On 4 March 2026, Australia commenced a national, mandatory baseline of cybersecurity requirements for most consumer-grade smart devices supplied to Australian consumers. The Cyber Security (Security Standards for Smart Devices) Rules 2025, made under the Cyber Security Act 2024, require manufacturers and suppliers of internet-connected consumer products to meet three core obligations: no universal default passwords, a published channel for reporting security issues, and transparency about the minimum period of software support – including an end date.
The rules apply to in-scope smart devices manufactured on and from 4 March 2026 that are reasonably expected to be acquired in Australia by a consumer for personal, domestic, or household use. The regime covers devices such as smart TVs, cameras, routers, smart speakers, wearables, smart locks, and home automation equipment, but explicitly excludes desktops and laptops, tablets, smartphones, certain therapeutic goods, and specified road vehicles and components. Products manufactured before the commencement date are not required to comply.
The requirements are deliberately narrow. They closely follow the first three provisions of ETSI EN 303 645, the European standard for consumer IoT cybersecurity that at least nine countries have adopted or referenced in regulatory frameworks. Rather than inventing a new standard, Australia is enforcing an existing one.
Governments have decided that an insecure connected device is a defective product – and that cybersecurity, for a growing class of consumer goods, is a product safety obligation.
What makes this more than a compliance footnote is the enforcement architecture behind it – and what it reveals about a broader regulatory convergence underway in Australia, the United Kingdom, and the European Union: the reclassification of cybersecurity from a technical discipline into a product safety obligation.
The enforcement design question
The Department of Home Affairs wrote the rules and holds the enforcement power. The secretary of the department can issue compliance notices, stop notices prohibiting supply of non-compliant products, and recall notices. The department describes its approach as “uplift-focused” – designed to “encourage engagement with manufacturers and suppliers” and “uplift industry best practice” rather than lead with penalties.
That language is not unusual in a new regime. But the institutional setting is. Home Affairs is a national security department. It is not a product safety regulator. It does not have the market surveillance infrastructure that a consumer product safety agency typically maintains – the kind of routine testing, border inspection, and retail monitoring that catches non-compliant goods on shelves.
The consumer harms from insecure devices, meanwhile, rarely arrive labelled as “cybersecurity incidents”. A compromised baby monitor or smart door lock presents as a privacy breach and a safety issue. A hacked router manifests as service disruption, fraud, or network abuse. The technical root cause sits in cybersecurity. The visible harm is distributed across product safety, consumer protection, privacy, and the continuity of regulated services in sectors such as energy and health.
Australia’s regulatory landscape reflects that fragmentation. The Australian Competition and Consumer Commission (ACCC) leads on general product safety and consumer law. The Office of the Australian Information Commissioner (OAIC) enforces privacy law. The Australian Communications and Media Authority (ACMA) oversees communications equipment and codes. Sector regulators in energy, health, and financial services supervise the services that increasingly depend on connected devices. Yet none of those agencies is the primary enforcer of the smart device rules.
That institutional design creates a coordination burden. Unless referral pathways, memoranda of understanding, and shared intelligence arrangements are actively built, there is a risk that the new standards sit on the statute book without a clear operational route from harm to enforcement.
Manufacturers must prepare a statement of compliance for in-scope products; suppliers must ensure products are supplied with that statement; and both must retain the documentation for five years. A government-funded, industry-led voluntary labelling scheme for smart devices is being developed in parallel by the IoT Alliance Australia, with project completion required by 31 March 2027. The intent is to give consumers a visual indicator of a device’s security posture – complementing, not replacing, the mandatory rules.
The UK: product safety framing, limited visible enforcement
The UK’s regime offers a different answer to the enforcement design question – and a different set of trade-offs.
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) has been in force since 29 April 2024. It imposes three core security requirements on “consumer connectable products”: banning universal default and easily guessable passwords, mandating a public point of contact for vulnerability reporting, and requiring clear information about the minimum support period for security updates.
Enforcement sits with the Office for Product Safety and Standards (OPSS), part of the Department for Business and Trade. OPSS is a product safety regulator. It already runs national market surveillance programmes, conducts testing, liaises with border authorities, and manages product recalls. The PSTI Act effectively extends this product safety machinery into the domain of cybersecurity.
The penalty framework is substantially more muscular than Australia’s. OPSS can impose civil penalties of up to £10 million or 4% of a company’s global annual revenue, whichever is higher, with additional daily penalties of up to £20,000 for continuing contraventions. It can also compel manufacturers, importers, and distributors to take corrective action including withdrawal or recall of non-compliant products.
Nearly two years after the requirements took effect, however, publicly reported enforcement under the regime appears limited. OPSS’s published list of enforcement actions for the period 1 April to 30 September 2025 covers construction products and general product safety interventions but does not include any actions explicitly identified as taken under the consumer connectable product security regulations.
That does not prove no PSTI enforcement has occurred – publication may lag behind activity, and not all regulatory engagement will appear in a single list – but it does mean the regime’s enforcement phase has been quiet on the public record.
OPSS describes its approach as “risk-based, pragmatic and proportionate”, noting that it will take account of “the maturity of the legislation” when deciding how to respond to breaches. For Australian policymakers, the UK experience illustrates both the benefit and the limitation of a strong product safety framing. Housing enforcement in a product safety regulator ensures access to established market surveillance capabilities. But a regime can still spend a long time in a guidance-heavy phase before enforcement actions become visible.
The EU’s Cyber Resilience Act: lifecycle obligations and delayed standards
Where Australia and the UK concentrate on baseline consumer IoT requirements, the EU’s Cyber Resilience Act (CRA) takes a far more expansive approach. The regulation entered into force on 10 December 2024 and will apply in stages: reporting obligations for actively exploited vulnerabilities and incidents commence on 11 September 2026, with most substantive requirements applying from 11 December 2027.
The CRA covers all “products with digital elements” placed on the EU market – consumer and commercial, hardware and software – not just consumer IoT. It imposes obligations across the entire product lifecycle, including secure design and development processes, vulnerability handling, and the provision of security updates throughout a product’s support period. Manufacturers must prepare technical documentation that includes a Software Bill of Materials (SBOM), giving greater transparency into the components and dependencies that make up a product.
Enforcement is decentralised. National market surveillance authorities – often the same bodies that enforce general product safety law – will oversee compliance and can order corrective actions, withdrawals, or recalls. The regulation’s penalty framework sets maximum levels for breaches of different obligations, with some infringements carrying potential fines of up to €15 million or 2.5% of a company’s global annual turnover, whichever is higher. Member states are responsible for setting specific penalty schemes within that framework.
The scale of the CRA creates its own implementation risks. The European Commission has issued standardisation request M/606, asking European Standards Organisations to develop 41 harmonised standards to support CRA compliance. Those standards are being delivered in stages, not as a single package, with the first deliverables expected in Q3 2026. Until harmonised standards are available for key aspects of the regime, manufacturers may struggle to demonstrate conformity – particularly for high-risk products that must undergo third-party conformity assessment.
| | Australia | United Kingdom | European Union |
| --- | --- | --- | --- |
| Legislation | Cyber Security Act 2024; Smart Devices Rules 2025 | Product Security and Telecommunications Infrastructure Act 2022 | Cyber Resilience Act (Reg. 2024/2847) |
| In force | 4 March 2026 | 29 April 2024 | Reporting: 11 September 2026; Full: 11 December 2027 |
| Scope | Consumer smart devices (excl. desktops, laptops, smartphones, tablets, certain therapeutic goods, road vehicles) | Consumer connectable products (broad; incl. smartphones, excl. vehicles, medical devices, meters) | All products with digital elements – hardware and software |
| Core obligations | No default passwords; vulnerability disclosure; defined support period | No default passwords; vulnerability disclosure; defined support period | Cybersecurity by design; lifecycle vulnerability management; SBOM; CE marking |
| Standards alignment | Closely follows ETSI EN 303 645 (first three provisions) | Based on ETSI EN 303 645 | 41 harmonised standards requested (M/606) |
| Enforcement body | Secretary, Dept of Home Affairs | OPSS (Dept for Business and Trade) | National market surveillance authorities |
| Max penalties | Enforcement notices; civil penalties for related obligations | £10m or 4% global revenue; £20k/day continuing | €15m or 2.5% global turnover (Member State schemes) |
| Stated posture | “Uplift-focused” | “Pragmatic and proportionate” | Phased: reporting first, full compliance later |
Canada and New Zealand: critical infrastructure first, consumer IoT later (if at all)
Canada and New Zealand have been moving on cybersecurity regulation, but not yet in ways that create mandatory baseline security standards for consumer smart devices.
In Canada, current federal legislative attention is on critical systems and telecommunications security. Bill C‑8 was introduced on 18 June 2025, after the prorogation of parliament on 6 January 2025 caused its predecessor Bill C‑26 to die on the order paper. Bill C‑8 would impose cybersecurity obligations on designated telecoms service providers and operators of critical cyber systems in federally regulated sectors including banking, telecommunications, energy, and transportation.
The proposed administrative monetary penalty regime is stringent. For some contraventions, the bill allows penalties of up to C$15 million for organisations, with each day of a continuing contravention treated as a separate violation. However, this is not a consumer IoT device security regime. It targets network operators and critical infrastructure providers, not manufacturers of household connected devices. On the consumer side, no national baseline law equivalent to the PSTI Act or Australia’s smart device rules has been proposed or is in development.
New Zealand’s Cyber Security Strategy 2026–2030, released by the Department of the Prime Minister and Cabinet on 27 February 2026, similarly focuses first on critical infrastructure and national resilience. Alongside the strategy, the government published a discussion document proposing a mandatory cybersecurity framework for providers of seven essential services: communications and data, defence, energy, finance, health, transport, and drinking water and wastewater. The consultation runs until 19 April 2026.
Among the proposals are enforceable obligations to implement risk-appropriate cybersecurity measures, new regulator powers to issue directions and conduct inspections, and a tiered penalty structure. For the most serious breaches – such as negligent or knowing failure to meet minimum cyber risk management requirements or national security directions – proposed penalties reach up to NZ$5 million or 2% of turnover for entities, and up to NZ$500,000 in personal criminal liability for directors. Those sanctions are consultation-stage proposals, not enacted law.
As in Canada, none of these proposals currently creates a mandatory baseline for consumer IoT devices. New Zealand’s IoT Alliance has been pursuing voluntary initiatives and trans-Tasman alignment with Australia’s IoT Alliance Australia – particularly around the smart device labelling scheme. A new trans-Tasman standards agreement signed in February 2026 commits both countries to aligning standards across areas including cybersecurity. But voluntary alignment is not the same as enforceable standards.
Without a mandatory regime, both countries remain dependent on the assumption that manufacturers complying with Australian, UK, or EU rules will extend that compliance to all markets – an assumption that regulatory arbitrage in product safety makes unreliable.
What this convergence means for other regulators
The reclassification of cybersecurity as product safety has consequences for regulators well beyond the agencies holding direct enforcement power.
Connected devices are now embedded in the infrastructure that energy, health, and financial services regulators oversee. Smart meters, connected diagnostic equipment, IoT-enabled payment terminals, and networked building management systems all depend on devices that are now – or soon will be – subject to cybersecurity product safety obligations in at least three major markets.
Treating cybersecurity as product safety carries two practical implications for sector regulators. First, they gain a potential ally. Where smart devices are covered by product safety-style cybersecurity standards, sector regulators can factor those upstream obligations into their own supervisory work – through procurement guidance, licensing conditions, and on-site inspections that assume certain classes of equipment must meet defined security baselines.
Second, they must still plan for failure. Even with upstream standards, insecure or non-compliant devices will reach critical sectors. Sector regulators therefore need clear referral pathways to the agencies that enforce product security rules, and internal capabilities to assess the systemic risk that insecure devices pose to the services they oversee. In Australia, that means practical arrangements between Home Affairs, the ACCC, ACMA, OAIC, and sector regulators. In the UK and EU, it means coordination between OPSS or national market surveillance authorities and the regulators responsible for energy, health, finance, and transport.
The direction of travel is clear. Technical standards bodies, national security agencies, product safety regulators, and sectoral supervisors are being pulled into a shared domain in which cybersecurity failures are treated as defects in products and systems, not just in code. The jurisdictions moving first – the UK with PSTI, the EU with CRA, and now Australia with its smart device rules – are defining not just what “secure by design” means on paper, but how hard it will be to make it real.
Frequently asked questions
What do Australia’s smart device cybersecurity rules actually require?
From 4 March 2026, in-scope smart devices manufactured on and from that date must not use universal default passwords, must provide a way for security issues to be reported, and must make clear how long security updates will be provided – including an end date. Manufacturers must prepare a statement of compliance; suppliers must ensure products are supplied with that statement; and both must retain the documentation for five years. The rules closely follow the first three provisions of ETSI EN 303 645 and mirror the UK’s PSTI requirements.
How do Australia’s rules compare to the UK and EU?
Australia’s regime is a narrow baseline: three core obligations for consumer smart devices, enforced by the Department of Home Affairs, with enforcement notices as the main tool. The UK’s PSTI Act imposes the same three obligations on a broader category of “consumer connectable products”, enforced by OPSS with significantly higher potential penalties of up to £10 million or 4% of global revenue. The EU’s Cyber Resilience Act goes further still, covering all products with digital elements, imposing lifecycle obligations including vulnerability handling and SBOM documentation, and setting maximum penalties of up to €15 million or 2.5% of global turnover for some infringements.
What should sector regulators outside cybersecurity do now?
Regulators in sectors such as energy, health, and financial services should start by mapping where connected devices sit in the systems they oversee and whether those devices fall within a product security regime in their jurisdiction. They should then establish referral arrangements with the agencies that enforce those regimes, and update their own supervisory expectations, procurement guidance, and risk assessments to assume that device-level cybersecurity is part of the product safety landscape – not a separate technical concern.