Cybersecurity regulation in Iceland (2026)

Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructure (Öryggi net- og upplýsingakerfa mikilvægra innviða) is the foundational cross-sector cybersecurity statute, implementing the original NIS Directive as an EEA obligation. Article 7 codifies minimum risk-management and operational preparedness requirements for operators of essential services.

The Electronic Communications Office of Iceland (ECOI/Fjarskiptastofa) is the designated national competent authority. CERT-IS, formally established in 2013 under ECOI, is the national CSIRT and the mandatory point of contact for significant cybersecurity incident reports from in-scope entities.

Under Act 78/2019, operators of essential services and digital service providers must notify ECOI/CERT-IS of significant cybersecurity incidents. Proposed NIS2-aligned amendments would tighten this to a 24-hour early warning, 72-hour detailed notification, and 30-day final report submitted via a new dedicated ECOI portal.

As a non-EU EEA state, Iceland's NIS2 obligations depend on the EEA Joint Committee formally incorporating Directive 2022/2555 into Annex XI of the EEA Agreement. The EFTA EEA-Lex factsheet confirms NIS2 has not yet been incorporated for Iceland; Iceland is notably the only EEA country yet to publish a formal legislative draft, with full transposition not expected before 2026–2027.

Currently approximately 350 critical infrastructure operators fall under Act 78/2019. Once NIS2 amendments are enacted, Iceland estimates 3,000–4,000 entities will be in scope, including medium-sized manufacturers and large municipalities, reflecting the directive's broader sector coverage.

Iceland's Ministry of Higher Education, Science and Innovation published a National Cybersecurity Strategy covering 2022–2037, establishing a long-term policy framework for resilience and directing alignment with EU/EEA cybersecurity norms including eventual NIS2 integration.