Cybersecurity Regulation

Regulation (2019/881) on ENISA and on ICT cybersecurity certification

Category

Status

EU

Date of application 27 June 2019.

EEA

Deadline for implementation was 1 August 2024.

Norway

Public consultation for legislative proposal initiated 15 December 2025.

Scope

The regulation primarily imposes obligations on the respective EEA Member States, requiring them to adopt a national strategy on the security of network and information systems. While it does not directly mandate requirements for individual enterprises and public bodies, it requires member states to set national frameworks that enterprises must follow (and benefit from).

The regulation also sets out the role of ENISA (the European Union Agency for Cybersecurity) in facilitating a coordinated response to large-scale cybersecurity incidents and attacks across the EU.

A significant component of the regulation is the establishment of a European framework for ICT cybersecurity certification, providing a harmonized set of standards for ICT products, services, and processes.

On 15 December 2025, a public consultation on a proposal for new legislation implementing the regulation was launched. The Norwegian consultation proposes a flexible governance model, where different authorities may be designated for different certification schemes depending on sector expertise. A national authority will coordinate implementation and represent Norway in EU cooperation on cybersecurity certification. Implementation will require the establishment of supervisory functions, notification procedures for certification bodies, and coordination with the national accreditation body (Norsk: Akkreditering).

Relevance

The introduction of a European cybersecurity certification framework under this Regulation marks a significant step towards harmonizing the cybersecurity certification processes across the EU, potentially influencing global cybersecurity practices.

For Norway, the proposed implementation will establish a national system for managing cybersecurity certification schemes developed at EU level. Certification will enable Norwegian companies to obtain certificates that are valid across the EU/EEA, potentially reducing the need for multiple national certifications and improving market access.

Key obligations

The regulation sets out the tasks of ENISA, including tasks relating to policy development and legislation, enhancing cybersecurity capabilities in the EU, ensuring cooperation between member states, and developing cybersecurity standards and certifications. ENISA shall also act as an EU hub for network and information security, promote best practices and initiatives across the EU, provide guidance and best practices for the security of critical infrastructure and digital service providers, and create reports after significant incidents to guide organizations and citizens.

The regulation further establishes a European framework for cybersecurity certification of ICT products, services and processes. Certification schemes are developed at EU level and adopted by the European Commission through implementing acts.

In the Norwegian proposal, national authorities will be responsible for tasks such as:

  • market surveillance of certified products, services and processes
  • notification and supervision of conformity assessment bodies
  • participation in EU coordination mechanisms for certification
  • handling complaints and enforcement actions related to certification

Certification will initially be voluntary, but the European Commission may introduce mandatory certification requirements in certain areas through future EU legislation or sector-specific rules.