EMC China Lab

How to get Australia’s Cybersecurity Standard EN 303 645?

Update time : 2026-01-24

In recent years, global cyber attacks have occurred frequently and become increasingly rampant, posing a severe threat to the security of critical infrastructure such as energy, power, and healthcare. To effectively address the increasingly complex cybersecurity challenges, many countries have successively introduced relevant regulations, strengthening the security standards for connected devices to fortify the cybersecurity defenses in critical sectors.

 



Australia’s New Cybersecurity Regulations

In March 2025, the Australian government officially released the Cyber Security (Security Standards for Smart Devices) Rules 2025 (hereinafter referred to as the "Australian Cybersecurity Rules"). The Rules will come into mandatory effect on March 4, 2026. Designed to enhance the cybersecurity protection capabilities of consumer-connected devices, the new Rules also impose clearer and more stringent compliance requirements on relevant manufacturers.

 

Objectives and Core Obligations of the Rules 2025

The Australian Cybersecurity Rules specify the minimum cybersecurity standards that smart devices sold in Australia must meet. Enacted under the Cyber Security Act 2024, the Rules primarily target manufacturers.

 

Pursuant to the Rules, manufacturers must ensure that their products comply with the relevant security standards and issue a Statement of Compliance. This statement shall include multiple details such as product model, manufacturer information, conformity declaration, and defined support cycle, and must be retained for at least 5 years. Enterprises that fail to comply with the requirements will face corresponding civil penalties.

 

Analysis of Three Core Compliance Requirements under Rules 2025

Similar to the UK’s PSTI Regulations, Australia’s Rules focus on several core security dimensions, with differences in specific details:

 

Core Regulatory Requirements

First Lock: Mandatory Password Personalization

▸ Fully prohibit generic default passwords such as "123456" and "admin". Factory-set passwords for devices must meet the following criteria:

① Unique Generation: Generated based on random algorithms; predictable patterns such as serial numbers or incremental digits are not allowed.

② User Autonomy: Allow consumers to set customized high-strength passwords upon first use.
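As an added illustration (not part of the Rules or of this article's source), the sketch below shows one way a manufacturer could generate per-device factory passwords from a cryptographically secure random source and audit a provisioning batch for the patterns named above. The function names, the denylist, the sample records and the detection heuristics are all assumptions made for this example.

```python
import secrets

# Unambiguous alphabet (no 0/O, 1/l/I) so the password can be printed on a label.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
GENERIC = {"123456", "admin", "password", "12345678"}  # constructed denylist


def generate_factory_password(length: int = 16) -> str:
    """Per-device password from the OS CSPRNG, independent of any device identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_batch(batch: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {serial: [findings]} for (serial, factory_password) records in build order."""
    findings: dict[str, list[str]] = {}
    seen: dict[str, str] = {}
    prev_num = None
    for serial, pw in batch:
        issues = []
        if pw.lower() in GENERIC:
            issues.append("generic default")
        if pw in seen:
            issues.append(f"duplicate of {seen[pw]}")
        seen.setdefault(pw, serial)
        # Serial-derived: password contains the serial or its trailing characters.
        tail = serial[-6:].lower()
        if serial.lower() in pw.lower() or tail in pw.lower():
            issues.append("derived from serial")
        # Incremental: numeric password exactly one above the previous unit's
        # (only the second unit of such a pair is flagged).
        num = int(pw) if pw.isdecimal() else None
        if num is not None and prev_num is not None and num == prev_num + 1:
            issues.append("incremental")
        prev_num = num
        if issues:
            findings[serial] = issues
    return findings


# Constructed sample records (serial, factory password); not real devices.
SAMPLE = [
    ("CAM-000101", "admin"),
    ("CAM-000102", "cam000102"),
    ("CAM-000103", "48210077"),
    ("CAM-000104", "48210078"),
    ("CAM-000105", generate_factory_password()),
]

if __name__ == "__main__":
    for serial, issues in audit_batch(SAMPLE).items():
        print(serial, "->", ", ".join(issues))
```

The heuristics only catch the obvious cases listed in the requirement; a password derived from the serial through a hash or other transform would pass this audit, so the generation process itself still has to be reviewed.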

 

Second Lock: Fully Transparent Vulnerability Response Mechanism

▸ Manufacturers shall publish a vulnerability disclosure policy in a prominent position on their official websites, and commit to:

① Providing at least one feedback channel for security incidents (e.g., dedicated email address, online form).

② Sending a confirmation receipt to the reporter within 48 hours and updating the repair progress on a regular basis.

 

Third Lock: "Lifetime Responsibility System" for Security Update Cycles

▸ The "minimum security support period" (e.g., "Valid until December 31, 2030") must be clearly indicated on product packaging, manuals, and sales pages.

① Once the period is set, it can only be extended, not shortened; any mid-term adjustments must be notified to users via push notifications.

② For devices sold on e-commerce platforms, this information must also be displayed prominently at the top of the product detail pages.

 

Scope of Applicable Products under Rules 2025

Which Devices Need to Be Compliant?

The Rules apply to "consumer-related connectable products" that are accessible to consumers in Australia and can connect to the Internet either directly or indirectly.

 

Typical Covered Products

① Network cameras, smart door locks, alarm systems

② Smart home assistants, smart home appliances

③ Wearable devices

④ Smart lighting fixtures, smart controllers, IoT base stations, etc.

 

Explicitly Excluded Products

① Desktop computers, laptops

② Tablet computers

③ Smartphones

④ Therapeutic goods regulated by the Therapeutic Goods Act 1989

⑤ Road vehicles and their components as defined by the Road Vehicle Standards Act 2018

