March 23, 2026

Your board is about to become personally liable for every cyber breach it ignored

The voluntary era is over

New Zealand is consulting on a mandatory cyber security regime for critical infrastructure that would, for the first time, make directors personally liable for failing to govern digital risk. The proposed framework targets an estimated 200 infrastructure entities across finance, telecommunications, energy, health, water, and transport, with penalties including fines of up to $500,000 per director and 2% of annual turnover for organisations.

This is not a tightening of existing rules. It is, as Simpson Grierson describes it, “a decisive move from guidelines to enforceable obligations with director-level accountability mechanisms.” The Cyber Security Strategy 2026-2030 introduces criminal offences for illegal personal information possession and updated national security powers. For company directors, cyber security just stopped being something you delegate to the CISO and forget about.

The starting position is embarrassing

New Zealand ranks 49th in the world on the 2025 National Cyber Security Index, sitting in the third tier for preparedness. Every other Five Eyes partner sits in the first tier. GCSB Director-General Andrew Clark told Parliament bluntly that “there are pockets, including in our critical infrastructure, where that cybersecurity is barely meeting that foundational level that we would expect.”

The NCSC’s Cyber Threat Report 2025 reveals the agency has been dealing with roughly one nationally significant incident per day. And the private sector picture is no better. The Kordia NZ Business Cyber Security Report found 44% of local businesses were hit by cyberattacks in the past 12 months, with 61% of those suffering serious business disruption and a third taking more than two months to recover.

New Zealand’s current cyber strategy dates from 2019, before generative AI existed. Australia overhauled its critical infrastructure protections across 11 sectors back in 2022, after the Optus hack exposed 10 million customers. BusinessDesk has reported that New Zealand’s strategy has been criticised as the least bold in the Five Eyes, with Patrick Sharp of Aura Information Security assessing the government could have pushed harder.

We are four years behind our closest ally and still consulting on definitions.

Boardrooms are not ready

The governance numbers are damning. Only 50% of boards receive independent assurance over cyber resilience at least once a year. Twenty-eight percent treat AI-related cyber risks as an operational IT matter with ad hoc reporting. Twenty-seven percent don’t see AI as an important risk area at all.

Existing director duties under the Companies Act 1993 already theoretically cover cyber risk. Clyde & Co’s analysis notes that obligations around care, diligence, and skill under section 137 apply, and claims can be brought by shareholders, liquidators, or regulators. But the case law is underdeveloped and sector-specific obligations are patchy. The FMA mandates cyber controls for financial market participants; the RBNZ offers high-level recommendations for banks. Beyond that, it has been largely voluntary.

Patrick Sharp of Aura Information Security frames the shift directly: “Boards must now treat cyber risk as a core business risk, not a technical issue.” Several landmark breaches, including the MediMap and Manage My Health incidents in early 2026, have materially shifted the threat landscape and political appetite for enforcement.

The supply chain trap nobody is talking about

The proposed regime’s reach extends well beyond the 200 entities directly captured. Third-party data storage, cloud computing, and managed service providers serving critical infrastructure entities may also be pulled inside the regulatory perimeter. The NCSC Threat Report identifies supply chain exploitation and hidden dependencies as a key attack vector.

This means a mid-sized IT services company providing cloud hosting to a power company, or a managed services provider supporting a hospital network, could find itself subject to obligations it never anticipated. The government says thresholds will prevent disproportionate capture of smaller firms, but the details remain unresolved.

Liability without capability is just paperwork

The uncomfortable question is whether attaching director liability to a system that can barely meet foundational standards actually improves security, or just creates a compliance industry. The GCSB’s own assessment is that parts of critical infrastructure are not meeting baseline expectations. The exclusion of airlines and insurance companies from the initial scope, two sectors with enormous digital risk profiles, looks more like political convenience than principled risk assessment.

None of that changes the practical reality for directors. If your company operates in or services critical infrastructure, the regime is coming, the penalties are real, and proving you governed cyber risk properly will be a personal obligation. The boards that treat this as another compliance exercise will be the ones writing cheques when something breaks.
