Cybersecurity regulation in Norway (2026)

Norway's amendment to the Security Act to transpose the EU NIS2 Directive (2022/2555) enters its registration phase, bringing roughly 5,000 organisations into scope across expanded critical sectors; NSM will act as central CSIRT coordinator, with first audits scheduled from 1 October 2026.

Norway's Digital Security Act, implementing EU NIS1 Directive (2016/1148) into EEA law, took effect — the first cross-sector framework mandating risk assessments, technical/organisational security measures, and 24-hour initial incident notification to NSM, with penalties up to 4% of annual turnover.

The government presented a comprehensive white paper on total societal preparedness to the Storting, elevating cybersecurity alongside conventional defence and civil-emergency planning and setting direction for integrated crisis resilience.

Hackers exploited a critical CVSS-10 authentication-bypass zero-day in Ivanti EPMM to breach mobile-device management systems at 12 ministries; NSM deliberately delayed public disclosure to limit wider exploitation, later alerting CISA and partner nations.

The government submitted a landmark white paper to the Storting framing cyber resilience as a national-security imperative, addressing hybrid threats, critical-infrastructure protection, and the need for tighter foreign-ownership screening — directly shaping the subsequent Digital Security Act.

Attackers exploited the ProxyLogon zero-days (CVE-2021-26855 et al.) to exfiltrate data from Norwegian Parliament email accounts just six months after the 2020 breach; parliamentary leadership described it as more severe than the prior attack.

Russia-linked APT28/Fancy Bear used brute-force credential attacks to access a limited number of Storting email accounts; Norway's Foreign Minister publicly attributed the intrusion to Russia in December 2020, marking a rare state-level public attribution.

LockerGoga ransomware crippled Norsk Hydro's global IT across 40 countries, causing ~USD 70 million in losses; Hydro's decision not to pay the ransom and to operate in full public transparency — in close coordination with NSM and Kripos — became an international benchmark for ransomware incident response.

Norway released its fourth — and most comprehensive — national cyber security strategy, allocating ~NOK 1.6 billion to 46 measures across five priority areas, cementing NSM's cross-sector coordination role and recommending ten baseline security measures for all public and private entities.

Norway's new Lov om nasjonal sikkerhet (passed by the Storting 1 June 2018) replaced the 1998 Act, creating binding obligations for all entities handling classified information or critical national functions: mandatory risk assessments, ICT security measures, and immediate incident notification to NSM.

Norway enacted a new Personal Data Act (passed 15 June 2018) incorporating the EU GDPR, requiring mandatory 72-hour breach notification to Datatilsynet and proportionate technical-security safeguards, extending cybersecurity obligations to all personal-data controllers and processors.

Norway issued its third revision of the national cyber security strategy, adapting the national framework to an increasingly sophisticated threat landscape; the document entrenched NSM's cross-sector mandate and remained the operative policy guide until the 2019 fourth strategy.

Norway established the National Security Authority (NSM) as the state's lead protective-security and cyber coordination body, and simultaneously published its first national cyber security strategy — making Norway one of the first countries in the world to adopt such a strategy — laying the institutional foundation for the entire current framework.