Cybersecurity · Iceland
Cybersecurity law & regulation in Iceland (2026)
Iceland shaded by its cybersecurity status
Cybersecurity in Iceland: comprehensive law, anchored by Cyber-Security Act No. 78/2019 (Öryggi net- og upplýsingakerfa mikilvægra innviða), administered by the Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) and national CSIRT CERT-IS; NIS2 transposition amendment pending.
Iceland has a comprehensive cybersecurity statute, Act No. 78/2019, which transposed the original EU NIS Directive into national law via its EEA membership, imposing cross-sector risk-management and incident-reporting duties on operators of essential services and digital service providers. The Electronic Communications Office (ECOI) and its national CSIRT, CERT-IS, are the competent enforcement bodies. As of May 2026, NIS2 transposition is still pending: Iceland plans to amend Act 78/2019 rather than enact entirely new legislation, but remains the only EEA state yet to publish a formal legislative draft.
Key points
Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructure (Öryggi net- og upplýsingakerfa mikilvægra innviða) is the foundational cross-sector cybersecurity statute, implementing the original NIS Directive as an EEA obligation. Article 7 codifies minimum risk-management and operational preparedness requirements for operators of essential services.
The Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) is the designated national competent authority. CERT-IS, formally established in 2013 under ECOI, is the national CSIRT and the mandatory point of contact for significant cybersecurity incident reports from in-scope entities.
Under Act 78/2019, operators of essential services and digital service providers must notify ECOI/CERT-IS of significant cybersecurity incidents. Proposed NIS2-aligned amendments would tighten this to a 24-hour early warning, 72-hour detailed notification, and 30-day final report submitted via a new dedicated ECOI portal.
As a non-EU EEA state, Iceland's NIS2 obligations depend on the EEA Joint Committee formally incorporating Directive 2022/2555 into Annex XI of the EEA Agreement. The EFTA EEA-Lex factsheet confirms NIS2 has not yet been incorporated for Iceland; Iceland is notably the only EEA country yet to publish a formal legislative draft, with full transposition not expected before 2026-2027.
Currently approximately 350 critical infrastructure operators fall under Act 78/2019. Once NIS2 amendments are enacted, Iceland estimates 3,000-4,000 entities will be in scope, including medium-sized manufacturers and large municipalities, reflecting the directive's broader sector coverage.
Iceland's Ministry of Higher Education, Science and Innovation published a National Cybersecurity Strategy covering 2022-2037, establishing a long-term policy framework for resilience and directing alignment with EU/EEA cybersecurity norms including eventual NIS2 integration.
Timeline - major decisions & events
Iceland logged 5,240 cybersecurity reports in 2025 (a 26% year-on-year rise), with ransomware incidents doubling for the fourth straight year and payment-fraud losses totalling ~ISK 2 billion across 2023-2025. The trend intensified parliamentary pressure to accelerate NIS2 transposition.
Iceland Review ↗The Russian-linked Akira group encrypted Árvakur's systems, taking mbl.is offline and halting radio station K100; it was Iceland's largest known ransomware attack on a media organisation and prompted parliamentary debate on reclassifying media as critical infrastructure.
Iceland Monitor (mbl.is) ↗Following the EDPB's 2022 coordinated cloud-services enforcement action, Iceland's DPA fined Garðabær (€16,590), Hafnarfjörður (€18,580), and Reykjanesbær (€16,590) for transferring pupils' data to the US without adequate safeguards, establishing a precedent on public-sector cloud security compliance.
European Data Protection Board (EDPB) ↗Iceland launched the Eyvör NCC-IS project, its official node in the EU's European Cybersecurity Competence Centre (ECCC) network, to coordinate cyber research, education and strategic capability-building across academia, industry and government.
University of Iceland (NCC-IS project page) ↗Iceland's data protection authority issued its largest-ever GDPR fine against credit bureau Creditinfo Lánstraust hf. for processing personal financial data without a sufficient legal basis, following a complaint from the Consumers' Association of Iceland.
DataGuidance / Persónuvernd ↗The Ministry of Higher Education, Science and Innovation published a new 15-year strategy centred on digital trust, human-rights protection, and a strong security culture, designating Fjarskiptastofa (ECOI) as the principal coordination body and replacing the 2015 strategy.
Government of Iceland (Stjórnarráðið) ↗Iceland enacted Act No. 70/2022, transposing the EU European Electronic Communications Code, consolidating network-security and incident-reporting obligations for telecom operators under Fjarskiptastofa's expanded supervisory mandate.
Fjarskiptastofa / Electronic Communications Office of Iceland ↗Issued under Act 78/2019, this regulation imposed technical and organisational security requirements and mandatory incident-reporting procedures on approximately 350 critical-infrastructure operators across energy, transport, banking, and health sectors.
Baker McKenzie Global Data & Cyber Handbook (citing Government of Iceland) ↗Following the EEA Joint Committee Decision of 6 July 2018, Iceland enacted Act No. 90/2018 to implement the GDPR, empowering Persónuvernd as the independent supervisory authority and imposing GDPR-equivalent data-security, breach-notification, and data-subject rights obligations on all controllers.
Ísland.is (Official Government of Iceland Portal) ↗The Ministry of the Interior published Iceland's inaugural cybersecurity strategy with a 2015-2018 action plan targeting resilience, capacity-building, strengthened legislation, and cybercrime reduction, laying the political and institutional groundwork for the statutory framework enacted from 2018 onward.
ITU National Strategies Repository (official Icelandic government document) ↗CERT-IS was formally established under the Electronic Communications Office of Iceland as the national CERT/CSIRT, mandated to monitor threats, coordinate incident response with police, and serve as the government's single point of contact for cybersecurity incidents affecting critical infrastructure and registered telecoms operators.
CERT-IS (official national CERT) ↗Iceland - other topics
Cybersecurity in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →