Under the existing Security Act, the acquirer of at least 1/3 control over certain businesses (“Targets”) is obliged to notify the relevant ministry under which the Target is regulated. Targets falling under the current scope are those who (according to a translation of the Security Act published by the ministry of Justice):
Such entities may include sub-suppliers and any other parties who, "have insight into information sensitive to contingency preparedness, vital infrastructure, political decision making processes, or in any other manner come in a position to perform actions threatening security."
The Ministries have found that this scope is too limited and as such, the proposal is to amend the wording in sub-paragraphs b) and c) from "vital" importance to "material" (Norw: vesentlig) importance. Under the existing Security Act, the Ministries have an obligation to "identify and maintain an overview of undertakings of material importance to fundamental national functions". Such overview lists 250-300 businesses. Note that any "suppliers of goods or services in connection with classified procurements" are in addition to and not included in the 250-300 listed businesses.
The Security Act does not contain a definition on what "fundamental national functions" are, but guidance may be found in the definition of "national security interest", which lists, in section 1-5, "Norway’s sovereignty, territorial integrity and democratic system of government, and general political security interests related to a) the activities, security and freedom of action of the highest state bodies; b) defence, security and contingency preparedness; c) relations with other states and international organisations; d) economic stability and freedom of action; e) fundamental societal functions and the basic security of the population."
Further guidance on what sort of companies could fall under the new legislation may be found in Article 4.1 of the EU Regulation, which provides examples of factors that affect "security or public order". Among those relevant to the TMT industries are:
"a) critical infrastructure, whether physical or virtual, including […] health, communications, media, data processing or storage, aerospace, […] financial infrastructure, and sensitive facilities, as well as land and real estate crucial for the use of such infrastructure; (b) critical technologies and dual use items as defined in [Regulation 428/2009], including artificial intelligence, robotics, semiconductors, cybersecurity, aerospace, defence, energy storage, quantum and nuclear technologies as well as nanotechnologies and biotechnologies; (c) supply of critical inputs, including energy or raw materials, as well as food security; (d) access to sensitive information, including personal data, or the ability to control such information; or (e) the freedom and pluralism of the media."
In view of these broad categories and the number of activities that are likely to be considered as "influencing national security", the number of Norwegian businesses affected by the proposed change of control provisions will grow considerably. This will be due not only to changes in the security climate, but also the increased focus on the role the Security Act plays in transactions. The Ministries have provided no guidance other than to state that it is "uncertain" how many businesses would fall under the extended scope. Note that any companies falling under the Security Act will have knowledge of this fact, as they should be provided with prior notice of any decision to bring them under the act.