Australia's mandatory security standards for consumer smart devices commenced this week on 4 March 2026, introducing three baseline cyber requirements for consumer‑grade products that can directly or indirectly connect to the internet.
The standards, made under the Cyber Security Act 2024 (Cth), represent a significant shift in regulatory expectations for manufacturers, importers and distributors of consumer‑grade smart devices.
The rationale behind the mandatory standards
The timing is notable. Over the past two years, a series of high‑profile vulnerabilities affecting household robotics, home security cameras and connected appliances has highlighted systemic weaknesses in device authentication, cloud infrastructure security and consumer‑facing protections. The commencement of the new rules reflects a clear policy position: insecure consumer internet-of-things (IoT) products now present a broad national cyber‑risk, and minimum safeguards are no longer optional. Our recent conversations with senior representatives within the Department of Home Affairs revealed that the security of IoT is considered a critical matter of national security.
The mandatory standards in Australia closely align with those established by the United Kingdom's Product Security and Telecommunications Infrastructure (PSTIA) Act 2022, which mandates that all consumer smart devices meet minimum security standards. That regime came into force in the UK in April 2024. Its core requirements include a ban on default passwords, clear vulnerability disclosure requirements and transparent security update periods, akin to those introduced in Australia, as outlined below.
What's changing?
The new framework introduces three core requirements applying to manufacturers and suppliers of smart devices supplied to Australian consumers:
- No universal default passwords – each device must have a unique password or allow the user to set their own.
- A vulnerability disclosure mechanism – manufacturers must publish clear information on how security issues can be reported.
- Minimum security update periods – manufacturers must disclose how long security updates will be provided, with a firm end date.
Manufacturers and suppliers must also provide a statement of compliance and keep records for at least five years. Failure to comply may trigger compliance, stop or recall notices issued by the Department of Home Affairs.
What is in scope?
The standards cover most consumer IoT products, from smart appliances to network‑connected home devices.
While certain product categories remain excluded (such as smartphones, laptops, tablets, therapeutic goods and road vehicles), the scope still captures a large portion of the consumer IoT ecosystem, including smart appliances, home robotics, connected sensors and common household devices. Many products supplied for consumer and household use but less commonly thought of as 'consumer goods' (for example, consumer energy resources) are also caught.
Why this matters: emerging risks and real‑world breaches
While these obligations may appear straightforward, recent incidents highlight why regulators are now intervening. Modern smart devices frequently collect mapping data, photos, video feeds, behavioural insights, and real‑time location information. Without strong password authentication, secure communication protocols and proper access controls, these devices can be accessed — or misused — at scale.
What this means for manufacturers and suppliers
Manufacturers and suppliers will need a compliance program to ensure the requirements are met. Key implications include:
- Manufacturers must redesign onboarding flows to eliminate universal passwords.
- Websites, point-of-sale collateral and/or packaging will need updated, standardised disclosures.
- Suppliers may need to restructure agreements to ensure they can rely on, or require, manufacturer compliance, including sourcing/obtaining manufacturer‑issued compliance statements.
- Vulnerability‑reporting channels must be clearly published and operational — not theoretical.
Businesses importing products, where the offshore manufacturer has no Australian presence, should note they may be treated as the "manufacturer" under the rules, and will have responsibility for compliance.
Enforcement
The enforcement framework is designed to encourage engagement with manufacturers and suppliers of smart devices to uplift industry practice.
If an entity fails to comply, the Secretary of the Department of Home Affairs may issue:
- Compliance notices requiring remediation of identified non‑compliance;
- Stop notices preventing further supply of affected devices; and
- Recall notices requiring manufacturers or suppliers to organise the return of non‑compliant devices.
Failure to comply with a recall notice may result in the public naming of the non‑compliant entity and publication of the associated product risks. The Department may also conduct product testing or require submission of a compliance statement to verify claims.
Looking ahead
The Government has signalled that further consumer IoT regulation is likely, with this standards‑based model giving regulators flexibility to adapt to emerging technologies and threats. The Australian Government has specifically flagged that it plans to add further requirements to the mandatory standards over time, and to consider appropriate standards for enterprise grade devices as well.
Further guidance materials for industry and consumers are expected following commencement.
You can find more details in: our 2025 article, the fact sheet, and the explanatory document.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.