Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead
Australia’s mandatory security standards for consumer smart devices commenced this week on 4 March 2026, introducing three baseline cyber requirements for consumer‑grade products that can directly or indirectly connect to the internet.
The standards, made under the Cyber Security Act 2024 (Cth), represent a significant shift in regulatory expectations for manufacturers, importers and distributors of consumer‑grade smart devices.
The timing is notable. Over the past two years, a series of high‑profile vulnerabilities affecting household robotics, home security cameras and connected appliances have highlighted systemic weaknesses in device authentication, cloud infrastructure security and consumer‑facing protections. The commencement of the new rules reflects a clear policy position: insecure consumer internet-of-things (IoT) products now present a broad national cyber‑risk, and minimum/optional safeguards are no longer optional. Our recent conversations with senior representatives within the Department of Home Affairs revealed that the security of IoT is considered a critical matter of national security.
The mandatory standards in Australia closely align with those established by the United Kingdom’s Product Security and Telecommunications Infrastructure (PSTIA) Act 2022, which mandates that all consumer smart devices meet minimum security standards. This legislative reform was enforced in the UK in April 2024. Core requirements under this regime include a ban on default passwords and establish clear vulnerability disclosure requirements and transparent security updates, akin to those introduced in Australia, as outlined below.
The new framework introduces three core requirements applying to manufacturers and suppliers of smart devices supplied to Australian consumers:
Manufacturers and suppliers must also provide a statement of compliance and keep records for at least five years. Failure to comply may trigger compliance, stop or recall notices issued by the Department of Home Affairs.
The standards cover most consumer IoT products, from smart appliances to network‑connected home devices.
While certain product categories remain excluded (such as smartphones, laptops, tablets, therapeutic goods and road vehicles), the scope still captures a large portion of the consumer IoT ecosystem, including smart appliances, home robotics, connected sensors and common household devices. Many products supplied for consumer and household use (but less commonly thought of as ‘consumer goods’) – for example consumer energy resources - are caught.
While these obligations may appear straightforward, recent incidents highlight why regulators are now intervening. Modern smart devices frequently collect mapping data, photos, video feeds, behavioural insights, and real‑time location information. Without strong password authentication, secure communication protocols and proper access controls, these devices can be accessed — or misused — at scale.
Manufacturers and suppliers will need a compliance program to ensure the requirements are met. Key implications include:
Businesses importing products, where the offshore manufacturer has no Australian presence, should note they may be treated as the “manufacturer” under the rules, and will have responsibility for compliance.
The enforcement framework is designed to encourage engagement with manufacturers and suppliers of smart devices to uplift industry practice.
If an entity fails to comply, the Secretary of the Department of Home Affairs may issue:
Failure to comply with a recall notice may result in public naming of the non‑compliant entity and product risks. The Department may also conduct product testing or require submission of a compliance statement to verify claims.
The Government has signalled that further consumer IoT regulation is likely, with this standards‑based model giving regulators flexibility to adapt to emerging technologies and threats. The Australian Government has specifically flagged that it plans to add further requirements to the mandatory standards over time, and to consider appropriate standards for enterprise grade devices as well.
Further guidance materials for industry and consumers are expected following commencement.
You can find more details in: our 2025 article, the fact sheet, and the explanatory document.
Partner, Melbourne
Executive Counsel, Melbourne
Senior Associate, Sydney
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead