Questions are ordered by likely decision urgency for a New Zealand SME: who regulates, where to report, which frameworks apply, sector duties, mandatory reporting, ransomware, Australian reach, proposed reforms, then an incident contact map.
Who regulates cyber security in New Zealand, and is there a single Cyber Security Act?
No. New Zealand does not have one omnibus statute called a Cyber Security Act that sets every private-sector cyber duty. The landscape is a patchwork. The NCSC, which is part of the GCSB, is the lead operational cyber security agency and provides incident support, threat information and guidance. The Privacy Act 2020 is the main cross-cutting law where cyber events involve personal information, including mandatory notification of serious-harm privacy breaches. Additional duties can arise from sector legislation, licence conditions, regulator requirements, telecommunications law, contracts and overseas laws. Government standards such as NZISM and the PSR are important reference points, but they are not automatically binding on an ordinary private SME.
- all organisations — Start with the Privacy Act 2020 whenever personal information may be affected.
- regulated entities — Add sector-specific statutes, licence conditions and regulator notification rules.
- government standards — NZISM and PSR are government-focused and may become relevant through adoption, procurement or contract.
We identify and comply with cyber obligations arising under the Privacy Act 2020, sector-specific rules, contractual commitments and any overseas laws applying to our activities. We do not assume that one statute covers every cyber risk.
NCSC and the CERT NZ merger — where do I report a cyber incident now?
Use the NCSC's single reporting pathway at https://www.ncsc.govt.nz/report/. The public-facing integration of CERT NZ into the NCSC was completed on 23 July 2025. The CERT NZ brand, website and former phone number were retired, while Own Your Online remained the NCSC's guidance platform for individuals and small-to-medium businesses. The reporting page offers a simpler route for individuals and small businesses and a technical route for IT specialists, larger organisations and government. For incident contact by phone, the NCSC lists 0800 114 115. Reporting to the NCSC does not replace a separate duty to notify the Privacy Commissioner, Police, a sector regulator, an insurer, a customer or another contractual party.
- individuals and small business — Use the NCSC online-issue reporting option.
- IT specialists and larger organisations — Use the technical-incident reporting option.
- parallel notifications — Assess privacy, Police, regulator, insurance and contract reporting separately.
All suspected cyber incidents must be escalated internally immediately. The incident lead will report through https://www.ncsc.govt.nz/report/ where external support or threat sharing is appropriate, and will separately assess Privacy Commissioner, affected-person, Police, regulator, insurer, customer and contractual notifications.
Own Your Online, NZISM and the PSR — what are they and who do they actually apply to?
Own Your Online is the practical NCSC platform for individuals and businesses, with plain-language guidance, an assessment tool, incident-response planning and policy resources. NZISM is the New Zealand Government's information assurance and information-systems security manual. It is intended for government agencies and organisations; Crown entities, local government and private organisations are encouraged to use it. The NZISM FAQ says it is mandatory for prescribed government agencies and generally not mandatory for bodies such as Crown entities and local government. The Protective Security Requirements are also government-centred: Tier 2 contains mandatory requirements for government organisations. A private SME can voluntarily use either framework, and a customer, government procurement process, contract or regulated role may make specified controls commercially or contractually binding, but the frameworks do not automatically become private-sector law merely because they are good practice.
- Own Your Online — Practical baseline guidance for individuals and businesses.
- NZISM — Government information-security manual; private-sector use is encouraged rather than automatically mandated.
- PSR — Protective-security framework with mandatory requirements for government organisations.
We use Own Your Online as baseline SME guidance. NZISM and the Protective Security Requirements are reference frameworks unless a law, government contract, procurement requirement, regulated role or approved internal standard makes a particular control binding on us.
What sector rules touch cyber security in financial services, health and telecommunications?
Sector rules sit on top of the Privacy Act. For financial services, the RBNZ publishes cyber-resilience guidance for registered banks, non-bank deposit takers, licensed insurers and designated financial market infrastructures; registered banks, non-bank deposit takers and insurers must report material cyber incidents as soon as practicable and within 72 hours. The FMA's licence conditions and notification process require covered market-service licensees to maintain operationally resilient critical technology systems and report material incidents as soon as possible, no later than 72 hours after determining materiality. In health, the Health Information Privacy Code 2020 gives extra protection to identifiable health information and applies to health agencies. In telecommunications, TICSA applies to network operators and requires, among other things, registration and notification of certain proposed network changes or developments that may intersect with national security. TICSA is not a general cyber-breach reporting law for every business that uses telecommunications services.
- RBNZ-regulated — Cyber-resilience guidance and material incident reporting apply to specified regulated entities.
- FMA-licensed — Licence conditions and incident-notification duties depend on licence type.
- health agencies — The Health Information Privacy Code adds rules for identifiable health information.
- telecommunications network operators — TICSA imposes network-security and proposal-notification duties.
Before launch and at least annually, we map each regulated service to its regulator, licence conditions, cyber and operational-resilience requirements, incident thresholds and notification deadlines. Sector obligations supplement, and do not replace, Privacy Act duties.
Mandatory vs voluntary reporting in New Zealand — what am I actually required to report?
There is no single answer for every incident. For a typical private SME, reporting a cyber incident to the NCSC is generally a voluntary support and threat-sharing step unless another law, contract or regulated role makes a report compulsory. Privacy reporting is mandatory when a breach has caused, or is likely to cause, serious harm: notify the Privacy Commissioner and affected people as soon as practicable. The OPC recommends notifying it ideally within 72 hours after becoming aware of a notifiable breach, even while investigation continues; that 72-hour target is guidance, while the statutory wording is 'as soon as practicable'. RBNZ and FMA rules create separate 72-hour duties for specified regulated entities and material incidents. TICSA creates mandatory proposal notifications for network operators, not a universal duty to report every compromise. Contracts, cyber-insurance policies and customer terms can add shorter notice periods.
- Privacy Act mandatory — Serious-harm privacy breaches trigger notification to OPC and affected people.
- NCSC generally voluntary — Report promptly for support and threat intelligence unless a separate rule makes it compulsory.
- regulated or contracted — Licence, statute, insurance and contract terms may create additional deadlines.
For every incident, the incident lead will complete a notification assessment covering the NCSC, Privacy Commissioner and affected people, Police, sector regulators, insurers, customers and contractual parties. Mandatory notices will be made within the applicable legal timeframe; voluntary reports will be considered where they support response, disruption or harm reduction.
Ransomware payments — is there a New Zealand reporting duty?
As at 13 July 2026, no universal New Zealand law was identified that requires every business to report a ransomware or cyber-extortion payment merely because a payment was made. That is different from Australia, where section 27 of the Cyber Security Act 2024 requires a covered reporting business entity to report a ransomware or cyber-extortion payment within 72 hours. The Australian threshold includes an entity carrying on business in Australia with prior-year annual turnover of at least AUD 3 million, and responsible entities for certain critical-infrastructure assets. In New Zealand, the underlying incident may still trigger mandatory Privacy Act or sector reporting, and it should usually be reported promptly to the NCSC and Police. A payment decision should be escalated to senior leadership, legal counsel and the insurer because sanctions, anti-money-laundering, criminal, insurance, contractual and overseas-law issues may arise. Reporting a payment and deciding whether payment is lawful or prudent are separate questions.
- NZ-only business — No universal payment-reporting duty identified, but incident, privacy, Police and sector reporting may still apply.
- covered Australian business — Australia requires payment reporting within 72 hours for entities meeting its statutory tests.
- payment governance — Escalate legal, sanctions, insurance and operational considerations before any payment.
No ransom or cyber-extortion payment may be offered, promised or made without approval from the Chief Executive, incident lead and legal counsel, after checking sanctions, criminal, insurance, privacy, regulatory, cross-border and reporting implications. The incident will be reported to the NCSC and Police where appropriate.
Trading across the Tasman — how can a New Zealand business still trigger Australian obligations?
Being incorporated in New Zealand does not by itself keep an organisation outside Australian law. Section 5B of Australia's Privacy Act 1988 extends the Act to certain acts and practices outside Australia where an organisation or small-business operator has an Australian link; for a non-Australian entity, carrying on business in Australia is a key statutory test. If the Australian Privacy Act covers the entity, the Notifiable Data Breaches scheme can require notice to affected individuals and the OAIC where a data breach is likely to cause serious harm. The Australian ransomware-payment regime can also reach an entity carrying on business in Australia that meets the AUD 3 million turnover threshold, or a relevant critical-infrastructure responsible entity. Australian customers, an Australian domain or Australian data may be relevant evidence, but none is a complete standalone test for every Australian law. Assess the actual business presence, conduct, turnover, privacy coverage, sector status, critical-infrastructure role and contracts.
- carries on business in Australia — Assess the Australian-link test and any applicable Privacy Act exemptions.
- Australian NDB — Covered entities must notify likely-serious-harm eligible data breaches.
- Australian ransomware reporting — Separate thresholds apply to payment reporting under the Cyber Security Act 2024.
Before carrying on business in Australia or operating Australian-facing services, we will assess Australian Privacy Act, Notifiable Data Breaches, Cyber Security Act, SOCI, sector and contractual obligations. Australian customers or data alone are not treated as a complete legal test.
Where is New Zealand heading on critical infrastructure and cyber resilience?
The direction is toward stronger and more consistent cyber resilience for critical infrastructure, but the key 2026 measures are proposals, not an enacted SOCI-style regime. The Government's Cyber Security Strategy 2026–2030 identifies critical-infrastructure security as a priority. From 27 February to 19 April 2026, DPMC consulted on potential regulatory reform intended to improve shared understanding of threats and vulnerabilities, establish a minimum level of cyber-risk management and improve management of national-security cyber threats. DPMC says submissions will inform further analysis and advice to Cabinet. As at 13 July 2026, that consultation status should not be described as a binding new Act, mandatory incident-reporting regime or minimum-standard regime. Existing Privacy Act, sector, TICSA and contractual duties continue in the meantime.
- current law — Continue complying with existing privacy, sector, telecommunications and contractual duties.
- 2026 consultation — Potential critical-infrastructure regulatory reform remains under policy development.
- critical-infrastructure operators — Track Cabinet, legislative and regulator updates because future duties may be targeted by service or asset class.
The compliance owner will review New Zealand cyber and critical-infrastructure regulatory developments at least every six months and update this policy only when proposals are enacted, commenced, incorporated into a licence or contract, or otherwise become binding on us.
What is the practical 'who do I call / who do I report to' map for a New Zealand SME?
Start with containment and internal escalation: your IT or incident-response provider, senior incident lead, privacy officer, legal adviser and cyber insurer. Contact the bank immediately if payments, credentials or accounts may be compromised. Report the cyber incident to the NCSC at https://www.ncsc.govt.nz/report/ or 0800 114 115; the NCSC uses a 'no wrong door' approach and may refer a report to a better-placed partner with consent. Use the OPC's NotifyUs process if personal information is involved and serious harm has occurred or is likely. Call 111 if an emergency response is needed or someone is in danger; use Police 105 for non-emergency Fraud/Scam/Cyber reporting. Notify the relevant sector regulator if your entity or licence requires it, and use the TICSA process if you are a network operator with a qualifying proposed change. Netsafe is the specialist route for harmful digital communications and online-safety harm. These routes can run in parallel; one report does not automatically satisfy all others.
- all SMEs — Contain, preserve evidence, escalate internally, contact NCSC and assess privacy reporting.
- financial loss or crime — Contact the bank immediately and Police through 111 or 105 as circumstances require.
- regulated or insured — Notify the regulator and insurer within their required timeframes.
- parallel reporting — Record who was notified, when, why and under which threshold.
On discovering a cyber incident, we will: contain and preserve evidence; activate the incident lead, privacy officer, legal adviser, IT responder and insurer; contact the bank immediately for payment risk; report to the NCSC at https://www.ncsc.govt.nz/report/ or 0800 114 115; assess Privacy Commissioner and affected-person notification; contact Police on 111 for emergencies or 105 for non-emergency Fraud/Scam/Cyber matters; and notify any applicable regulator, customer or contractual party.
What's my next step?
Common misconceptions
- New Zealand has one omnibus Cyber Security Act governing every organisation. It does not; the current landscape is a patchwork of privacy, sector, telecommunications, contractual and other rules. INFERRED
- CERT NZ remains a separate public incident-reporting agency. Its public-facing integration into the NCSC was completed on 23 July 2025 and reporting was consolidated. VERIFIED
- Every cyber incident must be reported to the NCSC by every private SME. NCSC reporting is generally a voluntary support and threat-sharing route unless another rule makes reporting compulsory. INFERRED
- The OPC's 72-hour target is the exact statutory deadline. The Act says 'as soon as practicable'; OPC says ideally within 72 hours. VERIFIED
- NZISM automatically applies to every private company. It is intended for government agencies and organisations, while private-sector use is encouraged. VERIFIED
- PSR Tier 2 automatically binds every private SME. The mandatory requirements are stated for government organisations; private adoption or a contract may change the practical position. VERIFIED
- TICSA applies to every business that uses phones or the internet. Its Part 3 network-security duties apply to network operators as defined by the Act. VERIFIED
- All financial firms have the same 72-hour cyber-reporting rule. RBNZ and FMA obligations depend on entity type, licence and materiality. INFERRED
- New Zealand has Australia's mandatory 72-hour ransomware-payment reporting law. The Australian rule is not New Zealand law. INFERRED
- The 2026 New Zealand critical-infrastructure consultation is already binding law. DPMC describes potential regulatory reform and further advice to Cabinet. VERIFIED
- Having one Australian customer automatically triggers every Australian cyber law. Application depends on the particular statute's tests, including carrying on business, coverage, turnover and critical-infrastructure status. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 notifiable privacy breach | Office of the Privacy Commissioner | A privacy breach has caused, or is likely to cause, serious harm to an affected individual. | Notify the Commissioner and affected people as soon as practicable; OPC recommends notifying it ideally within 72 hours of awareness. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| General cyber incident report to NCSC | National Cyber Security Centre | A cyber incident or online-security issue where assistance, disruption, referral or threat sharing would help; no universal statutory trigger was identified for every private SME. | Report as early as practical; separate legal and contractual deadlines may apply. | |
| RBNZ material cyber incident report | Reserve Bank of New Zealand | A material cyber incident affecting a registered bank, non-bank deposit taker or licensed insurer covered by the RBNZ requirement. | As soon as practicable and within 72 hours. | |
| FMA material operational or technology incident report | Financial Markets Authority | A covered market-service licence holder determines that an event materially affects service supply or the operational resilience of critical technology systems. | As soon as possible and no later than 72 hours after determining the event is material. | |
| TICSA network-operator registration | New Zealand Police | An organisation becomes a network operator as defined by TICSA. | Register within three months after becoming a network operator. | |
| TICSA proposed network-change notification | NCSC Regulatory Unit on behalf of the Director-General of GCSB | A network operator proposes a qualifying network change or development that may intersect with national security. | Notify during the proposal process and before proceeding in a way that defeats the statutory assessment process; obtain case-specific guidance where timing is uncertain. | |
| Australian ransomware-payment report, cross-border only | Australian Government through the Australian Cyber Security Centre reporting portal | A covered entity carrying on business in Australia with prior-year turnover of at least AUD 3 million, or a relevant Part 2B critical-infrastructure responsible entity, makes or becomes aware of a ransomware or cyber-extortion payment made on its behalf. | Within 72 hours of making or becoming aware of the payment. |
Sources
- National Cyber Security Centre primary
- Report a cyber security issue primary
- NCSC and CERT NZ integration now complete primary
- Own Your Online for business primary
- Businesses facing greater online threats primary
- Privacy Act 2020 primary
- Sorting out privacy breaches primary
- NotifyUs of a serious privacy breach primary
- New Zealand Information Security Manual primary
- Protective Security Requirements framework primary
- Cyber resilience for regulated entities primary
- FMA standard condition and operational incident reporting process primary
- Health information legislation primary
- About TICSA primary
- TICSA Regulatory Strategy primary
- Critical Infrastructure primary
- New Zealand's Cyber Security Strategy 2026–2030 primary
- 105 Police Non-Emergency Online Reporting primary
- Netsafe reporting and support primary
- Privacy Act 1988, Australia, compilation dated 4 June 2026 primary
- About the Notifiable Data Breaches scheme primary
- Ransomware payment and cyber extortion payment reporting primary
- r/newzealand discussion of NCSC and CERT NZ forum
- r/newzealand discussion of cyber-breach reporting requirements forum
- Geekzone discussion of Bloom data breach forum
- Geekzone discussion of QNAP Deadbolt ransomware forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.