Security

In a time of growing geopolitical tension, evolving hybrid threats and rapid technological change, regulatory frameworks on security are expanding, with consequences for both public authorities and private enterprises operating in important societal sectors.
Haavind routinely handles security matters across the categories below. Our cross-disciplinary teams provide practical, experience-based advice on how to comply across sectors and legal frameworks.
As Norway strengthens its national resilience, the scope of the Norwegian Security Act continues to expand, increasingly covering private entities that manage critical infrastructure and information, as well as their supply chains. The Total Defence concept assumes cooperation and mutual support between the Armed Forces and the civilian sector across the full spectrum from peace to armed conflict.
Haavind assists both public and private sector organisations in understanding and fulfilling their obligations under the Security Act. We combine legal expertise with practical insight into how businesses operate within the national security framework.
We advise on
- Mapping obligations, implementing policies, and assistance with establishing governance frameworks to ensure compliance.
- Drafting and negotiating security agreements with suppliers and vendors in classified procurements.
- Assistance with obtaining authorization and clearance requirements, including the legal framework for employee vetting and advice on what clearance levels are necessary.
- Performing supply chain, country, and operational risk analyses.
- Advising and representing clients in communications, audits, and notifications to NSM and other relevant bodies.
With the introduction of new regulatory frameworks such as the NIS2 and CER Directives, cybersecurity and resilience are no longer optional ambitions but expected legal standards.
Public and private sector organisations must be prepared to prevent, manage, and recover from incidents while maintaining the continuity of essential services.
We advise on
- Supporting risk assessments, control measures, and documentation required to demonstrate compliance to supervisory authorities, including performing gap analyses.
- Contract drafting and negotiation to ensure that security and necessary obligations are reflected throughout the value chain.
- Guiding corporate bodies in their duties related to cybersecurity, resilience, and operational continuity.
- Assisting in communications with competent authorities, inspections, and enforcement processes.
As sectors become increasingly interdependent, new regulatory frameworks expand security obligations not only on the entities directly subject to the rules, but also on their suppliers and sub-suppliers.
Both the Norwegian Security Act and the upcoming EU CER and NIS2 directives require entities to identify and assess dependencies on external providers as part of their risk assessments. Similarly, the Norwegian Digital Security Act obliges operators of essential services to ensure that suppliers perform their duties in accordance with applicable security requirements, and to reflect relevant controls and obligations in supplier contracts.
The Norwegian Security Act goes even further by imposing direct obligations on suppliers participating in classified procurements. Such procurements typically require formal security agreements and, where applicable, supplier security clearances.
We advise on
- Mapping regulatory obligations affecting suppliers and sub-suppliers.
- Designing and implementing supply-chain governance, policies, and control frameworks.
- Drafting and negotiating supplier contracts incorporating required security measures.
- Advising on supplier due diligence, qualification, and security clearance processes.
- Supporting clients in communications with supervisory authorities, including audits and notification.
- Classified procurements, including security agreements with suppliers.
Personnel security is an important part of organisational resilience. As regulatory frameworks evolve, requirements relating to background checks, access management, and handling of sensitive functions are becoming more stringent.
The NIS2 Directive and the CER Directive introduce increased expectations for vetting and assessing the reliability of individuals in roles critical to the security and continuity of essential and important services.
The Norwegian Security Act contains some of the strictest personnel security requirements, requiring formal authorization or clearances for individuals with access to security-graded information, classified infrastructure, or classified procurements. This may include background checks and security interviews.
We advise on
- Identifying personnel security obligations under applicable regulatory frameworks.
- Developing personnel security frameworks, policies, and vetting procedures.
- Advising on the legal requirements for background checks, suitability assessments, and requirements for security clearances.
- Drafting and negotiating contractual provisions addressing personnel requirements for employees, consultants, and suppliers.
- Assisting in communications with supervisory authorities, including documentation disclosure, inspections, and compliance reviews.
- Navigating employment and anti-discrimination law in the security landscape, including procedures for recruitment, onboarding and offboarding of employees.
The real estate industry is experiencing changes in security status and expectations from buyers, tenants, lenders and neighbours.
Even property companies that today are outside of the regulations in the Norwegian Security Act may find that the legislation becomes relevant to them because they interact with a party, or lease to a company, that falls within the Security Act.
Leases with security clauses, access to ownership information and regulations relating to access control are examples of factors that become relevant.
Many property companies are increasingly using digital systems for the management and operation of buildings, which may also be subject to strict requirements.
We advise on
- Mapping obligations, implementing policies, and establishing governance frameworks to ensure compliance.
- Drafting and negotiating security agreements with buyers, suppliers, or lessees, such as restrictions on subletting or notifications to the relevant authority when changes are made in a qualified ownership interest.
- Advising and representing clients in communications, audits, and notifications to NSM and other relevant bodies.
Financial transactions, acquisitions, leases and loans are an essential part of any business; however, they can also create new vulnerabilities.
With the Norwegian Security Act requiring notification of the acquisition of a qualifying interest, and new regulations detailing how this is to be practiced, the regulations have become more complex.
Additionally, the government plans to present a proposal for a new law on national control of foreign investments in 2026.
In some scenarios, there have been examples of government orders under the Security Act being used to stop a planned transaction or impose conditions.
We advise on
- Mapping obligations, implementing policies, and establishing governance frameworks to ensure compliance.
- Assessing risks in financial transactions, acquisitions, leases and loans.
- Drafting and negotiating security agreements with transaction parties.
- Advising and representing clients in communications, audits, and notifications to NSM and other relevant bodies.
In recent years, there has been a significant increase in the scrutiny of foreign investments that could affect national security interests. A growing number of jurisdictions are adopting or expanding their foreign direct investment (FDI) regimes, resulting in diverging rules and a complex regulatory landscape for international transactions.
Norway is following in these footsteps and new FDI legislation is currently being drafted by the government. The new FDI regime is expected to expand the scope of notifiable transactions compared to the current regime under the Norwegian Security Act. As opposed to many other jurisdictions, the Norwegian government also holds broad discretionary powers to intervene in virtually any transaction on the grounds of national security.
Haavind’s team of experts advises on all aspects of FDI, including notification requirements and call-in risk.
We advise on
- Assessment of FDI notification requirements.
- Drafting and submission of FDI notifications.
- Assessment of national security and call-in risks.
- Contacts with relevant authorities.
- Drafting of FDI clauses in relevant transaction documents.
Businesses engaged in international trade must navigate increasingly comprehensive and complex sanctions and export control regulations. The need for expert legal advice has increased significantly in recent years and Haavind’s specialists are committed to monitoring new developments and understanding the implications for our clients’ businesses.
We advise our clients on all aspects of sanctions and export control rules, including due diligence and risk assessments, development of internal guidelines and procedures, licence applications and communication with relevant authorities, and crisis management in the event of possible violations. Our lawyers also have substantial experience advising on the relationship between Norwegian and EU sanctions rules.
We advise on
- Interpretation and handling of sanctions and export control regulations.
- Risk assessments and ongoing screening of customers, suppliers and other contractual parties.
- Crisis and incident management in the event of possible violations.
- Export licence applications and contacts with authorities.
- Applications for authorisations or derogations (sanctions) and contacts with authorities.
- Sanctions and export control compliance in connection with mergers and acquisitions.
- Assessment and drafting of sanctions provisions in contracts and standard terms.
- Dialogue with public authorities.
Effective preparation for, and management of, crises and security incidents is essential for ensuring business continuity, minimising damage, and maintaining compliance with regulatory requirements.
Regulatory frameworks increasingly mandate that organisations develop and regularly test contingency plans, clearly defining roles and responsibilities and actions to be taken in the event of a crisis.
Moreover, organisations must meet obligations to notify relevant supervisory authorities and contractual partners, often within tight deadlines.
We advise on
- Support with risk assessments and corresponding contingency plans.
- Crisis and incident handling.
- Mapping of notification obligations related to security incidents through different legal frameworks, and assistance with assessing notification requirements towards supervisory authorities or customers.
- Flow-down of business continuity and incident notification requirements in supplier agreements.




