The end of siloed security: reading between the lines of NZ’s cyber security strategy

In February 2026, the Department of the Prime Minister and Cabinet released New Zealand’s Cyber Security Strategy 2026–2030. This national framework outlines how the Government understands cyber risk and sets its direction for the next five years.

The strategy focuses on setting direction rather than imposing immediate mandates. New Zealand does not yet have an equivalent to Australia’s Security of Critical Infrastructure (SOCI) Act, and the Government has stopped short of introducing new legislation at this stage. Instead, the emphasis is on building capability, improving coordination, and consulting on potential future frameworks, with the public discussion document on enhancing the cyber security of critical infrastructure open until 19 April 2026.

It positions cyber security as a matter of national security, economic resilience, and continuity of essential services, requiring coordinated action across government, industry, and the wider community. The strategy consistently highlights critical infrastructure, operational disruption, and system-wide resilience, reflecting how closely digital systems and real-world operations are now linked.

For organisations across New Zealand, particularly those managing critical infrastructure and essential services, the practical implications start here. 

What the strategy is designed to do 

At its core, the strategy provides a framework for collective action. It does not prescribe specific technologies or architectures, but instead: 

• Defines the threat landscape facing New Zealand 
• Sets national priorities for cyber security  
• Establishes a coordinated approach across sectors  
• Signals areas where further policy, investment, and regulation may follow  

This reflects a broader shift. Cyber risk is no longer viewed primarily as an IT issue, but as a system-level risk affecting infrastructure, services, and economic activity.

For operators of energy assets such as fuel terminals, pipelines, electrical grids, and geothermal systems, transport hubs including air and sea ports and rail, as well as water, gas, and building management infrastructure, this highlights a broader risk environment that extends well beyond traditional IT. These environments depend on tightly connected physical and digital systems, where disruption in one domain can quickly impact operations and, in some cases, wider economic activity. 

From cyber incidents to real-world disruption 

The strategy makes clear that cyber incidents are increasingly causing operational disruption, including impacts on essential services. Examples such as the Waikato DHB ransomware attack illustrate how quickly a digital event can affect service delivery and day-to-day operations. 

The implication is straightforward: 

Cyber incidents now carry direct consequences for real-world activities, not just data or digital systems. 

The strategy also draws attention to growing interdependence, between physical and digital systems, between threats targeting operational environments rather than just IT, and between resilience and coordination across multiple stakeholders. 

What actions the government will take 

Supporting the strategy is a rolling Action Plan (starting with 2026–2027), which includes practical steps such as: 

• Developing and consulting on frameworks to improve the security and resilience of critical infrastructure
• Enhancing threat intelligence sharing between government and industry
• Supporting better preparedness, incident response, and risk management across sectors
• Strengthening coordination during incidents and recovery capabilities
• Deepening international partnerships, particularly in the Indo-Pacific  

Geopolitically, the strategy notes rising state-sponsored activity, espionage, interference, and the potential for strategic disruption of systems and services. This reinforces that cyber threats increasingly blend criminal and state-based risks. 

Nextro’s perspective: Integrated network, cyber, physical, and electronic security solutions 

At Nextro, we see the strategy as reinforcing a clear shift in expectations for organisations responsible for critical infrastructure, operations, and essential services. While it stops short of new legislation, it signals growing emphasis on critical infrastructure resilience, improved threat visibility, and coordinated response. 

This includes managing risk not just across IT systems, but across the operational technologies (OT), networks, and physical environments that underpin day-to-day operations. 

The direction points toward viewing security as an ongoing operational capability, one shaped by how effectively organisations understand interdependencies, reduce gaps between controls, and maintain continuity when disruption occurs. 

Practical implications for critical infrastructure operators include: 

• Greater focus on resilience and recovery, not just prevention
• Improved visibility across operational and digital environments
• Stronger attention to dependencies across systems, assets, and suppliers
• Aligning security more closely with business and operational risk

At Nextro, we design, implement, and manage integrated network, cyber, physical, and electronic security solutions precisely for these challenges. Our approach helps bridge traditional silos, delivering unified visibility, segmentation, and resilience a cross IT, OT, physical sites, and electronic systems such as access control, surveillance, and building management. 

Contact Nextro today to discuss the strategy and how Nextro can assist your business to enhance its cyber, physical and electronic security posture in a fast-changing geostrategic threat environment.