Zscaler Blog


What New Zealand’s New Cyber Security Strategy Means for Organisations

The New Zealand Government recently released its Cyber Security Strategy 2026-2030, a refreshingly concise document at just 15 pages, accompanied by a one-page action plan for 2026-27.

For organisations operating in New Zealand - particularly those delivering essential services - the strategy offers valuable insights into future policy, regulatory expectations, and cybersecurity best practices.

A Clear Focus on Critical Infrastructure Protection

One of the most significant signals in the strategy is the government’s intention to develop a regulatory regime to strengthen the protection of critical infrastructure. New Zealand appears to be closely observing international approaches, including Australia’s Security of Critical Infrastructure Act 2018 and its subsequent amendments. As part of the action plan, the Government, led by the Department of Prime Minister and Cabinet, has committed to developing any regulations through public consultation. This is already moving beyond strategy into action, with a public consultation underway on the proposed regulatory framework.

This marks a shift from New Zealand’s traditionally light-touch approach toward a more structured model, with the potential for clearer requirements on how critical infrastructure operators manage cyber risk.

For organisations across sectors such as telecommunications, finance, energy, and transport - and their technology partners - the direction is clear: cyber resilience is becoming an operational and regulatory expectation.

Preparing for this shift means organisations must strengthen visibility, access control, and risk management across cloud-first and distributed environments, which are increasingly central to how critical services are delivered.

Strengthening Public–Private Cyber Collaboration

The strategy strengthens the role of New Zealand’s National Cyber Security Centre (NCSC) in coordinating with industry. A key element of this is enabling the NCSC to share more information with industry partners to improve prevention, detection, and response to malicious cyber activity. In addition, the NCSC will establish a single national reporting channel for cyber incidents, making it easier for organisations and individuals to report cyber events and receive support.

For organisations, this represents an opportunity to engage more closely with national cyber authorities, participate in information sharing, and strengthen collective defences across sectors.

Raising the Security Bar Across Government

The strategy places a strong emphasis on secure digital government, calling for higher and more consistent security standards in government digital procurement and system design, while strengthening the mandate of the Government Chief Digital Officer to ensure digital services are secure and resilient. This reinforces an important principle: security must be built into digital systems from the outset, not added later.

Importantly, the strategy commits the government to managing the use of high-risk vendors, services, and products across the public sector to reduce risks to government-held data. As cloud services and generative AI tools become more widely used, this will become increasingly critical. Many AI applications are accessed directly via the internet, often outside traditional IT oversight, creating risks around unauthorised data sharing.

Addressing these risks requires clear visibility into how applications, cloud services, and AI tools are being used across government environments, enabling organisations to identify unsanctioned services and protect sensitive data.

Expanding Cyber Capabilities for National Security

Finally, the strategy proposes updating legislative powers to enable New Zealand’s security agencies to use cyber capabilities and tools to advance national security interests. This reflects the growing role cyber operations play in protecting national interests and responding to evolving threats.

Preparing for the Next Phase of Cyber Resilience

Taken together, the strategy and its action plan signal a clear direction of travel: stronger national coordination, deeper public-private collaboration, and increasing expectations for cyber resilience across critical sectors.

At the same time, organisations are navigating a rapidly changing technology environment. Supercharged AI adoption, the continued move to the cloud, distributed workforces, and increasingly sophisticated threats are challenging traditional network-centric security models.

How Zscaler Can Help

Zscaler’s cloud-native security platform helps organisations modernise their security architecture for this new environment and new regulatory requirements. By securely connecting users, devices, and applications without exposing networks to the internet, organisations can improve visibility, strengthen access controls, and reduce risk across distributed environments.

As New Zealand implements its Cyber Security Strategy, Zscaler looks forward to working with organisations across government and critical industries to support the secure delivery of digital services and strengthen national cyber resilience.

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
