Smart devices and the Law: When Does Cybersecurity Become Product Safety?
Insecure smart devices have long occupied a tricky legal space. When a device like a baby monitor or smart speaker is hacked, the consequences feel severe, yet cybersecurity has been regarded as separate from product regulation, a matter of patches and passwords rather than of legal design. Australia’s new standards are beginning to change this, signalling a shift in which manufacturers must build fundamental cybersecurity measures into connected products if they want to sell in Australia, rather than treating security as an afterthought.[i]
That shift is a sound one. Part 2 of the Cyber Security Act 2024 (Cth) allows rules to prescribe security standards for “relevant connectable products” in certain situations.[ii] Manufacturers must ensure their products comply with the applicable security standards when they know, or should know, that the products will be used in those circumstances. Suppliers are also prohibited from supplying non-compliant products,[iii] which shifts responsibility upstream: designers and manufacturers must now meet minimum cybersecurity obligations, rather than consumers being left to research product quality themselves.
The Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cth) adopt a restrained model, which is a strength. For relevant connected consumer products, the Rules require three forms of protection. First, products must avoid universal default passwords; non-default passwords must be unique or user-defined. Second, manufacturers must publish information on security issue reporting. Third, they must state the minimum security support period, in months or years, from a specified date.[iv]
These modest but significant requirements address common security issues in consumer devices. Default passwords enable mass exploitation. Unclear reporting channels hinder vulnerability reporting. Limited support periods leave consumers uncertain about product safety. The Rules do not eliminate risks but make them legally visible, holding manufacturers responsible for addressing them.
The compliance regime reinforces accountability: manufacturers must provide a statement of compliance for in-scope products, and suppliers must supply those products with that statement.[v] The Rules specify the minimum content of the statement: product type, batch ID, manufacturer’s name and address, compliance declaration, and support period.[vi] Both manufacturers and suppliers must retain the statement for five years after it is first provided.[vii] This requirement matters because cybersecurity is difficult for consumers to evaluate at the point of sale. A compliance statement will not turn buyers into experts, but it does establish accountability within the supply chain and gives regulators a clearer basis for investigation.
The enforcement framework underlines the regime's significance. If the Secretary believes a person has breached these obligations, the Secretary may issue a compliance notice, a stop notice, or a recall notice. Ignoring a recall notice may result in the publication of details about the non-compliance and the associated risks. These are legal standards backed by regulatory powers.[viii]
The regime faces criticism mainly over its scope. The Rules exclude products such as desktops, laptops, tablets, smartphones, therapeutic goods, and vehicles, making the framework less comprehensive than the term “smart device security standards” suggests. Some exclusions are reasonable, as those products already have specialised regulations or require bespoke standards. However, these exclusions also indicate that Australia lacks a comprehensive cyber product safety regime.[ix]
A second critique is that the standards are floor-setting rather than transformative. A manufacturer may comply while offering only minimal security support, provided that support period is disclosed.[x] Similarly, the Rules do not mandate secure architecture, high-quality patches, penetration testing, or guaranteed support throughout a product’s lifespan; manufacturers need only meet basic standards, not necessarily robust ones. Critics argue that this normalises minimal compliance instead of fostering genuinely secure-by-design products.
Official guidance states that the Act requires products to be supplied “with” or “accompanied by” a statement of compliance, but it does not define these terms, leaving businesses to interpret what compliance requires. Smaller suppliers and importers may face particular challenges, especially in online sales and complex distribution chains. This is a concern if the regime aims to be practical rather than punitive.
Despite these criticisms, the reform's value remains. Product safety law focuses on preventing recurring harms and holding those most capable of acting accountable, rather than guaranteeing perfect safety. Australia’s standards for smart devices reflect this approach, recognising that insecurity in connected products results from design flaws, market incentives, and information gaps, not just consumer choices. The law is gradually adjusting to technological realities.
Australia is correct to treat insecure smart devices as more than a minor issue. The current rules are limited, and future reforms may broaden the standards or the range of products covered. As a starting point, the regime signals that in a connected economy, cybersecurity is part of product safety. This is not an overreach, but a sensible recognition that digital safety is becoming standard product safety by 2026.[xi]
─────────────────────────────────────────
References
[i] Cyber Security Act 2024 (Cth) s 3(a) (‘Cyber Security Act’).
[ii] Ibid s 14(1).
[iii] Ibid ss 15(1), (3).
[iv] Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cth) sch 1 pt 1 cls 2(1)–(2), 3(1), 4(1)–(4) (‘Cyber Security Rules’).
[v] Cyber Security Act (n 1) s 16(1), (3).
[vi] Cyber Security Rules (n 4) s 9(2)(a)–(f).
[vii] Ibid s 10(1)–(2).
[viii] Cyber Security Act (n 1) ss 17(1)–(2), 18(1)–(2), 19(1)–(2), 20(1)–(2).
[ix] Cyber Security Rules (n 4) s 8(1)(b)(i)–(vii).
[x] Ibid sch 1 pt 1 cl 4(1).
[xi] Ibid sch 1 pt 1 cls 2–4; Cyber Security Act (n 1) ss 14–20.