The Norwegian act on digital security lags far behind the EU – but soon the time will come
Just before Christmas, the new act on digital security was announced. The law implements the NIS1 directive and the Cyber Security Act, setting fundamental requirements for digital security in business sectors that are particularly important to society. The law mandates compliance with these requirements for entities providing "essential services" in sectors such as energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure. What constitutes essential services is further defined in the law. The law also imposes requirements on "digital service providers", meaning businesses that offer online marketplaces, online search engines, or cloud services.
What requirements does the act on digital security impose?
For businesses that are not already subject to equivalent or stricter obligations, the act on digital security introduces new requirements for:
- risk assessments of network and information systems
- implementation of appropriate and proportionate security measures, so that the level of security is adapted to the risk
- implementation of proportionate measures to prevent, detect and reduce the consequences of incidents, so that service delivery can be maintained
- notification of events that have a significant impact on service delivery
A provider of digital services in Norway with no head office here or in another EEA state must also appoint a representative in Norway.
The Ministry of Justice and Public Security has stated that providers of essential services that already comply with NSM's basic principles for ICT security are compliant with the requirements for security measures in the act on digital security.
Although the EU no longer considers the NIS1 directive sufficient and has adopted NIS2, which will significantly expand requirements and scope, the implementation of NIS1 in Norway through the act on digital security will strengthen the regulation of digital security in Norwegian companies.
Regarding the implementation of the Cyber Security Act, the act on digital security provides for the establishment of security certification schemes for ICT products, services and processes at a later stage.
Violations of the act on digital security may result in fines. The exact parameters for the fines have not yet been set. However, potential board liability for non-compliance with the law's requirements should be of greater concern.
The Way Forward
Although the government is already far behind in implementing the NIS1 directive, it has not yet set a date for when the act on digital security will enter into force. In addition, much is still to be decided in the regulations under the act. However, businesses may already evaluate whether the rules apply to them. For relevant businesses, now is the time to start preparing by:
- establishing a security management system and implementing security measures
- systematically assessing risks related to their systems
- establishing procedures to fulfill the notice obligation
Many companies providing services in EU countries have also begun preparing for the NIS2 requirements, which are scheduled to take effect in EU countries by 17th October 2024.
The article is also published at digi.no