Mandatory Cyber security requirements in Australia
While the EU is now making its mark on mandatory cybersecurity requirements with the Cyber Resilience Act, Australia is also ready to enter the stage. As early as 4 March 2026, Australia's new cybersecurity requirements, specified in the Cyber Security (Security Standards for Smart Devices) Rules 2025, will commence, following a 12-month transition period which began on the date of their registration on 4 March 2025.
What products?
The background for the requirements was the increase in connected products along with the increase in malicious activity, so the main group in scope is connected products for consumers.
The scope is specified in the Cyber Security (Security Standards for Smart Devices) Rules 2025. It includes, of course, internet-connected products, but is not limited to them. Typical products may be smart TVs, IP cameras, routers, and smart lighting and household products.
Products specifically excluded include, for example, desktop computers, laptops, tablet computers, smartphones, therapeutic goods within the meaning of the Therapeutic Goods Act 1989, and road vehicles and road vehicle components within the meaning of the Road Vehicle Standards Act 2018.
Please note that these products may also have cybersecurity requirements but under other regulations.
What are the requirements?
The requirements are divided into 3 main groups:
• Passwords
• Support period
• Vulnerability reporting
These requirements may be evaluated against the Cyber Security (Security Standards for Smart Devices) Rules 2025 themselves. However, because they align closely with ETSI EN 303 645 (“Cyber Security for Consumer IoT”), which is widely recognized as the baseline standard for consumer IoT security, ETSI EN 303 645 may also be used to check for conformity. Evaluating products against ETSI EN 303 645 can effectively demonstrate compliance with the Australian Rules because the principles are consistent.
The ETSI EN 303 645
This standard was first published in 2020 and quickly became the most used IoT cyber security standard internationally, including outside of Europe. It takes a pragmatic approach to cyber security, ensuring a good basic level of security, and forms the basis of several certification schemes. In 2023, it was also formally accepted by the IECEE for use in the CB certification scheme, which is by far the largest certification scheme for electrical products, with more than one hundred thousand certificates issued annually. ETSI EN 303 645 remains relevant and was updated to version 3.1.3 in 2024.09.
How to comply?
The bare minimum is to comply with the three requirements of the Cyber Security (Security Standards for Smart Devices) Rules 2025 on passwords, support period and vulnerability reporting, and to make a self-declaration accordingly.
For broader market acceptance and stronger customer trust, adopting an international standard such as ETSI EN 303 645 is highly recommended. Doing so not only demonstrates best practice but also positions manufacturers to meet both upcoming mandatory cybersecurity requirements and existing national regulations in markets where they seek access.
Is my product in the scope?
To find out whether your product is in scope and which requirements are relevant for your products in particular, use the link below to set up a free Teams meeting with one of our cybersecurity experts.