

Stricter Security Requirements for Critical Services from 1 October 2025 under the Digital Security Act
On Friday, 20 June, the Norwegian government decided in a Council of State meeting that the Digital Security Act will enter into force on 1 October 2025. At the same time, the Digital Security Regulation was adopted, entering into force concurrently with the Act.

The Digital Security Act is the final piece of Norway’s implementation of the EU’s NIS 1 Directive. It applies to the sectors of energy, transport, healthcare, water supply, banking, financial markets, and digital infrastructure. The purpose of the Act is to ensure that organizations of importance to Norwegian society maintain sound, systematic, and risk-based management of digital security.
The Regulation provides clear guidance on what constitutes a minimum level of measures required to achieve adequate security.
Is Your Organization Ready?
The main focus of the Act is the obligation for organizations to ensure an adequate level of security. This responsibility is placed particularly on senior management, who must ensure that clear instructions, routines, and procedures are in place for managing digital security.
Many of the sectors now subject to the Digital Security Act have undergone significant digital transformation. Drinking water supply is a good example. Today, control systems and production equipment are largely digital and interconnected within organizational networks. These digital systems are critical to the delivery of clean drinking water to the population.
While such systems have always been subject to requirements for safe and reliable operation, industry standards for digital security measures have historically been vague and voluntary.
With the new Digital Security Regulation, these systems are now subject to specific and enforceable requirements for digital security.
Where to Begin?
The first step is to assess whether your organization falls within the scope of the Act. The Digital Security Regulation provides detailed guidance with clear, quantitative threshold values. For many organizations, it will be unambiguous whether they are covered or not.
In addition, the Regulation allows the responsible sector authority or the Norwegian National Security Authority (NSM) to decide that the Act shall also apply to organizations outside the formal scope.
If an organization determines that it is covered by the Act, it must promptly report relevant information to NSM and the appropriate supervisory authority.
Step two is to conduct a gap analysis to assess how the organization currently complies with the requirements of the Regulation. Any identified gaps must be addressed—and time will pass quickly leading up to implementation.
Prevention and a Risk-Based Approach
In addition to emphasizing the ability to manage security incidents, the Regulation highlights the importance of prevention through a risk-based approach. By continuously identifying and addressing risk areas, organizations can prioritize resources effectively and reduce their vulnerability to potential threats.
This approach enables organizations to stay ahead of developments rather than merely reacting to incidents after they occur. It should also be noted that the Regulation imposes notification requirements for incidents, along with a corresponding sanctions regime for organizations that fail to comply with the law.
Norway must build a strong security culture across sectors to meet an increasingly serious and complex threat landscape.
Structure of the Regulation
The requirements of the Regulation for providers of critical services are broadly divided into the following categories:
- Requirements for security management systems and risk management systems
- Requirements for specific security measures
- Requirements for incident handling and preparedness
- Requirements for supplier and third-party follow-up
The specific security measures are further divided into four categories:
- Organizational measures
- Technological measures
- Physical measures
- Personnel-related measures
For technological and physical measures, the Regulation specifies a list of minimum requirements to protect networks and information systems. While such concrete technical requirements may risk becoming outdated as technology evolves, the benefit is that they establish a clear baseline level of security that organizations can adhere to.
Security Monitoring Is a Mandatory Requirement
Among the key requirements of the proposed Regulation is the need for security monitoring of networks and information systems for the purpose of detecting incidents. This is a minimum requirement to enable early detection and effective handling of security incidents.
To ensure that unwanted events are managed in time, monitoring should be continuous and directly linked to the incident management process, enabling organizations to respond to threats in near real time.
Security monitoring is not optional—it is mandatory.
The Way Forward
The proposed Digital Security Regulation represents a significant advancement in the protection of Norway’s digital infrastructure. However, many Norwegian organizations outside the sectors specified in the Digital Security Act face an equally strong need to protect their services against digital risk.
Examples include:
- Actors within relevant sectors but outside the scope of the EEA Agreement—for example, organizations operating on the Norwegian continental shelf
- Organizations subject to the Security Act
- Organizations operating in sectors covered by the NIS2 Directive
- Companies in other sectors that consider their networks and information systems critical to their operations
These organizations should also view the Regulation’s clear requirements for both preventive measures and incident response capabilities as a strong signal of the security level Norwegian organizations should aim to achieve.
Sectors subject to the EU’s NIS2 Directive should prepare for the fact that this regulatory framework is likely to apply to them in the future.
For us at Secure-NOK, this underscores the importance of network and information system monitoring as an indispensable component of a comprehensive security strategy.
Insights from Norway’s cybersecurity experts

Bremanger Breach: Lessons from a Norwegian Dam Hack
Earlier this year, unidentified hackers breached the control system of a Norwegian dam at Risevatnet, in Bremanger. The hackers discovered that the dam had a Human Machine Interface (HMI) exposed on the Internet and were able to gain access by exploiting a weak password.
Digitalization: Opportunities and New Risks
Digitalization offers enormous opportunities for efficiency, but it also introduces new risks. When OT systems (Operational Technology) are connected to the internet, vulnerability to attacks increases—attacks that threaten not only data, but also lives, health, and critical societal functions.






