
Australia’s New Smart Device Cybersecurity Rules 2026: What Businesses Need to Know

Australia’s new smart device cybersecurity rules started on 4 March 2026. They set minimum security standards for many connected consumer devices, including products such as smart cameras, smart TVs, smart watches, home assistants and other internet-connected devices. For Australian businesses, the rules are a useful reminder to check which smart devices are connected to the workplace network, whether they are still supported, and whether they are being managed safely.

Key takeaways

  • The rules apply mainly to consumer-grade smart devices manufactured on and from 4 March 2026.
  • The three baseline requirements to focus on: no universal default passwords, clear vulnerability reporting, and published security support periods.
  • Laptops, desktops, smartphones and tablets are excluded, along with some other categories.
  • Businesses should not assume a compliant device is automatically safe on a business network.
  • A smart device review should sit alongside broader cybersecurity controls such as MFA, patching, endpoint protection, network segmentation and monitoring.

What counts as a smart device under the new rules?

A smart device is generally a connectable product that can communicate over the internet or another network. In business settings, this can include security cameras, smart access systems, printers, smart displays, building sensors, conferencing equipment, IoT-enabled appliances and some energy management devices.

Home Affairs explains that the rules cover products consumers use every day, including smart TVs, smart watches, home assistants, baby monitors and consumer energy resources. The standards apply to in-scope products manufactured on and from 4 March 2026.

This matters because many businesses buy consumer-grade devices for office, retail, warehouse or home-office use. A device may look low risk because it is inexpensive or simple, but it can still connect to Wi-Fi, store data, receive updates or expose a path into a network.

What are the three minimum cybersecurity requirements?

The new cybersecurity rules introduce three security obligations for in-scope products.

1. Devices must not rely on universal default passwords.
Passwords must be unique per product or set by the user where required for the product’s intended use. This addresses a common weakness where many devices share the same default login.

2. Manufacturers must publish a way to report security issues.
This gives researchers, customers and partners a route to disclose vulnerabilities and receive status updates.

3. Manufacturers must publish clear information about security support periods.
Manufacturers must publish information about the device’s security support period, including an end date. For businesses, this is useful because unsupported devices can become a hidden risk after updates stop.

These rules are a baseline. They do not replace good business cybersecurity practice, and they do not mean every smart device is suitable for every workplace.

Why businesses should pay attention even if they are not manufacturers

Many Australian SMEs will not manufacture or import smart devices. Even so, the rules affect purchasing decisions and risk management.

A compliant device may still need secure setup, network controls and ongoing monitoring. For example, a smart camera with a unique password can still be risky if it is connected to the same network as accounting systems, left unpatched, shared with too many users or managed through an unmanaged cloud account.

The Australian Signals Directorate’s Essential Eight is recommended as a baseline to make systems harder for adversaries to compromise, although ASD notes no set of mitigations can protect against every threat.

You can book a cybersecurity consultation or contact Tech Engine Australia to understand whether their managed IT and cybersecurity services are the right fit and what the next step would involve.

Frequently Asked Questions:

Do Australia’s 2026 smart device rules apply to every business device?

No. The rules focus on most consumer-grade smart devices acquired in Australia by consumers. Some categories, including desktops, laptops, smartphones and tablets, are excluded. Businesses should still review all connected devices from a cybersecurity risk perspective.

Does a statement of compliance mean a smart device is safe for business use?

Not necessarily. A statement of compliance indicates the product meets specified requirements. Business suitability also depends on configuration, updates, network design, user access and monitoring.

Should Australian SMEs replace old smart devices immediately?

Not always. A sensible first step is to check whether the device is still supported, whether passwords and access are controlled, and whether it sits on a safe part of the network. Unsupported or high-risk devices may need replacement or isolation.

What smart devices are commonly overlooked in offices?

Commonly overlooked devices include security cameras, smart TVs, meeting room equipment, smart locks, printers, sensors, routers, access control systems and devices installed by third-party contractors.

Can Tech Engine Australia help with smart device cybersecurity?

Tech Engine Australia provides managed IT and cybersecurity services for Australian businesses, including security audits, risk strategy, endpoint protection, application control, managed SIEM, password management and Essential Eight-aligned support. Exact scope, pricing and suitability should be confirmed directly with the team.

If smart device issues are persistent, costly or unclear, or are starting to affect your confidence, time, safety, compliance or decision-making, it may be worth getting tailored advice.