| Area | PSTI (UK) | Australia Cyber Security Act | Practical guidance |
|---|---|---|---|
| Scope and covered activity | PSTI: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | Australia Cyber Security Act: test its own scope boundary, exclusions, and covered activity; do not copy the PSTI conclusion without a separate source-linked finding. | Write two scope findings first so the team can see which products and facts belong to PSTI, which belong to the Australia Cyber Security Act, and which facts need a separate source-linked review before work starts. |
| Who must act | PSTI: identify the manufacturer, importer, distributor, authorised representative, or UK responsible person that owns the connected-product duty. | Australia Cyber Security Act: identify the regulated entity for the relevant duty, such as a reporting business entity, smart-device supplier, ransomware-reporting entity, or critical-infrastructure responsible entity under the separate SOCI framework. | Name each role separately, because one company can be a manufacturer, importer, distributor, or other regulated entity in different workstreams, and each role can carry its own evidence and review step. |
| Trigger or threshold | PSTI: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim. | Australia Cyber Security Act: treat it as triggered only by the facts named in its source, such as thresholds, regulated status, risk tier, designation, incident, market placement, certification need, or supervisory notice. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
| Core obligations | The UK PSTI Act requires manufacturers of connectable products to ban universal default passwords, publish a vulnerability disclosure policy with a named contact point, and declare the minimum security update support period before selling the product in the UK. | The Australia Cyber Security Act requires manufacturers of smart devices sold in Australia to meet minimum cyber security standards set by the government, notify the Cyber and Infrastructure Security Centre of reportable cyber incidents, and implement a voluntary cyber security framework for critical infrastructure operators. | Convert each obligation into a separate action item, such as a ticket, notice, record, control, or contract clause, so the team can show exactly how compliance will be done. |
| Evidence and records | PSTI: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | Australia Cyber Security Act: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
| Timing and cadence | PSTI: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | Australia Cyber Security Act: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
| Enforcement or assurance route | PSTI: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | Australia Cyber Security Act: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ, because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
| Overlap and reuse | PSTI: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | Australia Cyber Security Act: reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
| Practical decision rule | PSTI: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | Australia Cyber Security Act: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | If the product is a UK consumer connectable product, treat PSTI as the default starting point; if the Australian law adds a separate duty, run the Australia Cyber Security Act workstream in parallel and escalate when the same product, evidence set, or control would need to satisfy both regimes. |