New Zealand Proposes Mandatory Cyber Security Regime
The New Zealand Government has released a discussion document proposing mandatory cyber security obligations for operators of critical infrastructure, including enforceable minimum standards, incident reporting requirements, and director-level accountability.
Published in February 2026 by the Department of the Prime Minister and Cabinet (DPMC), the document warns, in the words of Prime Minister Christopher Luxon, that cyber risks "are generally not well understood or collectively managed to a consistent level across New Zealand's critical infrastructure system".
The consultation document is available at: https://www.dpmc.govt.nz/our-programmes/national-security/critical-infrastructure.
The proposals follow growing international concern about state-sponsored cyber threats. In October 2025, New Zealand's National Cyber Security Centre (NCSC) joined international counterparts in alerting organisations to Salt Typhoon - a People's Republic of China (PRC)-affiliated threat group. The document states that "Salt Typhoon activity has been observed in New Zealand", targeting critical infrastructure for espionage and potential sabotage.
New Zealand currently ranks 49th on the National Cyber Security Index - the lowest of all Five Eyes partners - and sits in the third tier of the Global Cybersecurity Index, while partner nations occupy the first tier.
The document states New Zealand "stands out from other advanced economies in not using dedicated legislative mechanisms to protect critical infrastructure from cyber harm."
Scope of the Proposed Regime
The proposed regime would apply to approximately 200 entities across seven essential service sectors: communications and data, defence, energy, finance, health, transport, and drinking water and wastewater.
Thresholds defining which entities are captured include electricity generators with capacity at or above 30 megawatts, registered banks identified as domestically systemically important, hospitals with intensive care units, telecommunications operators serving at least 10,000 customers, and maritime ports handling more than 4 million tonnes of freight annually.
A smaller subset - designated as critical infrastructure of national significance (CINS) - would face additional obligations. CINS designations would be made privately and not disclosed publicly, for security reasons.
Six Proposed Measures
The document proposes six measures, which can be adopted individually or as a package.
Measure 1 would grant the responsible Minister power to require critical infrastructure entities to provide operational information to government, including details of critical components, ownership and control structures, and mapping of dependencies.
Measure 2 would establish a voluntary cross-sector information exchange to connect critical infrastructure entities with each other and with government, enabling coordinated cyber security responses.
Measure 3 would require entities - initially those designated as critical infrastructure of national significance - to share specified information with each other, such as projected restoration times.
Measure 4 would introduce mandatory cyber incident reporting to the NCSC for significant incidents: an initial early warning within 24 hours and a full report within 72 hours. A significant incident is one that has, or is likely to have, a serious impact on the confidentiality, integrity or availability of information, or on the delivery of essential services.
Measure 5 - the centrepiece for compliance managers - would require entities to develop, implement and maintain a risk management programme aligned with an internationally recognised cyber security framework, such as the NIST Cybersecurity Framework or ISO/IEC 27001:2022. The programme must identify critical components, assess material risks, and treat those risks as far as reasonably practicable.
Measure 6 would grant the Minister a last-resort power to direct a critical infrastructure entity to take - or refrain from - specified actions to manage a cyber threat for national security reasons. The document states this power would only be used where "the national security threat is significant" and "there is no alternative to the proposed action that would satisfactorily address the national security threat."
Director Accountability and Penalties
Directors of critical infrastructure entities would bear personal responsibility for compliance with minimum requirements. The document proposes making cyber security a core element of directors' fiduciary duty.
Penalties for the most serious breaches would include criminal fines of up to NZ$5 million or 2 per cent of annual turnover (whichever is greater) for entities, and up to NZ$500,000 for individual directors. Minor breaches may attract administrative fines starting at NZ$50,000.
A staged compliance approach is proposed, with a one-year grace period before enforcement action is considered. Third-party audits are considered unlikely in the medium term, due to cost and limited market capacity.
Supply Chain and Third-Party Obligations
The proposals extend obligations to suppliers and contractors that have operational control over critical components. Third-party vendors would be required to support critical infrastructure entities in meeting their risk management obligations, as far as reasonably practicable.
This has significant implications for managed service providers, cloud computing vendors, and data centre operators serving the critical infrastructure sectors. The document proposes that data centres and managed service providers integral to the delivery of essential services by a critical infrastructure entity would themselves be designated as critical infrastructure.
The supply chain risk was highlighted by the July 2024 CrowdStrike incident, in which a defective update from a trusted security vendor, not an attack, caused widespread IT outages across the finance, healthcare and transport sectors globally, and by the Manage My Health breach that compromised the personal data of up to 126,000 New Zealanders (https://www.ncsc.govt.nz/news/rise-in-financial-losses-reported-to-the-ncsc).
International Context
The proposed regime draws heavily on Australia's Security of Critical Infrastructure Act 2018, which requires asset registration, risk management plans, incident reporting, and compliance with government assistance powers. New Zealand's proposals also align with the European Union's NIS2 Directive, Singapore's Cybersecurity Act 2018, and Canada's recently introduced Bill C-8.
The Australian Government's modelling, cited in the document, found that benefits of avoiding or mitigating disruptions outweigh the costs of implementing enhanced security requirements.
Consultation Open Until 19 April 2026
The consultation period runs from 27 February to 19 April 2026. Submissions can be made online, by email to criticalinfrastructure@dpmc.govt.nz, or by post to the National Security and Resilience Group, Department of the Prime Minister and Cabinet, Wellington.
The full discussion document and supplementary materials are available at: https://www.dpmc.govt.nz/our-programmes/national-security/critical-infrastructure.
