Published on the 01/04/2026 | Written by Heather Wright
Cyber risk now firmly a leadership issue…
New Zealand’s new Cyber Security Strategy 2026-2030 has landed, setting a clear expectation: cyber risk is no longer a back-office issue or a technical afterthought. And distance is no defence.
The long-awaited strategy and accompanying Cyber Security Action Plan 2026-2030, released earlier this month, signal that cyber resilience must now be treated as a core governance, risk-management and strategic decision-making responsibility. It also flags that regulatory change is likely on its way.
Alongside the Strategy and the Action Plan, the Department of the Prime Minister and Cabinet also released a discussion document seeking industry feedback on a new approach to the cybersecurity of critical infrastructure.
In it together
The Strategy adopts a whole-of-society model, setting out shared responsibility across government, industry and individuals. Businesses sit at the centre, with the Strategy’s four national objectives (Understand, Prevent and Prepare, Respond, and Partner) defining practical expectations.
Understand is about improving cyber awareness and literacy across organisations and New Zealanders, improving the reporting of cyber incidents, and increasing information sharing between government and industry to better understand the threat environment. NCSC will establish a single cyber security reporting service, with processes for redirecting reports of other types of online harm and cyber-enabled crime to the appropriate agencies. Critical infrastructure providers get special mention: the Strategy notes they will receive tailored guidance, including assessments, risk-management strategies and guidance on implementing technical controls to protect IT and OT networks (more on that later).
Prevent and Prepare is about strengthening cyber risk management, resilience and preparedness across government and industry. That includes strengthening the existing mandate of the Government Chief Digital Officer to entrench a culture of security from procurement through to systems operation, with the Government Chief Information Security Officer establishing and enforcing minimum cybersecurity standards and working with digital supply chain vendors to apply more consistent security controls across agencies. Industry and public consultation on the core elements of a regulatory framework is also proposed, including additional non-regulatory actions the government can take to better partner with and support critical infrastructure owners and operators in managing cyber risk.
The Respond section says resilience and preparedness must be strengthened across government and industry to ensure effective, coordinated responses to cyber incidents. Victims of cybersecurity incidents will be ‘supported to remediate and recover’. Legislative frameworks will be modernised to account for the complexity and global nature of cyber threats, with work to address the jurisdictional barriers that stop New Zealand enforcement agencies from accessing cyber evidence needed to investigate cybercrime.
Partner highlights the need for ‘strategic and targeted cooperation’, both locally and internationally, with industry and international partners.
The Action Plan, meanwhile, sets out the actions required over the next two years to implement the Strategy, naming a lead agency for each action.
Notably, the critical infrastructure discussion document proposes that, if adopted, critical infrastructure entities would be required to develop, implement and maintain a cyber risk management programme aligned with a recognised cybersecurity framework, either one endorsed by the NCSC or one recognised internationally, such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The discussion document also outlines requirements allowing government to collect specific information from those entities, initially a description of their operations including critical components, information on the entity’s owners and controllers, and a mapping of key dependencies and interdependencies.
Also proposed are voluntary information exchanges connecting organisations across the critical infrastructure system with each other and with government to coordinate cybersecurity efforts, a requirement to share certain information (for example, projected restoration times) with other critical infrastructure organisations, and mandatory reporting of cyber incidents.
Regulatory change
The Strategy clearly signals that regulatory reform is being considered across several areas including strengthened requirements for the cybersecurity of critical infrastructure, which encompasses everything from the electricity grid to telco networks, health and transport services and financial systems.
The Strategy document notes that around 120 countries have some form of critical infrastructure regulation. “As a first step, the government will consult industry and the public on the core elements of a regulatory framework, including additional non-regulatory actions the government can take to better partner and support critical infrastructure owners and operators to manage cyber risk.”
The critical infrastructure discussion document highlights that cyber risks are ‘not well understood or collectively managed to a consistent level’ across the system, and that effective protection requires understanding ‘critical components, ownership and control structures, and mapping of dependencies’.
The document suggests the reach of proposed obligations could extend beyond the core operator to include third-party service providers with operational control of critical components.
Another possible area of regulatory change is the introduction of a civil pecuniary penalty regime under the Privacy Act, aimed at incentivising the protection of personal information. The Ministry of Justice will provide advice on options to incentivise protection as part of the two-year action plan.
Thomas Anderson, a MinterEllison solicitor, says that if implemented it would mark ‘a notable shift in New Zealand’s privacy landscape’, which currently has no civil penalties for breaches of the Privacy Act.
“At present, the Act relies on a complaints-based enforcement model administered by the Privacy Commissioner, which can result in recommendations or, in serious cases, referral to the Human Rights Review Tribunal. However, there is no power to impose civil fines for contraventions of the Act (such as a failure to comply with the data security requirements in information privacy principle 5), unlike comparable regimes in Australia, the European Union and the United Kingdom,” he says.
Also on the table is a potential new offence for handling, including disseminating, illegally obtained personal information. The Ministry of Justice has been charged with providing advice on the new offence.
The proposal would extend liability beyond the breached organisation to anyone knowingly handling unlawfully obtained personal information. While the intention is to deter malicious actors from circulating stolen data, Anderson notes the wording also captures organisations or third-party recipients who are aware that the information they are accessing or using was acquired through unauthorised means.
“Together, these two actions seem to signal a clear intent: The Government plans to use both stronger Privacy Act enforcement tools and new criminal offences to create meaningful financial and legal consequences for the mishandling or exploitation of personal information after a cyber incident.”