{"id":7277,"date":"2024-10-04T08:15:43","date_gmt":"2024-10-04T08:15:43","guid":{"rendered":"https:\/\/haavind.no\/techinsight-new\/?post_type=tech-insight&p=7277"},"modified":"2026-03-10T11:38:39","modified_gmt":"2026-03-10T11:38:39","slug":"cybersecurity-regulation","status":"publish","type":"tech-insight","link":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/","title":{"rendered":"Cybersecurity Regulation"},"content":{"rendered":"\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\n

Cybersecurity Regulation<\/h1>\n\n

Regulation (2019\/881) on ENISA and on ICT cybersecurity certification<\/em><\/p>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t

\n\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\n\n
\n\t\t\t
\n\t\t\t\t

Category<\/h4>\n\t\t\t\t\n\t\t\t
Cybersecurity<\/a><\/div>\n\t\t\t<\/div>\n
\n

Status<\/h3>\n\n\n\n

EU<\/strong><\/h4>\n\n\n\n

Date of application 27 June 2019.<\/p>\n\n\n\n

EEA<\/strong><\/h4>\n\n\n\n

Deadline for implementation was 1 August 2024.<\/p>\n\n\n\n

Norway<\/strong><\/h4>\n\n\n\n

Public consultation for legislative proposal initiated 15 December 2025.<\/p>\n<\/div>\n<\/div>\n\n\n

Scope<\/h2>\n\n\n\n

The regulation primarily imposes obligations on the respective EEA Member States, requiring them to adopt a national strategy on the security of network and information systems. While it does not directly mandate requirements for individual enterprises and public bodies, it requires member states to set national frameworks that enterprises must follow (and benefit from).

The regulation also sets out the role of ENISA (the European Union Agency for Cybersecurity) in facilitating a coordinated response to large-scale cybersecurity incidents and attacks across the EU.

A significant component of the regulation is the establishment of a European framework for ICT cybersecurity certification, providing a harmonized set of standards for ICT products, services, and processes.

On 15 December 2025, a public consultation on a proposal for new legislation implementing the regulation was launched. The Norwegian consultation proposes a flexible governance model, where different authorities may be designated for different certification schemes depending on sector expertise. A national authority will coordinate implementation and represent Norway in EU cooperation on cybersecurity certification. Implementation will require the establishment of supervisory functions, notification procedures for certification bodies, and coordination with the national accreditation body (Norsk: Akkreditering).<\/p>\n\n\n\n

Relevance<\/h2>\n\n\n\n

The introduction of a European cybersecurity certification framework under this Regulation marks a significant step towards harmonizing the cybersecurity certification processes across the EU, potentially influencing global cybersecurity practices.

For Norway, the proposed implementation will establish a national system for managing cybersecurity certification schemes developed at EU level. Certification will enable Norwegian companies to obtain certificates that are valid across the EU\/EEA, potentially reducing the need for multiple national certifications and improving market access.<\/p>\n\n\n\n

Key obligations<\/h2>\n\n\n\n

The regulation sets out the tasks of ENISA, including in light of policy development and legislation, enhancing cybersecurity capabilities in the EU, ensuring cooperation between member states, developing cybersecurity standards and certifications. ENISA shall also acts as an EU hub for network and information security, promoting best practices and initiatives across the EU, provide guidance and best practices for the security of critical infrastructure and digital service providers and create reports after significant incidents to guide organizations and citizens.

The regulation further establishes a European framework for cybersecurity certification of ICT products, services and processes. Certification schemes are developed at EU level and adopted by the European Commission through implementing acts.

In the Norwegian proposal, national authorities will be responsible for tasks such as:<\/p>\n\n\n\n

    \n
  • market surveillance of certified products, services and processes<\/li>\n\n\n\n
  • notification and supervision of conformity assessment bodies<\/li>\n\n\n\n
  • participation in EU coordination mechanisms for certification<\/li>\n\n\n\n
  • handling complaints and enforcement actions related to certification<\/li>\n<\/ul>\n\n\n\n

    Certification will initially be voluntary, but the European Commission may introduce mandatory certification requirements in certain areas through future EU legislation or sector-specific rules.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Norwegian legislative proposal. <\/p>\n","protected":false},"featured_media":7668,"menu_order":0,"template":"","meta":{"tech-insight-date":"2025-12-15T10:12:32","footnotes":""},"tech-insight-category":[92],"tech-insight-jurisdiction":[83,84],"tech-insight-status":[86,87,88,97],"acf":[],"yoast_head":"\nCybersecurity Regulation - Haavind Tech Insight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cybersecurity Regulation\" \/>\n<meta property=\"og:description\" content=\"Norwegian legislative proposal.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/\" \/>\n<meta property=\"og:site_name\" content=\"Haavind Tech Insight\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-10T11:38:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"460\" \/>\n\t<meta property=\"og:image:height\" content=\"352\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/\",\"url\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/\",\"name\":\"Cybersecurity Regulation - Haavind Tech Insight\",\"isPartOf\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg\",\"datePublished\":\"2024-10-04T08:15:43+00:00\",\"dateModified\":\"2026-03-10T11:38:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage\",\"url\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg\",\"contentUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg\",\"width\":460,\"height\":352,\"caption\":\"Abstract shiny dark blue wavy dotted line particle technology background\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/haavind.no\/techinsight\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Regulation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\",\"url\":\"https:\/\/haavind.no\/techinsight\/\",\"name\":\"Haavind Tech Insight\",\"description\":\"Stay ahead with our digital roadmap of EU Tech regulations\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/haavind.no\/techinsight\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Cybersecurity Regulation - Haavind Tech Insight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/","og_locale":"en_US","og_type":"article","og_title":"Cybersecurity Regulation","og_description":"Norwegian legislative proposal.","og_url":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/","og_site_name":"Haavind Tech Insight","article_modified_time":"2026-03-10T11:38:39+00:00","og_image":[{"width":460,"height":352,"url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/","url":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/","name":"Cybersecurity Regulation - Haavind Tech Insight","isPartOf":{"@id":"https:\/\/haavind.no\/techinsight\/#website"},"primaryImageOfPage":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage"},"image":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage"},"thumbnailUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg","datePublished":"2024-10-04T08:15:43+00:00","dateModified":"2026-03-10T11:38:39+00:00","breadcrumb":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#primaryimage","url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg","contentUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cybersecurity-Regulation-460x352-1.jpg","width":460,"height":352,"caption":"Abstract shiny dark blue wavy dotted line particle technology background"},{"@type":"BreadcrumbList","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cybersecurity-regulation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/haavind.no\/techinsight\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Regulation"}]},{"@type":"WebSite","@id":"https:\/\/haavind.no\/techinsight\/#website","url":"https:\/\/haavind.no\/techinsight\/","name":"Haavind Tech Insight","description":"Stay ahead with our digital roadmap of EU Tech regulations","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/haavind.no\/techinsight\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7277"}],"collection":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight"}],"about":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/types\/tech-insight"}],"version-history":[{"count":13,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7277\/revisions"}],"predecessor-version":[{"id":8047,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7277\/revisions\/8047"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media\/7668"}],"wp:attachment":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media?parent=7277"}],"wp:term":[{"taxonomy":"tech-insight-category","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-category?post=7277"},{"taxonomy":"tech-insight-jurisdiction","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-jurisdiction?post=7277"},{"taxonomy":"tech-insight-status","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-status?post=7277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}