Norwegian Digital Security Act

Implementing NIS 1 Directive (2016/1148)

Category: Status

EU: Date of application was 10 May 2018.

EEA: The EEA Joint Committee decided to incorporate the Directive into the EEA Agreement on 3 February 2023. The decision enters into force once the parliaments of the EEA/EFTA countries decide to adopt it.

Norway: Adopted the Act on Digital Security implementing the Directive on 12 December 2023. A regulation on digital security was proposed on 11 September 2024.

Scope

The Act applies to operators of essential services within the energy, transport, banking, health, financial market infrastructure, drinking water supply and distribution, and digital infrastructure sectors. A proposed regulation to the Act outlines 28 categories of providers of essential societal services that will be subject to the Act, together with threshold values. These include, among others, entities subject to the Norwegian power preparedness regulations, air traffic control services, operators of national railway networks, major ports and shipping companies, and large municipal health and care service providers.

Providers of digital cloud computing services, online search engines and online marketplaces are also in scope, except for micro and small enterprises (fewer than 50 employees and annual turnover below EUR 10 million).

Relevance

The Digital Security Act is the first cross-sector regulation addressing cybersecurity in Norway, and is likely to have a particularly large impact on businesses that are not already subject to sector-specific digital security requirements. However, in the EU, where the Directive has already been “tried and tested”, it faced challenges including varying national implementations, insufficient scope to cover all relevant sectors, and a lack of clarity on certain obligations, leading to fragmentation and inconsistencies.

Recognizing these issues, NIS2 was introduced to provide a more comprehensive and harmonized approach. Since Norway has implemented NIS1 through its own Digital Security Act, the transition towards NIS2 will necessitate updates to the national Act, reinforcing Norway’s commitment to enhancing cybersecurity resilience in line with evolving EU standards.


Key obligations

Entities subject to the act will be required to conduct a risk assessment of network and information systems used in the provision of the relevant service. Based on the assessment, entities must implement technical and organizational measures to ensure an appropriate level of security.

A proposed regulation to the Act elaborates on these requirements: entities in scope must establish a security management system, conduct a comprehensive risk assessment, and implement appropriate security measures. These measures include organizational, technological, physical, and personnel security measures, tailored to the entity’s size and complexity. Entities must also have an emergency plan for incident management and notification, and involve subcontractors where relevant. Furthermore, providers of critical societal services must ensure that third parties, typically subcontractors, meet the entity’s security requirements.

The Act further imposes an obligation to notify the supervisory authorities where a security incident significantly impacts service delivery. An initial notification must be provided within 24 hours and include information about the affected service, the incident together with its possible cause and consequences, and the affected users. This information must be updated within 72 hours. In addition, providers of critical societal services must submit an incident report to the supervisory authority no later than one month after the first notification was given.

Supervisory authorities have the right to demand information and access to in-scope entities’ premises and equipment. Breaches may be sanctioned by rectification orders and/or fines, directed not only at the entity itself but also at individuals acting on its behalf.