The Smart Device Laws Nobody Told You About

New federal cyber rules kicked in on Tuesday. There wasn't an announcement most people would have seen. The coverage that did exist was mostly aimed at manufacturers and importers, which is technically where obligations land. But there's a reason it matters to you even if you're not selling routers for a living.

Your office smart TV and doorbell camera just entered a federal cyber framework.

The Cyber Security (Security Standards for Smart Devices) Rules 2025 are part of the broader Cyber Security Act 2024 that got Royal Assent in November. From the 4th of March, any smart device manufactured for Australian consumers has to ship without universal default passwords, so no more "admin/admin" on every unit off the line. Manufacturers also have to publish how long the device will get security updates and provide a way for people to report vulnerabilities. That's the gist. The Department of Home Affairs is running enforcement. Routers, IP cameras, smart doorbells, VoIP phones, smart TVs. All in scope. Your laptop and phone are explicitly excluded.

None of this applies to devices that were already manufactured before Tuesday. The TP-Link in the comms cabinet, the cameras that went up during your last fit-out, the smart TV in the boardroom that IT didn't really sign off on, they're untouched by this. You can't legislate backwards at gear that's already in the field. So the practical uplift takes years to flow through as old stuff gets replaced.

Which means the more pressing question isn't what's coming into your office, it's what's already there.

The part of the Cyber Security Act 2024 even fewer people know about

The smart device rules are one piece of a broader Cyber Security Act 2024 that received Royal Assent in November. The other piece that matters for business owners: mandatory ransomware payment reporting. If your business suffers an incident and pays a ransom, you now have 72 hours to report it to the Australian Signals Directorate. Non-compliance carries civil penalties up to $94,000. Government's stated approach is education-first, but the obligation is there.

That fits the same pattern as ASIC's action against FIIG Securities last month. The regulatory environment around cyber has been tightening in a quiet, incremental way, and businesses that haven't been paying attention are going to find the gap between where they are and where they're expected to be has grown while they weren't looking.

What's worth doing now

When you next buy a connected device for the office that was manufactured after Tuesday, be it a camera, a router or a smart TV, you're entitled to a statement of compliance from the supplier. Worth asking about.

For everything already there: find out what's on your network, check whether default credentials have ever been changed, and work out whether any of it has passed its manufacturer support date. Separating consumer-grade devices onto their own network segment, away from business systems, is a reasonable precaution that doesn't require a lot to implement.
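The checks in the paragraph above can be run over a simple device inventory. This is an added example, not something from the rules or a vendor tool; the CSV column names, segment labels and sample devices are all assumptions made up for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: every device, address and date here is made up.
SAMPLE_INVENTORY = """\
name,type,ip,segment,default_creds_changed,support_ends
comms-router,router,192.0.2.1,edge,yes,2027-06-30
lobby-camera,ip_camera,192.0.2.20,business,no,2024-12-31
boardroom-tv,smart_tv,192.0.2.30,iot,unknown,
front-doorbell,doorbell,192.0.2.40,iot,yes,2028-01-31
"""


def audit(inventory_csv, today, business_segment="business"):
    """Return {device name: [findings]} for devices with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        # Check 1: only a recorded "yes" counts; "no" and "unknown" need follow-up.
        if row["default_creds_changed"].strip().lower() != "yes":
            findings.append("default credentials not confirmed changed")
        # Check 2: a blank support date is a finding too, because nobody has
        # established whether the device still receives security updates.
        end = row["support_ends"].strip()
        if not end:
            findings.append("support end date unknown")
        elif date.fromisoformat(end) < today:
            findings.append("past manufacturer support date")
        # Check 3: consumer-grade devices should not sit beside business systems.
        if row["segment"].strip().lower() == business_segment:
            findings.append("shares a segment with business systems")
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, date.today()).items():
        print(f"{name}: " + "; ".join(findings))
```

Devices with no findings are left out of the report, so an empty result means every row passed all three checks.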

None of this is new advice. But there's now a federal framework that says this kind of thing matters, which is probably a useful thing to be able to point to.

We've been looking after Sydney businesses for over 20 years. If you want us to take a look at what's actually connected to yours, get in touch. No sales pitch, just a straight conversation.


Jamie Wilson, Founder
