New Zealand has no binding AI Act, and the EU AI Act does not apply here. What actually binds organisations is the Privacy Act 2020 plus sector rules — explained clearly, without copying an EU framework that does not apply.

dgm is an independent osFoundry integration partner — not affiliated with the company that makes osFoundry, and dgm has not yet completed any client integrations. This article describes services dgm offers, not past results.

New Zealand and the EU AI Act: different frameworks

The most important difference is simple: the EU AI Act does not apply in New Zealand, and New Zealand has no binding AI Act of its own. A New Zealand organisation that copies the EU framework wholesale risks both over-engineering and missing what actually binds it.

In 2026 New Zealand has no standalone, binding AI law — and, because New Zealand is not in the EU, the EU AI Act does not apply here either. The government’s approach is deliberately light-touch and risk-based, relying on existing law. The public-sector touchstone is the Algorithm Charter for Aotearoa New Zealand, a voluntary commitment launched in July 2020 and signed by more than 25 government agencies. In July 2025 the government released New Zealand’s first national AI strategy, ‘Investing with Confidence’ (led by MBIE, built on the OECD AI principles), together with voluntary Responsible AI Guidance for Businesses and a non-binding Public Service AI Framework (GCDO / Department of Internal Affairs). None of these is a binding Act. What actually binds an organisation using AI is the Privacy Act 2020 plus the rules of whichever sector regulator applies — not an ‘AI Act’. Check the latest guidance, because this area is moving quickly.

So what actually binds a New Zealand organisation

New Zealand’s data-protection law is the Privacy Act 2020, in force since 1 December 2020 (it replaced the Privacy Act 1993). It is built around 13 Information Privacy Principles (IPPs) and is enforced by the Office of the Privacy Commissioner (OPC / Te Mana Mātāpono Matatapu). It is New Zealand’s own law — not the GDPR. Two recent additions matter for AI: IPP 12 governs disclosing personal information to anyone outside New Zealand (you must reasonably believe the overseas recipient is subject to comparable safeguards — the OPC publishes model contract clauses), and a new IPP 3A (from the Privacy Amendment Act 2025, in force 1 May 2026) adds a notification duty when you collect someone’s personal information indirectly. There is a mandatory notifiable-breach scheme: if a privacy breach is likely to cause serious harm, you must notify the OPC and affected individuals as soon as practicable. A binding Biometric Processing Privacy Code 2025 has been in force since 3 November 2025 (existing agencies have until 3 August 2026 to comply). The OPC has also published guidance on AI and the IPPs — its expectations include leadership sign-off, a privacy impact assessment before use, transparency, consulting Māori on risks and impacts, and human review of AI outputs.

Beyond the Privacy Act there are sector rules — the Reserve Bank’s BS11 outsourcing policy and the FMA’s conduct expectations in finance, the Commerce Commission and the consumer data right, and Medsafe for AI used as a medical device — which work through policies and guidance rather than a dedicated AI law.

If you trade across borders

If you also serve customers in the EU, you may need to comply with the EU AI Act for that part of your business, while in New Zealand you work to the Privacy Act and sector rules. Keep the scopes clearly separated.

How dgm can help

dgm is an independent integration partner that helps New Zealand organisations put osFoundry to work — from choosing a worthwhile first use case through to the hands-on build and connecting it to the systems you already run. dgm can help your organisation set up AI governance that reflects the Privacy Act and the sector rules that actually apply in New Zealand — not a framework that doesn’t. dgm is not affiliated with the company that makes osFoundry, and it has not yet completed any client integrations, so what is described here is the service dgm offers, not past results. If you want help scoping a realistic first project, dgm can work through it with you.