NZ Cyber Security Strategy Smart Home: New Rules for Connected Device Owners

New Zealand’s Cyber Security Strategy 2026-2030 marks a significant shift in how the government approaches the security of internet-connected devices in homes and businesses. For the first time, the strategy includes provisions for mandatory security standards for consumer IoT devices — the smart cameras, alarm systems, locks, and sensors that millions of Kiwis rely on for home security. The NZ cyber security strategy’s smart home implications are far-reaching, and understanding what is proposed, what is already in effect, and what homeowners should do now prepares you for a more regulated connected device landscape.

The strategy recognises a fundamental reality: as New Zealand homes become increasingly connected, the cyber security of those connected devices is no longer just a personal concern — it is a matter of national infrastructure resilience. Compromised smart home devices have been weaponised in large-scale cyberattacks, used for surveillance and stalking, and exploited to bypass physical security systems. The government’s response aims to raise the baseline security of all connected devices sold in New Zealand.

What the Strategy Proposes for IoT Devices

The cyber security strategy outlines several key initiatives that directly affect smart home device manufacturers, retailers, and consumers. While some provisions are already being implemented, others are in consultation phases with implementation timelines extending through 2028.

The most significant proposal is the introduction of mandatory minimum security standards for consumer IoT devices sold in New Zealand. Drawing on frameworks developed by the UK’s Product Security and Telecommunications Infrastructure Act and the EU’s Cyber Resilience Act, the proposed NZ standards would require all connected devices to meet baseline security requirements before they can be legally sold in the country.

These baseline requirements are expected to include a ban on universal default passwords — every device must ship with a unique password or require the user to set one during initial setup. Manufacturers must provide a clear vulnerability disclosure policy, giving security researchers a channel to report flaws. And devices must include a mechanism for security updates, with manufacturers required to state a minimum support period during which updates will be provided.

• No default passwords — Devices must ship with unique credentials or require user-set passwords at setup
• Vulnerability disclosure — Manufacturers must publish a policy for receiving and addressing security reports
• Update mechanism — Devices must be capable of receiving security updates
• Minimum support period — Manufacturers must declare how long they will provide security updates
• Secure storage — Sensitive data such as credentials must be stored securely on the device
• Encrypted communications — Data transmitted by the device must use encryption

Why This Matters for Smart Home Security

For New Zealand homeowners with smart security devices, the strategy’s IoT provisions address many of the vulnerabilities that make connected devices attractive targets for hackers. The ban on default passwords alone would have prevented some of the largest IoT botnets in history, including variants of Mirai that compromised hundreds of thousands of devices using factory credentials.

The requirement for manufacturers to declare a minimum support period is equally significant. Currently, many budget smart home devices receive firmware updates for a year or two after release, then are quietly abandoned by the manufacturer. Consumers continue using these unsupported devices for years, accumulating unpatched vulnerabilities that hackers actively exploit. Under the proposed standards, consumers will know at the point of purchase exactly how long the device will be supported, enabling informed purchasing decisions.

For the smart home security industry specifically, the standards create a more level playing field. Reputable manufacturers who already invest in security practices will no longer compete against budget imports that cut corners on security to achieve lower price points. This should gradually improve the overall security posture of the devices available in the NZ market.

The strategy’s fundamental message to consumers is clear: connected devices are part of your home’s security, and they deserve the same thoughtful consideration you give to physical locks and alarm systems. Cheap is not a bargain if it comes with built-in vulnerabilities.

The International Context

New Zealand’s approach to IoT security regulation does not exist in isolation. It is part of a global trend toward mandatory connected device security standards that reflects the growing recognition that voluntary industry self-regulation has not adequately protected consumers.

The United Kingdom’s Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force in 2024, was among the first laws to mandate basic security requirements for consumer IoT devices. The Act bans universal default passwords, requires manufacturers to provide security update information, and mandates a vulnerability disclosure policy. The EU’s Cyber Resilience Act, taking effect progressively through 2027, goes further with comprehensive requirements covering the entire lifecycle of connected products.

New Zealand’s proposed standards align closely with these international frameworks, which is strategically important for a small market. By adopting standards compatible with those of larger trading partners, NZ ensures that manufacturers producing compliant devices for the UK and EU markets can readily supply compliant products to New Zealand, avoiding the creation of a separate, more expensive compliance regime.

For NZ consumers, this alignment means that devices meeting UK or EU IoT security standards will likely meet NZ requirements as well. When shopping for smart home security devices, looking for UK PSTI compliance or EU Cyber Resilience Act compliance provides a useful indicator of security quality, even before NZ-specific requirements are formally enacted.

What Homeowners Should Do Now

While the strategy’s regulatory provisions work through the legislative process, homeowners can take immediate steps to align their smart home security with the direction of travel. These actions improve your security today and position you well for any future compliance requirements.

Audit your current connected devices. Make a list of every smart device in your home — cameras, alarm panels, smart locks, sensors, smart speakers, and any other internet-connected equipment. For each device, note the manufacturer, model, and when you last updated its firmware. Identify any devices that are no longer receiving manufacturer updates — these are your highest-risk items.

Replace unsupported devices. Any smart security device that no longer receives firmware updates from its manufacturer is a permanent vulnerability in your home network. Prioritise replacing these devices with current models from manufacturers who commit to multi-year support periods. While this involves upfront cost, the security improvement is immediate and significant.

• Device audit — List all connected devices with manufacturer, model, and last update date
• Update everything — Apply all available firmware updates to every device
• Replace unsupported devices — Remove devices that no longer receive security updates
• Check credentials — Ensure every device has a unique, strong password
• Review network security — Segment IoT devices onto a separate network where possible
• Choose reputable brands — For new purchases, prioritise manufacturers with clear security policies

Impact on the NZ Security Industry

The strategy’s IoT provisions will have notable effects on the New Zealand security industry. Installers and integrators will need to ensure that the devices they specify and install meet the mandatory standards once enacted. This may affect product sourcing, particularly for businesses that currently import devices directly from overseas manufacturers who may not comply with NZ requirements.

For consumers, the practical impact should be positive. Working with established security providers like The Security Company, which offers professional security solutions built on products from reputable manufacturers, ensures that your security system meets both current best practices and anticipated regulatory requirements. Professional security providers already prioritise device security in their product selection, making compliance with new standards a natural extension of existing practices.

The monitoring industry may also see changes. As IoT security standards improve the reliability and trustworthiness of connected alarm systems, monitoring centres can offer more sophisticated services — remote video verification, real-time system health monitoring, and automated firmware management — with greater confidence in the underlying device security.

Looking Ahead: The Connected Home of 2030

The Cyber Security Strategy 2026-2030 is designed to evolve over its five-year span, with regular reviews and updates as the technology landscape changes. The initial focus on baseline device security is expected to expand into areas such as mandatory security labelling (similar to energy efficiency ratings), standardised vulnerability severity ratings, and potentially requirements around end-of-life device decommissioning.

For homeowners, the trajectory is toward a market where connected device security is visible, comparable, and guaranteed. Just as you can compare the energy efficiency of appliances through standardised ratings, you will be able to compare the cyber security posture of smart home devices through standardised labels and certifications. This transparency empowers informed purchasing decisions and drives manufacturers to compete on security as well as features and price.

The NZ Cyber Security Strategy 2026-2030 represents the government’s commitment to ensuring that the smart home revolution enhances New Zealanders’ safety rather than undermining it. For homeowners who take proactive steps now — auditing devices, updating firmware, choosing reputable products, and working with professional security providers — the transition to a more regulated environment will be seamless. The standards are coming because they are needed, and the connected home of 2030 will be more secure because of them.