analysis to be done, and what may happen if the entity does not comply.