Cybersecurity · New Zealand
New Zealand has no overarching NIS2-style cybersecurity law in force; obligations are spread across sector-specific instruments. Mandatory breach notification exists under the Privacy Act 2020 (serious-harm threshold), the RBNZ/FMA impose cyber-incident reporting on banks, insurers and other regulated financial entities, and the NCSC sets minimum standards for government agencies. A proposed mandatory regime for critical infrastructure—including 24-hour/72-hour incident reporting to the NCSC—was consulted on in early 2026 but is not yet enacted.
There is no single horizontal cybersecurity statute (NIS2-equivalent) in force; the regime is a patchwork of sector rules. The DPMC's February 2026 discussion document confirms cyber risks 'are generally not well understood or collectively managed to a consistent level' across critical infrastructure.
Since 1 December 2020 the Privacy Act 2020 (s 114) requires agencies to notify the Privacy Commissioner and affected individuals 'as soon as practicable' of any notifiable privacy breach (one likely to cause serious harm); the OPC expects notification within ~72 hours via the NotifyUs tool, with fines up to NZ$10,000 for non-compliance.
From 8 April 2024 registered banks, non-bank deposit takers and insurers must report material cyber incidents to the Reserve Bank within 72 hours, report all incidents periodically (six-monthly for large entities, annually for others), and submit cyber-resilience self-assessments against RBNZ guidance; requirements were developed jointly with the FMA.
The RBNZ's FMI Standard 17C imposes cyber-resilience requirements on designated financial market infrastructures, while the New Zealand Information Security Manual (NZISM), maintained by the GCSB/NCSC, sets baseline information-security controls for government systems.
The NCSC has issued Minimum Cyber Security Standards for public-service agencies, establishing a mandated baseline of controls that agencies must meet, with implementation deadlines in 2026.
A DPMC discussion document (consulted 27 Feb–19 Apr 2026) proposes a mandatory regime for ~200 entities across seven sectors (communications/data, defence, energy, finance, health, transport, water): risk-management programmes aligned to NIST CSF or ISO/IEC 27001, and mandatory incident reporting to the NCSC, consisting of a 24-hour early warning and a 72-hour full report for significant incidents. The regime is not yet enacted.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.