On 30 July 2025, the Budapest Convention and Related Matters Legislation Amendment Act 2025 (the Act) received Royal Assent. The amendments introduced by the Act align New Zealand’s legal framework with the Council of Europe Convention on Cybercrime (commonly referred to as the Budapest Convention), paving the way for New Zealand’s accession. This follows the Government’s declaration of intent to accede to the Convention on 18 February 2021.
Among other changes, the Act expands law enforcement’s powers under the Search and Surveillance Act 2012 by introducing the ability to issue ‘preservation directions’ to individuals and organisations. This introduces new legal obligations that will require organisations to act swiftly and securely upon receipt of a preservation direction. A preservation direction can be used by enforcement officers to require a person to preserve specified documents or data that may be evidential material in relation to a suspected offence.
Applications for directions require reasonable grounds to suspect an offence has occurred or will occur, and that there is a risk that the relevant documents could be lost, modified, or deleted before a production order can be obtained. A direction may compel the recipient to maintain the integrity of the documents, disclose their location if not in possession, and, where necessary, produce “pathway information” (traffic data that identifies the path of a telecommunication) to assist investigations. Preservation orders are time-limited, generally lasting up to 20 days. Failure to comply is a criminal offence, carrying penalties of up to one year’s imprisonment for individuals, and fines of up to NZ$40,000 for organisation.
The legislation comes as cybercrime continues to pose a significant threat in New Zealand, affecting both public and private sectors. According to the National Cyber Security Centre (NCSC), New Zealanders lost an estimated NZ$1.6 billion to online threats in 2024.
Understanding the Budapest Convention
Adopted by the Council of Europe in 2001 and entering into force in 2004, the Budapest Convention is the leading international treaty aimed at tackling cybercrime. It seeks to align national laws, enhance investigative powers, and foster international co-operation.
Eighty countries are currently parties to the Budapest Convention, with a further 15 (including New Zealand) formally invited to accede.
The Budapest Convention focuses on three key pillars:
- Criminalisation of cybercrime: Including unauthorised access to systems, data interference, and computer-related fraud;
- Procedural powers: Enabling the investigation of cybercrime and the collection of electronic evidence, with appropriate safeguards for human rights and due process; and
- International co-operation: Facilitating timely and effective cross-border collaboration on cybercrime investigations and prosecutions.
By aligning its domestic legislation with the Convention, New Zealand has taken a significant step towards accession and strengthens its ability to respond to transnational cyber threats in line with international standards.
Other Amendments Introduced by the 2025 Act
The Act introduces targeted amendments across several pieces of legislation, including the Search and Surveillance Act 2012 discussed above.
Other amendments include:
- Enhanced international co-operation: Updates to the Mutual Assistance in Criminal Matters Act 1992 make it easier for New Zealand to seek and provide assistance in cross-border cybercrime matters. The Act introduces new measures to ensure that human rights are upheld and affirmed, including requiring that people affected by a search are notified when seized material is sent out of New Zealand. This ensures judicial review is possible if the affected people believe the search is unreasonable.
- Clarified data collection obligations: Changes to the Telecommunications (Interception Capability and Security) Act 2013 clarify the requirements under which network operators must collect traffic data over public telecommunications networks.
- New cybercrime offences: Among other minor updates to the Crimes Act 1961, two offences have been established to align with the Budapest Convention. It is now an offence to design, write, or adapt software with the intent that it be used to commit cybercrimes such as unauthorised access, interference, or data theft, carrying a penalty of up to two years' imprisonment. Similarly, dealing in or possessing software or information intended to facilitate unauthorised access to computer systems, whether by promoting, supplying, or intending its criminal use, is also criminalised with the same maximum penalty.
The adoption of this Act reflects the Government’s recognition of the persistent and serious threat posed by cybercrime. The new obligations may require organisations to review their internal systems, policies, and incident response frameworks. In particular, organisations should ensure that their Data Retention Policies include appropriate provisions for retaining data that is subject to a preservation direction or is otherwise relevant to a criminal investigation.
Please get in touch with the contacts listed or your usual Bell Gully adviser if you would like further information about the Act or advice on what changes your organisation may need to consider in response.
Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
