New Cybersecurity Laws – Obligations on Manufacturers and Suppliers of Connected Products


Late in 2024, the Australian Government passed the Cybersecurity Act 2024, Australia’s first piece of standalone cybersecurity legislation.

Part 2 of the Act, which will impose numerous obligations on suppliers and manufacturers of smart devices and other internet-connected products, will come into effect no later than 29 November 2025.

To whom will the Act apply?

If your business supplies or manufactures a product or device that is internet or network-connectable, the Act may apply. It is primarily concerned with smart devices, including ‘smart home’ products and wearables.

The following products are regulated through separate legislative schemes, and will not be subject to rules under the Act:

  • vehicles or vehicle components (including infotainment systems)
  • laptops or computers
  • smartphones or tablets.

What will the Act require?

All relevant connected products will be subject to a set of ‘minimum security standards’ under Part 2 of the Act.

These standards are:

  • Passwords: Where a device requires a password, it must be unique per product, or set by the user. Universal default passwords such as ‘admin’ or ‘123’ must not be used. These passwords must not be based on incremental numbers, and must not be easily guessable.
  • Security mechanisms: Manufacturers must publish security issue disclosure mechanisms. These mechanisms must include one point of contact to allow a person to report security issues relating to the device.
  • Support periods: Manufacturers must define a support period for security updates for their products, including an end-date, which consumers can use to consider the purchase of a product. The Act does not set out any kind of minimum period; it just requires that one must be defined.

Manufacturers must comply and provide a statement of compliance before the product is supplied.

Suppliers are prohibited from supplying a product that does not comply with these standards, and products must be supplied with the manufacturer’s statement of compliance.

What are the consequences of non-compliance?

Failures by either manufacturers or suppliers to meet their obligations could result in:

  • ‘stop’ or ‘recall’ notices being issued, and
  • the Minister publishing details of the non-compliance online.

However, no fines or other penalties will apply.

What should businesses do?

The Act will take effect no later than November 29 2025. This gives businesses an opportunity before then to begin preparing their pathways to compliance, including drafting compliance certificates.

CIE Legal will continue to provide timely updates to our clients where they may be affected. If you have any questions or require assistance with compliance, please contact our team.

This content is provided for reference only and may not be current on the date of access. It does not constitute legal advice and should not be relied upon as such.
