Cybersecurity regulation in New Zealand (2026)
New Zealand has no overarching NIS2-style cybersecurity law in force; obligations are spread across sector-specific instruments. Mandatory breach notification exists under the Privacy Act 2020 (serious-harm threshold), the RBNZ/FMA impose cyber-incident reporting on banks, insurers and other regulated financial entities, and the NCSC sets minimum standards for government agencies. A proposed mandatory regime for critical infrastructure—including 24-hour/72-hour incident reporting to the NCSC—was consulted on in early 2026 but is not yet enacted.
Key points
There is no single horizontal cybersecurity statute (NIS2-equivalent) in force; the regime is a patchwork of sector rules. The DPMC's February 2026 discussion document confirms cyber risks 'are generally not well understood or collectively managed to a consistent level' across critical infrastructure.
Since 1 December 2020 the Privacy Act 2020 (s 114) requires agencies to notify the Privacy Commissioner and affected individuals 'as soon as practicable' of any notifiable privacy breach (one likely to cause serious harm); the OPC expects notification within ~72 hours via the NotifyUs tool, with fines up to NZ$10,000 for non-compliance.
From 8 April 2024 registered banks, non-bank deposit takers and insurers must report material cyber incidents to the Reserve Bank within 72 hours, report all incidents periodically (six-monthly for large entities, annually for others), and submit cyber-resilience self-assessments against RBNZ guidance; requirements were developed jointly with the FMA.
The RBNZ's FMI Standard 17C imposes cyber-resilience requirements on designated financial market infrastructures, while the New Zealand Information Security Manual (NZISM), maintained by the GCSB/NCSC, sets baseline information-security controls for government systems.
The NCSC has issued Minimum Cyber Security Standards for public-service agencies, establishing a mandated baseline of controls that agencies must meet, with implementation deadlines in 2026.
A DPMC discussion document (consulted 27 Feb–19 Apr 2026) proposes a mandatory regime for ~200 entities across seven sectors (communications/data, defence, energy, finance, health, transport, water): risk-management programmes aligned to NIST CSF or ISO/IEC 27001, and mandatory NCSC incident reporting—24-hour early warning and 72-hour full report for significant incidents. Not yet enacted.
Timeline - major decisions & events
DPMC opened public consultation (closing 19 April 2026) proposing that ~200 critical infrastructure entities across seven sectors implement mandatory cyber risk management programmes and report significant incidents within 24 hours (full report within 72 hours), with potential personal criminal liability for directors up to NZD 100,000–500,000. This is New Zealand's most significant proposed expansion of mandatory cybersecurity obligations to date.
Source: Department of the Prime Minister and Cabinet

The government released a successor national cyber strategy with four objectives — understand, prevent and prepare, respond, and partner — accompanied by an Action Plan 2026–2027. It replaced the 2019 strategy and is the overarching policy framework governing all current cybersecurity obligations in New Zealand.
Source: Department of the Prime Minister and Cabinet

Ten Minimum Cyber Security Standards, developed by the NCSC and the Government Chief Information Security Officer, took effect for all mandated public sector agencies, requiring a Capability Maturity Model level 2 baseline and compliance reporting by April 2026. This marked the first time New Zealand imposed a mandatory, auditable technical cybersecurity baseline on government agencies.
Source: National Cyber Security Centre

The Office of the Auditor-General found that while public sector governors take cybersecurity seriously, a significant gap persists between their risk appetite and actual risk exposure, citing inadequate board-level cyber expertise and weak oversight structures. The report applied direct pressure for improved governance ahead of the new mandatory standards.
Source: Office of the Auditor-General New Zealand

CERT NZ — previously housed under the Ministry of Business, Innovation and Employment since 2017 — was fully merged into the NCSC under GCSB, creating a single national cyber agency. The NCSC's mandate was extended from nationally significant organisations to a whole-of-economy remit covering all businesses and individuals, consolidating incident reporting under one roof.
Source: National Cyber Security Centre

A ransomware attack delivered via phishing took down 600+ servers across Waikato DHB, disabled a national cancer hub (prompting a national health emergency declaration), and leaked the personal data of over 4,200 patients and staff to the dark web. Described as the largest cyberattack in New Zealand history, it became the central case study driving calls for mandatory sector-wide cybersecurity standards in health and beyond.
Source: Health New Zealand | Te Whatu Ora

RBNZ disclosed that its third-party file-sharing provider Accellion FTA was compromised on 25 December 2020, exposing commercially sensitive and personal data; remediation cost ~NZD 3.5 million. The incident exposed weaknesses in third-party supply-chain risk management and prompted an independent KPMG review of RBNZ systems.
Source: Reserve Bank of New Zealand

The Privacy Act 2020 replaced the 1993 Act, introducing a mandatory obligation to notify the Privacy Commissioner and affected individuals of any breach likely to cause serious harm, with criminal penalties up to NZD 10,000 for failure to notify. It also extended extraterritorial reach to overseas agencies holding New Zealand personal information, materially raising data-security obligations for all organisations.
Source: New Zealand Parliamentary Counsel Office

Sustained volumetric DDoS attacks overwhelmed NZX public-facing systems, halting trading on four days in a row — unprecedented in New Zealand. A January 2021 FMA review found NZX breached its licensed market operator obligations due to inadequate IT security, no head of cybersecurity, and poor network architecture, signalling that financial market operators face regulatory liability for cyber failures.
Source: Financial Markets Authority

The government released its first standalone national cyber security strategy with five priority areas for 2019–2023, establishing a formal whole-of-government approach and providing the policy framework under which NCSC and CERT NZ operated, including commitments to expand critical infrastructure protections.
Source: Department of the Prime Minister and Cabinet

The Act consolidated GCSB and NZSIS under a single legislative framework, explicitly codifying 'information assurance and cybersecurity activities' as a statutory GCSB function and providing the legal basis for NCSC operations. It strengthened oversight through a revamped Inspector-General of Intelligence and Security and expanded parliamentary accountability.
Source: New Zealand Parliamentary Counsel Office

The government established CERT NZ under the Ministry of Business, Innovation and Employment to serve as the accessible civilian-facing service for cyber incident reporting and response for businesses and individuals — complementing NCSC's focus on nationally significant organisations and filling a key gap in New Zealand's cybersecurity architecture.
Source: CERT NZ

TICSA imposed dual obligations on network operators: maintain lawful interception capability for law enforcement, and notify GCSB of proposed network changes that could create security risks, with fines up to NZD 500,000 for non-compliance. It established NCSC's formal regulatory role over telecommunications infrastructure security — the first sector-specific cybersecurity statute in New Zealand.
Source: New Zealand Parliamentary Counsel Office

The NCSC was created within GCSB to protect New Zealand's most nationally significant organisations — government agencies and critical infrastructure operators — from advanced cyber threats, providing threat intelligence, incident response, and the New Zealand Information Security Manual (NZISM). It formed the operational foundation of New Zealand's cybersecurity architecture and remains its primary cyber defence body today.
Source: National Cyber Security Centre
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.