Government releases New Zealand Cyber Security Action Plan

  • Legal update

    17 March 2026


The New Zealand Government has released two important documents on its cyber security strategy.

The Cyber Security Action Plan 2026–2027 sets out initiatives the Government will deliver over the next two years to protect New Zealanders from cyber harm and raise cyber security standards.

The Cyber Security Critical Infrastructure discussion document proposes measures to make critical infrastructure more digitally resilient through potential legislation. Consultation is open from 27 February to 19 April 2026.

Cyber Security Action Plan 2026–2027: Key privacy measures

Cyber security threats are evolving rapidly, posing a serious national security challenge. Building a cyber-secure and resilient New Zealand demands collective effort from government, businesses and individuals alike.

New Zealand's Cyber Security Strategy 2026–2030 provides a blueprint for collective action. It is structured around four objectives:

  1. Understand;
  2. Prevent and Prepare;
  3. Respond; and
  4. Partner.

Together, these objectives are aimed at strengthening the foundations of New Zealand's cyber security and safeguarding its long-term digital resilience.

The Cyber Security Action Plan 2026–2027 supports the Cyber Security Strategy 2026–2030 by setting out the Government’s first steps towards realising the strategy's objectives. Two of its actions stand out from a privacy perspective.

Proposed civil penalty regime

Action 8 of the Cyber Security Action Plan 2026–2027 proposes that the Ministry of Justice advise on options to incentivise the protection of personal information from cyber threats, such as introducing a civil pecuniary penalty regime to the Privacy Act 2020. If implemented, this would mark a notable shift in New Zealand's privacy landscape, which currently has no civil penalty mechanism for breaches of the Privacy Act 2020 (the Act).

At present, the Act relies on a complaints-based enforcement model administered by the Privacy Commissioner, which can result in recommendations or, in serious cases, referral to the Human Rights Review Tribunal. However, there is no power to impose civil fines for contraventions of the Act (such as a failure to comply with the data security requirements in information privacy principle 5), unlike comparable regimes in Australia, the European Union and the United Kingdom.

The detail of any penalty regime will take the Ministry of Justice time to prepare. But any organisation that holds personal information should expect greater scrutiny of its information security practices, and should reassess the quality and strength of those practices against the backdrop of a civil penalty regime and the increased risks it may bring.

Potential new offence for handling illegally obtained personal information

Action 11 of the Cyber Security Action Plan proposes that the Ministry of Justice advise on a potential offence targeting people who view, possess or disseminate personal information when they know it has been illegally obtained.

The proposal is broad. It would extend liability beyond the organisation that suffers the breach, and could capture any recipient of stolen data who knowingly engages with unlawfully obtained personal information. The intention is to deter hackers and malicious actors from posting illegally obtained personal information online. But any organisation that receives or handles data shared by third parties could face exposure under such an offence if it knowingly uses information obtained through unauthorised means.

Together, these two actions seem to signal a clear intent: the Government plans to use both stronger Privacy Act enforcement tools and new criminal offences to create meaningful financial and legal consequences for the mishandling or exploitation of personal information after a cyber incident.

Mandatory cyber security obligations for critical infrastructure

New Zealand’s critical infrastructure encompasses everything from the electricity grid and telecommunications networks to health services and financial systems. Improving cyber security of New Zealand’s critical infrastructure is a key initiative of the Cyber Security Strategy 2026–2030, and essential to both national security and economic stability.

The Government is consulting on measures to enhance the cyber security of New Zealand’s critical infrastructure. The proposed mandatory requirements would apply to "critical infrastructure", targeting the services that matter most to the economy and communities:

  • communications and data;

  • defence;

  • energy;

  • finance;

  • health;

  • transport; and

  • drinking water and wastewater.

To support entities that own critical infrastructure in fulfilling their risk management obligations, other entities with operational control over critical components would also be required to assist as far as practicable. The reach of the proposed obligations is therefore not limited to the critical infrastructure entity itself. It may flow down through supply chains to third-party service providers, including technology vendors and managed service providers.

The six proposed measures

The discussion document sets out six voluntary and mandatory measures that could be adopted independently or as a package. At a high level, these are:

  • Measure 1: Grant the responsible Minister the power to require a critical infrastructure entity to provide information to government, with failure to provide requested information being an offence.

  • Measure 2: Establish an information exchange to help connect entities across the critical infrastructure system with each other and with government to address cyber threats.

  • Measure 3: Allow the responsible Minister to require critical infrastructure entities to share information with each other.

  • Measure 4: Require mandatory reporting of cyber incidents, including an initial early warning not later than 24 hours after a significant incident is detected, and a full report no later than 72 hours after detection.

  • Measure 5: Require critical infrastructure entities to develop, implement and maintain a mandatory cyber risk management programme (discussed in more detail below).

  • Measure 6: Grant the responsible Minister the power to direct a critical infrastructure entity to do, or refrain from doing, anything necessary to manage a cyber threat for national security reasons.

Core consultation areas: What you need to know

Minimum cyber security requirements (Measure 5)

Of note, Measure 5 would require critical infrastructure entities to develop, maintain and implement a risk management programme that:

  • identifies components that are critical to the delivery of essential services;

  • identifies cyber risks that are material to those critical components as determined by a reasonable person in the same set of circumstances;

  • develops and implements actions to reduce cyber risks as far as reasonably practicable; and

  • complies with a cyber security framework that is endorsed by the NCSC or recognised internationally.

Director accountability

Directors of critical infrastructure entities (or equivalent) would be responsible for ensuring compliance with minimum requirements.

Compliance reporting

Regulations would be used to confirm reporting requirements, which would likely strengthen over time.

Compliance and enforcement

The proposed penalties for breaching minimum requirements are substantial. Negligently, recklessly or knowingly failing to meet minimum cyber security requirements is categorised as a critical breach, attracting a criminal penalty of up to $5 million or 2% of annual turnover (whichever is greater) for an entity, and up to $500,000 for a director.

What should you do now?

The discussion document is aimed primarily at owners and operators of critical infrastructure who would be directly affected by regulatory reform. But the Government also welcomes input from individuals, businesses and communities affected by the security of critical infrastructure.

The tiered definition of ‘critical infrastructure’ means that entities in the communications, energy, finance, health, transport, defence and water sectors (as well as key technology and managed service providers serving those sectors) should undertake a careful threshold analysis.

How we can help

Our Privacy and Cyber Security team can assist clients in understanding the impact of these proposals, including:

  • Assessing whether your organisation falls within the proposed critical infrastructure definition.

  • Reviewing your existing cyber security practices and risk management frameworks against the proposed minimum requirements.

  • Advising on director obligations and governance frameworks to ensure board-level accountability for cyber risk.

  • Advising on potential supply chain and third-party obligations under the proposed regime.

  • Considering the implications of a proposed civil penalty regime under the Privacy Act 2020 for your organisation.

  • Preparing and drafting submissions in response to the Government's consultation.

If you would like assistance in responding to the Government's proposed changes, or wish to discuss the implications for your organisation, please contact one of our privacy and cyber experts. Consultation closes 19 April 2026.


This article was authored by Thomas Anderson, a solicitor in our Corporate team.