The Digital Security Act and the Digital Security Regulations

The Digital Security Act and the Digital Security Regulations entered into force on 1 October 2025. The legislation establishes fundamental requirements for digital security in enterprises of societal importance and for providers of digital services. Through the Act and the Regulations, Directive (EU) 2016/1148 (the NIS Directive) is implemented into Norwegian law.

Purpose: The purpose of the Act is to ensure an adequate level of digital security in entities that are essential to the functioning of society. This is achieved by preventing, detecting and mitigating unwanted incidents in the entities’ network and information systems.

Scope: The legislation applies to providers of essential services in the sectors of energy, transport, health, water supply, banking and financial market infrastructure, as well as digital infrastructure. It also applies to providers of digital services, including online marketplaces, cloud computing services and search engines. The Regulations further specify the scope of application through 28 service categories and certain exemptions.

Core obligations: Providers of essential services must establish and maintain a management system for digital security and implement organisational, technical and physical security measures proportionate to the risks faced by the enterprise. Such entities are required to register with the Norwegian National Security Authority (NSM) and the relevant sectoral supervisory authority. In the event of serious incidents affecting service delivery, the entity must notify the competent authority without undue delay. Providers of digital services are also subject to security and incident notification obligations.