TUANZ has called for a stronger cyber security regime in New Zealand, with more accountability for the systems and platforms used by people and small businesses.
The Tech Users Association of New Zealand makes the case in a trust and safety paper released as part of its policy programme, alongside a separate discussion paper on social media age assurance. Its central argument is that New Zealand should move away from a model that leaves users to manage digital threats on their own and instead require safer system design and clearer institutional responsibility.
TUANZ Chair Paul Littlefair said recent improvements in cyber defence had not removed the need for a broader policy shift. He pointed to stronger coordination through the National Cyber Security Centre and initiatives such as Malware Free Networks, but said the threat landscape was changing quickly.
"New Zealand has made real progress in strengthening its cyber defences," Littlefair said. "Better coordination through the National Cyber Security Centre (NCSC) and initiatives like Malware Free Networks are delivering results. But the threat environment is evolving quickly, and our response needs to keep pace."
The pressure is particularly acute for smaller organisations, which the association said face scam losses of about $200 million a year across New Zealand. It also warned that advances in generative artificial intelligence were making fraudulent attacks more convincing and harder to detect.
TUANZ said the trend is widening the gap between larger organisations with dedicated resources and small and medium-sized enterprises that may lack specialist staff or funding. A growing share of smaller organisations now consider their cyber resilience insufficient, it said.
"Expecting individuals and small businesses to carry the burden of managing these risks is no longer tenable," Littlefair said. "We need to design systems that are secure by default, not secure only for those with the time, expertise or resources to protect themselves."
Policy shift
The group is seeking four main policy actions. The first is an enforceable national cyber security framework that would move beyond voluntary guidance and include mandatory reporting for major attacks, along with stronger powers for agencies investigating and prosecuting cyber criminals targeting New Zealanders.
It also wants targeted support for smaller firms through what it describes as cyber health incentives. These would include tax rebates or direct grants to help small and medium-sized enterprises adopt measures such as multi-factor authentication and secure cloud backups.
A third proposal would place more direct obligations on telecommunications providers and social media platforms. TUANZ said regulation should require those companies to detect and block fraudulent activity and deepfakes, reducing the burden on individual users to identify AI-generated scams.
The fourth measure focuses on education. The association wants cyber safety and digital literacy treated as core life skills, with technology upskilling embedded in the school curriculum so people enter the workforce better prepared for online risks.
Age assurance
Alongside its cyber security recommendations, TUANZ also addressed the debate over social media age assurance. Rather than backing a single model, it set out what it described as guiding principles for policy makers, including proportionality, practicality, privacy and equity.
The paper presents age assurance as a difficult policy area, with trade-offs between online safety, privacy, feasibility and the risk of pushing responsibility back onto families and individual users. TUANZ said decisions should be grounded in evidence rather than driven by a search for a quick fix.
"This is a complex issue with no simple answers," Littlefair said. "What matters is that we have a clear, informed national conversation - and that we don't default to solutions that shift responsibility back onto families without addressing system-level risks."
Economic impact
TUANZ linked the trust and safety agenda to broader economic concerns, arguing that digital confidence affects uptake of online services and emerging technologies. In its view, users who do not feel protected are less likely to engage fully with digital tools, including artificial intelligence.
This places cyber security policy alongside wider questions of productivity and business adoption. For smaller businesses in particular, the cost of keeping pace with changing threats can shape decisions about whether to digitise further, especially if owners believe the risks are rising faster than their ability to manage them.
Littlefair said trust is a basic condition for wider participation in the digital economy.
"Trust is fundamental to digital adoption," he said. "If people don't feel safe online, they will not fully engage with new technologies, including AI. Getting this right supports innovation, productivity, and the long-term competitiveness of our digital economy."