The rules, introduced by the Department of Home Affairs, establish baseline security requirements for consumer smart devices sold nationally, targeting long-standing vulnerabilities in password management, disclosure of software support periods and the handling of security flaw reporting.
Under the new framework, manufacturers must eliminate universal default passwords from devices and provide clear channels for customers and security researchers to report vulnerabilities.
They must also publicly disclose how long products will receive security updates, a change expected to reshape product labelling, lifecycle planning and customer communications.
The reforms also shift greater responsibility onto businesses for secure product design, testing and ongoing maintenance, while raising expectations for suppliers and retailers involved in procurement decisions, particularly across home security, networking and smart appliance markets.
Consumer Confidence
Consumer confidence in major brands has weakened following a string of prominent cyber incidents, with Roy Morgan reporting showing immediate and lasting declines in trust for organisations affected by breaches, including retailers, telecommunications providers and airlines.
Joe De Martino, an Artificial Intelligence of Things expert at Dahua Technology, described the incoming requirements as a shift in how organisations treat cybersecurity.
“Cybersecurity is now a frontline business issue, not a technical one,” said Joe De Martino, AIoT expert, Dahua Technology.
Security requirements for connected devices have historically varied widely between vendors and product segments.
The new standards formalise minimum expectations tied to everyday user behaviour and common attack vectors, including unchanged default credentials and limited mechanisms for notifying vendors of vulnerabilities.
How Connected Devices Are Assessed
Companies supplying devices to government and large corporate environments already face detailed security questionnaires and contractual requirements covering patching and vulnerability management.
Mandatory consumer standards are expected to lift the overall security baseline and add further weight to cybersecurity criteria in vendor selection and tendering processes.
De Martino said organisations with established security governance may find compliance easier, highlighting the growing importance of formal certifications in procurement decisions.
“We’re seeing more scrutiny from end-users, from governments, and from enterprise procurement teams,” said De Martino.
“International certifications such as ISO/IEC 27001 give businesses a recognised way to demonstrate that their systems and supply chains meet global security standards,” he said.
Vendors that fail to clearly define update support timelines may face increasing commercial pressure, particularly where connected devices remain operational for many years and share networks with sensitive systems.
Increasing Losses
The Australian Signals Directorate reports a continuing rise in both cybercrime activity and financial losses.
Cybercrime was reported once every six minutes in 2024/25, with average individual losses reaching $33,000—an 8% increase compared with 2023/24.
Overall, the agency received 84,700 cybercrime reports during the year, with total losses exceeding $2 billion.
Average losses also climbed across business segments: small businesses recorded average losses of $56,600 (up 14%), medium businesses $97,200 (up 55%), and large businesses $202,700 (up 219%).
De Martino linked the expanding threat landscape to increasing attacker automation and faster-moving campaigns.
“Consumers expect that connected devices, from cameras to appliances to transport systems, are secure by design,” said De Martino.
Connected Devices Surge
The standards arrive as the number of connected devices across homes and workplaces continues to surge, expanding the number of potential attack points linked to weak credentials or unpatched vulnerabilities.
Manufacturers will need to implement password-management controls that prevent repeatable credentials from being deployed at scale, while also building structured intake, triage and response processes for vulnerability reporting.
Mandatory disclosure of security-update support periods is also expected to drive closer coordination between engineering, product and customer service teams, potentially reshaping product roadmaps, lifecycle planning and inventory strategies as longer support commitments influence development costs.
In aviation, cyber incidents can have lasting reputational and customer-confidence consequences. Qantas has faced scrutiny after criminals accessed customer data and later published it on the dark web following an extortion attempt, according to accounts included in industry commentary.
Roy Morgan reporting indicates the airline has not seen a meaningful recovery in trust scores since an earlier cyber incident in 2022.
Dahua Technology says it has implemented security governance measures and holds multiple international cybersecurity certifications.
De Martino said the incoming standards will raise expectations across the connected-technology supply chain, linking compliance directly to market trust.
“Organisations that invest early in meeting and exceeding new standards will be in a far stronger position to maintain trust,” said De Martino.

