The New Zealand Government is currently consulting on a new regulatory framework aimed at enhancing the cyber security of New Zealand's critical infrastructure.
The reforms follow the 2025 publication of the National Cyber Security Index, which ranks New Zealand 49th in the world and "third tier" on its approach to cyber preparedness (being the lowest ranking of the Five Eyes partners, who all rank in the first tier).
While dates for legislation are yet to be specified, the recently released Cyber Security Strategy signals that cyber regulation for critical infrastructure is an early implementation priority.
Government has cited the current largely voluntary and non-regulatory approach to the management of cyber risk in New Zealand (considered out of step with other jurisdictions), the often-cascading impact of cyber incidents, as well as the "higher risk profile" of critical infrastructure and corresponding potential "debilitating effect" of cyber incidents affecting them as key drivers for this prioritised framework.
The proposed changes aim to achieve digitally resilient critical infrastructure in New Zealand to protect the lives and livelihoods of New Zealanders, support economic growth, preserve New Zealand's sovereignty and keep pace with international approaches.
Who is in Scope?
The Government's proposed changes affect "critical infrastructure entities" (CIEs), to be defined in legislation using the principles-based definitions of essential services contained in the Emergency Management Bill released last year, with more detailed thresholds to be contained in regulations giving effect to them.
Government estimates that approximately 200 infrastructure entities will be affected. Certain in-scope categories have the potential to affect a much larger number of entities (such as CIEs' third-party data storage, cloud computing and managed service providers), but indications are that thresholds (such as the number of CIEs served) are intended to be used to prevent a disproportionately large number of smaller entities being caught.
Notably, airlines, insurance companies and managed funds are currently all proposed to be excluded from scope.
It is proposed that the Ministers responsible (yet to be determined) would have the ability to designate (or exempt) entities, with reasons tabled in Parliament.
As currently proposed, the regime would apply to service providers engaged in the following activities:
- Communications and data
- Defence
- Energy
- Finance
- Health
- Transport
- Drinking water and wastewater
See more detail on the proposed in-scope entities.
Additional CINS Requirements
A small subset of CIEs considered to be of national significance (CINS) are proposed to be subject to stronger minimum cyber security requirements, including more clearly defined risk treatment standards and enhanced reporting obligations.
CINS entities would be those essential services which, if disrupted, would have debilitating national consequences, such as core components of the operation of the national grid. The identity of CINS entities would remain confidential and would not be made public, for security reasons.
Designation of CINS entities by responsible Ministers is proposed to be on a case-by-case basis once the Government has the information necessary to map interdependencies between CIEs. Before any new designation is made, the relevant entity would be informed and given an opportunity to provide feedback. No indication has been provided as to the likely size of this cohort.
Regime Requirements
The proposed requirements for in-scope CIEs are as follows:
| Objective | Requirement |
| --- | --- |
| Improved understanding of threats and vulnerabilities | Information collection: Responsible Ministers would be empowered to require CIEs to periodically provide prescribed information about their operations, ownership and key dependencies, with detailed requirements set by regulation and failure to comply constituting an offence. Information shared with or collected by the Government would be held in strict confidence and could only be used for the purposes of enhancing critical infrastructure security or preserving national security. |
| | Voluntary information sharing: A voluntary legal framework and forum would be established to connect CIEs with each other and Government, enabling coordinated cyber security efforts, collective incident response, and a secure environment for sharing insights on cyber threats and risks, including protections for the information shared. |
| | Mandatory information sharing between entities: The Ministers responsible could require CIEs to share certain information with each other (e.g. projected restoration times). Initially, this is likely to apply to CINS entities only. |
| | Mandatory cyber incident reporting: CIEs would be required to regularly report all cyber incidents to the National Cyber Security Centre (NCSC), and to report significant cyber incidents "as soon as practicable", with an initial report within 24 hours and a full report within 72 hours. It is proposed that reports would be subject to information protections, and a limited use obligation would mean incident reports would not be used for immediate regulatory purposes. |
| Minimum level of cyber risk management | Cyber risk management programme: CIEs would be required to develop, implement and maintain a cyber risk management programme aligned with an internationally recognised cyber security framework such as NIST CSF or ISO/IEC 27001:2022, covering the identification of critical components, assessment of material cyber risks, and treatment of those risks. In addition: |
| Effective management of cyber threats impacting national security | Government direction powers: Responsible Ministers would have the power to direct CIEs to take, or refrain from taking, specific actions to manage cyber threats posing a national security risk. It is intended that this power would be exercised as a last resort only and would be subject to safeguards, including requirements that the threat is significant, that adequate consultation has occurred, that the action is proportionate, and that there is no satisfactory alternative. CIEs would have the right to appeal and to statutory review. |
In defining these requirements, the Government has sought to balance the principles of te Tiriti o Waitangi, the fact that critical infrastructure entities are generally best placed to understand and manage their own cyber risks, the Government's responsibility to ensure minimum standards, and a range of cost-based principles. The requirements are also intended to work alongside other sector-based regimes already in effect and reforms currently underway (such as the Reserve Bank's proposed changes to the Deposit Takers Act 2023).
Penalties
The proposed penalty regime scales with the seriousness of the breach, with penalties such as:
- education measures, written warnings and administrative fines of up to $50,000 for more minor breaches;
- compliance notices, enforceable undertakings, information requests and civil penalties of up to $200,000 for moderate breaches; and
- criminal penalties, including fines of up to the greater of $5 million and 2% of annual turnover for entities, and up to $500,000 for directors, particularly where conduct is negligent, reckless or intentional.
Certain defences are proposed to apply, such as acting to protect life or health or to prevent serious damage to property, matters beyond the CIE's reasonable control that could not be foreseen or prevented, reasonable reliance on third-party information, and where the contravention was not known and could not reasonably have been known.
A phased implementation is proposed, with a one-year grace period between requirements coming into effect and enforcement action being considered.
Next Steps
The Government is currently seeking industry feedback from critical infrastructure owners and operators as to who should be in-scope of the regime and the depth of cyber defence requirements that should apply.
The consultation period closes on 19 April 2026. For more information, see the Discussion Document, including information on how to participate. Further information can also be found on the Department of the Prime Minister and Cabinet's website.
We will continue to monitor developments in relation to the consultation. If you would like to discuss the potential impact on your organisation, please get in touch with one of our experts listed below.