Cybersecurity - Norway

The Digital Security Act (Act of 20 Dec 2023 no. 108) and the Digital Security Regulation (Regulation of 20 Jun 2025 no. 1131) entered into force on 1 October 2025, transposing the EU NIS1 directive as an overarching framework law with detail in regulation.

Applies to operators of essential services and digital service providers across sectors including energy, transport, health, water supply, banking, financial market infrastructure and digital infrastructure; covered entities must register their services with NSM and the relevant sectoral authority.

Covered entities must notify significant incidents to NSM and the sectoral authority without undue delay — reporting within 24 hours, an update within 72 hours, and a full incident report to NSM within one month of the first notification.

The National Security Authority (NSM) is the supervisory authority and national incident-response environment; it hosts the Norwegian National Cyber Security Centre (NCSC), home to the national CERT (NorCERT).

NSM may impose administrative fines for non-compliance, up to 25 times the National Insurance base amount or 4% of the prior year's turnover, whichever is higher, capped at NOK 50 million.

As of May 2026 the EU NIS2 directive (2022/2555) and the CER directive have not yet been transposed into Norwegian law; a new act expected during 2026 is set to replace the current Digital Security Act and significantly broaden the regime's scope.