NIS2 and Norway's Digital Security Act: Requirements for Norwegian businesses
The NIS2 Directive and updated Digital Security Act impose strict cybersecurity requirements on Norwegian businesses. Here is a complete overview of who is affected, what is required, and how your business should prepare.
NIS2 is the EU's updated directive for network and information security, replacing the original NIS Directive with significantly stricter requirements. The directive expands the range of affected organisations, makes management bodies accountable for cybersecurity risk management, requires an early warning of significant incidents within 24 hours, and carries fines of up to EUR 10 million or 2% of global annual turnover for essential entities. Norway is implementing NIS2 through an updated Digital Security Act, with expected entry into force in 2026.
In this article, we provide a thorough review of what NIS2 means for Norwegian businesses, which sectors are affected, and concrete steps you should take now.
What is NIS2?
NIS2 (Network and Information Security Directive 2, formally Directive (EU) 2022/2555) is the EU's revised cybersecurity directive, adopted in December 2022 and in force since January 2023. Article 21 sets out ten minimum cybersecurity risk-management measures, ranging from risk analysis and incident handling to supply chain security and multi-factor authentication. The directive covers far more sectors and organisations than its predecessor and gives supervisory authorities stronger enforcement tools. For Norwegian businesses, this means cybersecurity is no longer just an IT concern, but a board-level responsibility with legal consequences.
Background: From NIS1 to NIS2
Norway's first Digital Security Act, based on the original NIS Directive (NIS1), took effect in October 2024. The law established a foundation for security requirements in selected sectors, but covered only a limited number of businesses and had weaknesses in its enforcement mechanisms.
The EU adopted the NIS2 Directive in December 2022, with entry into force in January 2023, as a significant expansion. The directive dramatically broadens its scope, tightens risk management requirements, introduces stricter sanctions, and imposes supply chain security obligations. Norway is now working to implement NIS2 into national law, with expected entry into force during 2026.
NIS2 timeline in Norway
- December 2022: EU adopts the NIS2 Directive (Directive (EU) 2022/2555); it enters into force in January 2023
- October 2024: NIS1-based Digital Security Act takes effect in Norway
- 17 October 2024: EU deadline for national transposition of NIS2 in member states
- 2025: Norwegian authorities draft legislation for NIS2 implementation
- 2026: Expected entry into force of updated Digital Security Act with NIS2 requirements
- 2026–2027: Transition period for businesses that need to adapt to new requirements
Who is affected? Essential and important entities
The most significant change with NIS2 is that far more businesses are covered. The directive distinguishes between two categories: essential entities and important entities. In broad terms, large enterprises in the Annex I sectors are essential entities, while medium-sized enterprises in those sectors and entities in the Annex II sectors are important entities. Some types of entity are essential regardless of size, including DNS service providers, top-level domain name registries, qualified trust service providers and central government bodies. Both categories must meet the same security requirements, but the supervisory regime differs: essential entities are subject to proactive (ex ante) and reactive supervision, important entities to reactive (ex post) supervision only.
Affected sectors
| Category | Sector | Examples |
|---|---|---|
| Essential entities (Annex I) | Energy | Power producers, grid operators, district heating |
| | Transport | Airlines, shipping companies, railways, ports |
| | Banking and financial market infrastructures | Banks, investment firms, trading venues |
| | Health | Hospitals, laboratories, pharmaceutical manufacturers |
| | Drinking water and wastewater | Water utilities, wastewater treatment plants |
| | Digital infrastructure | DNS services, TLD registries, cloud services, data centres, CDN providers, electronic communications providers, trust service providers |
| | ICT service management (business-to-business) | Managed service providers (MSPs), managed security service providers (MSSPs) |
| | Public administration | Central government agencies, regional bodies |
| | Space | Satellite operators |
| Important entities (Annex II) | Postal and courier services | Postal companies, courier firms |
| | Waste management | Waste collection and recycling companies |
| | Chemical industry | Chemical manufacturers and distributors |
| | Food production | Food processing, wholesale distributors |
| | Manufacturing | Medical devices, electronics, machinery, motor vehicles |
| | Digital providers | Online marketplaces, online search engines, social networking platforms |
| | Research | Research institutions |
Size threshold
As a general rule, NIS2 applies to medium-sized and larger enterprises: at least 50 employees, or annual turnover and balance sheet total above EUR 10 million. Certain types of entity are covered regardless of size, including providers of public electronic communications networks and services, trust service providers, top-level domain name registries and DNS service providers, as well as entities that are the sole provider in a member state of a service essential to critical societal or economic activities. Cloud service providers, by contrast, are subject to the ordinary size threshold.
The core of NIS2: Ten security requirements
Article 21(2) of NIS2 sets out ten minimum cybersecurity risk-management measures that all covered organisations must implement, using an all-hazards approach proportionate to the risk:
| No. | Requirement | Description |
|---|---|---|
| 1 | Risk analysis and security policies | Policies on risk analysis and information system security |
| 2 | Incident handling | Procedures for prevention, detection, and response to security incidents |
| 3 | Business continuity | Backup management, disaster recovery, and crisis management |
| 4 | Supply chain security | Security requirements for suppliers and service providers, including the security of the relationship itself |
| 5 | Security in acquisition, development and maintenance | Security of network and information systems throughout their life cycle, including vulnerability handling and disclosure |
| 6 | Assessment of security measures | Policies and procedures for evaluating the effectiveness of risk-management measures |
| 7 | Cyber hygiene and training | Basic cyber hygiene practices and cybersecurity training |
| 8 | Cryptography | Policies and procedures on the use of cryptography and, where appropriate, encryption |
| 9 | Personnel security and access control | Human resources security, access control policies, and asset management |
| 10 | Multi-factor authentication | Use of MFA or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate |
Personal liability for boards and management
One of the most significant changes in NIS2 is that boards and senior management are held personally accountable for the organisation's cybersecurity. This means:
- Approval obligation: The board must formally approve risk management measures and ensure they are implemented
- Training obligation: Board members and senior management must undergo cybersecurity training to make informed decisions
- Personal liability: Member states must ensure that members of management bodies can be held liable for breaches of the risk-management obligations; the exact standard of liability (for example a requirement of gross negligence) is set in national law
- Oversight duty: Management must actively monitor the implementation of security measures and ensure adequate resources
For many Norwegian boards, this represents a fundamentally new situation. Cybersecurity can no longer be fully delegated to the IT department — it is a strategic leadership responsibility that requires competence, engagement, and active follow-up.
Incident reporting: 24 hours
NIS2 introduces a strict regime for reporting security incidents:
Early warning (24 hours): Within 24 hours of becoming aware of a significant incident, the organisation must submit an early warning to the national CSIRT or competent authority. The warning must indicate whether the incident is suspected to be caused by an unlawful or malicious act and whether it could have a cross-border impact.
Incident notification (72 hours): Within 72 hours of becoming aware of the incident, an updated notification must be submitted with an initial assessment of the incident's severity and impact, along with indicators of compromise (IoCs) where available.
Final report (one month): Within one month of the 72-hour notification, a final report must be delivered containing a detailed description of the incident, the type of threat or root cause likely to have triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
In Norway, the National Security Authority (NSM) through the National Cyber Security Centre (NCSC) will be central to receiving and handling incident reports.
Supply chain security: Your responsibility extends beyond your business
NIS2 sets explicit requirements for supply chain security. This means you must not only secure your own business — you must also assess and impose requirements on your suppliers:
- Supplier risk assessment: Map all critical suppliers and evaluate their security posture
- Contractual requirements: Incorporate specific security requirements into agreements with suppliers and service providers
- Continuous monitoring: Conduct regular audits and assessments of supplier security practices
- Incident handling: Establish procedures for notification and cooperation during security incidents in the supply chain
For businesses using cloud services and infrastructure from third parties, this is particularly relevant. Responsibility for security remains with your organisation, even when the service is delivered by an external provider.
Penalties and fines
NIS2 has a significant penalty regime that varies by entity category:
| Category | Maximum fine | Alternative calculation |
|---|---|---|
| Essential entities | EUR 10 million | 2% of global turnover (whichever is higher) |
| Important entities | EUR 7 million | 1.4% of global turnover (whichever is higher) |
In addition to fines, supervisory authorities can:
- Order corrective measures with binding deadlines
- Impose periodic penalty payments for non-compliance
- Suspend certifications or authorisations
- Temporarily prohibit management personnel from exercising management functions (for essential entities)
Norwegian authorities have signalled that NIS2 enforcement will be significantly stricter than what we have seen under NIS1.
Practical steps: How to prepare your business
Whether your organisation is already subject to the Digital Security Act or NIS2 brings new requirements, you should start preparing now:
Phase 1: Assessment (0–3 months)
- Determine whether your organisation falls under NIS2 (sector, size, services)
- Conduct a gap analysis against the ten security requirements
- Map critical network and information systems
- Identify and assess all suppliers in the supply chain
- Evaluate current capacity for incident handling and reporting
Phase 2: Implementation (3–9 months)
- Develop or update security policies and risk management framework
- Implement incident handling procedures with 24-hour notification capability
- Establish or strengthen business continuity and contingency plans
- Incorporate security requirements into supplier agreements
- Implement technical measures: MFA, encryption, logging, access control
- Conduct cybersecurity training for the board and senior management
Phase 3: Maintenance and improvement (ongoing)
- Conduct regular risk assessments and security testing
- Practise incident handling through tabletop exercises
- Maintain security awareness training for all employees
- Conduct periodic supplier audits
- Update policies and procedures based on threat assessments and lessons learned
Supervisory authorities in Norway
Several Norwegian authorities will play roles in NIS2 supervision:
- National Security Authority (NSM): Coordinating role for national cybersecurity, operates the National Cyber Security Centre (NCSC)
- Norwegian Communications Authority (Nkom): Supervision of electronic communications and digital service providers
- Sector regulators: The Financial Supervisory Authority (Finanstilsynet), Norwegian Water Resources and Energy Directorate (NVE), Civil Aviation Authority, and other sector authorities will have supervisory responsibility within their areas
- Ministry of Justice and Public Security: Overall responsibility for national cybersecurity strategy
How we can help
At UNOS SOFTWARE AS, we understand that NIS2 compliance can seem overwhelming, especially for businesses that have not previously faced comprehensive regulatory cybersecurity requirements. We help Norwegian businesses with:
- Secure cloud infrastructure that meets NIS2 requirements — through our cloud and infrastructure service, we build robust, monitored, and documented environments with built-in security
- Technical consulting on NIS2 compliance — our consulting service helps you with gap analyses, risk management, and implementation of technical security measures
- Secure software development — we build solutions with security integrated from the start, with logging, access control, and incident handling built into the architecture through our development service
NIS2 is not just a regulation you must comply with — it is an opportunity to strengthen your organisation's digital resilience and build trust with customers, partners, and authorities.
Is your business ready for NIS2? Get in touch for an informal conversation about how we can help you meet the new requirements.
Sources and further reading
- European Parliament and Council of the European Union (2022). "Directive (EU) 2022/2555 (NIS2 Directive)." eur-lex.europa.eu
- Ministry of Justice and Public Security (2025). "Implementation of the NIS2 Directive in Norwegian law." regjeringen.no
- National Security Authority (2025). "Guidance on NIS2 for Norwegian businesses." nsm.no
- ENISA (2025). "NIS2 Directive Implementation Guidance." enisa.europa.eu
- Norwegian Communications Authority (2025). "The Digital Security Act and NIS2." nkom.no
- NSM (2025). "National Digital Risk Assessment 2025." nsm.no