Critical infrastructure connects our citizens, underpins our prosperity and sustains our everyday lives. It is vital to our economy and the health of our communities that this infrastructure continues to function, even when under stress. In today’s hyper connected world, the cyber threats to critical infrastructure have never been more acute or complex.
New Zealand’s critical infrastructure system encompasses everything from the electricity grid and telecommunications networks to health services and financial systems.
In February 2026, the New Zealand Government published our new New Zealand Cyber Security Strategy 2026 – 2030 – a blueprint for collective action against the cyber threats impacting all levels of New Zealand’s economy and society.
Improving the cyber security of New Zealand’s critical infrastructure is a key initiative of the new strategy, and essential to our national security and economic stability.
Enhancing the cyber security of critical infrastructure
From February to April 2026, the Government consulted on measures to enhance the cyber security of New Zealand’s critical infrastructure system.
Feedback was primarily sought from industry - owners and operators of New Zealand’s critical infrastructure who would be directly affected by potential regulatory reform. Input was also received from individuals, businesses and communities who are directly affected by the security and resilience of our critical infrastructure.
Submissions will be shared in due course and will be used to inform further analysis and advice to Cabinet.
Consultation has now closed. The consultation period ran from 27 February to 11.59pm on 19 April 2026.
Access the discussion document and supporting documents below:
You can also contact [email protected]
The discussion document asked for feedback on two key questions:
- What are the essential infrastructure services most critical to our economy and communities that they should be safeguard against harm?
- What should the depth of the cyber defences of these infrastructure services be?
Measures are designed to deliver three outcomes:- an improved understanding of threats and vulnerabilities by critical infrastructure entities and government
- a minimum level of cyber risk management by all critical infrastructure entities
- effective management of cyber threats impacting national security by critical infrastructure entities
Consultation meetings were held in March 2026 with infrastructure asset owners and operators:
- Wellington: 19 March, 7:30-9am
- Online: 20 March, 12-1:30pm
- Auckland: 23 March, 7:30-9am
- Hamilton: 24 March, 12-1:30pm
- Christchurch: 25 March, 7:30-9am
- Queenstown: 26 March, 12-1:30pm
- Dunedin: 27 March, 12-1:30pm
- Online: 30 March, 12-1:30pm
Submissions will be made public and are official information
- Submissions you make become official information, and the content of submissions can be asked for under the Official Information Act 1982 (OIA). Under the OIA, we must make information available unless there is good reason for withholding it.
- Additionally, we intend to publish all submissions in PDF format on the DPMC website.
- If you think there are grounds to withhold specific information from publication (for example, that it discloses commercially sensitive or personal information), please make this clear in your submission or contact us.
Measures have been informed by feedback to-date
In December 2024, the Government took the decision to focus this work programme exclusively on cyber security, rather than all hazards and threats, which was the initial scope of the programme and consulted on by DPMC in 2023.
The measures in the discussion document leverage feedback received in 2023, reflecting that the majority of submitters agreed that:
- there is a case for change as existing regulatory settings and market forces are not sufficient to drive the level of investment in critical infrastructure security required, or to manage the systemic risks generated by interdependencies within and between critical infrastructure entities, and
- partnership between industry and government is key to developing a formal approach to critical infrastructure security, including developing and implementing the type of regime set out in this document.