
Malfunctioning Machines to Mandatory Standards: Cyber Security Standards for Consumer Smart Devices Have Commenced

March 31, 2026

By: Cameron Whittfield, Magdalena Blanch-de Wilt & Caitlyn Bellis (Herbert Smith Freehills Kramer)


In this insight piece, authors Cameron Whittfield, Magdalena Blanch-de Wilt & Caitlyn Bellis (Herbert Smith Freehills Kramer) look into Australia’s new mandatory cybersecurity standards for consumer smart devices, which came into force on 4 March 2026 under the Cyber Security Act 2024. These rules introduce baseline security obligations for internet-connected consumer devices and mark a significant shift in regulatory expectations for manufacturers, importers, and distributors operating in the IoT space.

The authors explain that the move is driven by rising concerns over vulnerabilities in connected devices, including home appliances, security cameras, and robotics, which have exposed systemic weaknesses in authentication and data protection. Reflecting a broader policy stance that insecure IoT devices pose national security risks, the Australian framework aligns closely with similar regulations in the UK, emphasizing minimum, non-optional safeguards across the sector.

At the core of the new regime are three key requirements: banning universal default passwords, mandating clear vulnerability disclosure mechanisms, and requiring transparency around the duration of security updates. These obligations apply to a wide range of consumer IoT products, and businesses must also maintain compliance records and provide formal statements of conformity, with non-compliance potentially triggering enforcement actions such as stop or recall notices.

Finally, the authors highlight the operational and legal implications for businesses, including the need to redesign product onboarding, update disclosures, and ensure robust compliance processes, particularly for importers who may be treated as manufacturers. With enforcement mechanisms in place and further regulatory expansion anticipated, companies are encouraged to proactively adapt as Australia continues to strengthen its approach to IoT cybersecurity…
