- Sets the statement-of-compliance retention period at five years for consumer-grade relevant connectable products.
"the period is 5 years"
For consumer-grade relevant connectable products, the evidence record should prove that the right product is in scope, the manufacturer prepared the statement, the required statement fields are complete, and the manufacturer or supplier can retain and produce the statement.
Use this page to structure records for product launches, imports, supplier onboarding, retailer checks, and regulator examination readiness. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
Australia's Cyber Security Act 2024 requires manufacturers and suppliers to handle statements of compliance for relevant connectable products when the product is in a regulated class and is expected to be acquired in Australia in the specified circumstances. The Smart Devices Rules set the statement fields and make the retention period five years for consumer-grade relevant connectable products.
Keep this evidence file focused on Part 2 smart-device duties, not ransomware reporting, critical-infrastructure obligations, privacy breach records, or general cyber controls. The trigger is a relevant connectable product that falls within the consumer-grade class covered by the Smart Devices Rules and will be acquired in Australia by a consumer.
The minimum evidence set should tie one product type and batch identifier to the manufacturer, any authorised representatives, the applicable security standard, the manufacturer's compliance opinion, the defined support period at issue, and the signed place and date of issue.
The Smart Devices Rules specify the content of the statement of compliance. A useful evidence pack should therefore be field-by-field, rather than a generic compliance memo.
For each statement, capture the source record that proves the field value, the person who approved it, and the version of product or support-period information used when the statement was issued.
The statement says whether, in the manufacturer's opinion, the product was manufactured in compliance with the security standard and whether the manufacturer met the other obligations in that standard. That opinion should be backed by technical records for the three security-standard areas in Schedule 1.
The technical file does not need to be public, but it should be understandable to product security, legal, compliance, and supplier-management reviewers who may need to explain why the statement was accepted.
For consumer-grade relevant connectable products covered by the Smart Devices Rules, the statement-of-compliance retention period is five years. The Act applies retention duties to both the manufacturer that provides the statement and the supplier that supplies the product with it.
Examination readiness matters because the Secretary may arrange an independent examination of the product, the statement, or both. Evidence should be retrievable by product and batch so the business can respond without rebuilding the file after a request arrives.
"provide the product, or the statement"