Australia’s evolving IoT regulations

  • June 25, 2025
  • William Payne

Australia’s regulatory approach to the Internet of Things is a blend of existing sector-agnostic legal frameworks and an emerging body of IoT-specific cybersecurity measures. In particular, the passing of the Cyber Security Act in 2024 will have significant impacts on the regulation and safety of IoT within Australia.

Existing laws and regulations concerning data handling, telecommunications, and consumer protection form the basis for IoT regulation within Australia. These include the Privacy Act 1988 and the attendant Australian Privacy Principles Schedule, the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Australian Consumer Act 1997, the Australian Consumer Law, and the Spam Act 2003.

Australian Privacy Principles

The Privacy Act 1988 (APA) and Australian Privacy Principles (APPs) define obligations on the collection, use, storage, and disclosure of personal information, including from IoT devices.

The APA requires that organisations take “reasonable steps” to implement security measures and requires explicit consent for the collection of sensitive information or the use of data for secondary purposes. The Notifiable Data Breaches (NDB) Scheme established under the APA imposes a requirement for organisations to notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of discovering a data breach likely to cause serious harm.

The Telecommunications Act

The Telecommunications Act 1997 (Telecom Act) and Telecommunications (Interception and Access) Act 1979 (TIA Act) together with the APA govern the use and disclosure of telecommunications data. They stipulate that certain types of data, such as call times, sender and recipient details, and location data, be retained for at least two years. The Australian Communications and Media Authority (ACMA) certifies wireless communication devices to ensure they adhere to industry standards for connection to Australian telecommunications networks.

The Australian Consumer Law

The Australian Consumer Law (ACL) ensures that all products sold within Australia, including IoT devices, meet prescribed safety, quality, and security standards. The Australian Competition and Consumer Commission (ACCC) can intervene, initiate product recalls, or impose penalties if a device is found to be defective or to pose a privacy risk.

The Spam Act

The Spam Act 2003 established consent as a legal prerequisite for sending commercial electronic messages, mandating clear sender identification and the provision of a functional unsubscribe mechanism.

In addition to ACMA and ACCC, the Office of the Australian Information Commissioner (OAIC) holds primary responsibility for enforcing the Privacy Act 1988 and the Australian Privacy Principles. The Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) provide guidelines for securing connected devices, encompassing encryption, access controls, and vulnerability management. They also receive system information from designated Systems of National Significance to maintain a near-real-time understanding of cyber threats.

The Digital Platform Regulators Forum (DP-REG), which includes the ACCC, ACMA, eSafety Commissioner, and OAIC, ensures regulatory coherence, including at the intersection of AI and IoT.

The Cyber Security Act 2024

A major departure in the regulation of IoT in Australia was the Cyber Security Act 2024, enacted in November 2024. An associated rules schedule was registered in March 2025, and commencement is set for March 4, 2026. The Act is a core component of the Australian Government’s broader 2023-2030 Cyber Security Strategy.

The Act introduces several critical measures designed to enhance national cybersecurity, with a particular emphasis on IoT. The Act establishes a dedicated regime for minimum security standards applicable to “relevant connectible products.” These encompass both IoT and other network-connectible devices sold in Australia. These standards apply to both Australian and international manufacturers and suppliers.

The Cyber Security Rules 2025

The Cyber Security (security standards for smart devices) Rules 2025 detail these requirements, which aim to align with international best practices, such as those from the European Telecommunications Standards Institute (ETSI) and the UK’s Product Security and Telecommunications Infrastructure Act 2022, while in some areas imposing more rigorous obligations.

Key mandates of the Cyber Security Rules 2025 include the prohibition of universal default passwords; a vulnerability reporting mechanism; minimum security update periods; a statement of compliance; and enforcement tools.

Under the Rules, devices must feature unique passwords or enable users to define their own strong passwords, in order to eliminate easily guessable or predictable default credentials. Manufacturers are also required to implement and publicise a clear disclosure policy outlining contact information and timelines for acknowledging and resolving reported security issues. Manufacturers must also provide transparent and accessible information regarding the duration of security update support for their products; this published period cannot be shortened but may be extended. Manufacturers are further obligated to provide a formal statement of compliance with applicable security standards for each product, and both manufacturers and suppliers must retain a copy of this statement for five years.

Another requirement of the Act is mandatory ransomware payment reporting. Organisations with an annual turnover exceeding AUD $3 million, or those operating critical infrastructure, are now required to report any ransomware payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of payment.

Limited Use Obligation

The Act establishes a National Cyber Security Coordinator (NCSC) and a Cyber Incident Review Board (CIRB). The NCSC will manage significant cyber incidents within a voluntary information-sharing framework, while the CIRB will conduct post-incident reviews of major cybersecurity events, with the authority to compel information when voluntary cooperation is insufficient.

The Act creates a ‘Limited Use’ obligation to encourage greater collaboration between the private sector and government during cyber incidents. It restricts how information voluntarily provided to the NCSC can be used and disclosed, preventing its use for non-cyber regulatory action and so fostering business confidence in sharing sensitive information.

It also reinforces the government’s power to impose additional cybersecurity requirements on owners and operators of over 220 designated critical assets across sectors such as energy, communications, transport, financial services, food, and data storage. These obligations include developing incident response plans, conducting cybersecurity exercises, and performing vulnerability assessments.

There is advocacy within Australia for the adoption of a phased approach to the Cyber Security Act, to make it easier for manufacturers to meet its requirements across the board. The University of New South Wales has published research that argues for the Manufacturer Usage Description (MUD) standard as a scalable basis for implementation. This would require manufacturers to declare the expected behaviour of their devices so that network operators can enforce policies to restrict unnecessary device communications. This would reduce attack surfaces and minimise security costs by shifting protection responsibilities away from individual device manufacturers.
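To illustrate the MUD approach in working code (an added example written for this article, not code from the UNSW research or the MUD specification), the Python below resolves a constructed, simplified MUD-style file for a hypothetical smart bulb into allow rules and applies them default-deny to sample flows seen at a home router. The file layout, the `peer`/`protocol`/`port` rule keys (`port` is the remote peer's port) and all addresses are assumptions; the real RFC 8520 format uses a fuller YANG ACL schema.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified MUD-style file for a hypothetical smart bulb,
# modelled on RFC 8520's from-device / to-device policies (not the full YANG
# ACL schema). Addresses are documentation ranges.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-url": "https://manufacturer.example/bulb-v1.json",
        "from-device-policy": {"access-lists": ["from-bulb"]},
        "to-device-policy": {"access-lists": ["to-bulb"]},
    },
    "acls": {
        # Outbound: HTTPS to the vendor cloud and DNS to the local resolver.
        "from-bulb": [{"peer": "203.0.113.0/24", "protocol": "tcp", "port": 443},
                      {"peer": "192.0.2.53/32", "protocol": "udp", "port": 53}],
        # Inbound: traffic from the vendor cloud's HTTPS endpoint only.
        "to-bulb": [{"peer": "203.0.113.0/24", "protocol": "tcp", "port": 443}],
    },
})

def load_policy(mud_json):
    """Resolve the ACL names referenced by each policy into allow-rule lists."""
    doc = json.loads(mud_json)
    mud, acls = doc["ietf-mud:mud"], doc["acls"]
    expand = lambda pol: [r for n in mud[pol]["access-lists"] for r in acls[n]]
    return {"from": expand("from-device-policy"), "to": expand("to-device-policy")}

def allowed(policy, direction, peer_ip, protocol, port):
    """Default deny: a flow passes only if some declared rule covers the remote peer."""
    addr = ip_address(peer_ip)
    return any(addr in ip_network(r["peer"]) and r["protocol"] == protocol
               and r["port"] == port for r in policy[direction])

def evaluate(policy, flows):
    """Label each (direction, peer_ip, protocol, port) flow ACCEPT or DROP."""
    return [(f, "ACCEPT" if allowed(policy, *f) else "DROP") for f in flows]

# Constructed flows as a home router would see them; the last two are
# undeclared behaviour (telnet out to an unknown host, SSH in from the internet).
SAMPLE_FLOWS = [
    ("from", "203.0.113.10", "tcp", 443),
    ("from", "192.0.2.53", "udp", 53),
    ("to", "203.0.113.10", "tcp", 443),
    ("from", "198.51.100.7", "tcp", 23),
    ("to", "198.51.100.7", "tcp", 22),
]
```

Running `evaluate(load_policy(MUD_FILE), SAMPLE_FLOWS)` accepts the three declared flows and drops the two undeclared ones, which is the behaviour a MUD-aware router would enforce without any change to the device itself.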