
Regulatory Fines Are Up 417% in 2025 - Here's What That Means for NZ Mid-Market Businesses

James Bayly

There is a number that should stop any operations director mid-scroll: 417%.

That is how much regulatory fines increased in the first half of 2025 compared to the same period in 2024. Not in one jurisdiction. Not in one domain. Across the board (privacy, workplace safety, environmental, food safety, and employment law), enforcement bodies around the world are pursuing non-compliance more aggressively, and with higher penalties, than at any point in recent history.

For large multinationals with dedicated legal and compliance teams, this is a significant cost. For a NZ manufacturer with 80 staff, a food producer preparing for export season, or a mid-market business running compliance on the side of someone's desk, it is a different kind of risk entirely.

The average annual cost of non-compliance, combining penalties, legal fees, remediation costs, and reputational damage, is $15 million globally. For smaller businesses without the reserves to absorb a major enforcement action, the consequences are not just financial. They are existential.


The Enforcement Shift Is Real and It Is Accelerating

For most of the past decade, regulators in New Zealand and Australia operated on a model that emphasised education and improvement over punishment. The first visit from WorkSafe was likely to result in a notice and a timeline for remediation. Privacy breaches were handled with guidance. Environmental incidents generated correspondence.

That model is changing.

WorkSafe NZ has significantly increased its use of infringement notices and prosecutions following the Health and Safety at Work Act reforms. The Privacy Commissioner now has broader powers to investigate and issue compliance notices following the Privacy Act 2020. MPI enforcement of export standards has tightened as trading partners impose stricter import verification requirements.

The pattern is consistent globally. Regulators that previously focused on awareness are now focused on accountability. The tolerance for "we were working on it" as a response to an audit finding is shrinking.


What the Numbers Look Like Closer to Home

The global figure of 417% is striking, but it is worth understanding what enforcement actually looks like in the domains most relevant to NZ mid-market businesses.

Workplace safety carries some of the most significant penalties available to NZ regulators. Under the Health and Safety at Work Act 2015, a company found guilty of a Category 1 offence (conduct that exposes a person to a risk of death or serious injury) faces fines of up to $3 million. A senior officer found personally liable faces up to $600,000 and potential imprisonment. WorkSafe completed 109 prosecutions in the 2022/23 year, with total fines exceeding $12 million. That figure has grown in each of the three subsequent years.

Food safety enforcement through MPI carries both domestic and international consequences. A domestic prosecution for food safety violations under the Food Act 2014 can result in fines up to $500,000 for a body corporate. But the more damaging outcome for exporters is the suspension or revocation of export eligibility, a consequence that can cost a business its primary market overnight with no appeals process that operates quickly enough to prevent the loss.

Privacy enforcement is accelerating following the Privacy Act 2020 reforms. The Office of the Privacy Commissioner can now issue compliance notices directly and refer serious breaches to the Human Rights Review Tribunal, where damages awards have no upper cap. The average cost of a notifiable privacy breach in Australia, the closest comparable jurisdiction, reached AUD $4.3 million in 2024.

Employment law penalties have increased following amendments to the Employment Relations Act. Wage theft prosecutions, holiday pay underpayment recoveries, and unjustified dismissal awards have all trended upward, with the Labour Inspectorate significantly increasing its investigation activity since 2023.


The Compounding Effect Nobody Budgets For

When businesses think about compliance risk, they typically think about the fine. That is the visible number. It is also, in most cases, the smallest part of the total cost.

WorkSafe prosecutions are a useful example. The fine itself might be $180,000 for a serious harm incident. But the total cost to the business typically includes legal representation throughout the investigation and prosecution process (often running 18 to 24 months); remediation of the hazard and any associated systems; internal management time across that period; potential civil liability from the injured worker; increased ACC levies; and reputational damage with customers, insurers, and prospective employees.

A realistic total for a serious harm incident at an NZ manufacturer, including all downstream costs, is rarely below $500,000 and frequently exceeds $1 million. For a business turning over $8 to $12 million a year, that is not a compliance problem. That is a survival problem.

The same compounding applies in food safety. A critical nonconformance at a BRC audit does not just result in a failed audit. It triggers a suspension of certification, which triggers a loss of supply agreements with customers who require BRC as a condition of purchase, which triggers a revenue gap while recertification is pursued, which takes between three and six months in most cases.

The fine is the beginning of the cost, not the end of it. Most businesses that experience a serious compliance enforcement action underestimate the total exposure by a factor of three to five.


The Businesses Most at Risk

Enforcement data consistently shows that the businesses most likely to face regulatory action share a recognisable profile. They are not the businesses that are knowingly cutting corners. They are the businesses that have compliance on someone's to-do list but have never had the time, the system, or the budget to get fully organised.

They look like this:

  • Between 25 and 200 employees, managing compliance alongside other operational responsibilities
  • Compliance spread across multiple domains with no single person owning the full picture
  • Evidence and documentation held across a combination of spreadsheets, shared drives, and filing cabinets
  • Audit preparation that begins when the audit is scheduled rather than running continuously
  • Awareness that there are gaps, but no clear map of where those gaps are or how serious they are

This is not a description of negligent businesses. It is a description of busy ones. Businesses where the quality manager is also the food safety manager and occasionally covers HR when someone is on leave. Businesses where the last compliance review happened 18 months ago and was thorough at the time but has not been updated since.

The regulatory environment of 2025 is less forgiving of that reality than it was five years ago.


The Sectors Facing the Most Pressure Right Now

Not all compliance domains are accelerating at the same rate. Three in particular are seeing the sharpest increase in enforcement activity relevant to NZ mid-market businesses.

Food safety and export compliance is being driven by tightening import standards in NZ's key export markets. The EU's EUDR (deforestation regulation) is creating new traceability obligations for exporters. Japanese and Korean import verification requirements have been strengthened. MPI's own audit frequency has increased for registered exporters. Businesses that have not updated their food safety documentation to reflect current requirements are carrying more exposure than they realise.

Workplace mental health and psychosocial risk is an emerging enforcement priority that most NZ businesses have not yet addressed formally. WorkSafe NZ published its first specific guidance on psychosocial hazards in 2023. The expectation that businesses will have documented processes for identifying and managing psychosocial risk (workload, workplace relationships, role clarity, traumatic events) is moving from guidance to enforcement expectation.

Privacy and data governance is accelerating following two years of high-profile breach notifications. The Privacy Commissioner has signalled that repeat breaches and systemic failures to implement basic security controls will be treated more seriously than one-off incidents. Businesses that have not reviewed their privacy programme since the 2020 Act came into force are likely operating with material gaps.


What Good Looks Like - and What It Costs

The natural response to an increasingly punitive enforcement environment is to invest more in compliance. That is the right instinct, but the investment needs to go into the right things.

The traditional model (a dedicated compliance manager, supported by a consultant for each domain, using separate tools for each framework) is expensive, slow, and structurally prone to the gaps that trigger enforcement. A business spending $180,000 a year on compliance in this model is often less well-protected than it thinks, because the investment is spread across silos that do not communicate.

What actually reduces enforcement risk is not more spending. It is better visibility. Knowing continuously, not just at audit time, exactly which obligations apply to your business, which evidence you have, which evidence is missing or expired, and where your highest-risk gaps are is the difference between compliance that protects the business and compliance that creates a false sense of security.

Continuous visibility is also what enables a proportionate response. A business with a clear gap analysis can prioritise the highest-risk items first. A business without one spends time and money on low-risk items while serious gaps remain unaddressed.

The goal is not a perfect compliance programme. It is a defensible one, one where, if a regulator does come knocking, the business can demonstrate that it had a systematic approach, identified its risks, prioritised its response, and acted in good faith.

In NZ's current enforcement environment, good faith and a documented system matter. They do not eliminate liability, but they significantly affect outcome.


Three Things Worth Doing This Quarter

The 417% figure is a useful alarm. Alarm is only useful if it produces action. For NZ mid-market businesses, three things are worth prioritising before the end of the quarter.

First, map your actual compliance obligations. Not the ones you think you have, but the ones that actually apply to your business given your industry, your size, your locations, and your customer requirements. Most businesses that have done this exercise find at least two or three obligations they had not formally accounted for.

Second, review the currency of your documentation. Policies and procedures that were written in 2021 may not reflect the current regulatory requirements in your domain. WorkSafe guidance has been updated. The Privacy Act has been in force for four years and enforcement expectations have matured. BRC Issue 9 introduced changes that not every business has fully incorporated. A document review is not glamorous, but it is the fastest way to identify the gaps most likely to surface in an audit.

Third, establish who owns compliance in your business and what their remit actually covers. The most common finding in enforcement investigations is not the specific failure that triggered the investigation. It is the systemic absence of accountability: nobody clearly responsible, nobody with the authority and resources to act, nobody monitoring the status on an ongoing basis.

None of this requires a large budget or a specialist hire. It requires a decision that compliance is a continuous operational responsibility, not a periodic project.

The regulatory environment of 2025 is pricing in that decision for you. The question is whether you make it before the audit, or after.

About Porticus AI

Porticus AI is a universal compliance platform built for businesses managing multiple frameworks simultaneously. Our cross-domain intelligence engine identifies where your compliance obligations overlap and eliminates 40-60% of redundant work. One platform for workplace safety, food safety, environmental, quality management, cybersecurity, and employment law.
