Norwegian Digital Security Act
The Digital Security Act, implementing the EU's NIS1 directive (since replaced by NIS2 in the EU), imposes requirements to ensure an appropriate level of digital security in enterprises of particular importance to society, by preventing, detecting and counteracting unwanted incidents in network and information systems.
Status by jurisdiction
- EU: Repealed and replaced by NIS2.
- EEA: Incorporated into the EEA Agreement on 3 February 2023.
- Norway: Entered into force on 1 October 2025.
Hot topics
- The Norwegian National Security Authority (NSM) has published guidance to the Act.
Who is affected
Providers of societally important services, which include the following categories of entities:

Providers of digital services, which include:

Why act now?
Compliance is not a quick fix. It requires a systematic approach to network and information system security that is both documented and operationalized. Providers of societally important services are already required to notify the National Security Authority (NSM) and the relevant sector authority.
Breaches may be sanctioned by rectification orders and fines of up to 25 times the Norwegian National Insurance basic amount (currently 34 MNOK) or 4% of the undertaking's annual turnover in the preceding financial year, capped at 50 MNOK.
A parent company may also be held jointly liable for administrative fines imposed for a subsidiary's breach, which matters for group governance and M&A activities. Fines may also be imposed on individuals acting on behalf of the company.
Key obligations
Entities subject to the Act must conduct a risk assessment of the network and information systems used to provide the relevant service. Based on that assessment, they must implement technical and organizational measures to ensure an appropriate level of security.
The Norwegian regulation to the Act (digitalsikkerhetsforskriften) specifies these requirements: entities in scope must establish a security management system, conduct a comprehensive risk assessment, and implement appropriate security measures. The measures span organizational, technological, physical and personnel security, tailored to the entity's size and complexity. Entities must also have an emergency plan for incident management and notification, and involve subcontractors where relevant. Furthermore, providers of societally important services must ensure that third parties, typically subcontractors, meet the entity's security requirements.
The Act also imposes a duty to notify the supervisory authority where a security incident significantly affects service delivery. An initial notification must be given within 24 hours and must describe the affected service, the incident with its possible cause and consequences, and the affected users. The information must be updated within 72 hours. In addition, providers of societally important services must submit an incident report to the supervisory authority no later than one month after the first notification.
Supervisory authorities may demand information and access to the premises and equipment of entities in scope. Breaches may be sanctioned by rectification orders and/or fines, directed not only at the entity but also at individuals acting on behalf of the company. The entity's parent company may also be held jointly liable for administrative fines.
Recommended actions
- Consider whether you are in scope of the Act and required to notify the Norwegian National Security Authority (NSM).
- Establish a security management system, or map your existing security management system against the requirements of the Act.
- Establish processes that enable rapid notification to the authorities in the event of a cyber incident. Assessing notification requirements during an emergency can be complex, so roles and criteria should be anchored in the organization in advance.
- Conduct risk assessments of the network and information systems used to provide societally important services. The risk assessments form the basis for deciding which technical, organizational, physical and personnel-related measures must be implemented to ensure adequate security in accordance with the Act.
How can we assist
- Assessing whether the Digital Security Act applies to your organization.
- Reviewing commercial contracts to ensure that the obligation to flow down security requirements to subcontractors is met.
- Reviewing your security management system to assess whether changes are needed to comply with the Act.
- Establishing incident response policies that enable your company to meet the notification requirements.
- Supporting impact assessments of network and information systems.
Contact us
Andreas Gard Meyer
Senior Lawyer
a.meyer@haavind.no
+47 988 37 538

Kari Gimmingsrud
Partner
k.gimmingsrud@haavind.no
+47 922 91 006
