Cyber Law in Asia

New Zealand

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The National Cyber Security Centre (NCSC), which is part of the Government Communications Security Bureau (GCSB).

Is oversight provided on a centralized or sectoral basis?

Sectoral. The agency head endorses and is accountable for information security within their agency.

See Section  3.1.1., New Zealand Information Security Manual (NZISM).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?


How do they designate within these sectors?


Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Generally no. New Zealand has a voluntary framework, with guidance such as the New Zealand Information Security Manual (NZISM). See NCSC Guidance (last visited Dec. 22, 2019).

However, the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) establishes certain obligations for telecommunications network operators.  For example, TICSA creates the obligation for network operators to notify the GCSB of proposals (proposed decisions, courses of action or changes) in regard to certain parts of their network.  Section 48, TICSA (2013).

Does it take a risk-based approach?


Do the security measures enable the use of international standards?

Yes. The NZISM is consistent with a wide variety of risk management, governance, assurance and technical standards, including the ISO/IEC 2700x series, as well as IETF, OASIS, NIST and other recognized standards bodies. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Yes. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).

Do they include prescriptive or technology-based security measures?


Incident Reporting

Are there mandatory incident reporting requirements?


Are there clear thresholds above which an incident should be reported?


How do they determine the timeline within which an incident must be reported?


Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The National Cyber Security Centre.

Does this entity share information out to industry, as well as receiving information?


Is threat information sharing mandatory for any private sector entity?

The Directors-General of the NZSIS and GCSB can only compel production of specified business records in accordance with a business records approval, granted by the Minister responsible for that agency and a Commissioner of Intelligence Warrants. An agency can only request specific information on a case-by-case basis by reference to an identified individual or thing (such as a phone number or IP address).

The regime does not permit ‘bulk’ data access. See Fact Sheet No. 13: The Intelligence and Security Act 2017: Information sharing, Department of Prime Minister and the Cabinet.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?



Are there requirements to cede control of facilities in an emergency situation?


Are there requirements to provide source code or other decryption capabilities?


Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?


Are there requirements to localize data?



Are there financial penalties outlined? If so, what for and what is the maximum penalty?


Are there criminal penalties outlined? If so, what for and what is the maximum penalty?


Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Intelligence and Security Act 2017, which sets out  the functions, powers and duties of the GCSB, went into effect on March 28, 2017.

The Telecommunications Interception Capability and Security Act (TICSA), which establishes obligations for New Zealand's telecommunications network operators in interception capability and network security, was enacted in 2013 and later updated  on November 12, 2018.

© 2023 by National Cyber Law Project Reference Site

uscc_3_color_CMYK_K100_R_Stacked transpa

Disclaimer: This material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School.  It is not legal advice.  Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions.  The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change so you should consult other resources to ensure continued accuracy.