Australia: Cyber Security (Security Standards for Smart Devices) Rules 2025

The requirements are already mandatory!

Every industrialized and emerging country we know of already regulates the cybersecurity of critical infrastructures. The regulations are rarely as comprehensive and far-reaching as the European Union's NIS-2 Directive (EU) 2022/2555, but are often comparable to its predecessor, NIS (EU) 2016/1148.

The EU is also a pioneer when it comes to the cybersecurity of products. The most prominent example is the Cyber Resilience Regulation (EU) 2024/2847 (EU CRA for short). The EU CRA is the world's first horizontal regulation for products on this scale. It demands not only transparency and baseline requirements, but also a more comprehensive security regime across the entire product lifecycle, including secure-by-design, risk assessment, due diligence obligations for third-party components and vulnerability handling.

We are not yet aware of any regulations in other countries that are comparable to the EU CRA. There are more limited initiatives, voluntary certification schemes and, of course, numerous sectoral regulations (e.g. in the medical device industry).

Now Australia is also getting involved with its "Cyber Security (Security Standards for Smart Devices) Rules 2025". The most important thing to note is that this regulation has been in effect since March 4, 2026. The 12-month transition period has already ended.

In terms of content, the new Australian regulation is much closer to the UK PSTI Act than to the EU CRA. Australia covers most "smart devices" for household use in Australia ("for personal, domestic or household use or consumption"), very similar to the UK PSTI Act. Smart devices are described as products that can be connected directly or indirectly to the internet (so-called relevant internet-enabled products).

The exemptions differ, however: desktop PCs, laptops, smartphones, tablets, as well as certain therapeutic goods and road vehicles or vehicle components are exempt. The operational focus is on passwords, vulnerability disclosure, defined support/update periods and the manufacturer's "Statement of Compliance".

Would you like to find out more about cyber security for products? Then read:

→ PSTI law in the UK, February 13, 2024
→ Cyber Trust Mark and the FCC IoT label for consumer products in the USA, September 09, 2024

 

Author's note

This article has been machine translated into English.

 



The UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act), in force since April 2024, requires manufacturers, importers and distributors of connected IoT consumer products in the UK to comply with new cybersecurity standards.

Published on 31.03.2026
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Focus Third Party, Insider-Compliance, Compliance
