HSWA Amendment Bill 2026: What Changes for NZ Businesses

Critical risk is no longer just implied. Here’s what the Health and Safety at Work Amendment Bill means in practice.

Key takeaway: The Health and Safety at Work Amendment Bill doesn’t create entirely new obligations – it removes the ambiguity that allowed boards to be comfortable with less. “Critical risk” is getting a legal definition, and officer verification duties are being made explicit. If your governance isn’t already built around those standards, now is the time to change that.

Key dates

• Bill introduced to Parliament: early 2026
• Expected Royal Assent: before 24 September 2026
• Changes take effect: the day after Royal Assent
• Action required now: conduct a formal critical risk assessment; review officer governance processes

For the past decade, “critical risk” has been a phrase that everyone in health and safety uses and nobody has been required to define. WorkSafe has published guidance on it, industry bodies have built frameworks around it, and boards have asked about it in annual reports. But in the Health and Safety at Work Act 2015 itself, the term has never formally existed – which has meant that what counts as a critical risk, and what adequate governance of one looks like, has always been somewhat in the eye of the beholder.

That’s about to change.

The Health and Safety at Work Amendment Bill, introduced to Parliament in early 2026 and expected to pass before the House rises in September, will for the first time give “critical risk” a statutory definition. It’s the most significant reform to New Zealand’s health and safety framework since the 2015 Act came into force – and for organisations in high-risk industries, the implications go well beyond compliance.

What the Bill actually says

The Bill defines a critical risk as a risk associated with a hazard that is likely to result in death, a notifiable injury or illness, a notifiable incident, or an occupational disease. In determining whether a risk meets that threshold, a PCBU must base its assessment on what it knows – or ought reasonably to know – about its business and the hazard in question.

That phrase “ought reasonably to know” matters. It means ignorance isn’t a defence. If the nature of your operations creates exposure to hazards that could kill or seriously harm someone, you’re expected to have identified them, whether you’ve formally done so or not.

Once a risk is identified as critical, the Bill requires PCBUs to prioritise it in a specific way: managing critical risks before other risks, monitoring and reviewing controls for them more frequently than for other risks, and directing a higher proportion of resources toward them. The word the Bill uses is “prioritise” – and it means something precise, not just “pay attention to.”

What’s changing: current Act versus the Amendment Bill

What changes for officers

For boards and executives, the most significant change is in how officer due diligence is defined.

Under the current Act, the list of what due diligence requires is open-ended – a set of examples rather than a complete picture. The Bill makes it exhaustive. What’s expected of an officer is now a fixed, defined set of obligations rather than a floor that courts can interpret upward or downward depending on the circumstances.

Those obligations include three things that are especially relevant given the direction case law has been moving:

• Understanding the nature of the organisation’s operations and the hazards they create
• Ensuring the organisation has the right resources and processes in place to manage those hazards
• Verifying that those resources and processes are actually being used

That last requirement is the one that carries the most weight. It’s also the one that the Port of Auckland conviction turned on. Tony Gibson wasn’t found to have failed because Port of Auckland lacked systems. He was found to have failed because he hadn’t verified that those systems were functioning in practice. The Bill is now writing that standard into law – not as a principle that courts can invoke, but as a named, explicit officer obligation.

Why the timing matters

There’s a temptation to treat legislative reform as a long runway – something to prepare for eventually, once the Bill passes and guidance is issued and industry practice catches up. That’s probably the wrong frame here, for two reasons.

The first is speed. The Bill is expected to receive Royal Assent before September 2026, with changes taking effect the day after. That’s a short window, and organisations that haven’t already done a formal critical risk assessment will need to move quickly. Identifying which risks in your operations meet the new definition, reviewing whether your current controls are being monitored at the right frequency, and checking that your governance processes reflect what officers are now explicitly required to do – none of that happens overnight.

The second reason is that the Bill doesn’t actually create new obligations so much as it clarifies and sharpens existing ones. The expectation that officers would prioritise critical risks, verify controls, and maintain genuine visibility into operations – that expectation was already there. The Port of Auckland conviction demonstrated that courts were already applying it. What the Bill does is remove any remaining ambiguity about what’s required, and make it harder for organisations to argue they didn’t know the standard they were being held to.

In practice, that means the question isn’t “do we need to change what we do when the Bill passes?” It’s “are we already doing what the Bill describes – and can we demonstrate it?”

The practical questions worth asking now

If you’re an H&S manager or risk lead, the Bill gives you a concrete framework for the conversations you need to be having internally right now. A few starting points:

Have you formally identified your critical risks? Not assumed them, not inherited them from a previous risk register – actually assessed which hazards in your current operations are likely to result in death or serious harm, based on what you know about how work is actually done. The Bill requires this assessment to reflect reality, not aspiration.

Are your controls being monitored at the right frequency? The Bill requires critical risk controls to be reviewed more often than controls for other risks. If your current monitoring schedule doesn’t distinguish between the two, that’s a gap worth closing before the Bill passes – not after.

Can your officers verify, not just receive? There’s a difference between an executive who receives a monthly H&S report and an executive who has genuine visibility into whether critical controls are working on the ground. The Bill names verification as an explicit officer duty. The question for your governance process is whether your current reporting gives officers what they’d need to actually meet that standard.

What does “work as done” look like in your organisation? The Port of Auckland judgment drew a sharp distinction between work as planned and work as actually carried out. If your critical risk data is built primarily on what workers are supposed to do rather than what they’re observed doing, there’s a gap between your documented controls and your real exposure.

A shift in what boards are accountable for

The deeper significance of the Amendment Bill isn’t the specific changes it makes – it’s the shift in accountability it reflects. For years, the implicit standard for boards and executives was something like “did we have appropriate systems?” The question that courts, regulators, and now Parliament are converging on is different: “did we know our systems were working?”

That’s a harder question to answer. It requires more than a well-maintained management system or a clean audit report. It requires a continuous, verified picture of whether critical controls are in place and functioning – not a snapshot from last quarter, but an ongoing view.

The organisations that will navigate this period most confidently aren’t the ones scrambling to respond to the Bill. They’re the ones that have already built that kind of visibility into how they operate.

Frequently asked questions

What is the new definition of critical risk under the Amendment Bill?
A critical risk is defined as a risk associated with a hazard that is likely to result in death, a notifiable injury or illness, a notifiable incident, or an occupational disease listed in Schedule 2 of the Accident Compensation Act 2001. PCBUs must assess this based on what they know – or ought reasonably to know – about their operations and the hazards they create.

When does the Health and Safety at Work Amendment Bill come into force?
The Bill is expected to receive Royal Assent before Parliament rises on 24 September 2026. Changes take effect the day after Royal Assent. Organisations should begin preparing now rather than waiting for the Bill to pass.

What does the new verification obligation mean for officers?
Officers must verify – not just document or review – that the resources and processes they’re responsible for are actually being provided and used. This means having genuine evidence that critical controls are functioning, not just records that they were planned or agreed to.

Does the Bill apply to contractors and supply chains?
Yes. The duty to prioritise and verify critical risk controls extends to work carried out by contractors on a principal’s behalf. Having the right contracts in place is not sufficient – principals need reasonable confidence that their contractors’ critical controls are actually functioning.

What should organisations do before the Bill passes?
At a minimum: conduct a formal critical risk assessment against the new definition; review whether controls for critical risks are being monitored more frequently than other risks; and check that officer governance processes include genuine verification, not just receipt of reports.

Critter is built by IMPAC – 27 years of health and safety expertise, purpose-built for the critical risk governance challenge. Learn more about IMPAC.