Local and international telcos and network providers in New Zealand are now required to comply with strict and complex new communications interception and security legislation.

The new law will apply to Australian businesses and providers operating in the country, such as Vocus which runs data centres and networks in New Zealand.

Known as the Telecommunications (Interception Capability and Security) Act (TICSA), the new law requires network operators to register with the NZ Police. Similary, suppliers of a wholesale or retail telecommunications service must provide their information to the police registry.

Registrants must tell the police their total number of connections, customers and size of their geographic coverage, and ensure that law enforcement agencies have access to customer data and connections when needed.

As part of the new law - which requires the country's main signals intelligence agency, the Government Communications Security Bureau (GCSB) to play a prime role in network and systems security - providers are now dutybound to notify the state about any design and procurement decisions before implementation, according to government guidance [PDF].

Prior to TICSA, network operators were free to design their infrastructure according to their wishes and to meet commercial demands, and to buy equipment and software from any supplier.

From this month, the GCSB has to be notified of and approve proposed changes to a provider's network operations centre, core network including gateways and interconnects as well customer databases and authentication systems.

GCSB network security vetting process schematic

Providers will also be required to have their staff vetted for security clearance. However, the GCSB will not run the security clearance process itself, and warns that this "may take a significant length of time."

Neverthless, there are certain things that network operators are permitted to do without notifying the GCSB.

Network providers can patch and update software and firmware, and make changes to power, air conditioning and fire suppression systems.

They are also not required to inform the spy agency of emergency changes to networks, at least not immediately. Nor will providers have to notify the GCSB about home routers, servers and databases sold to customers.

Failure to comply with the new legislation, GCSB, or ministerial direction on network design and equipment, could land providers with hefty fines.

These can be as steep as NZ$50,000 (A$46,000) to NZ$500,000 a day.

The new law was slammed by web giants Google, Facebook and Microsoft last year as being from the 19th century and incompatible with international privacy legislation.

Despite this, the New Zealand government declined to exempt overseas operators from the new law.