Questions are ordered by practical urgency: current legal status first, then proposed scope and duties, obligations already in force, supplier flow-down, comparison with Australia, preparation, reporting interaction and misconception control.
Does New Zealand have a critical-infrastructure security law like Australia's SOCI Act?
No enacted New Zealand equivalent of Australia's Security of Critical Infrastructure Act 2018 was identified as at 13 July 2026. New Zealand's main cyber-specific reform is DPMC's February 2026 discussion document, Enhancing the cyber security of New Zealand's critical infrastructure system. Consultation ran from 27 February to 19 April 2026 and is closed; DPMC says submissions will inform further analysis and advice to Cabinet. That is a policy consultation, not an Act, enacted regime or introduced cyber-security Bill. Separately, the Emergency Management Bill (No 2) would reform emergency-management and essential-infrastructure arrangements. Parliament recorded its second reading on 30 June 2026, with the committee of the whole House still to come, so it was not enacted at the review date and should not be described as the proposed cyber regime itself. Existing Privacy Act, TICSA, financial-sector, emergency-management and sector duties continue to apply.
- current law — No enacted SOCI-style cross-sector cyber regime was identified; apply existing privacy, telecommunications, financial and sector rules.
- DPMC cyber reform — The February 2026 document is a closed consultation whose submissions are to inform advice to Cabinet.
- Emergency Management Bill (No 2) — A separate Bill concerning emergency management and essential infrastructure; it had passed second reading but was not enacted at the review date.
We will distinguish obligations currently in force from consultations, Bills and other proposals. We will not treat the February 2026 critical-infrastructure cyber measures or the Emergency Management Bill (No 2) as enacted requirements unless and until the relevant legislation is passed, commenced and applies to us.
What sectors and entities would be in scope of the New Zealand proposals?
The February 2026 discussion document proposed a principles-based definition supported by service-specific thresholds. An initial assessment suggested approximately 200 of New Zealand's most significant infrastructure entities across seven essential services: communications and data, defence, energy, finance, health, transport, and drinking water and wastewater. An entity providing an essential service at or above a proposed threshold, with relevant components in New Zealand, would notify government of its status. The proposal also contemplated ministerial designation and exemption powers. A very small subset of components could be privately designated as critical infrastructure of national significance, or CINS, based on factors such as cascading dependencies and the severity of national harm. The document could not estimate how many CINS components there would be. All of this remains proposed: thresholds, responsible entities, exemptions and regulator design may change after consultation and Cabinet decisions.
- approximately 200 proposed entities — The estimate covers significant entities meeting draft service thresholds, not every organisation in the seven sectors.
- seven proposed essential services — Communications and data, defence, energy, finance, health, transport, and drinking water and wastewater.
- proposed CINS subset — A case-by-case, privately declared subset of nationally significant critical components.
We will monitor the final scope of any critical-infrastructure legislation and assess whether our services, New Zealand components, ownership, dependencies or ministerial designation place us within it. Draft thresholds and sector labels will not be treated as final law.
What obligations are proposed for risk management, incident reporting and resilience?
The discussion document set out six measures that could be adopted independently or as a package. They were: government collection of specified ownership, operational and dependency information; a protected voluntary information exchange; mandatory sharing of certain information between entities, likely beginning with CINS; cyber-incident reporting to the NCSC and the future critical-infrastructure regulator or regulators; a cyber risk-management programme aligned with an NCSC-endorsed or internationally recognised framework; and a last-resort ministerial power to direct management of a significant national-security cyber threat. For significant incidents, the proposed reporting model was an initial warning no later than 24 hours after detection and a full report no later than 72 hours after detection, plus periodic reporting of all incidents at a frequency to be set in regulations. The proposed risk programme would identify critical components and material risks, treat those risks as far as reasonably practicable, and involve director-level responsibility and attestation. These measures, deadlines, powers and proposed penalties are not currently in force.
- information and mapping — Proposed status notification, government information collection, voluntary exchange and selected mandatory sharing.
- incident reporting — Proposed periodic all-incident reporting and 24-hour warning plus 72-hour full reporting for significant incidents.
- risk management — Proposed framework-aligned programme, critical-component mapping, reasonable-practicability treatment and director accountability.
- national-security direction — Proposed last-resort ministerial direction power with consultation, proportionality, review and indemnity safeguards.
Until any new regime is enacted, we will treat the February 2026 measures as a preparation benchmark rather than a legal duty. We will maintain a critical-component register, cyber risk-management programme, incident log and escalation process capable of producing an initial incident assessment within 24 hours and a fuller report within 72 hours.
What existing duties already apply now under TICSA, RBNZ/FMA rules, sector regulation and the Privacy Act?
Existing obligations depend on the entity and incident. TICSA is already in force for telecommunications network operators: operators must register within three months of becoming a network operator and must notify GCSB before implementing proposed decisions, actions or network changes within section 48, subject to applicable exemptions. Lifeline utilities currently have continuity duties under section 60 of the Civil Defence Emergency Management Act 2002, including functioning to the fullest possible extent during and after an emergency and supplying plans on request. RBNZ requires registered banks, non-bank deposit takers and insurers to report material cyber incidents as soon as practicable and within 72 hours; its periodic all-incident survey is currently paused. FMA licence conditions require specified market-service licensees to maintain appropriate business-continuity plans and operationally resilient critical technology systems, with material incident notification as soon as possible and no later than 72 hours after determining materiality. The Privacy Act 2020 requires notification of a privacy breach that has caused or is likely to cause serious harm. Energy, transport, health, water and other sectors may also have safety, quality, continuity or licence duties even where they are not framed as one cross-sector cyber law.
- telecommunications network operators — TICSA registration and proposed-network-change notification duties are already in force.
- lifeline utilities — Current Civil Defence Emergency Management Act continuity and plan-production duties apply.
- regulated financial entities — RBNZ and FMA requirements depend on entity type, licence and materiality.
- Privacy Act 2020 — Serious-harm privacy breaches trigger notification regardless of critical-infrastructure status.
We maintain a current obligations register covering TICSA, emergency-management, privacy, financial-sector, safety, quality, licence and contractual requirements that apply to our entity and services. Proposed critical-infrastructure reform does not suspend or replace obligations already in force.
If I supply a critical-infrastructure operator, how might these rules reach me indirectly through contractual flow-down?
A supplier does not become subject to an unpassed statutory regime merely because its customer may fall within a consultation proposal. It can, however, be reached now through procurement terms and contracts. Operators may require security frameworks, access controls, personnel screening, audit evidence, vulnerability management, continuity and recovery targets, subcontractor controls, data-location terms and rapid incident notification. Those contractual duties can be stricter than a supplier's direct statutory duties. The February 2026 proposal also deliberately treated suppliers as possible infrastructure components and contemplated requiring suppliers or contractors with operational control over critical components to support a critical-infrastructure entity's risk programme as far as practicable. If enacted in that form, some suppliers could face direct statutory support duties as well as contractual flow-down. Final wording, thresholds, regulator powers and remedies remain unsettled.
- ordinary supplier today — Current exposure is commonly contractual, procurement-based or derived from existing sector and privacy duties.
- supplier controlling a critical component — The proposal contemplated direct support duties if the supplier has operational control over a critical component.
- supply-chain controls — Security schedules, audit rights, incident service levels, continuity targets and subcontractor clauses create practical flow-down.
Before accepting work for an essential-service or critical-infrastructure customer, we will identify all security, resilience, audit, subcontractor and incident-notification obligations in the contract. We will not promise a notification or recovery timeframe unless our people, systems and downstream suppliers can meet it.
How would the proposed New Zealand rules compare with Australia's SOCI Act?
Australia's SOCI Act is enacted and operational; New Zealand's February 2026 model is a consultation proposal. Australia regulates critical-infrastructure assets across 11 sectors and 22 asset classes. Depending on the asset and entity, Australian positive security obligations include giving operational and ownership information to the Register of Critical Infrastructure Assets, reporting cyber incidents, and adopting, maintaining and complying with a written critical-infrastructure risk-management programme. Significant-impact incidents generally require reporting within 12 hours and relevant-impact incidents within 72 hours. A small subset may be declared Systems of National Significance and face enhanced cyber-security obligations. New Zealand proposed seven essential services, approximately 200 significant entities, a government-held list informed by status notifications, a risk-management programme, and 24-hour early warning plus 72-hour full reporting for significant incidents. New Zealand's proposed CINS concept resembles Australia's focus on nationally significant assets, but the legal tests, sector coverage, reporting clocks and powers are not identical. Australia's register, CIRMP and 12/72-hour SOCI duties must not be imported into a New Zealand policy unless Australian law separately applies.
- New Zealand proposal — Seven services, approximately 200 entities, proposed risk programme and proposed 24/72-hour significant-incident process.
- Australian SOCI Act — Enacted regime across 11 sectors and 22 asset classes with register, cyber reporting, risk-management and enhanced obligations.
- cross-Tasman operator — Assess each country's legal tests separately; Australian duties may apply through Australian assets or business operations.
Australian SOCI terminology, asset classes, register duties, CIRMP requirements, Systems of National Significance and 12-hour or 72-hour reporting deadlines apply only where Australian law covers the relevant entity or asset. They are not treated as New Zealand law.
What can New Zealand operators and suppliers do now to prepare?
Prepare in ways that are useful even if the final law changes. Identify the essential services you provide; map the people, systems, operational technology, data, facilities and suppliers needed to deliver them; classify the components whose failure would stop or seriously degrade service; and document dependencies across sectors. Maintain a board-approved cyber risk-management programme aligned with a recognised framework, but scale controls to risk. Build a supplier register with security ownership, subcontractors, audit evidence, recovery objectives and incident-notification commitments. Test incident command, service continuity, restoration from clean backups and communications under realistic disruption. Keep an incident log and evidence pack capable of supporting a 24-hour initial assessment and a fuller 72-hour report without assuming those proposed timeframes are already law. Finally, monitor DPMC, Parliament, NCSC and sector regulators for Cabinet decisions, legislation, regulations and commencement dates.
- service and component mapping — Map essential services, critical components, dependencies, interdependencies and concentration risk.
- risk and governance — Use a recognised framework, board oversight, documented risk decisions and evidence of treatment.
- incident and recovery — Exercise command, notification, continuity, clean restoration and stakeholder communications.
- suppliers — Align contractual promises, downstream capabilities, access controls and recovery commitments.
We maintain and test a current map of essential services, critical components, dependencies and suppliers. At least annually, we exercise a severe cyber disruption, validate restoration from clean backups, test decision-making and communications, and record improvements with owners and due dates.
How would critical-infrastructure reporting interact with Privacy Act notification and NCSC cyber reporting?
Treat each reporting route as a separate decision. Today, any organisation can report a cyber incident through the NCSC's single pathway at https://www.ncsc.govt.nz/report/. General NCSC reporting is primarily a support, disruption and threat-sharing route; no universal law requiring every SME to report every cyber incident to NCSC was identified. The CERT NZ and NCSC public-facing integration was completed on 23 July 2025, so the NCSC pathway is now the correct national route. Privacy Act notification is different and mandatory when a privacy breach has caused or is likely to cause serious harm: notify the Privacy Commissioner and affected people as soon as practicable. OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach, but that is guidance around the statutory 'as soon as practicable' test. RBNZ, FMA, TICSA, Police, insurers and contracts may add parallel notices. The DPMC proposal would add reporting to NCSC and future critical-infrastructure regulator or regulators, including proposed 24-hour and 72-hour significant-incident steps, but that additional regime was not in force at the review date. One report should never be assumed to satisfy all other routes.
- NCSC reporting — Current national cyber-support and threat-sharing pathway, with no-wrong-door referrals.
- Privacy Act notification — Mandatory for serious-harm privacy breaches, separately from NCSC reporting.
- proposed critical-infrastructure reporting — Would add NCSC and regulator reporting if enacted; it was not current law at the review date.
- regulated or contracted organisations — Sector regulators, Police, insurers, customers and contracts may require parallel notices.
For every incident, the incident lead will separately assess notification to the NCSC, Privacy Commissioner and affected people, Police, sector regulators, insurers, customers and contractual parties. Making one report does not discharge another obligation unless the applicable law or regulator expressly confirms that it does.
What are the common misconceptions about New Zealand critical-infrastructure obligations?
The biggest error is treating policy direction as current law. The February 2026 paper is a discussion document, its sector thresholds are drafts, its approximately 200-entity estimate is not a final register, and its proposed 24-hour and 72-hour reporting clocks are not yet general legal deadlines. The Emergency Management Bill (No 2) is separate emergency-management legislation and was not enacted at the review date. Australia's 11 sectors, 22 asset classes, CIRMP, Register of Critical Infrastructure Assets, 12-hour and 72-hour reporting and Systems of National Significance are Australian rules, not New Zealand rules. Existing New Zealand duties have narrower triggers: TICSA applies to network operators, financial requirements depend on regulator and licence, and Privacy Act notification depends on serious harm. Suppliers can still face demanding contracts and could be captured more directly under a future regime. Finally, neither a voluntary NCSC report nor a proposed future critical-infrastructure report should be assumed to replace privacy, sector, insurance or contractual notices.
- proposal versus law — Consultations, draft thresholds and illustrative penalties are not current obligations.
- New Zealand versus Australia — SOCI terminology and deadlines remain Australian unless Australian law separately applies.
- scope and triggers — TICSA, financial, privacy and supplier duties each depend on their own legal or contractual test.
Our compliance register records each requirement as enacted, commenced, proposed, contractual or voluntary. No control, deadline, regulator or penalty will be labelled mandatory without a current source showing that it applies to our entity, service or incident.
What's my next step?
Common misconceptions
- New Zealand already has an enacted equivalent of Australia's SOCI Act. DPMC's 2026 cyber work remained a closed consultation feeding further analysis and advice to Cabinet. INFERRED
- The February 2026 discussion document is a Bill or Act. DPMC classifies it as a consultation publication. VERIFIED
- The Emergency Management Bill (No 2) was already enacted by 13 July 2026. Parliament's history showed second reading completed, with later legislative stages still outstanding. VERIFIED
- The Emergency Management Bill (No 2) is the same instrument as DPMC's proposed cyber-security regime. They are separate reform streams, although the cyber discussion document refers to alignment with some Bill definitions. INFERRED
- The seven proposed services and approximately 200 entities are final scope. They were an initial estimate based on draft thresholds open to refinement. VERIFIED
- New Zealand critical-infrastructure entities already have a general 24-hour warning and 72-hour full-report duty. Those timeframes appeared in a proposal and were not in-force general deadlines at the review date. INFERRED
- Australia's SOCI 12-hour and 72-hour reporting rules automatically apply in New Zealand. They are Australian statutory duties and apply only where the Australian regime covers the relevant entity or asset. INFERRED
- Every business using telecommunications services is a TICSA network operator. TICSA Part 3 applies to entities meeting the network-operator definition. VERIFIED
- All New Zealand financial firms have the same cyber-reporting duty. RBNZ and FMA requirements depend on entity class, licence, incident type and materiality. INFERRED
- Suppliers are irrelevant unless they are directly designated. Current contracts can create flow-down, and the proposal expressly includes suppliers among infrastructure components and contemplates support duties for entities controlling critical components. VERIFIED
- A report to NCSC automatically satisfies Privacy Act and sector-regulator obligations. Each reporting route has its own trigger and purpose. INFERRED
- New Zealand already has a public CINS register. CINS was a proposed, case-by-case designation, and the discussion document contemplated private declarations for security reasons. VERIFIED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Proposed critical-infrastructure status and information notification — NOT IN FORCE | Responsible Minister and future critical-infrastructure regulator or regulators, not yet settled | Under the February 2026 proposal, an entity would meet a final essential-service threshold or undergo a material change requiring updated information. | Proposed at entry into scope, on material change and at intervals to be set in regulations; no current statutory deadline. | |
| Proposed critical-infrastructure cyber-incident reporting — NOT IN FORCE | NCSC and future critical-infrastructure regulator or regulators, not yet settled | Under the proposal, all cyber incidents would be periodically reported and significant incidents would trigger expedited reporting. | Proposed initial warning no later than 24 hours after detection and full report no later than 72 hours after detection; periodic frequency to be set in regulations. | |
| Proposed cyber risk-management programme — NOT IN FORCE | Future critical-infrastructure regulator or regulators, not yet settled | Under the proposal, an entity would be within the final critical-infrastructure definition or designation. | No enacted deadline; the consultation contemplated staged implementation and a one-year grace period before enforcement. | |
| Proposed national-security cyber direction power — NOT IN FORCE | Responsible Minister, supported by NCSC | Under the proposal, a significant national-security cyber threat affecting a critical-infrastructure entity, with the power used as a last resort. | A direction would specify the period for compliance; no current statutory duty. | |
| TICSA network-operator registration | New Zealand Police | An organisation becomes a network operator within the Telecommunications (Interception Capability and Security) Act 2013 definition. | Within three months after becoming a network operator. | |
| TICSA notification of proposed network decisions, actions or changes | NCSC Regulatory Unit on behalf of the Director-General of GCSB | A network operator proposes a decision, course of action or change to a network within section 48, unless an exemption applies. | Before the decision, action or change is implemented. | |
| Civil Defence Emergency Management Act lifeline-utility continuity duty | Director of Civil Defence Emergency Management and applicable emergency-management authorities | The entity is a lifeline utility under the Civil Defence Emergency Management Act 2002. | Ongoing ability to function to the fullest possible extent during and after an emergency; provide the plan in writing when requested. | |
| RBNZ material cyber-incident report | Reserve Bank of New Zealand | A material cyber incident affects a registered bank, non-bank deposit taker or insurer covered by the requirement. | As soon as practicable and within 72 hours. | |
| FMA material operational or critical-technology incident report | Financial Markets Authority | A covered market-service licensee determines that an event materially affects service supply or the operational resilience of critical technology systems. | As soon as possible and no later than 72 hours after determining the event is material. | |
| Privacy Act 2020 notifiable privacy breach | Office of the Privacy Commissioner | A privacy breach has caused or is likely to cause serious harm to an affected individual. | Notify the Commissioner and affected people as soon as practicable; OPC says ideally within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| Emergency Management Bill (No 2) proposed essential-infrastructure duties — BILL NOT IN FORCE | National Emergency Management Agency and authorities specified by the Bill if enacted | Would depend on enactment, commencement and the final Bill's essential-infrastructure definitions, designations and duties. | No current compliance deadline; second reading completed on 30 June 2026 and later legislative stages remained outstanding at the review date. |
Sources
- Critical Infrastructure primary
- Discussion document: Enhancing the cyber security of New Zealand's critical infrastructure system primary
- Enhancing the cyber security of New Zealand's critical infrastructure system — February 2026 discussion document primary
- New Zealand's Cyber Security Strategy 2026–2030 primary
- Emergency Management Bill (No 2) — progress and history primary
- Emergency Management Bill (No 2) primary
- Civil Defence Emergency Management Act 2002, section 60 primary
- Telecommunications (Interception Capability and Security) Act 2013 primary
- About TICSA primary
- TICSA notification of proposals primary
- TICSA Regulatory Strategy primary
- Cyber resilience for regulated entities primary
- FMA business continuity and critical technology standard condition primary
- Privacy Act 2020 primary
- Sorting out privacy breaches primary
- NotifyUs of a serious privacy breach primary
- Report a cyber security issue primary
- NCSC and CERT NZ integration now complete primary
- National Cyber Security Centre primary
- Security of Critical Infrastructure Act 2018 primary
- SOCI Act regulatory obligations primary
- Enhanced Cyber Security Obligations primary
- Late Cyber Incident Reports and Insider Threats primary
- r/newzealand discussion of the Waikato DHB cyber attack forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.