NIS2 - New implementing regulation adopted in the EU and consultation on proposed digital security regulations in Norway

On October 17, the European Commission adopted a new implementing regulation for the NIS2 Directive - the same day as the EU member states' deadline for transposing the NIS2 Directive into national law. Here in Norway, the Ministry of Justice and Public Security has proposed regulations to the Digital Security Act that will adopt requirements of the NIS1 directive, and at the same time, the Ministry has signaled the status of the Norwegian work on NIS2 implementation.

Deadline for transposing NIS2 into national law in the EU and adoption of new implementing regulation

On October 17, 2024 – the same day as the deadline for transposing the NIS2 Directive into the national law of the EU Member States – the European Commission adopted an Implementing Regulation to the NIS2 Directive regarding cybersecurity risk management and notification obligations for digital infrastructure and digital service providers. The Implementing Regulation will enter into force on the twentieth day following its publication in the Official Journal of the European Union and will be binding in its entirety and directly applicable in all EU Member States.

More specifically, the Regulation applies to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.

The Implementing Regulation sets out the technical and methodological requirements for the measures set out in Article 21(2) of the NIS2 Directive (cybersecurity risk-management measures), as well as further specification of instances where an incident shall be considered significant under Article 23(3) of the NIS2 Directive. In addition, the Implementing Regulation has an Annex with supplementary and more detailed provisions on the requirements for cybersecurity risk-management measures.

Proposal for regulations to the Digital Security Act – implementation of detailed requirements under NIS1

In a previous article, we addressed the status of the implementation of the NIS1 directive in Norway through the new Digital Security Act. On September 11, the Ministry of Justice and Public Security sent out for public consultation a proposal for regulations to the Digital Security Act.

The regulations will supplement and clarify provisions in the Digital Security Act. The proposed regulations aim to implement the requirements of NIS1. However, in the proposal, the Ministry states that where appropriate, the Ministry has already aimed to approximate the requirements of the NIS2 Directive, with particular reference to the proposed section 15 on the duty to notify.

Among other things, the proposed regulations contain detailed provisions on:

  • The scope of application for providers of essential services, including which businesses are exempt from the scope of application
  • Authority to make an individual decision that other providers shall also be subject to the digital security legislation
  • Requirements for digital security for providers of essential services, including requirements for security management systems, risk assessments, risk management and organizational, technological and physical security measures
  • Digital security requirements for digital service providers
  • Duty to notify
  • Sharing of confidential information
  • National contact point for security in networks and information systems
  • Supervision, duty of disclosure and access to premises
  • Administrative fines, including the imposition of fines of up to 25 times the National Insurance scheme basic amount or, in the case of an enterprise, up to 4 percent of the total annual turnover in the preceding financial year (the highest amount is applied)

The consultation deadline is December 11, 2024.

Status of implementation of NIS2 in Norway

In the consultation paper for the proposed Digital Security regulations, the Ministry of Justice and Public Security states that work is currently underway to prepare a draft consultation paper with the necessary regulatory changes for the implementation of the NIS2 Directive in Norwegian law. At the same time, the NIS2 Directive has not yet been formally incorporated into the EEA Agreement. Thus, it seems that for now, the focus in Norway will be on the implementation of NIS1, specifically the requirements of the Digital Security Act and the Digital Security Regulations. However, Norwegian businesses should also start preparing for the NIS2 requirements. As the Ministry signals in the consultation paper, if the NIS2 Directive is incorporated into the EEA Agreement, there will be a need to revise the Digital Security Act, the proposed new Digital Security Regulations and other relevant legislation to take into account the NIS2 Directive’s stricter requirements and expanded scope compared to the NIS1 Directive.