(Shenzhen, China) – As of 4 March 2026, Australia’s Cyber Security (Security Standards for Smart Devices) Rules 2025 have become fully mandatory. All consumer-grade smart connected devices sold in the Australian market are now required to meet mandatory cybersecurity compliance requirements, or face market access restrictions and regulatory penalties.
ETSI EN 303 645 (Version 3.1.3) serves as the core technical reference for Australia’s new rules, with the two frameworks fully aligned across all three mandatory requirements – password management, vulnerability disclosure policy, and defined security update support period. KE MEI OU LAB CO., LTD. (“Ke Mei Ou Lab”) has officially added ETSI EN 303 645 (Version 3.1.3) to its ISO/IEC 17025:2017 accreditation scope (ANAB Certificate No. AT-1532), becoming one of the few testing laboratories in China accredited to perform testing to both ETSI EN 303 645 and the EN 18031 series.
With this unique advantage, Ke Mei Ou Lab offers one‑stop cybersecurity compliance testing services for consumer IoT device manufacturers exporting to Australia and global markets, helping products meet Australian regulatory requirements and efficiently gain access to the Australian market.
Since 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 – a core instrument under Australia’s Cyber Security Act 2024 – has been in full enforcement. The rules apply to all consumer-grade smart devices sold in Australia that can directly or indirectly connect to the internet, including smart cameras, smart locks, smart routers, smart TVs, smart speakers, smart lighting devices, wearables, and home security alarms. Desktop computers, laptops, tablets, and smartphones are explicitly exempt.
The Australian rules are directly aligned with the first three principles of ETSI EN 303 645, forming the mandatory cybersecurity baseline for compliance:
| Core Requirement | EN 303 645 Clause | Australia Rule Detail |
|---|---|---|
| No Universal Default Passwords | 5.1 | Devices must have a unique password or require user‑set passwords on first activation |
| Vulnerability Disclosure Policy | 5.2 | Manufacturers must maintain a 24/7 reporting channel for vulnerabilities |
| Defined Security Support Period | 5.3 | Security updates must be provided for at least 5 years after the last product sale |
From March 2027, the Australian Government will also launch a voluntary Security Labelling Scheme for Smart Devices. The label is expected to display security ratings (A–D) at the point of sale, helping consumers easily compare security protections and encouraging manufacturers to further enhance product security. Once fully implemented, the labelling scheme is likely to further increase market demand for third‑party cybersecurity testing and certification services.
ETSI EN 303 645 (Version 3.1.3) is globally recognized as the baseline cybersecurity standard for consumer IoT devices. Its 13 mandatory security provisions cover the full product lifecycle – from design and development to operation and maintenance:
| Clause | Requirement |
|---|---|
| 5-1 | No universal default passwords (unique per device or mandatory change on first activation) |
| 5-2 | Implement a vulnerability disclosure policy |
| 5-3 | Keep software updated (security update mechanism) |
| 5-4 | Securely store sensitive data (credentials, cryptographic keys) |
| 5-5 | Ensure secure communication (use TLS, etc.) |
| 5-6 | Minimize exposed attack surfaces (disable unused ports, etc.) |
| 5-7 | Ensure software integrity (secure boot, etc.) |
| 5-8 | Protect personal data (privacy‑by‑design) |
| 5-9 | Make devices resilient to offline brute‑force attacks (limit failed attempts) |
| 5-10 | Monitor security anomalies (log security events) |
| 5-11 | Provide a mechanism for data cleanup (factory reset) |
| 5-12 | Consider physical security (tamper resistance) |
| 5-13 | Validate input data (prevent injection attacks) |
Dual Bridge – Best Choice for Australia & Global Market Compliance
According to industry reports, “A device already compliant with EN 303 645 will meet most Australian requirements”. Accredited testing bodies have confirmed that evaluating products against EN 303 645 can effectively demonstrate compliance with Australian rules. At the same time, products that meet Australian requirements are more easily accepted for EU market recognition, enabling manufacturers to reduce certification costs through standard alignment.
Ke Mei Ou Lab’s dual accreditation for both ETSI EN 303 645 and the EN 18031 series (mandatory cybersecurity standards under the EU RED Directive) offers manufacturers a “test once, access multiple markets” solution – significantly improving export certification efficiency and reducing compliance costs for global market access.

Ke Mei Ou Lab is one of the few testing laboratories in China accredited to perform full-scope testing to ETSI EN 303 645. This capability delivers significant value to Chinese IoT manufacturers:
Professional Compliance Documentation: The laboratory can assist clients in preparing the officially required Statement of Compliance, addressing all 12 required elements to ensure smooth market entry into Australia.
Market Access Assurance: Devices already conforming to EN 303 645 are reasonably deemed to meet the vast majority of Australia’s new cybersecurity rules, unblocking Australian market access and greatly reducing compliance time and cost.
True One‑Stop Certification: In addition to cybersecurity testing, the laboratory offers EMC, RF, safety (LVD), energy efficiency (ErP), and other testing capabilities under one roof – enabling comprehensive multi‑market certification for IoT devices.
Full EN 18031 Series Capability: As a core component of Ke Mei Ou Lab’s cybersecurity service portfolio, EN 303 645 complements the laboratory’s existing EN 18031-1/-2/-3 series accreditation (the mandatory cybersecurity standards under the EU RED Directive for radio equipment). This combination simultaneously satisfies Australian market cybersecurity requirements and European mandatory compliance standards, offering a true “test once, access global markets” solution for manufacturers.
Devices subject to Australia’s new cybersecurity rules include:
Smart cameras, smart locks, smart routers
Smart TVs, smart speakers, smart lighting devices
Wearables, home security alarms
VoIP phones, smart switches, wireless headsets
Testing Services:
| Service | Description |
|---|---|
| Full EN 303 645 Testing | All 13 mandatory security provisions |
| Gap Analysis | Identify security weaknesses, provide recommendations |
| Statement of Compliance | Prepare official Australia compliance documentation |
| Integrated Certification | Cybersecurity + EMC + RF + Safety + Energy Efficiency |
Exempt Products (not subject to Australia’s cybersecurity testing requirements under the Rules, but may still be subject to other regulations – please consult Ke Mei Ou Lab for case‑by‑case compliance strategies):
Desktop computers, laptops, tablets, smartphones
Therapeutic goods and road vehicles and their core components
For specific details and requirements, please contact KMO at kmo@kmolab.com.
Working hours: 9:00-18:30, Monday to Friday
Contact: Lisa Liu
Mobile: 18028790769
Email: kmo@kmolab.com
Address: Room 2013, 20th Floor, Business Center, Jiahui Xin Cheng, No 3027, Shen Nan Road, Fu Tian, Shen Zhen, Guang Dong, China
