On November 29, 2024, Australia's Cyber Security Act 2024 (CSA) received Royal Assent and became law[1]. In the following, we take a closer look at the CSA to find out what impact it will have on manufacturers and suppliers of IoT devices.
The CSA is divided into seven parts:
- Part 1: Preliminary
- Part 2: Security standards for smart devices
- Part 3: Ransomware payment reporting obligations
- Part 4: Coordination of significant cyber security incidents
- Part 5: Cyber Incident Review Board
- Part 6: Regulatory powers
- Part 7: Miscellaneous
Part 2 will be of particular interest to manufacturers and suppliers of IoT devices, as it introduces mandatory security standards for smart devices (IoT devices).
According to the CSA, a smart device (connected device) is a device that can communicate directly or indirectly with the Internet.
Australian legislation will introduce mandatory security standards in this area over the coming years; the standards themselves are made as rules by the responsible Minister rather than being written into the Act.
The first standard to be introduced under those ministerial rules is expected to address the cybersecurity of consumer-oriented IoT devices.
The Australian government intends to base this on the "Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK)", which refer to ETSI EN 303 645. [2]
The security standard is expected to contain provisions on at least the following three topics, which correspond to the three provisions of the UK regulations:
- No universal default passwords (each device must ship with a unique password, or require the user to set one)
- A published method for receiving and managing vulnerability reports
- Published information about the minimum period for which the device will receive security updates
After publication of such a security standard, there will be a 12-month transition period before its application becomes mandatory.
For the first security standard, an exclusion-based approach to the scope of covered devices is likely to be chosen.
This means that devices falling under one of the following points can be excluded from the application of the security standard:
- existing laws already adequately cover the cybersecurity risks posed by these devices;
- a higher or tailored standard for these devices is already being developed within the government; or
- the device is complex enough that applying these rules to it would risk a lower security standard than would otherwise apply.
With the CSA, Australia joins the emerging body of international cyber security legislation, see the Cyber Resilience Act, Brazil's Act No. 77 - "Cyber Security Requirements For Telecommunication Equipment" and California's IoT Bill (SB-327), among others.
Parallels to the EU's Cyber Resilience Act (CRA) are the cyber security requirements for certain products as well as the requirements for reporting security incidents. One difference, however, is the scope of the respective legal acts. While the CRA's definition of "products with digital elements" covers significantly more products than IoT devices, the CSA only covers "connected devices" that can communicate directly or indirectly with the Internet. A similar definition can be found in Delegated Regulation (EU) 2022/30, which activates the cybersecurity requirements of Article 3(3)(d), (e) and (f) of the Radio Equipment Directive 2014/53/EU. Compliance with that regulation is mandatory from August 1, 2025.
Whereas the CRA requires an EU declaration of conformity and CE marking, the CSA requires manufacturers and suppliers of IoT devices to draw up a "statement of compliance" in which they assert that the device meets the applicable security standard. Among other things, this statement of compliance must list the security standards met and state the period for which the product will be supported with security updates.
As already mentioned, the CSA also addresses the reporting of security incidents. Part 3 of the CSA prescribes the mandatory reporting of ransomware payments. Reporting entities (Australian businesses above a turnover threshold set in the rules, and responsible entities for critical infrastructure assets) must report such a payment to the designated Commonwealth body within 72 hours of making it or becoming aware that it has been made. The reporting obligation is therefore limited by law to incidents in which an extortion demand for money or another benefit is actually paid; a ransomware attack without a payment does not trigger it.
According to Part 4 of the CSA, other significant security incidents can be reported voluntarily to the National Cyber Security Coordinator. The National Cyber Security Coordinator is given a statutory footing for the first time by the CSA and is intended to support the coordination and handling of significant security incidents. In comparison, the CRA requires manufacturers to submit an early-warning notification of any actively exploited vulnerability within 24 hours to ENISA and the CSIRT designated as coordinator, in accordance with Article 14(1).
Part 5 establishes a Cyber Incident Review Board. This board is to carry out reviews of certain cyber security incidents. Such a review can be initiated by various bodies, including the Minister, a member of the board itself, or the National Cyber Security Coordinator.
The purpose of such a review is to develop recommendations for action to detect, respond to, mitigate or prevent cyber security incidents of a similar nature in the future.
In conclusion, manufacturers and suppliers of IoT devices must wait for the publication of the security standards for this category of devices; once a standard is made, they will have at least 12 months to implement its requirements. Since the first standard is expected to follow the UK regulations and thus ETSI EN 303 645, aligning products with that standard now (unique per-device passwords, a vulnerability disclosure process and a published support period) is a sensible way to prepare.
Author
Anne Barsuhn
Junior Consultant Cybersecurity
DEFINITIONS AND ABBREVIATIONS
IoT - Internet of Things: Networked devices equipped with sensors, software and other technologies to transmit and receive data to and from other devices.