
Is New Zealand Finally Getting Serious About Critical Infrastructure Cyber Security?

Aaron Cottew

February 2026 marks a turning point in how New Zealand thinks about protecting the services its people and economy depend on.

After years of operating on a predominantly voluntary cyber security model, the New Zealand Government has signalled it is ready to change course. Released in February 2026, the discussion document “Enhancing the Cyber Security of New Zealand’s Critical Infrastructure System” is more than a policy consultation. It is an acknowledgement that the current approach is no longer adequate, and that the stakes are too high to leave security to good intentions alone.

For organisations that will fall within the government’s definition of critical infrastructure, the conversation has already shifted from “should we invest more in cyber security?” to “how do we prepare for mandatory obligations, and when?” That shift is significant, and this document deserves careful attention.

The Wake-Up Call New Zealand Needed

The context surrounding this document is sobering. New Zealand currently ranks 62nd in the world on the National Cyber Security Index, the lowest of all Five Eyes partners. On the Global Cybersecurity Index, we sit in the third tier (Establishing), while our closest partners and regional peers across the Tasman occupy the first tier (Role-modelling). These are not abstract scores. They reflect a genuine gap in how we protect the services that power our hospitals, light our homes, move our freight, and keep our financial system functioning.

The threat is no longer theoretical. In October 2025, the NCSC (National Cyber Security Centre) confirmed that Salt Typhoon, a People’s Republic of China Government-affiliated threat group, had been observed targeting New Zealand entities. This is the same group that compromised the networks of at least nine major US telecommunications providers, enabling sweeping access to user communications as part of a broad espionage campaign.

Closer to home, New Zealanders have already experienced the consequences of inadequate defences. The 2021 Waikato District Health Board ransomware attack disrupted healthcare for roughly 400,000 people. The 2020 NZX attack brought our stock exchange to its knees. And in 2024, the Manage My Health breach exposed the personal data of up to 126,000 New Zealanders, a stark reminder that supply chain vulnerabilities inside critical infrastructure carry real-world consequences.

What this means is that market forces alone will not resolve this. The document correctly identifies that for many critical infrastructure entities, particularly monopolies and oligopolies, there is limited commercial incentive to invest beyond a minimum threshold. The costs of improving security are borne by the entity; the costs of a serious incident cascade across the entire economy. That structural imbalance creates the case for regulation.

What the Government Is Proposing

The discussion document puts forward six measures spanning two core outcomes: better information sharing, and a minimum baseline of cyber risk management across the system.

Measures 1 through 4 focus on building a shared picture of the threat environment. The first would allow government to collect operational information from critical infrastructure entities, covering ownership, critical components, and dependency mapping. The second would establish a voluntary cross-sector information exchange to break down siloed, sector-specific arrangements. The third would require entities to share information with each other, particularly around projected restoration times, to help government and industry understand cascading failure scenarios. The fourth would mandate incident reporting to the NCSC, with an early warning required within 24 hours of detection and a full report within 72 hours for significant incidents.

Measure 5 is arguably the most operationally significant: a requirement for all critical infrastructure entities to develop, implement, and maintain a risk management programme aligned with an internationally recognised framework, such as NIST CSF (the National Institute of Standards and Technology Cybersecurity Framework) or ISO/IEC 27001:2022. Critically, board directors would be made personally responsible for compliance, embedding cyber security as a core fiduciary duty rather than a technical function delegated to IT.

Measure 6 would grant the Minister a last-resort power to direct a critical infrastructure entity to take specific action in response to a cyber threat of national security significance, modelled on Australia’s Security of Critical Infrastructure Act 2018 government assistance powers.

The Benefits for New Zealanders, and Why They Are Real

For most New Zealanders, cyber security regulation sits somewhere between invisible and irrelevant, right up until the hospital’s systems go down, the ATMs stop working, or the lights go out. The proposed measures, implemented effectively, would change that.

A consistent baseline of risk management across approximately 200 of New Zealand’s most critical entities would significantly reduce the risk of cascading failures, where a single vulnerability in one sector triggers disruption across multiple others. To understand this, consider the 2023 DP World port cyber attack in Australia: one incident forced a seven-day backlog of over 30,000 shipping containers. A similar event in New Zealand, affecting our far smaller and less redundant port network, could be substantially more damaging.

Mandatory incident reporting means the NCSC will develop a far more accurate picture of the threat environment, enabling faster, better-coordinated responses. Currently, only a small proportion of cyber incidents are reported. Better data enables better defences, and the value of that improvement compounds over time.

Director accountability is also a meaningful structural advance. Placing cyber security within the fiduciary duties of directors of critical infrastructure entities should drive genuine board-level attention and investment. This is not a technology problem being handed to IT. It is a governance issue being placed where it belongs.

Is the Government Going Far Enough?

This is the right question to ask, and the honest answer is: not entirely.

The framework represents meaningful progress, and the direction is right. The calibration, however, is open to question. The proposed maximum financial penalties are $5 million or 2% of annual turnover for the most serious breaches. By comparison, the EU’s NIS2 Directive imposes penalties of up to 10 million euros or 2% of global annual turnover, with the global scope significantly amplifying the deterrent effect for multinationals. For a large utility or telecommunications provider, a $5 million cap may represent a manageable cost of doing business rather than a genuine deterrent.

The regime is also heavily weighted toward self-reporting and attestation in its early stages. Third-party audits, the gold standard for verifying genuine uplift, are acknowledged as desirable but explicitly deprioritised in the near term due to cost and limited market capacity. This creates a real risk that the first years of the regime produce compliance on paper rather than in practice.

The regulator has not been named. Without a clear regulatory home, with resourcing, capability, and authority behind it, the regime risks becoming a set of obligations with limited enforcement infrastructure. The one-year grace period before enforcement adds to that concern. In the current threat environment, with state-sponsored actors already confirmed to be active in New Zealand networks, a prolonged non-enforcement window is a long time.

None of this means the framework is wrong. It is broadly the right approach, closely modelled on Australia’s SOCI Act. The question is whether the calibration is right for the threat environment New Zealand actually faces today. The door should remain open to strengthening penalties and audit requirements as the regime matures.

What This Means for Organisations in Scope

The document proposes that approximately 200 entities across seven essential service sectors would fall within the definition of critical infrastructure:

  • communications and data

  • defence

  • energy

  • finance

  • health

  • transport

  • drinking water and wastewater

For organisations that fall within these categories, or that provide managed services, cloud computing, or data storage integral to critical infrastructure delivery, the question is not whether obligations are coming. The question is how ready you will be.

Boards need to act now. Director liability is explicit in this framework. If you sit on the board of a critical infrastructure entity, cyber security is about to become a personal accountability, not just a management responsibility. Boards should be requesting current-state assessments, understanding their organisation’s risk profile, and ensuring investment is already in the pipeline.

A recognised cyber security framework needs to be in place. Whether you align to NIST CSF, ISO 27001:2022, or another NCSC-endorsed framework, the time to begin that journey is before the legislation passes. The risk management programme requirement is substantive, covering identification of critical components, material risk assessment, treatment of identified risks, and ongoing maintenance.

Incident detection and reporting capabilities require investment. A 24-hour initial notification and 72-hour full report timeline is achievable only if you already have the detection tooling, the playbooks, and the internal processes in place. Many organisations currently do not.

Supply chain risk also needs attention. The framework explicitly extends obligations to suppliers and contractors that have operational control over critical components. Managed service providers and technology vendors serving critical infrastructure entities should expect contractual requirements to flow downstream.

Finally, get ahead of the consultation. Submissions close on 19 April 2026. Organisations that engage now will have more influence over the final shape of the regime than those who wait for legislation to land.

The Bigger Picture

New Zealand has long prided itself on pragmatism. On critical infrastructure cyber security, though, that pragmatism has looked more like deferred action. Australia, the European Union, the United Kingdom, Singapore, and Canada have each moved to legislative frameworks that mandate minimum standards, require incident reporting, and hold organisations accountable. We have not, and the gap is visible in our international rankings.

The proposed framework, implemented with genuine ambition and a willingness to strengthen it as it matures, has the potential to deliver meaningful uplift in New Zealand’s cyber resilience. The consultation window, closing on 19 April 2026, is a rare opportunity to influence the architecture of a regime that will govern how our most essential services manage cyber risk for years to come.

For organisations likely to fall within scope, the message is clear. The era of voluntary good intentions is drawing to a close. The question is whether you will be ready.

At a minimum, I encourage you to review the Government’s discussion paper and consider what your organisation must do to prepare. It can be found on the Department of the Prime Minister and Cabinet website here: Enhancing the Cyber Security of New Zealand’s Critical Infrastructure System.

If you wish to have your say, you can register to attend a Government consultation meeting here: Cyber security of critical infrastructure consultation meetings.
