
Australia Mandates Security Standards for Smart Devices. Here's What That Means.

9 Mar 2026

The average Australian household is already running 20 to 25 smart devices, and that number is expected to nearly double by 2030. Most of them go unnoticed. Not the phone in your pocket, but the security camera at your front door or the thermostat connected to your Wi-Fi. They sit on home and office networks, often the last thing considered in a security conversation, and until recently, there was no minimum standard in Australia for how they had to be built or sold.

From 4 March 2026, that is no longer the case. The Cyber Security (Security Standards for Smart Devices) Rules 2025, enacted under the Cyber Security Act 2024, establishes a minimum baseline for how connected devices must be built, sold, and supported.

Three requirements now apply to in-scope devices:

  1. No universal default passwords: each device must ship with a unique password, or require one to be set before first use. (We've written about why default and reused passwords create easy entry points for attackers; read it here.)

  2. Vulnerability disclosure: suppliers must provide a publicly accessible contact point for reporting security flaws, with status updates on resolution.

  3. Defined support periods: suppliers must clearly state how long a device will receive security updates, including an end date.

On the whole, this is a good thing. Default passwords on shared device models have been a known attack vector for years. The absence of published support timelines has made it difficult to know when a device stops being safe to run. These standards address both.


What the Rules Cover

The legislation applies to IoT and connected devices, not general computing. Desktop computers, laptops, smartphones, and tablets are explicitly excluded. In scope are the kinds of connected devices that often get overlooked in security conversations: security cameras, smart locks, digital whiteboards, wearables, smart TVs, and similar products. Routers and other networking hardware may also fall in scope depending on classification, so it is worth checking against the full exemption list in section 8 of the Rules.

The rules apply to devices manufactured on or after 4 March 2026. Devices already in the market before that date are not required to meet the new standards.


What This Means for You

From March 2026, any in-scope device manufactured from here on should arrive with a unique password, a clear support timeline, a published way to report security issues, and a statement of compliance from the supplier. For schools, businesses, and government agencies buying connected hardware, that is a meaningful shift from how many of these products have been sold up to now.

The same applies at home. If you are buying a new security camera, a smart TV, or any connected device this year, the manufacture date is worth checking. For anyone managing procurement at a business or institution, it is a reasonable question to ask your supplier too. Products made before March 2026 are not required to meet the new standards, which means older stock on shelves may not meet the new baseline. There may be a real difference in what you are getting.

To be clear: the compliance obligation does not fall on you as the buyer or operator. The legal requirements sit with manufacturers and distributors. You are not required to audit existing devices, replace hardware, or certify anything under these rules. But the standards do change what you should expect when buying new devices, and that is worth knowing.

Whether it is a device at home or on a workplace network, the expectation from March 2026 is that new connected products come with a basic level of built-in security. That is not a high bar. But it is a meaningful change from where things have been, and it is worth understanding what has shifted.


How Secure ISS Can Help

Secure ISS works with Australian organisations on device security and risk. If you want to understand your connected device environment or what the new standards mean for your next procurement decision, get in touch.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the always-changing Australian threat landscape.
