
Trygve Karlstad
Associate
Oslo
Newsletter
by Trygve Karlstad
The Digital Security Act (Norw: digitalsikkerhetsloven) and its accompanying Digital Security Regulation (Norw: Digitalsikkerhetsforskriften) came into effect on October 1, 2025, marking a new milestone in Norway's cybersecurity landscape.
This legislation is the first in Norway to introduce cross-sector requirements for digital security and resilience, targeting providers of both critical societal and digital services.
The Digital Security Act and Regulation implement Directive (EU) 2016/1148 (the NIS Directive), which aims to ensure a high common level of security for network and information systems across the EU. While Norway is now aligned with this standard, most EU countries have already implemented, or are in the process of implementing, the successor to the NIS Directive, NIS2.
In recent years, Norwegian authorities have published several reports addressing digital vulnerability and cybersecurity across sectors. These reports highlight the need for coordinated national efforts and international collaboration. A government-appointed committee found existing regulations insufficient and recommended a new law focused on critical infrastructure and public administration.
Norway has multiple laws addressing digital security, but many organisations remain outside their scope. For example, the Security Act (Norw: Sikkerhetsloven) applies only to entities vital to national functions. It differs from the NIS Directive in purpose and scope: the Security Act focuses on national security and intentional threats, while the NIS Directive aims to strengthen the internal market and covers a broader range of risks.
Other legislation, such as the Personal Data Act (which implements GDPR), is also widely known. This act protects personal data and requires data controllers and processors to secure such information. Systems processing personal data require adequate protection to maintain confidentiality, integrity, and availability.
Although many organisations are subject to some form of security regulation, it is often unclear whether these rules explicitly require digital security measures or incident reporting. The Digital Security Act addresses this gap by establishing uniform requirements across sectors.
It should be noted that where a business is subject to security and notification requirements in sector-specific legislation that at least correspond to those of the Digital Security Act, the sector-specific legislation takes precedence.
The Digital Security Act applies to two main categories of organisations. Providers of essential services include entities across key sectors, including energy, aviation, rail and road transport, healthcare, water supply, digital infrastructure, and finance. This covers entities such as hospitals, airports, internet providers, and banks, which will be subject to new digital security requirements.
Digital service providers include businesses that offer online marketplaces, online search engines, or cloud services.
The Digital Security Act establishes four key areas of compliance. However, the specific operational requirements are set out in the accompanying Regulation, not in the Act itself. These rules provide clear expectations for providers of essential services, including measures related to organisational structure, technology, physical safeguards, and personnel.
Firstly, providers of essential services must establish and maintain a security management system that includes digital security, with the system being documented and integrated as part of overall business management. Cybersecurity must be integrated into core business operations rather than treated as a separate function. The aim of the security management is to prevent, detect, respond to, and recover from incidents affecting networks and information systems, while continuously ensuring these objectives are met.
The organisation's management has responsibility for ensuring the organisation maintains an appropriate security level within the scope of the Digital Security Act, with the security management system requiring approval from the organisation's management and annual review aimed at improving the organisation's security work.
Secondly, organisations must conduct comprehensive risk evaluations. Providers of essential services must develop, maintain and document risk assessments that help them identify which security measures they need for their organisation, technology, physical infrastructure, and staff. These assessments must cover the different ways the organisation could be at risk: the organisation's networks and information systems and their significance for delivery of the essential service; the incidents those networks and information systems may be exposed to; vulnerabilities connected to them; the consequences of incidents; and the extent to which the organisation depends on other organisations in order to function as it should.
Based on these risk assessments, providers of essential services must have a plan for handling risk and implement organisational, technological, physical and personnel security measures to reduce risk and maintain an appropriate security level.
In addition, the Regulation mandates specific technical and organisational safeguards that organisations must implement based on their risk profiles.
Technology security measures must at minimum include strong authentication for access to networks and information systems, together with management and control of access to the organisation's networks and information systems. Additionally, organisations must ensure system resilience through three kinds of measures: measures to ensure networks and information systems can handle various types of interruption and be restored within a reasonable time without significant reduction in service quality; measures to ensure networks and information systems have sufficient capacity to withstand overload and equipment failure; and measures to ensure networks and information systems are continuously developed, including quality assurance, installation and ongoing testing of updates. Companies must also monitor their systems in order to detect security threats.
Furthermore, organizational measures include written instructions, routines, and procedures for digital security, tailored to the organization’s size, complexity, and risk profile. Providers of essential services must also maintain updated contingency plans for changes in risk or incidents. These documents must be made known to all personnel with access to the organization’s networks and information systems.
Lastly, the legislation establishes strict notification protocols for cybersecurity incidents that could impact service delivery. Notifications under the Digital Security Act must be sent to the supervisory authority no later than 24 hours after the provider of an essential service became aware of the incident, and must contain the provider's name and contact information, the affected service, a description of the incident including possible causes and consequences, the number of affected users, and the incident's effects in other countries.
Information in the notification must be updated within 72 hours, and within one month from the notification being sent, the provider must give the supervisory authority an incident report containing updated information about circumstances and what remedial measures have been implemented. Organisations must also maintain preparedness capabilities, with providers required to have a preparedness plan for handling incidents and notification.
Penalties
The National Security Authority is the supervisory authority and the national response environment for handling incidents under the Digital Security Act. Furthermore, the authority may impose administrative fines under Section 17 of the Digital Security Act. For companies, the fine may be up to 25 times the National Insurance base amount or 4% of the previous year’s turnover, whichever is higher, but cannot exceed NOK 50 million.
In assessing whether a fine should be imposed and its amount, factors such as the nature, severity, and duration of the violation, the provider’s fault, market impact, and preventive measures are considered. Fines are enforceable, but enforcement is suspended if the decision is challenged in court.
Compliance Guidance
From 1 October 2025, companies must comply with the Digital Security Act without a grace period. The Act's preparatory works indicate that following NSM’s Basic Principles for ICT Security is a good starting point for complying with the legal and regulatory requirements. Businesses should assess whether they fall within the scope of the regulation, conduct a gap analysis against current security measures, and implement any necessary changes. For providers of essential services, the NIS Cooperation Group’s guidelines offer support in evaluating and implementing measures. The preparatory works also emphasise the importance of integrating digital security into broader governance and risk management systems.