NSW agencies are operating in a fundamentally different digital environment than they were three years ago. The compliance floor has risen, public expectations have shifted, and AI governance is now a live question rather than a theoretical one. This is where things stand heading into 2026, and where the gaps still are.
1. The Regulatory Floor Has Risen
Over the past 18 months, the obligations sitting underneath every NSW agency’s digital presence have materially increased. Three frameworks are driving the most change.
1.1 The NSW Cyber Security Policy
The NSW Cyber Security Policy, updated in 2023 and enforced through annual attestation cycles, requires agencies to demonstrate capability across 31 mandatory requirements. Most agencies know this. What many are still working through is the gap between policy compliance on paper and operational readiness in practice.
The requirements most agencies are still catching up on include: incident response plan testing (not just documentation), third-party supplier risk management for digital vendors, and privileged access management across legacy systems that weren’t built with zero-trust architecture in mind.
1.2 Essential Eight
The Australian Government’s Essential Eight mitigation strategies are formally mandated for NSW state agencies. Mandatory Requirements 3.3 through 3.10 of the NSW Cyber Security Policy directly map to each of the eight strategies, making them binding policy requirements for all NSW Government departments and public service agencies. Maturity Level 1 is the mandatory minimum; Maturity Level 2 is the practical target most agencies are working toward. According to the NSW Audit Office, agencies met only 31% of requirements in the Protect category, which encompasses the Essential Eight controls, highlighting the gap between mandate and implementation.
The strategies with the widest implementation gaps tend to be: patch applications (particularly for citizen-facing web properties running on older CMS platforms), restricting administrative privileges, and multi-factor authentication for all remote access.
1.3 GIPA Act and Digital Disclosure
The Government Information (Public Access) Act 2009 continues to set the disclosure baseline for NSW agencies, but its application to digital content is increasingly being scrutinised. Three areas where agencies are commonly underprepared:
- Proactive release obligations: digital content created for public purposes should be published proactively, not just released on request. Many agency websites do not have the information architecture to support this.
- Accessibility of disclosed information: GIPA-released documents are often PDFs that do not meet WCAG standards, creating a compliance tension between disclosure and accessibility obligations.
- Retention and searchability: digital content that may be subject to access applications needs to be retrievable. Many agencies lack the content governance infrastructure to support this reliably.
2. AI in Government: The Policy Reality
NSW agencies are navigating AI adoption in the context of four overlapping frameworks: the NSW AI Strategy (2020), the NSW Generative AI Policy (2024), the Commonwealth AI Ethics Principles, and emerging whole-of-government guidance from the Department of Customer Service. The picture is not as complicated as it appears, but the gaps between policy intent and operational implementation are significant.
2.1 What the NSW AI Policy Actually Requires
The NSW Generative AI Policy (DCS-2024-04, effective 1 July 2024) applies to all NSW Government agencies and sets requirements for responsible AI use through the NSW AI Assessment Framework (AIAF), which defines multiple risk levels: low, medium, high, very high, and critical. Generative AI is automatically classified as elevated risk under the AIAF. Key practical implications:
- Agencies must conduct a risk assessment before deploying generative AI tools, including tools used by staff (not just citizen-facing systems)
- High-risk and very-high-risk uses, defined as those with significant impact on individual rights, safety, or significant public interests, must be submitted to the NSW AI Review Committee (AIRC) for assessment before deployment
- Agencies must maintain records of AI tools in use and be able to explain AI-assisted decisions to affected individuals
- Staff must not enter personal, sensitive, or confidential information as prompts into publicly available AI tools. This is an absolute prohibition for open-access tools. For enterprise AI tools, agencies must complete a risk assessment using the NSW AI Assessment Framework (AIAF) before any use involving such data
Many agencies are using AI tools, in particular productivity tools like Microsoft Copilot and Google Workspace AI, without having completed the required risk assessments. The gap between adoption speed and governance completeness is widening.
2.2 AI and the Privacy Act
NSW agencies are governed by the Privacy and Personal Information Protection Act 1998 (PPIPA) rather than the Commonwealth Privacy Act. PPIPA’s Information Protection Principles apply to personal information held by agencies, including information that is processed by third-party AI systems. Where an AI tool processes personal information on behalf of an agency, the agency retains the obligation to ensure that processing complies with PPIPA, including obligations around purpose limitation, data minimisation, and security.
The practical implication: before any AI tool processes citizen data, agencies need a data processing agreement that explicitly addresses PPIPA obligations. Most commercial AI vendors have Commonwealth-focused agreements; NSW-specific PPIPA coverage is worth verifying explicitly.
2.3 The AI Safe Redaction Problem
GIPA and FOI applications require agencies to redact sensitive personal and commercial information before releasing documents. This process is manual in most agencies: time-consuming, inconsistent, and a source of disclosure errors in both directions (under-redaction and over-redaction). AI-assisted redaction tools are now commercially available and can materially reduce the burden, but most agencies have not yet assessed or deployed them. The barrier is rarely budget. It is governance: who owns the assessment process, which framework applies, and who has authority to approve the tool.
3. The Digital Presence Gap
Beyond compliance, NSW agency websites and digital properties are underperforming against a public that has adjusted its expectations upward. Three trends are widening the gap.
3.1 Citizens Now Benchmark Against Commercial Experiences
The benchmark for a government digital experience is no longer other government websites. It is Uber, Xero, and MyGov. Citizens interact with sophisticated, personalised, frictionless digital products dozens of times each week. When they encounter a government service that requires them to download a PDF, print it, scan it, and email it back, the contrast is not a minor inconvenience. It is an indicator of organisational competence.
This matters beyond user satisfaction. Agencies that cannot serve citizens well digitally face higher call centre volume, higher error rates, and lower trust scores, all of which carry real operational costs.
3.2 The CMS Debt Problem
A significant proportion of NSW agency websites are running on content management systems that are three to seven years old, built on frameworks that are no longer actively maintained, and hosted on infrastructure that cannot efficiently support modern performance, security, or accessibility requirements.
The cost of CMS debt is often invisible until it becomes acute. Agencies typically discover the extent of the problem when they attempt a security patch and find that the CMS version cannot be updated without breaking core functionality, or when an accessibility audit reveals that fundamental rendering issues cannot be resolved without a platform rebuild.
The procurement reality makes this harder: CMS replacement is classified as capital expenditure in most budget frameworks, which requires a full business case cycle, typically 12–18 months. By the time approval is obtained, the urgency has often intensified and the cost estimate has increased.
3.3 Accessibility: Still Not Resolved
WCAG 2.2 AA compliance is the current mandated standard for NSW Government websites. Digital NSW updated its official guidance to WCAG 2.2 AA in 2024, superseding the earlier WCAG 2.1 AA baseline that was established under the Web Accessibility National Transition Strategy (2010–2014). WCAG 2.2 AA is also a condition of NSW Procurement digital standards. Despite this, independent audits consistently identify significant accessibility failures across agency websites.
The most common failures are: insufficient colour contrast ratios, form elements without appropriate labels, PDF documents that are not tagged for screen reader access, and video content without captions. These are not edge cases. They are baseline requirements that affect a significant proportion of the population with disability or situational limitations.
4. What Good Looks Like in 2026
The leading NSW agencies in digital maturity share a cluster of characteristics that distinguishes them from the median. None of these requires exceptional budget. They require a deliberate approach and sustained commitment.
4.1 Digital Strategy Connected to Ministerial Outcomes
The best-performing agencies have a digital strategy that can be read in direct relation to their Ministerial priorities. Not “we will improve our website” but “our digital presence will reduce barriers for small businesses applying for X, which contributes to the Premier’s Priority Y in the following measurable ways.” This framing makes digital investment defensible in budget negotiations and aligns ICT and communications teams around shared objectives.
4.2 A Governance Model That Can Keep Pace
High-performing agencies have resolved the governance question: who owns digital policy, who owns digital delivery, and how do those two functions coordinate? The organisations that struggle are usually those where ICT owns the platforms, communications owns the content, and neither has authority over the other, with no mechanism for joint decision-making.
4.3 Measurable Public-Facing Outcomes
The leading agencies are measuring what matters: task completion rates, time-on-task, error rates, and accessibility scores, not just page views and unique visitors. They are publishing these metrics internally and, increasingly, externally as a transparency commitment. The metrics drive continuous improvement rather than annual website refresh cycles.
4.4 AI Readiness Without AI Theatre
The most sophisticated agencies are distinguishing between AI use that genuinely improves outcomes and AI use that is primarily performative. They are deploying AI tools in low-risk, high-value use cases first (content summarisation, data extraction, document review) while building the governance capability to responsibly expand into higher-risk applications. They are not waiting for a perfect policy framework before acting, but they are acting within their existing risk management disciplines.
5. Getting More From Your Digital Procurement
Procurement frameworks exist to protect the public interest, but they can also slow agencies down unnecessarily when they are not well understood or actively used. These are the areas where most agencies have room to move faster and get better outcomes without cutting corners.
5.1 SCM0020: Are You Using It?
Most digital services can be sourced through SCM0020 (ICT Services Scheme), the whole-of-government prequalification scheme managed by NSW Procurement. Agencies can engage pre-qualified suppliers directly without open tender for engagements within threshold values: a significant time saving for well-scoped digital projects. Many agencies default to open tender out of habit or risk aversion even when SCM0020 would be faster, lower-risk, and fully compliant. If your agency is not actively using the arrangement for digital sourcing, it is worth reviewing why.
5.2 Plan Your Procurement Lead Time Into Your Strategy
The gap between identifying a digital need and having a supplier actively engaged is typically three to six months in most NSW agencies, sometimes longer for complex engagements. Digital initiatives that are not in the procurement pipeline early enough routinely miss funding cycles, Ministerial milestones, or legislative deadlines. If your digital strategy does not have a corresponding procurement timeline, the strategy will not be delivered on time. Build procurement planning into your digital roadmap from the start, not as an afterthought when the need becomes urgent.
5.3 What to Require From Any Digital Vendor
When assessing digital suppliers, these requirements should be non-negotiable for NSW agencies:
- Australian data sovereignty: all data stored and processed in Australia, confirmed in writing. This applies to cloud platforms, AI tools, CMS infrastructure, and analytics. Verbal assurances are not sufficient; contractual confirmation is.
- NSW compliance knowledge: not just Commonwealth frameworks. Suppliers should demonstrate working knowledge of PPIPA, GIPA Act, NSW Cyber Security Policy, and WCAG obligations as they apply to state agencies specifically. Commonwealth-focused vendors often apply the wrong framework.
- Security posture: ask for evidence of security practices, not just attestations. For agencies with PROTECTED classification requirements, IRAP assessment of infrastructure should be a condition of engagement.
- Governance documentation: for any AI tool deployment, require a risk assessment aligned to the NSW Generative AI Policy and a data processing agreement that addresses PPIPA obligations explicitly.
6. A Maturity Model for NSW Agencies
| Maturity Stage | Digital Characteristics | Typical Indicators |
|---|---|---|
| Stage 1: Foundational | Static website, PDF-heavy content, no analytics baseline, reactive to compliance. | WCAG failures, no CMS governance, security attestation incomplete. |
| Stage 2: Compliant | WCAG AA baseline, security policy attestation, basic analytics, structured content publishing. | Accessibility audit passed, Essential Eight assessed, content governance documented. |
| Stage 3: Performing | Task completion metrics, AI tools in pilot, digital strategy tied to Ministerial outcomes, proactive GIPA disclosure infrastructure. | Measurable citizen outcomes published, AI risk assessments complete, PPIPA data processing agreements in place. |
| Stage 4: Leading | AI-augmented service delivery, accessibility-first design system, continuous improvement cadence, proactive transparency publishing. | Public accessibility scorecard, AI governance register, quarterly digital performance report. |
Most NSW agencies sit at Stage 1 or 2. The distance to Stage 3 is shorter than most digital leaders assume. It primarily requires resolving the governance ambiguity that currently prevents momentum, not a large additional budget.
7. Where Liquid Digital Fits
Liquid Digital has worked with government and public sector organisations for over 15 years. Our work is grounded in the practical realities of how government agencies operate, including the procurement frameworks, compliance obligations, and internal governance structures that shape how digital work gets done.
- We know NSW-specific compliance. We work within IRAP-Ready frameworks, NSW Cyber Security Policy requirements, WCAG 2.2 AA, GIPA Act digital disclosure obligations, and PPIPA, not Commonwealth-only frameworks that don’t apply to state agencies.
- We have procurement experience. We have worked through SCM0020 and equivalent government standing offer arrangements. We know how to structure statements of work, navigate approval processes, and deliver within the accountability frameworks that government procurement requires.
- We keep data in Australia. Our infrastructure, tooling, and delivery model maintain Australian data sovereignty. We can confirm this to procurement panels without reservation.
- We work at agency pace. Government timelines are not a constraint to complain about. They are the operating environment. We structure engagements accordingly.
7.1 Our Government Programs
We offer structured programs specifically designed for government agencies:
- AI Safe Redaction: AI-assisted document redaction for GIPA and FOI applications, reducing manual processing time while maintaining accuracy and audit trail. Structured for NSW PPIPA compliance.
- Training & Capability: digital literacy and AI governance training for agency teams, structured for public sector learning requirements and CPD recognition.
- Digital Audit & Strategy: a structured assessment of your agency’s digital maturity against NSW compliance requirements, with a prioritised action plan that can support a business case or budget submission.
Talking to NSW Government about your digital priorities?
We work directly with agency digital leads, ICT directors, and communications teams. If your agency has a digital challenge that connects to compliance, AI governance, or public-facing service quality, we’ll give you a direct assessment of what’s possible and what it will take.
Sources & References
- NSW Cyber Security Directorate: NSW Cyber Security Policy (2023)
- Australian Signals Directorate: Essential Eight Maturity Model (2024)
- NSW Department of Customer Service: NSW AI Strategy (2020) and NSW Generative AI Policy (DCS-2024-04, effective 1 July 2024)
- NSW Information and Privacy Commission: Privacy and Personal Information Protection Act 1998 (PPIPA) guidance
- NSW Information Commissioner: Government Information (Public Access) Act 2009 (GIPA) guidance
- NSW Procurement: SCM0020 ICT Services Scheme (prequalification scheme), buy.nsw.gov.au/scheme
- W3C Web Accessibility Initiative: WCAG 2.2 Guidelines, w3.org/TR/WCAG22
- Australian Human Rights Commission: World Wide Web Access: Disability Discrimination Act Advisory Notes