
Australia Smart Device Cybersecurity Regulation 2026: Compliance Guide for Market Access

Editor: ESTL | Category: Certification information | Release time: 2026-01-23

With the rapid development of Internet of Things (IoT) technology, smart connected devices have been deeply integrated into daily life, but the accompanying cybersecurity risks have become increasingly prominent. As a major global consumer of smart devices, Australia has introduced the Cyber Security (Smart Device Security Standards) Rules 2025 as a subsidiary regulation under the Cyber Security Act 2024 to strengthen market supervision and protect consumer rights. This new regulation will be officially enforced on March 4, 2026. It clearly defines security standards, responsible entities, and penalty mechanisms for various connected smart devices, becoming a critical threshold for enterprises entering the Australian market. Equipped with professional testing capabilities and rich compliance experience, Guangdong Energy Storage Testing Technology Co., Ltd. provides end-to-end compliance solutions for all types of smart device enterprises, helping products smoothly open the door to the Australian market.


I. Scope of Application & Exempt Product Categories

The regulatory target of Australia’s new cybersecurity regulation covers all consumer-grade smart devices sold in Australia with direct or indirect connectivity functions, uniformly defined as "relevant connected products" in the regulation. These devices realize core operations such as data interaction, remote control, and function upgrades via networks, posing potential risks like data leakage and malicious intrusion—thus being included in the strict regulatory framework.

The new regulation also clearly specifies an exemption list, including three main categories:

  1. Desktop computers, laptops, and tablets
  2. Smartphones
  3. Medical supplies, road vehicles, and their core components as defined by local Australian laws

In terms of mainstream market products, smart cameras, smart locks, smart routers, smart TVs, smart speakers, home security alarms, etc., all fall within the regulatory scope. Manufacturers of these products must strictly comply with the new regulation requirements and complete compliance certification before market launch.


II. In-Depth Analysis of Typical Regulated Products

Combined with Australian market consumer demand and new regulatory requirements, compliance key points of the following five typical smart connected devices deserve enterprises’ focused attention—their security design directly determines whether products can enter the market smoothly:

1. Smart Cameras

As core home security devices, smart cameras enable remote real-time monitoring, video storage, motion detection alerts, and other functions via networks, making them frequent targets of cyberattacks due to their connected nature. According to the new regulation:

  • No default universal passwords: Manufacturers must generate a unique initial password for each device or force users to set a custom high-strength password on first boot.
  • 24/7 vulnerability reporting channel: A dedicated channel must be established. If firmware vulnerabilities leading to video data leakage are discovered, an emergency response mechanism must be activated within 48 hours to synchronize risk information with regulators and users.
  • Clear support cycle: Security update services must last no less than 5 years after product discontinuation to ensure full-lifecycle security protection.

2. Smart Locks

Smart locks provide remote unlocking, temporary password authorization, unlock record queries, and other functions via networks, and therefore directly affect users’ personal and property safety. The new regulation’s core requirements focus on identity authentication and data encryption:

  1. Adopt multi-factor authentication; remote unlocking operations require dual verification (password + verification code / biometrics).
  2. Encrypt sensitive data such as unlock records and user information using AES-256 to prevent theft.
  3. Manufacturers must commit to at least 3 years of security update support to promptly fix vulnerabilities in Bluetooth and Wi-Fi communication protocols.

3. Smart Routers

As the "central nervous system" of home networks, smart routers connect every other device in the home—their security directly determines the defense capability of the whole home network. In accordance with the new regulation and the internationally recognized EN 18031 security standard, smart routers must meet multiple stringent requirements:

  • Disable factory default weak passwords; force users to set complex passwords of 10+ characters (including letters, numbers, and special symbols) during initial configuration.
  • The management backend must use the HTTPS (TLS 1.3) encrypted transmission protocol to prevent interception and tampering of management commands.
  • Built-in intrusion detection system (IDS) to automatically identify and block attacks such as port scanning and brute-force cracking.
  • Provide at least 5 years of firmware security update services to promptly patch cybersecurity vulnerabilities.

4. Smart TVs

Smart TVs integrate functions such as connected video streaming, voice interaction, and smart home control, involving the collection and transmission of large amounts of user behavior data. The new regulation requires:

  • Establish a transparent data collection mechanism to clearly inform users of data collection scope and purposes.
  • Implement password strength detection for user accounts to reject easily crackable passwords (e.g., pure numbers, consecutive characters).
  • Establish a regular security update mechanism for system firmware; the support cycle must cover at least the product sales cycle + 2 years to ensure users receive continuous security protection upgrades.

5. Smart Speakers

Smart speakers realize music playback, smart home control, information query, and other functions via voice interaction. Their microphones remain in standby mode at all times, posing privacy leakage risks. The new regulation’s core requirements for smart speakers include:

  1. Obtain explicit user authorization for voice data collection; encrypt data transmission and storage throughout the entire process.
  2. Set up convenient vulnerability feedback channels to allow users to report security issues such as abnormal voice wake-up and misoperations at any time.
  3. Manufacturers must publicly disclose the security update support cycle; for discontinued products, provide at least 1 year of security patch push services.

III. Three Core Requirements of the New Regulation & Compliance Key Points

Australia’s new cybersecurity regulation builds a smart device security protection system from three dimensions—password security, security issue reporting, support cycle & security updates—and clarifies manufacturers’ responsibilities for compliance declarations:

1. Password Security Requirements

Passwords must be resistant to dictionary attacks. The new regulation explicitly prohibits universal default passwords, a core measure to curb cyberattacks. Manufacturers must ensure that each device either ships with a unique and unpredictable initial password set at the factory or forces users to set a custom password on first boot. Following international standard recommendations:

  • Password length should be no less than 10 characters, including uppercase and lowercase letters, numbers, and special symbols.
  • Devices must have built-in password strength detection functions to reject weak password settings.
  • For remote control functions, multi-factor authentication (MFA) must be mandatory to reduce risks caused by password leakage.
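As an added example (not code from the original article or from ESTL), the following Python implements the password rules stated above from the manufacturer's side: a validator that enforces the 10-character minimum and the four character classes, rejects purely numeric passwords and runs of consecutive characters, and screens against a weak-word list, plus a per-device initial password generator driven by the OS CSPRNG. The weak-word list is a small constructed stand-in for a real dictionary.

```python
import secrets
import string

MIN_LENGTH = 10
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
# Constructed sample of a weak-password dictionary; a real device would
# ship a large list (this is an assumption for the example, not from the page).
WEAK_WORDS = {"password", "admin", "qwerty", "letmein", "welcome", "iloveyou"}


def is_sequential_run(s: str, run: int = 3) -> bool:
    """True if s contains `run` characters that step by +1 or -1 (e.g. 'abc', '321')."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("purely numeric")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special symbol")
    if is_sequential_run(pw):
        problems.append("contains a run of consecutive characters")
    lowered = pw.lower()
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains a dictionary word")
    return problems


def generate_initial_password(length: int = 14) -> str:
    """Generate an unpredictable per-device initial password that satisfies check_password()."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:  # rejection sampling: retry until the random string passes the policy
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

Wiring check_password() into the first-boot setup screen rejects weak user choices, while generate_initial_password() covers the factory-assigned alternative the regulation allows.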

2. Security Issue Reporting Requirements

Vulnerability channels must be publicly accessible. Manufacturers must establish a free, publicly available, and easily accessible security vulnerability reporting channel. This channel must support 24/7 feedback reception and allow issue submission without requiring users to provide personal information. Key requirements for the channel include:

  • Send a confirmation receipt to the reporter within 48 hours of receiving a vulnerability report.
  • Regularly update the progress of vulnerability handling.
  • If a vulnerability may affect user security, immediately report it to regulators, notify users via in-product push notifications and official website announcements, and provide temporary protective measures and final solutions.

3. Support Cycle & Security Update Requirements

Sustained security updates are mandatory. Manufacturers must clearly publicize the product’s security update support cycle in prominent locations such as product manuals and official websites. Once determined, the cycle cannot be shortened; any extension must be announced publicly in a timely manner. Drawing on industry practices, the new regulation recommends a support cycle of no less than 5 years after product discontinuation. During the support cycle:

  • Manufacturers must continuously provide firmware security patches to fix known vulnerabilities.
  • Patches must be transmitted via encrypted channels to prevent tampering during updates.
  • Automatic update detection functions must be supported to remind users to upgrade in a timely manner.

4. Compliance Declaration Retention Requirements

The Document of Compliance (DOC) must be retained. Manufacturers must prepare a compliance declaration for each product model, which must include at least 12 core elements: product type, batch code, manufacturer & authorized representative information, support cycle, security standard compliance statement, etc. The declaration must be signed by the enterprise’s responsible person. It must be properly retained for at least 5 years for random inspections by Australian regulators—failure to retain the declaration as required will be deemed a violation.


IV. Penalty Mechanisms & Enterprise Response Strategies

The Australian government has formulated a tiered penalty system for non-compliant manufacturers with severe enforcement—enterprises must attach great importance to avoid market losses caused by violations:

  1. Compliance Notice: Regulators will issue a written notice to non-compliant enterprises, specifying non-compliant points, rectification requirements, and consequences of overdue rectification. Enterprises must complete rectification within the specified time limit and submit a re-inspection application.
  2. Stop Notice: If enterprises fail to complete rectification on time, regulators will issue a stop notice, requiring immediate suspension of all production, import, and sales activities of non-compliant products to prevent further market entry.
  3. Recall Notice: For non-compliant products already on the market, regulators will order enterprises to implement a full recall. Enterprises must bear all costs incurred by the recall (transportation, testing, return and exchange, etc.) and suspend all sales of the product in Australia.
  4. Public Disclosure & Fines: If enterprises refuse to cooperate with regulatory requirements, the government will publicly disclose the manufacturer’s identity, non-compliant product information, specific violations, and product risks via official channels. Fines of up to 40% of the product’s Australian sales revenue may be imposed, and enterprises will be included in the government procurement blacklist, restricting their participation in government project bidding.

To meet strict regulatory requirements, smart device enterprises should deploy compliance work in advance:

  1. Integrate new regulatory requirements into the product design phase, incorporating password security, data encryption, and other functions into the product architecture.
  2. Select professional testing institutions for compliance testing to identify and rectify potential issues in a timely manner.
  3. Establish a sound post-sales security service system to ensure the effective operation of security update and vulnerability response mechanisms.

Guangdong Energy Storage Testing Technology Co., Ltd. provides one-stop services covering compliance assessment, testing & rectification, and declaration preparation, helping enterprises accurately meet new regulatory requirements and reduce compliance costs.


V. Frequently Asked Questions (FAQs)

Q1: What are the typical smart devices regulated by Australia’s new cybersecurity regulation?

A1: The new regulation mainly covers consumer-grade smart devices with connectivity functions, including smart cameras, smart locks, smart routers, smart TVs, smart speakers, home security alarms, smart sockets, etc. Desktop computers, smartphones, medical devices, etc., are not within the regulatory scope.

Q2: What are the specific password requirements under the new regulation?

A2: The new regulation prohibits universal default passwords—manufacturers must assign a unique initial password to each device or force users to set a custom password on first boot. Passwords should be no less than 10 characters long, including uppercase and lowercase letters, numbers, and special symbols. For remote control functions, multi-factor authentication must be enabled to enhance account security.

Q3: What content must a product compliance declaration include, and how long should it be retained?

A3: The compliance declaration must include at least 12 elements such as product type, batch code, manufacturer & authorized representative information, security standard compliance statement, and product support cycle, and must be signed by the enterprise’s responsible person. According to the new regulation, the declaration must be retained for at least 5 years—electronic or paper storage is acceptable, provided the content is complete and traceable.

Q4: If a product has passed EU or US cybersecurity certifications, is it still required to comply with Australia’s new regulation?

A4: Yes. Australia’s new regulation has independent security standards and requirements—certifications such as EU EN 303 645 and US NIST cannot directly replace Australian compliance testing. Enterprises must complete special testing and prepare compliance declarations in accordance with the specific clauses of Australia’s new regulation.

Q5: What are the advantages of Guangdong Energy Storage Testing Technology Co., Ltd.’s compliance testing services?

A5:

  1. Professional Team Advantage: We have senior testing experts familiar with Australia’s new regulation, capable of accurately interpreting regulatory requirements.
  2. End-to-End Services: Covering compliance assessment, product testing, rectification guidance, declaration preparation, and other links.
  3. Efficient Collaboration: Maintaining close communication with relevant Australian regulators to promptly synchronize regulatory updates, helping enterprises quickly obtain compliance qualifications.


Conclusion

The implementation of Australia’s new cybersecurity regulation on March 4, 2026, marks the entry of the local smart device market into a new phase of "security and compliance". For smart device enterprises, compliance is not only a "passport" to enter the Australian market but also a core driver to enhance product competitiveness and win consumer trust. Guangdong Energy Storage Testing Technology Co., Ltd. will leverage professional technical services and comprehensive compliance support to help enterprises break through trade barriers and achieve high-quality global product sales.
