Cyber threats to New Zealand are increasingly borderless, persistent and systemic. Recent high‑profile cyber incidents have highlighted the growing scale and interconnected nature of cyber risk across both public and private sectors. Taken together, these events suggest that New Zealand’s existing regulatory framework may need to evolve to keep pace with the speed, sophistication and systemic impact of contemporary cyber threats, and in line with overseas developments in this space.

The Government’s release of New Zealand’s Cyber Security Strategy 2026 to 2030 is certainly timely, and indicates that change is firmly on the horizon. The message is clear: greater regulatory requirements - and enforcement powers - are needed to address cyber security risks. These developments include:

  • The long-awaited introduction of significant financial penalties for breaches of the Privacy Act.
  • New mandatory cybersecurity obligations for critical infrastructure providers (such as those operating in the finance, telco and energy sectors), together with hefty penalties for failures to meet them and potential personal criminal liability for directors.
  • Increased cybersecurity standards for government agencies.

What’s the Plan?

The real significance of the strategy lies not in its immediate effect, but in the regulatory direction it signals. It comes equipped with a Cyber Security Action Plan which explains how the Government intends to turn its high‑level intent into near‑term action. The Government’s two-year Action Plan includes the following initiatives:

  • Privacy penalties: Consideration of a new penalty regime under the Privacy Act 2020. This is a development long called for by the Office of the Privacy Commissioner, which has pointed out that the comparatively hands-off approach to enforcement under the Privacy Act is out of step with comparable jurisdictions.
  • Cyber-resilience requirements for critical infrastructure: The introduction of mandatory requirements for critical infrastructure operators to strengthen cyber resilience.
  • Higher cyber-standards for government: The strengthening of cyber security standards across government digital procurement and design, with an explicit aim of reducing duplication and lifting baseline security expectations.
  • New national security powers: The updating of legislative powers to enable New Zealand’s security sector agencies to use cyber capabilities and tools to advance our national security interests. 
  • Criminal offences: The potential introduction of a new offence targeted at people who view, possess, or disseminate personal information when they are aware it has been illegally obtained.

Consultation on Cyber Security of Critical Infrastructure

Alongside the Strategy and the Action Plan, the Government has released a discussion document which proposes the introduction of new mandatory cybersecurity requirements for “critical infrastructure”.

The discussion document seeks feedback on two key issues:

  • What should be deemed critical infrastructure? Seven essential services are identified - telecommunications and data, defence, energy, finance, health, transport and drinking water and wastewater.
  • What requirements should apply? The document proposes a mix of voluntary and mandatory measures. The latter include a range of tools, from monitoring and supervision to compliance and enforcement. These include fines, enforceable undertakings, and civil and criminal penalties for non-conformance. At the most serious end, directors could face personal criminal liability of up to $100,000 for a serious breach, or up to $500,000 for a critical breach.

A public consultation on the discussion document is underway until 19 April 2026.

What’s next?

While it is early days, these developments signal a clear regulatory focus on higher data security standards across both private and public sectors. Organisations should be preparing by applying increased focus on these issues in their boardrooms. These issues should already be front of mind at board level, given the rising tide of cyber attacks and the existing legal risks for failing to take adequate measures to prevent them. For more information on the risks for both organisations and their directors, see our Cyber Risks Report.

Given the significant impact the new mandatory cyber requirements may have for critical infrastructure, providers in those affected sectors should consider engaging in the consultation. 

Get in touch

If you have any questions about the implications of the Cyber Security Strategy, or would like assistance preparing a submission on the consultation, please contact one of our experts.

Special thanks to James Burnett and Tom Hammond for assistance in writing this article.
