For NZ critical infrastructure

Cyber risk for the systems New Zealand depends on.

Utilities, telcos, transport, and water infrastructure operators. Build a structured cyber security programme before the mandatory requirements arrive, and demonstrate improvement to your board and future regulators.

Last updated: May 2026

Get a demoSee how it works

Where it hurts

Where things break down.

Mandatory cyber security requirements are coming. Nobody knows exactly what they will ask for.

The NZ government is developing mandatory cyber security obligations for critical infrastructure operators. Most are hoping their existing programme will cover it. Some of it will. Some of it won't.

Security investment doesn't speak the same language as operational risk.

Your board and exec team manage operational risk in one framework and cyber risk in another. Getting security investment approved means bridging that gap without a manual translation every time.

Security is a cost. Until an outage proves it wasn't.

Operations protects the asset that pays the bills. Getting security investment approved means speaking a language that ops, security, and your exec team all read.

How Speculo fits

What changes when you use Speculo.

Build your programme now. Map it to the requirements as they land.

Start a structured cyber security assessment in a framework that can absorb mandatory requirements when they arrive. No rebuilding when the regime is confirmed.

Show your board a risk position, not a control list.

Turn your assessment into board-grade reporting that connects cyber risk to business impact. The same data that runs your assessment runs your board report.

Track improvement over time. Show regulators you're moving.

Re-run your assessment as your controls improve. Same inputs, same model, a measurably different result. Your regulator sees progress. Your board sees investment paying off.

Compliance map

Frameworks and regulations Speculo helps with.

Score once against a unified control library. Speculo maps the same evidence onto each framework, so you're not re-running the work for each new audit.

  • NZ Government mandatory cyber security requirements (in development)
  • NCSC Voluntary Cyber Security Standards
  • MCSS
  • NZISM
  • NIST CSF
  • ISO 27001
  • Telecommunications (Interception Capability and Security) Act

Also relevant for

Government

MCSS native, NZISM ready. The funding case your Chief Executive will sign.

Finance

Quantitative cyber risk and compliance for FMA- and RBNZ-regulated entities.

See Speculo against your critical infrastructure situation.

Book a 30-minute walkthrough. No pitch, no procurement process. Just a clear look at whether the platform fits your team.

Get a demoAll sectors