Skip to content
World Watch/Iceland/Cybersecurity

Cybersecurity · Iceland

Cybersecurity law & regulation in Iceland (2026)

Comprehensive lawCyber-Security Act No. 78/2019 (Öryggi net- og upplýsingakerfa mikilvægra innviða), administered by the Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) and national CSIRT CERT-IS; NIS2 transposition amendment pendingCountry index 82 · A

Iceland shaded by its cybersecurity status

Cybersecurity in Iceland: comprehensive law, anchored by Cyber-Security Act No. 78/2019 (Öryggi net- og upplýsingakerfa mikilvægra innviða), administered by the Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) and national CSIRT CERT-IS; NIS2 transposition amendment pending.

Iceland has a comprehensive cybersecurity statute, Act No. 78/2019, which transposed the original EU NIS Directive into national law via its EEA membership, imposing cross-sector risk-management and incident-reporting duties on operators of essential services and digital service providers. The Electronic Communications Office (ECOI) and its national CSIRT, CERT-IS, are the competent enforcement bodies. As of May 2026, NIS2 transposition is still pending: Iceland plans to amend Act 78/2019 rather than enact entirely new legislation, but remains the only EEA state yet to publish a formal legislative draft.

Key points

Primary legislation

Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructure (Öryggi net- og upplýsingakerfa mikilvægra innviða) is the foundational cross-sector cybersecurity statute, implementing the original NIS Directive as an EEA obligation. Article 7 codifies minimum risk-management and operational preparedness requirements for operators of essential services.

Competent authority & CSIRT

The Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) is the designated national competent authority. CERT-IS, formally established in 2013 under ECOI, is the national CSIRT and the mandatory point of contact for significant cybersecurity incident reports from in-scope entities.

Incident-reporting obligations

Under Act 78/2019, operators of essential services and digital service providers must notify ECOI/CERT-IS of significant cybersecurity incidents. Proposed NIS2-aligned amendments would tighten this to a 24-hour early warning, 72-hour detailed notification, and 30-day final report submitted via a new dedicated ECOI portal.

NIS2 EEA status, pending

As a non-EU EEA state, Iceland's NIS2 obligations depend on the EEA Joint Committee formally incorporating Directive 2022/2555 into Annex XI of the EEA Agreement. The EFTA EEA-Lex factsheet confirms NIS2 has not yet been incorporated for Iceland; Iceland is notably the only EEA country yet to publish a formal legislative draft, with full transposition not expected before 2026-2027.

Scope expansion under NIS2

Currently approximately 350 critical infrastructure operators fall under Act 78/2019. Once NIS2 amendments are enacted, Iceland estimates 3,000-4,000 entities will be in scope, including medium-sized manufacturers and large municipalities, reflecting the directive's broader sector coverage.

National cybersecurity strategy 2022-2037

Iceland's Ministry of Higher Education, Science and Innovation published a National Cybersecurity Strategy covering 2022-2037, establishing a long-term policy framework for resilience and directing alignment with EU/EEA cybersecurity norms including eventual NIS2 integration.

Timeline - major decisions & events

Jan 1, 2025incident
Ransomware Doubles for Fourth Consecutive Year; Cyber Reports Surge to 5,240

Iceland logged 5,240 cybersecurity reports in 2025 (a 26% year-on-year rise), with ransomware incidents doubling for the fourth straight year and payment-fraud losses totalling ~ISK 2 billion across 2023-2025. The trend intensified parliamentary pressure to accelerate NIS2 transposition.

Iceland Review
Jun 24, 2024incident
Akira Ransomware Group Attacks Árvakur Media Group

The Russian-linked Akira group encrypted Árvakur's systems, taking mbl.is offline and halting radio station K100; it was Iceland's largest known ransomware attack on a media organisation and prompted parliamentary debate on reclassifying media as critical infrastructure.

Iceland Monitor (mbl.is)
Nov 28, 2023enforcementofficial
Persónuvernd Fines Multiple Municipalities for Unlawful Google Workspace for Education Use

Following the EDPB's 2022 coordinated cloud-services enforcement action, Iceland's DPA fined Garðabær (€16,590), Hafnarfjörður (€18,580), and Reykjanesbær (€16,590) for transferring pupils' data to the US without adequate safeguards, establishing a precedent on public-sector cloud security compliance.

European Data Protection Board (EDPB)
Oct 1, 2023decision
Eyvör, Iceland's National Cybersecurity Coordination Centre (NCC-IS), Launched

Iceland launched the Eyvör NCC-IS project, its official node in the EU's European Cybersecurity Competence Centre (ECCC) network, to coordinate cyber research, education and strategic capability-building across academia, industry and government.

University of Iceland (NCC-IS project page)
Jul 1, 2023enforcement
Persónuvernd Fines Creditinfo Lánstraust €253,400 for Unlawful Credit-Data Processing

Iceland's data protection authority issued its largest-ever GDPR fine against credit bureau Creditinfo Lánstraust hf. for processing personal financial data without a sufficient legal basis, following a complaint from the Consumers' Association of Iceland.

DataGuidance / Persónuvernd
Feb 1, 2022guidanceofficial
Iceland Adopts National Cybersecurity Strategy 2022-2037

The Ministry of Higher Education, Science and Innovation published a new 15-year strategy centred on digital trust, human-rights protection, and a strong security culture, designating Fjarskiptastofa (ECOI) as the principal coordination body and replacing the 2015 strategy.

Government of Iceland (Stjórnarráðið)
Jan 1, 2022lawofficial
Electronic Communications Act No. 70/2022 Enacted

Iceland enacted Act No. 70/2022, transposing the EU European Electronic Communications Code, consolidating network-security and incident-reporting obligations for telecom operators under Fjarskiptastofa's expanded supervisory mandate.

Fjarskiptastofa / Electronic Communications Office of Iceland
Jan 1, 2020law
Regulation No. 866/2020 Sets Binding Security Rules for Essential-Service Operators

Issued under Act 78/2019, this regulation imposed technical and organisational security requirements and mandatory incident-reporting procedures on approximately 350 critical-infrastructure operators across energy, transport, banking, and health sectors.

Baker McKenzie Global Data & Cyber Handbook (citing Government of Iceland)
Jul 15, 2018lawofficial
Data Protection Act No. 90/2018 Enters Into Force, GDPR Implemented via EEA Agreement

Following the EEA Joint Committee Decision of 6 July 2018, Iceland enacted Act No. 90/2018 to implement the GDPR, empowering Persónuvernd as the independent supervisory authority and imposing GDPR-equivalent data-security, breach-notification, and data-subject rights obligations on all controllers.

Ísland.is (Official Government of Iceland Portal)
Apr 1, 2015guidanceofficial
Iceland's First National Cyber Security Strategy 2015-2026 Published

The Ministry of the Interior published Iceland's inaugural cybersecurity strategy with a 2015-2018 action plan targeting resilience, capacity-building, strengthened legislation, and cybercrime reduction, laying the political and institutional groundwork for the statutory framework enacted from 2018 onward.

ITU National Strategies Repository (official Icelandic government document)
Jan 1, 2013decisionofficial
CERT-IS Established as Iceland's National Computer Emergency Response Team

CERT-IS was formally established under the Electronic Communications Office of Iceland as the national CERT/CSIRT, mandated to monitor threats, coordinate incident response with police, and serve as the government's single point of contact for cybersecurity incidents affecting critical infrastructure and registered telecoms operators.

CERT-IS (official national CERT)

Iceland - other topics

Cybersecurity in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →