News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. What we do
  3. Regulations and standards
  4. TICSA network security
  5. Notification of proposals

Te whakamōhio i ngā marohitanga Notification of proposals

Under section 48 of the Telecommunications (Interception Capability and Security) Act 2013 (TICSA), a network operator must notify GCSB of any proposed decisions, courses of action, or changes to any part of their network.

Notifications must be made before any decisions, courses of action, or changes are implemented.

You must submit a notification if the proposed decision, course of action or change falls within an area of specified security interest and is not covered by an exemption.

Notifications must be sent to ticsa@ncsc.govt.nz

Areas of specified security interest

Section 47 of the Telecommunications (Interception Capability and Security) Act (TICSA) defines areas of specified security interest in relation to a network as:

  • network operations centres,
  • lawful interception equipment or operations,
  • any part of a public telecommunications network that manages or stores:
    • aggregated information about a significant number of customers,
    • aggregated authentication credentials of a significant number of customers, or
    • administrative (privileged user) authentication credentials.
  • any place in a public telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either data in transit or stored data, or
  • any area prescribed under subsection (2).

Exemptions from notification requirements

Under the Telecommunications (Interception Capability and Security) Act (TICSA), the Director-General of the Government Communications Security Bureau (GCSB) can grant exemptions to network operators’ obligations to notify of proposed decisions, courses of action, or changes to certain parts of their network. 

Exemptions can only be granted if the Director-General is satisfied that the granting of an exemption will not give rise to a network security risk.

Exemptions can be granted to individual network operators or a class of network operators.

We will notify individual network operators directly in writing of any exemption applying only to them. We will not publish exemptions specific to a single operator.

Exemptions that apply to a class of network operators are published on the National Cyber Security Centre website as well as a written notification being sent to all network operators falling in that class.

Network operators can request an exemption from the GCSB at any time by completing this form.

TICSA exemption form template [DOCX, 170 KB]

The exemptions listed below apply only to the notification requirements on network operators under section 48 of the Telecommunications (Interception Capability and Security) Act 2013. They apply to all network operators from 12 November 2024 and expire on 11 November 2027 and may be varied or revoked by further written notice.

Exemption 1: Routine changes to networks

Network Operators are exempt from notifying the Director-General under s 48 of the Act of any routine decision, course of action, or change to the public telecommunications network made as a part of the on-going maintenance, support, and day-to-day running of the network.

A routine decision, course of action, or change must not:

  1. alter the architecture of the network; or
  2. change the effective ownership, control, oversight, or supervision of any equipment, system, or service within an area of specified security interest; or
  3. change the overall capabilities or functions of the equipment, systems or services, or introduce new functionality that is a material addition to existing functionality (even if that new functionality is not activated or used).

Typical examples of routine changes covered by this exemption include:

  • replacement of existing equipment with the same make and model, and providing the same functionality, and to perform the same functions;
  • patching, software or firmware minor version updates;
  • changes in configuration, unless those changes are associated with or necessitated by software updates;
  • platform redeployment;
  • changes that augment or optimise existing equipment or services;
  • changes to the equipment, systems or services which supply infrastructure support such as power, air conditioning, and fire suppression systems;
  • equipment, systems or services connected to the network and used in generic office management (such as office supplies, printers, fax machines, desktop computers or thin clients, screens);
  • changes to routing within the network.

Exemption 2: Standard builds and bulk changes

Network Operators are exempt from notifying the Director-General under s 48 of the Act of any second, or later, application of a standard build or bulk change which has been previously notified to GCSB under s 48, provided:

  1. the notification expressly identified that the decision, course of action, or change was part of a standard build or bulk change, and the change is within the scope of the standard build or bulk change (including functionality and areas of deployment) previously described;
  2. no network security risk was raised by the decision, course of action, or change, or a mitigation proposal was accepted by the Director-General and will apply to proposed second or later application of the standard build or bulk change; and
  3. the equipment, system, or service is the same as that previously notified in terms of network function and functionality.

For the avoidance of doubt, any change to what was notified as a standard build or bulk change (including changes because of deploying the change/build in a different location or for a different function) must be notified to the GCSB under s 48 of the Act.

Exemption 3: Emergency changes

Network Operators are exempt from complying with s 48(2) of the Act for any accelerated business change process that, as a result of an emergency event that has caused or may cause a network outage or other compromise of network services, must be made on short notice to maintain the confidentiality, availability, or integrity of the public telecommunications network, or any service or product that operates on that network, provided:

  1. the network operator advises the GCSB of the emergency change as soon as practicable after the change is made; and
  2. the network operator notifies the Director-General in accordance with s 48(1) of the Act within 20 working days of the decision to undertake the accelerated business change process.

For the avoidance of doubt, if the Network Operator is notified under s 51 of the Act that the decision, course of action, or change raises a network security risk, the Network Operator must:

  • provide a mitigation proposal in accordance with s 51(3) of the Act as soon as practicable; and
  • implement any accepted proposal or part thereof in accordance with s 53 of the Act, or any direction made by the Minister under s 57 of the Act.

Read the notice of the exemptions that have been granted [PDF, 590 KB]

When to notify

It doesn’t matter how many customers you have – you are still required to notify.

Some examples of when to notify include (but are not limited to):

  • prior to (or at the time) of issuing a Request for Proposal (RFP) when upgrading or purchasing new equipment,
  • if you have an existing point of presence, before extending this further to different locations across New Zealand,
  • if your organisation has been acquired or has acquired another company,
  • if you are changing a third-party provider or contractor of functions that may affect an area of specified security interest, and
  • if you are changing remote access service or platform and/or authentication methods.

Changes that may not need to be notified include:

  • if the proposal does not fall within an area of specified security interest or is covered by an exemption.
  • changes to the network that were made before the TICSA came into effect on 11 May 2014.
  • if you have made changes to your network, but did not notify in advance of the change, you should contact us as soon as possible and submit a notification.

If you are unsure whether you need to notify, or have any questions about your notification proposal, you can contact the NCSC team responsible for TICSA at ticsa@ncsc.govt.nz. We can follow up with an email, call or if necessary, arrange a time to visit.

Network operators – preparing your notification

The notification process

TICSA notification of proposals template [DOCX, 170 KB]