Mandatory cybersecurity standards for smart devices in Australia are due to take effect in March 2026. They will place new obligations on manufacturers and suppliers of connected products as cybercrime rises and consumer scepticism remains high.

Introduced by the Department of Home Affairs, the rules set baseline requirements for consumer smart devices sold in Australia. They focus on password security, vulnerability reporting and transparency about software support, areas long flagged by regulators and security specialists as weak points in connected products.

Manufacturers must remove universal default passwords from devices. Businesses must also provide an accessible way for security researchers and customers to report vulnerabilities. They must disclose how long a device will receive security updates, affecting product labelling, support planning and customer communications.

The changes shift more responsibility onto businesses for product design, testing and maintenance, and place greater emphasis on post-sale support as part of cybersecurity practice. Suppliers and retailers may also face higher expectations in procurement and product selection, particularly for home security, networking and smart home appliances.

Trust pressure

Consumer trust in major brands has fallen after a series of high-profile cyber incidents. Roy Morgan reporting points to immediate and lasting declines in public trust for companies affected by breaches, including retailers, telecommunications providers and airlines.

Joe De Martino, an Artificial Intelligence of Things expert at Dahua Technology, described the incoming requirements as a shift in how organisations treat cybersecurity.

“Cybersecurity is now a frontline business issue, not a technical one,” said Joe De Martino, AIoT expert, Dahua Technology.

Security requirements for connected devices have often varied by vendor and product segment. The new standards formalise minimum expectations in areas tied to everyday user behaviour and common attack paths, such as unchanged default credentials and limited ways to notify vendors of vulnerabilities.

Procurement shift

Businesses selling into government and large corporate environments already face security questionnaires and contractual clauses around vulnerability handling and patching. Mandatory consumer device standards are likely to lift the baseline across the market and add weight to security criteria in tendering and vendor selection.

De Martino said organisations with established security processes may find it easier to respond to the new requirements, and pointed to the growing role of formal certifications in procurement decisions.

“We’re seeing more scrutiny from end-users, from governments, and from enterprise procurement teams. International certifications such as ISO/IEC 27001 give businesses a recognised way to demonstrate that their systems and supply chains meet global security standards,” said De Martino.

Vendors that do not clearly state support periods for security updates may face increased commercial pressure, particularly where devices remain in service for many years. Security teams and buyers often see unclear patch timelines as an operational risk, especially when connected devices share networks with sensitive systems.

Rising losses

The Australian Signals Directorate has reported a rising tempo of cybercrime and higher losses by category of victim. Cybercrime was reported once every six minutes in 2024/25. Average losses for individual victims were $33,000, 8% higher than in 2023/24.

In total, the Australian Signals Directorate received 84,700 cybercrime reports in 2024/25, with losses of more than $2 billion. Average losses also rose across business sizes: small businesses lost $56,600 on average (up 14%), medium businesses $97,200 (up 55%), and large businesses $202,700 (up 219%).

De Martino linked the broader threat environment to changes in attacker capability, saying automation is lowering the barrier for criminals and speeding up campaigns.

“Consumers expect that connected devices, from cameras to appliances to transport systems, are secure by design,” said De Martino.

Industry impact

The standards arrive as connected devices proliferate across households and workplaces, increasing the number of endpoints that can be targeted through weak credentials or unpatched vulnerabilities. Manufacturers will need to ensure password management aligns with the rules, including processes to prevent repeatable credentials being shipped at scale. They will also need a defined intake process for vulnerability reports, including triage and communication back to reporters and customers.

Disclosing update support periods is likely to require tighter coordination between engineering, product and customer service teams. It may also drive changes in product roadmaps and inventory management, as longer support expectations can affect cost and development planning.

In aviation, the consequences of cyber incidents can extend beyond remediation costs to reputation and customer sentiment. Qantas has faced scrutiny after criminals accessed customer data and later published it on the dark web following an extortion attempt, according to accounts included in industry commentary. Roy Morgan reporting indicates the airline has not seen a meaningful recovery in trust scores since an earlier cyber incident in 2022.

Dahua Technology says it has implemented security governance measures and holds multiple international certifications related to cybersecurity practices. De Martino said the new Australian requirements will raise expectations for all suppliers of connected technology, linking compliance to customer confidence.

“Organisations that invest early in meeting and exceeding new standards will be in a far stronger position to maintain trust,” said De Martino.