The Financial Markets Authority has strongly criticised the stock exchange for being ill prepared and slow to react to last year's cyber attacks.
Trading on the NZX was halted for four days last August after heavy cyber attacks disrupted its website.
A report by the Authority says the NZX did not have adequate technology, systems or trained staff to cope with the denial of service attacks which overwhelmed the NZX site.
"NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations and especially in the context of its systemic importance."
It said the NZX did not meet its obligations to ensure a properly functioning market.
The FMA said the NZX already knew its systems were not coping with a large increase in trading.
It said cyber attacks were foreseeable and should have been planned for.
"The feedback from market participants mirrors our own observations and is a major concern that needs to be addressed by the NZX board and executive," FMA chief executive Rob Everett said.
"The failure to properly consider the broader ecosystem in which the exchange operates, and to fully engage with industry feedback and concerns, were contributing factors to the volume-related issues."
The NZX has already started work to upgrade its IT systems but is being formally required to develop a plan to fix the problems.