Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
A Guide to New Zealand’s Cybersecurity Standards
Last updated
December 2, 2025
{x} minute read

A Guide to New Zealand’s Cybersecurity Standards

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Leah Sadoian
Content Writer
Leah is an experienced cybersecurity writer. Her work is read by leaders in security, tech, education, healthcare, and government.
Reviewed by
Cindy Ruan
Lead GRC specialist
Cindy combines degrees in Computer Science and Law with expertise in GRC, and she has presented her insights at the Australian Cyber Conference.
Table of contents

In an age of increasingly complex cyber threats, New Zealand has implemented robust cybersecurity standards to secure the online environment for individuals, businesses, and government entities. New Zealand's cybersecurity approach is unique and effective, from the overarching strategies laid out by national cybersecurity policies to specific regulatory requirements that impact sectors like healthcare and finance.

This blog provides a comprehensive overview of New Zealand’s cybersecurity standards, including which specific sectors different regulations apply to and whether compliance is mandatory for New Zealand businesses. Whether you're aiming to adhere to national standards or simply interested in enhancing your cybersecurity knowledge, this article offers valuable insights into the protections and protocols that New Zealand implements to uphold cybersecurity integrity and resilience.

The New Zealand Cyber Security Strategy

The New Zealand Cyber Security Strategy is a baseline national framework designed to enhance the country's cybersecurity, ensure safe and secure cyberspace, and protect against cyber threats. The strategy outlines New Zealand's approach to cybersecurity, emphasizing resilience, responsiveness, and proactive measures.

Key components of the New Zealand Cyber Security Strategy include:

  • Cyber resilience: Enhancing the security and robustness of New Zealand’s cyber infrastructure across all sectors to ensure critical services remain operational and resilient against cyber incidents
  • Cyber capability: Focusing on developing a skilled cybersecurity workforce through education, training, and R&D, ensuring professionals are equipped to protect networks and respond to threats effectively
  • Addressing cybercrime: Enhancing legal frameworks and collaborating with law enforcement and international partners to combat cybercrime, aiming for a safer cyberspace for both individuals and businesses
  • International cooperation: Strengthening global partnerships to share intelligence and best practices and collaborate on international cybersecurity initiatives to bolster defenses and address global cyber threats
  • Partnerships and collaboration: Promoting collaboration across government, private sector, and academia to share information, manage risks, and coordinate responses to strengthen cybersecurity
  • Public awareness and participation: Increasing public and business awareness of cybersecurity through educational campaigns, emphasizing the importance of online protection and cybersecurity awareness in everyday life

The New Zealand Cyber Security Strategy represents a holistic approach to managing cyber risks and promoting a secure, resilient, and trusted cyber environment. It acknowledges the complex and evolving nature of cyber threats and emphasizes a coordinated national response to secure New Zealand’s digital future.

Which industries does the New Zealand Cyber Security Strategy apply to?

The New Zealand Cyber Security Strategy applies broadly across all sectors of the economy and society, including (but not limited to):

  • Government
  • Critical infrastructure
  • Healthcare
  • Education
  • Financial services
  • Retail and e-commerce
  • Small and medium enterprises (SMEs)

Is the New Zealand Cyber Security Strategy mandatory for New Zealand businesses?

The New Zealand Cyber Security Strategy is not mandatory for businesses. It is a framework to guide and enhance national cybersecurity without imposing specific legal requirements. The strategy aims to create a collaborative environment for government, businesses, and individuals to adopt stronger information systems, supporting New Zealand's economic growth and protecting national interests.

How UpGuard can help you comply with the New Zealand Cyber Security strategy

Organizations can streamline the implementation of the New Zealand Cyber Security Strategy by utilizing an attack surface management tool, like UpGuard Breach Risk.

UpGuard Breach Risk allows organizations to manage their external attack surface with confidence. By understanding the risks impacting their external security posture, organizations can know their assets are always monitored and protected.

The Privacy Act 2020

The Privacy Act 2020 in New Zealand is a key legislation designed to protect personal information handled by businesses and organizations. The Act updated and replaced the Privacy Act of 1993, reflecting changes in technology and the importance of privacy in the digital age.

The main components of the Privacy Act 2020 include:

  • Privacy principles: Establishes twelve privacy principles to safeguard the collection, use, storage, and disclosure of personal information, ensuring quality, security, and access rights
  • Mandatory breach notification: Requires organizations to notify the Privacy Commissioner and affected individuals of breaches that risk harm, enhancing transparency and damage mitigation
  • Compliance notices: The Privacy Commissioner can issue notices to enforce compliance, rectifying violations of the Act
  • Access directions: Empowers the Privacy Commissioner to direct organizations to provide or correct an individual's data, ensuring meaningful access
  • Cross-border data flow protections: Sets restrictions on transferring personal information abroad, requiring protections akin to New Zealand’s standards unless consented otherwise by the individual
  • New criminal offenses: Introduces offenses for misleading actions to access personal information and destroying requested personal data.
  • Strengthened oversight powers: Enhances the Privacy Commissioner’s authority to investigate and decide on information access complaints.

The Privacy Act 2020 significantly impacts how organizations manage personal information, emphasizing accountability, transparency, and the importance of protecting individuals' privacy rights in a rapidly evolving digital landscape.

Which industries does the Privacy Act 2020 apply to?

The Privacy Act 2020 applies universally across all sectors and industries in New Zealand that handle personal information. Any private or public sector entity that collects, uses, or discloses personal information must comply with the Privacy Act 2020, including:

  • Healthcare
  • Education
  • Financial services
  • Retail and e-commerce
  • Telecommunications
  • Real estate
  • Government agencies
  • Non-profit organizations

Is the Privacy Act 2020 mandatory for New Zealand businesses?

New Zealand businesses and organizations must comply with the Privacy Act 2020 when handling personal information. Organizations must follow privacy principles for collecting, using, storing, and disclosing personal information and report breaches. Non-compliance can result in fines and damage to reputation.

How UpGuard can help you comply with the Privacy Act 2020

UpGuard’s Data Leak Detection protects your organization’s brand, intellectual property, and customer data by detecting data leaks in a timely manner to avoid costly data breaches. UpGuard combines world-class expertise with our proprietary data leak detection engine to detect exposed, sensitive data.

The Health Information Security Framework

The Health Information Security Framework (HISF) in New Zealand is a set of standards and guidelines designed to ensure the secure handling of health information across the health and disability sector. The framework provides a structured approach to managing security risks associated with personal health information, which is particularly sensitive and requires stringent protections.

The main components of the HISF include:

  • Governance: Stresses the need for clear governance structures within healthcare organizations to set roles and responsibilities while ensuring accountability in managing health information security
  • Information risk management: Requires healthcare organizations to regularly perform risk assessments to identify and mitigate risks to health information, protecting information assets
  • Information security controls: Involves the implementation of physical, technical, and administrative controls, such as access controls and data encryption, to protect health information based on best practices
  • Incident management and response: Details procedures for managing and responding to security incidents, including detection, reporting, investigation, containment, and recovery, with a focus on learning to prevent future issues
  • Business continuity and disaster recovery: Mandates that healthcare organizations develop plans to maintain critical health information and services during and after disruptions, identifying and preparing for threats to information security
  • Compliance and assurance: Requires adherence to legal, regulatory, and contractual standards in health information security, with regular audits to ensure compliance and measure the effectiveness of security measures
  • Training and awareness: Ensures all healthcare staff and stakeholders are trained and aware of their roles in maintaining information security, promoting regular training, and a culture of security

The Health Information Security Framework is designed to be flexible and scalable, accommodating the diverse needs and capabilities of different organizations within New Zealand’s health and disability sector.

Which industries does the Health Information Security Framework apply to?

The Health Information Security Framework (HISF) specifically applies to industries within New Zealand's health and disability sector, focusing on organizations that handle sensitive health information and thus need robust security measures to protect this data. Organizations under the Health Information Security Framework include:

  • Public hospitals
  • Private healthcare providers
  • Primary care providers
  • Aged care facilities
  • Pharmacies
  • Mental health services
  • Health insurers

Is the Health Information Security Framework mandatory for New Zealand businesses?

The Health Information Security Framework (HISF) is not legally mandatory for all New Zealand businesses, but it is highly recommended for organizations in the health and disability sector. Compliance may be required for organizations in the public health system or those contracting with government bodies. While not legally mandated, implementing HISF is crucial for meeting regulatory requirements and maintaining public trust in health information management.

How UpGuard can help you comply with the Health Information Security Framework

Risk assessments are a critical part of the Health Information Security Framework, and UpGuard simplifies the process of completing assessments for your organization and your vendors.

UpGuard’s fast and accurate risk assessments easily replace length, error-prone, spreadsheet-based manual assessments and reduce the time it takes to assess a new or existing vendor by more than half.

The Protective Security Requirements (PSR)

The Protective Security Requirements (PSR) framework in New Zealand provides comprehensive guidelines and best practices for managing security across government agencies. The PSR ensures these agencies protect their people, information, and assets from security threats.

The Government Protective Security administers the framework and includes the New Zealand Information Security Manual (NZISM), which explains processes and controls for protecting New Zealand Government information and systems. The PSR is designed to help agencies apply a consistent approach to security risk management and includes:

  • Security governance: Enforces strong leadership and clear security management roles within agencies, integrating security into governance and policy development
  • Information security: Protects sensitive and classified information through secure handling, storage, disposal, and measures to prevent unauthorized access
  • Personnel security: Requires security vetting and continuous management of personnel to ensure reliability and security awareness, including conflict of interest checks
  • Physical security: Requires protections for physical assets and premises with secure access controls and building protection, also covering assets outside official premises
  • Security risk management: Demands a systematic approach to identifying, assessing, and mitigating security risks, with ongoing monitoring and review
  • Business continuity and emergency management: Mandates the creation and maintenance of business continuity plans to ensure operational resilience and quick recovery from disruptions
  • Outsourcing and contracting: Sets guidelines for managing security risks in outsourcing and contracting, ensuring external partners across the supply chain meet agency security standards
  • Security culture: Promotes a proactive security culture through regular training and awareness, engaging all staff in best security practices.

Which industries does the PSR apply to?

The Protective Security Requirements (PSR) framework applies specifically to New Zealand government agencies. It also pertains to contractors and private sector businesses that work directly with government agencies, particularly when handling government information or participating in projects that require specific security standards. Examples of these organizations include:

  • Central government departments and ministries
  • Local government organizations
  • Public service agencies
  • Certain government-controlled entities

Is the PSR mandatory for New Zealand businesses?

The PSR is not mandatory for most New Zealand businesses unless they operate within or in partnership with government agencies. However, compliance with the PSR is required for government agencies and private sector companies that are contractors or service providers to government agencies, as adherence to PSR guidelines may be mandated through contract requirements. Therefore, the PSR influences security practices in the private sector through contractual obligations with the government.

How UpGuard can help you comply with the PSR

The PSR emphasizes managing security risks across contracted vendors and service providers, ensuring that external partners prioritise security standards. UpGuard Vendor Risk is a third-party risk management tool that delivers instant vendor insights, 360-degree assessments, and time-saving workflows in a centralized place.

Vendor Risk also includes vendor tiering, which allows you to classify your vendors based on the inherent risk they pose to your organization and adjust the level of assessment you do on each vendor as a result.

Government agencies enhancing cybersecurity in New Zealand

Alongside the cybersecurity regulations and frameworks outlined above, New Zealand has established several key government agencies to strengthen its cybersecurity framework and protect national digital infrastructure.

Two major agencies include the National Cyber Security Centre (NCSC) and the Computer Emergency Response Team New Zealand (CERT NZ). These agencies are crucial in maintaining New Zealand’s cyber resilience and security.

The National Cyber Security Centre (NCSC)

The National Cyber Security Centre (NCSC) of New Zealand, a specialized unit within the Government Communications Security Bureau (GCSB), is pivotal in protecting the nation's critical infrastructure and national security from cyber threats. The NCSC's primary functions include threat identification and mitigation, offering intelligence and advice tailored to New Zealand’s specific security needs, and incident response coordination with various entities and cybersecurity organizations.

The NCSC further supports national cybersecurity resilience by advising on best practices, developing relevant security standards and framework templates, and facilitating information sharing across government agencies and international partners. It also enhances the country's cybersecurity capabilities through ongoing training, research and development, and workforce development efforts, all aimed at fortifying New Zealand against significant cyber threats and ensuring the robustness of its critical infrastructure.

The Computer Emergency Response Team New Zealand (CERT NZ)

The Computer Emergency Response Team New Zealand (CERT NZ) is a key agency under the Ministry of Business, Innovation, and Employment tasked with enhancing cybersecurity across New Zealand. As a central point for businesses, organizations, and individuals, CERT NZ facilitates the reporting and response to cyber attacks and gathers critical data on the types and frequencies of cyber threats nationwide.

CERT NZ's operations encompass providing tailored advice and support to address cybersecurity issues and raising awareness through alerts and advisories about emerging threats. The agency collaborates nationally and internationally to coordinate responses to cybersecurity incidents while offering tools like best practice guides and checklists to strengthen cybersecurity resilience. Through various outreach and educational initiatives, CERT NZ actively promotes better cybersecurity practices among the general public and businesses, bolstering the nation's cybersecurity framework.

Prioritize your organization’s cybersecurity with UpGuard

One of the best ways to stay ahead of cybersecurity risk in your organization is to utilize a comprehensive cybersecurity management tool. UpGuard offers attack surface management and third-party risk management programs, providing your organization with robust monitoring, compliance management, mitigation workflows, and more.

UpGuard Breach Risk illuminates your organization’s external attack surface, allowing you to discover and remediate risks ten times faster with continuous monitoring capabilities. Additional features include:

  • Real-time scanning: Don’t accept an incomplete or lagging picture of your attack surface. Protect yours with real-time scans of your domains, IP, and external assets.
  • Instant alerts: Be alerted the moment a vulnerability is detected. Receive notifications where your team works, whether Jira, Service Now, or another platform like Slack.
  • Detect stolen credentials: Know when your data or credentials are circulating online. UpGuard combines proprietary sources and dark web scanning to spot leaked data faster.

UpGuard Vendor Risk provides complete visibility of your third-party risk, helping you identify vendor risks sooner and complete risk assessments twice as fast. Additional Vendor Risk features include:

  • Constant vendor monitoring: Get alerted whenever the security posture of a third or fourth party changes. Continuous monitoring ensures you’re always the first to know.
  • 360° risk assessments: See your vendor risks from all angles. Automated scanning, evidence analysis, and insights from industry questionnaires (NIST, GDPR, ISO 27001) give you the complete picture.
  • End-to-end workflows: Forget spreadsheets and stale data. Transform your processes with a single platform for identifying, managing, and remediating risks.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts