The Department of Prime Minister and Cabinet (DPMC) has recently released the Cyber Security Action Plan 2026 – 2027 (Action Plan), signalling potential change ahead for New Zealand's approach to cyber security and data protection. As New Zealand law does not specifically address cyber security outside of the Privacy Act 2020 and industry-specific guidance, potential reform will be of particular interest to organisations holding data assets or managing critical infrastructure. This comes at a time when recent high-profile privacy breaches, such as the ManageMyHealth ransomware attack, have demonstrated the limitations of New Zealand's relatively high-trust approach to privacy and data protection regulation.
While privacy is firmly on the agenda for many New Zealand boards, the tools available to the Office of the Privacy Commissioner (OPC) remain relatively limited. The OPC can conduct inquiries (an inquiry is underway in relation to ManageMyHealth), issue fines for procedural non-compliance of up to $10,000, issue compliance notices, or refer matters to the Human Rights Review Tribunal. As the OPC has been saying for some time (and as we have written about previously), New Zealand's Privacy Act does not necessarily incentivise compliance and is falling behind international trends, particularly in Australia, the United Kingdom and the European Union, where significant penalties for privacy breaches apply.
What does the Cyber Security Action Plan say?
The Action Plan sets out key cyber security initiatives for the New Zealand Government over the next two years. While it does not set out all current or planned actions, the following initiatives stand out:
- Critical infrastructure: The DPMC is to develop options to improve the cyber security of critical infrastructure, including through regulatory proposals. New Zealand has a relatively light-touch approach to security and critical infrastructure when compared to some of our trading partners (such as Australia, the United Kingdom and the European Union). It will be worth watching how any such regulation develops, what it will require from critical infrastructure providers, and who is deemed to be a provider of critical infrastructure. Related to this, DPMC has issued a discussion document regarding New Zealand's cyber security and critical infrastructure, and consultation is open until 11.59pm on 19 April 2026. The discussion document proposes a tiered regime for critical infrastructure providers, who may include (for example) registered banks that have been identified as domestic systemically important banks by the Reserve Bank of New Zealand, data centre facility or data service providers, managed IT service providers, telecommunication providers, electricity generators, and networks that supply, collect or treat wastewater.
- Penalties: The Ministry of Justice (which is responsible for the Privacy Act) is tasked with providing advice on options to incentivise the protection of personal information from cyber threats, such as through a civil pecuniary penalty regime under the Privacy Act. This would represent a significant shift in the regulation of privacy in New Zealand, which currently only allows the OPC to issue fines of up to $10,000 for a small number of matters or to refer a matter to the Human Rights Review Tribunal.
- Illegally obtained information: The Ministry of Justice is to advise on a potential new offence targeted at people who view, possess, or disseminate personal information when they are aware it has been illegally obtained.
What should organisations holding data assets or managing critical infrastructure do?
Organisations with an interest in critical infrastructure should review DPMC's discussion document and consider making submissions before the 19 April deadline. We will keep a watching brief on developments in relation to the Action Plan and will provide updates as proposals progress.
Co-authored by Emily Newbury (Solicitor).