This week, the government quietly confirmed what many in the cyber security community have long anticipated, CERT NZ has been formally merged into the National Cyber Security Centre (NCSC), creating a single point for incident reporting and cyber advice.
You’d be forgiven for missing the announcement. The change came with little fanfare, but it marks a major shift in how cyber security will be delivered and communicated in Aotearoa New Zealand.
The move brings together two of New Zealand’s core public cyber agencies under one umbrella, with a new single reporting point for cyber security incidents:- www.ncsc.govt.nz/report
- 0800 114 115
The CERT NZ brand and website have now been retired. In their place, the NCSC has assumed responsibility for handling cyber reports from individuals, small businesses, corporates, and critical infrastructure operators alike.
This structural shift is intended to streamline support and provide better visibility of the threat landscape across the economy.
Why the change?
For years, New Zealand’s cyber security ecosystem has been described as fragmented. Victims of cyber attacks — from SMEs to enterprise — often found themselves navigating a “merry-go-round” of agencies: CERT NZ, NCSC, Police, the Privacy Commissioner, and more.
A Cabinet-commissioned report in 2022 from the Cyber Security Advisory Committee (CSAC) highlighted this confusion and recommended a “single front door” for cyber security — a one-stop place to report incidents, get advice, and access recovery support. The report stressed:
-
Victims were unsure who to contact
-
Multiple agencies often duplicated efforts or failed to coordinate
-
Reporting and triage functions were inconsistent
-
Support was generic and lacked tailored, actionable advice
The new integrated model aims to resolve these issues by creating a consolidated national capability inside NCSC.
What’s different now?
- One website and phone number for all incident reports
All reports now go to the NCSC — regardless of whether you're an individual, a school, a business, or a government agency. - Updated website experience
The new NCSC site includes more accessible content for both the public and private sectors, and continues to link to OwnYourOnline.govt.nz for simplified guidance aimed at everyday users and SMEs. - More consistent triage and advice
The centralisation of CERT’s operational team into NCSC is expected to improve case handling, reduce delays, and deliver advice with greater clarity and technical accuracy. - Enhanced visibility of cyber threats across the economy
With one reporting platform, the government can now better analyse threat trends and prioritise support across sectors.
What’s still at stake?
While the merged structure ticks the “single front door” box, the success of this model depends on more than just architecture. It must work in practice for those who need it most — the local retailer hit by ransomware, the community trust managing sensitive data, the school dealing with phishing attacks.
The original CSAC report called for a front door that was:
-
Victim-centric — offering proactive, human-centred case management
-
Inclusive — capable of supporting iwi/Māori, underserved communities, and regional organisations
-
Trustworthy — seen as independent, transparent, and responsive
As the NCSC assumes this new public-facing role, it must evolve beyond its traditional national infrastructure and intelligence remit to deliver everyday support in a way that builds confidence and trust across the country.
Final thoughts
This integration marks a significant moment for cyber security in Aotearoa. It simplifies the map — but simplification is not the same as support.
The success of this model hinges on how well it serves real people in real moments of need. Agencies must now focus not just on visibility, but empathy. Not just on consolidation, but accessibility.
The front door is built. Now it needs to be kept open, approachable, and well-resourced.
