Notifications must be made before any decisions, courses of action, or changes are implemented.
You must submit a notification if the proposed decision, course of action or change falls within an area of specified security interest and is not covered by an exemption.
Notifications must be sent to ticsa@ncsc.govt.nz.
Areas of specified security interest
Section 47 of the Telecommunications (Interception Capability and Security) Act (TICSA) defines areas of specified security interest in relation to a network as:
- network operations centres,
- lawful interception equipment or operations,
- any part of a public telecommunications network that manages or stores:
  - aggregated information about a significant number of customers,
  - aggregated authentication credentials of a significant number of customers, or
  - administrative (privileged user) authentication credentials,
- any place in a public telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either data in transit or stored data, or
- any area prescribed under subsection (2).
Exemptions from notification requirements
Under the Telecommunications (Interception Capability and Security) Act (TICSA), the Director-General of the Government Communications Security Bureau (GCSB) can grant exemptions from network operators’ obligations to notify proposed decisions, courses of action, or changes to certain parts of their network.
Exemptions can only be granted if the Director-General is satisfied that the granting of an exemption will not give rise to a network security risk.
Read the notice of the exemptions that have been granted [PDF, 590 KB]
Exemptions can be granted to individual network operators or a class of network operators.
We will notify individual network operators directly in writing of any exemption applying only to them. We will not publish exemptions specific to a single operator.
Exemptions that apply to a class of network operators are published on the National Cyber Security Centre website, and a written notification is also sent to all network operators falling in that class.
Network operators can request an exemption from the GCSB at any time by completing this form.
TICSA Exemption Request template [DOCX, 112 KB]
When to notify
It doesn’t matter how many customers you have – you are still required to notify.
Some examples of when to notify include (but are not limited to):
- prior to (or at the time of) issuing a Request for Proposal (RFP) when upgrading or purchasing new equipment
- if you have an existing point of presence, before extending this further to different locations across New Zealand
- if your organisation has been acquired or has acquired another company
- if you are changing a third-party provider or contractor of functions that may affect an area of specified security interest
- if you are changing remote access service or platform and/or authentication methods.
Changes that may not need to be notified include:
- if the proposal does not fall within an area of specified security interest or is covered by an exemption.
- changes to the network that were made before the TICSA came into effect on 11 May 2014.
If you have made changes to your network but did not notify in advance of the change, you should contact us as soon as possible and submit a notification.
If you are unsure whether you need to notify, or have any questions about your notification proposal, you can contact the NCSC team responsible for TICSA at ticsa@ncsc.govt.nz. We can follow up with an email or a call or, if necessary, arrange a time to visit.
Network operators – preparing your notification
Download the TICSA Notification of Proposal template [DOCX, 107 KB]