Norway implements NIS1 from 2016 in extended version – in effect from 1 October 2025

The Digital Security Act, along with its accompanying regulations, comes into force on October 1, 2025. This marks a clear shift in what Norwegian businesses must do to secure their digital services and systems, with responsibility now clearly placed on top management.
Published: 16.09.25

When we wrote the article "The Norwegian act on digital security lags far behind the EU – but soon the time will come" in May, the regulations under the Norwegian Digital Security Act were still being drafted. Now the wait is over.

From proposal to adoption

The act primarily implements the first NIS directive (2016) into Norwegian law, whilst the regulations specify how the obligations are to be fulfilled. That is precisely why the final wording of the regulations has been so eagerly awaited.

The 2024 consultation document proposed relatively detailed minimum requirements in several areas. In the final regulations, the ministry has instead chosen a more function- and risk-based approach: companies must document their own risk assessments and describe which measures are suitable for protecting their services and systems. This flexibility gives scope to adapt the requirements to the company's size and risk profile, but it also shifts the burden onto the company to produce thorough documentation showing that the requirements are met.

Another area that has received clearer regulation is notification and collaboration with the national response environments (CSIRT). The requirements are designed to ensure faster and more coordinated incident handling. The regulations also specify that information shared in connection with incident management must be limited to what is necessary and must be specifically secured, reflecting the interplay between digital security and data protection.

Several stakeholders called for transitional provisions during the consultation. These were not included. According to section 25, the regulations therefore apply in full from 1 October 2025, without gradual implementation.

Who will the regulations apply to?

The regulations apply to providers of essential services, including those in energy, transport, banking and health, as well as providers of digital services such as cloud services, marketplaces and search engines. In addition, the rules may have significant impact in supply chains. Even if a supplier or subcontractor is not directly regulated, it may face new requirements through contracts when customers must impose requirements on and document security in the value chain.

This means that even companies that do not see themselves as subject to the act may face practical consequences in the form of changed contractual terms, stricter requirements for risk assessments and expectations regarding contingency plans.

Practical consequences

Companies that are covered should quickly gain an overview of where they stand. A natural first step is to clarify whether one is actually subject to the new law. Current security levels should then be compared with the requirements in the regulations. Many may discover that there is a need to establish or update management systems, conduct regular risk assessments and adapt contingency plans.

The law places responsibility with the company's senior management. The board and top management can no longer leave digital security to the technology departments alone. Resources must be allocated, and management must have insight into how risk is handled. At the same time, companies must review their supplier agreements. The requirement for security in the supply chain means that contracts should be revised to ensure that suppliers and subcontractors also meet the regulations' requirements.

The regulations also assume that companies establish routines for notification and collaboration with national responders in the event of serious incidents. For some, this may be an entirely new part of security work.

Finally, it is important to coordinate the new obligations with data protection legislation. The requirements for digital security and the General Data Protection Regulation (GDPR) intersect, and poor coordination can create both inefficiency and regulatory breaches.


Supervision and sanctions

The Norwegian National Security Authority (NSM) is designated in the regulations as the national single point of contact for the security of networks and information systems.

Supervision of the Digital Security Act and regulations is divided between the Norwegian Communications Authority (NKOM) and any designated sectoral supervisors. According to section 21, the responsible ministry may designate authorities to supervise companies within their own sector, whilst NKOM supervises companies for which no such sectoral supervisor has been designated. No sectoral supervisors have been designated to date.

In case of breaches of the act or regulations, the supervisory authority may impose penalty payments of up to 25 times the National Insurance basic amount (in excess of 250 000 euros) or, where the offender is an enterprise, four per cent of its annual turnover for the preceding financial year. The parent company is subsidiarily liable for the penalty. The penalty can never exceed 50 million kroner (about 5 million euros). These sanctions are considerably stricter than what NIS1 itself requires.

Challenges and opportunities

There is no doubt that the regulations elevate digital security to a central management responsibility and provide guidance on how companies should work systematically. At the same time, there are challenges. Smaller companies may find that costs and resource requirements become significant.

Concepts such as "appropriate measures" provide scope for adaptation, but also an interpretive space that companies should clarify through thorough risk assessments and documentation. Not least, the time factor is a challenge. With entry into force already on 1 October, companies that have not begun to prepare have little time.

The current Norwegian rules are based on NIS1 but tighten its requirements considerably. The EU has since adopted NIS2, which imposes even more comprehensive requirements on a wider range of companies. Read more about this in the article: "NIS2: Which businesses are covered?". Companies that treat the current regulations as a minimum level will be better equipped to meet the requirements of NIS2.

What should companies do now?

The Digital Security Act with regulations is now a reality. For many companies, this marks the start of a new regime where digital security is no longer a voluntary ambition, but a legal obligation.

Companies that wish to be well prepared should as soon as possible:

  • Take a position on whether the company is covered by the rules
  • Conduct an analysis of the gap between current practice and the regulations' requirements
  • Perform risk analyses
  • Anchor security work with the board and management
  • Update supplier agreements, and
  • Establish routines for notification and cooperation with response environments

The motivation for establishing adequate security should not be compliance alone. Digital security is not just a cost: properly handled, it is an investment in robustness, trust and competitiveness.

NIS2 – What happens next?

Whilst Norway is now implementing NIS1 through the Digital Security Act and regulations, the EU has already moved on. The NIS2 directive has been implemented in a number of EU countries, but it has not yet been incorporated into the EEA Agreement, and consequently it has not been implemented in Norwegian law either. NIS2 may be implemented in parallel with the CER directive (Directive (EU) 2022/2557 on the resilience of critical entities), which concerns requirements for physical security.

You can read more about this in the article: “The CER Directive: New physical security requirements for critical entities”.

The Government has announced that work on Norwegian implementation is ongoing, but the timeline has not been clarified.
