New Zealand: National Cyber Security Centre closes consultation on Minimum Cyber Security Standards

On 4 July 2025, the National Cyber Security Centre closes its consultation on the Minimum Cyber Security Standards. The consultation, conducted in collaboration with the Public Service Commission (PSR), seeks feedback from mandated agencies and industry partners regarding the proposed standards. These standards establish minimum cybersecurity practices, require agencies to meet Capability Maturity Model level two (CMM2) for business-critical and external-facing systems, and were published on the National Cyber Security Centre (NCSC) website to support the consultation. They apply to all business-critical and externally facing systems and are designed to assist organisations in identifying, planning, and responding to security risks. CMM2 indicates that security capability is well formed in designated business units. It requires that there are security policies, capabilities, control, and practices in place and that these four are repeatable. The final standards are scheduled for publication in October 2025, with agencies expected to report on their implementation by April 2026.