Australia IoT Security Compliance

On 4 March 2026, the Australian Cybersecurity (Security Standards for Smart Devices) Rules 2025 will officially come into force. Regarded as one of the "world's strictest" IoT security regulations, it covers not only mainstream consumer electronic products such as smart home devices and wearable devices, but also sets strict mandatory requirements for key areas including password management, vulnerability disclosure, and security update cycles, with technical specifications far exceeding those of the EU EN 303 645 standard.

Core Regulatory Requirements

Mandatory Personalised Password Setting

Generic default passwords such as "123456" and "admin" are completely prohibited. Factory-set device passwords must meet the following criteria:

①　Uniqueness Generation: Passwords shall be generated based on random algorithms, and predictable patterns such as serial numbers and sequential numbers are strictly forbidden.

②　User Autonomy: Consumers shall be allowed to set custom high-strength passwords when using the device for the first time.

Fully Transparent Vulnerability Response Mechanism

Manufacturers are required to publish their vulnerability disclosure policies in a prominent position on their official websites, and commit to the following:

①　Provide at least one security incident reporting channel (e.g., a dedicated email address, an online form).

②　Send a confirmation receipt to the reporter within 48 hours, and regularly update the progress of vulnerability fixes.

"Lifetime Accountability" for Security Update Cycles

①　The "minimum security support period" (e.g., "supported until 31 December 2030") must be clearly indicated on product packaging, user manuals, and sales pages.

②　Once the period is defined, it can only be extended but not shortened; any mid-term adjustment shall be notified to users.

③　Devices sold on e-commerce platforms must display this information prominently at the top of the product detail page.

Scope of Application

Key Regulated Objects

①　Smart Security Devices: Network cameras, electronic door locks, connected alarms.

②　Home Control Devices: Smart speakers, IoT gateways, Wi-Fi smart sockets.

③　Wearable Devices: Smart watches, health monitoring wristbands.

④　Home Appliances: Connected refrigerators, air conditioners, lighting systems.

Exemption List

①　Mobile phones, tablets, and laptops (already governed by other relevant regulations).

②　In-vehicle devices (subject to the Road Vehicle Standards Act).

③　Medical devices (governed by the Therapeutic Goods Act).

Compliance Solutions

①　Technical Self-Inspection: Immediately conduct a compliance gap analysis of password policies, vulnerability management processes, and OTA upgrade functions.

②　Certification Preparation: Prioritise laboratories with corresponding qualifications to ensure that test reports meet the review requirements of Australian authorities.

③　Supply Chain Collaboration: Negotiate with chip suppliers to integrate security modules, reducing modification costs from the underlying hardware level.

④　As one of the few laboratories in the Asia-Pacific region with both EU en 18031 CNAS accreditation and IEC 62443 industrial security certification capabilities, JJR LAB provides:

⑤　Pre-compliance inspection services for Australia's new regulations (simulated review + vulnerability stress testing).

⑥　Customised password system transformation solutions (in compliance with uniqueness algorithm requirements).

⑦　Security update cycle statement templates and full compliance document packages.

Smart device manufacturers are advised to activate their compliance procedures immediately to avoid market access risks in Australia in 2026.