The New Zealand Government has published New Zealand's Cyber Security Strategy 2026–2030 (Strategy) and an accompanying Cyber Security Action Plan 2026–2027 (Action Plan). Together, these documents establish a national framework for responding to escalating cyber threats and improving cyber security practices to enable innovation and drive economic growth.
The Strategy carries significant governance implications for organisations. It signals a clear expectation that cyber security should be treated as a core element of governance, risk management, and strategic decision-making. Industry will be expected to work collaboratively with government to strengthen New Zealand's collective response to the evolving cyber threat landscape.
It also signals that regulatory change may be on the horizon to strengthen requirements for the cyber security of critical infrastructure, better incentivise the protection of personal information, and update the legislative powers of New Zealand's security sector agencies.
Strategy at a glance
The Strategy frames cyber security as both a national security priority and an economic resilience imperative. It recognises that New Zealand's growing dependence on digital systems exposes organisations and individuals to increasing risk, and adopts a 'whole-of-society' model emphasising shared responsibility among government, industry, and individuals.
The Strategy and Action Plan are structured around four core objectives:
- Understand - improving awareness of cyber threats and lifting cyber literacy across organisations and New Zealanders.
- Prevent and Prepare - strengthening cyber risk management, resilience, and preparedness across government and industry.
- Respond - ensuring effective, coordinated responses to cyber incidents.
- Partner - deepening collaboration across government, industry, and international partners.
Action Plan
The Action Plan translates the Strategy's objectives into specific initiatives over the next two years, representing the first phase of implementation.
Key actions include:
- Critical infrastructure resilience – strengthening the cyber resilience of critical infrastructure, including through guidance on cyber risk and best practice.
- Quantum readiness – enabling New Zealand to process and manage quantum-resistant cryptographic material to protect sensitive information.
- Cyber security reporting – establishing a reporting service to enable the National Cyber Security Centre to coordinate and manage cyber incidents.
- Government cyber security – strengthening the mandate for the Government Chief Digital Officer to ensure government digital products and services are secure and resilient.
- International cooperation – bolstering cyber resilience in the Pacific and continuing to support international rules, standards, and norms relating to cyber security.
Potential areas for regulatory change
The Strategy and Action Plan signal the Government's intention to explore legislative and regulatory reform. Areas under active consideration include:
- a proposed regulatory framework to improve the cyber security of critical infrastructure;
- options to incentivise the protection of personal information, such as introducing a civil pecuniary penalty regime under the Privacy Act 2020;
- a potential new offence targeting individuals who view, possess, or disseminate personal information knowing it has been illegally obtained; and
- a review of the powers and capabilities of New Zealand's intelligence and security agencies to proactively disrupt cyber threats.
The focus on these specific areas in the Strategy and Action Plan suggests that any legislative change will be incremental and targeted, rather than a wholesale overhaul.
Key implications for boards and senior leaders
The Strategy and Action Plan represent a significant evolution in New Zealand's approach to cyber risk. For organisations, the central message is clear: cyber security is now firmly established as a matter of governance, not a back-office IT function. The Strategy places clear emphasis on proactive risk management over reactive incident response.
Organisations operating in, or providing support to, critical infrastructure should anticipate closer engagement with government and potential new regulatory requirements around cyber resilience.
Organisations that strengthen their governance capability and integrate cyber risk into strategic decision-making will be best placed to navigate the changing threat landscape and to maintain the confidence of customers, regulators, and stakeholders. Taking these steps now will help position organisations to respond constructively as the Strategy progresses from policy to implementation.
Next steps
We will continue to monitor developments in relation to the Strategy and Action Plan. If you would like to discuss the impact of the Strategy and Action Plan on your organisation, please get in touch with one of our experts listed below.