What is Digitalsikkerhetsloven? 🇳🇴 NIS2 in Norway

Lov om digital sikkerhet (digitalsikkerhetsloven) is Norway’s national “Digital Security Act” and the country’s implementation of NIS2. It applies in Norway to providers of essential services in sectors like energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure, plus certain digital service providers such as online marketplaces, search engines, and cloud services.

The law’s goal is to set baseline cyber risk management and incident reporting so critical services stay up and running. The act enters into force on 1 October 2025.

What does digitalsikkerhetsloven require?

At a high level, the act sets out clear obligations for two groups: providers of essential services and providers of digital services.

  • Perform risk assessments for the network and information systems used to deliver the service.
  • Implement appropriate and proportionate technical and organizational security measures that match the risk, taking account of technological development.
  • Report without undue delay to the designated national authority when an incident has a significant impact on service delivery.
  • Ensure continuity by preventing, detecting, and reducing consequences of incidents so services can be maintained.
  • For digital service providers, cover areas such as system and equipment security, incident handling, service continuity management, monitoring, audit and testing, and use of recognized international standards.
  • Appoint a representative in Norway if you offer digital services in Norway but are established outside the EEA.
  • Cooperate with supervision, provide information, and allow access for inspections. Non-compliance can lead to orders, coercive fines, and administrative penalties.

How does digitalsikkerhetsloven provide security?

The law requires a risk-based security baseline and continuous improvement. It pushes organizations to run incident handling, continuity planning, monitoring, auditing, and testing, and to align with recognized standards. It also gives authorities supervisory powers and the ability to order remediation and levy penalties, which drives real follow-through.

Implementing digitalsikkerhetsloven provides several benefits:

  • Clear, practical structure for cyber risk management and incident response.
  • Fewer and shorter outages for services that customers rely on.
  • Stronger assurance for partners and regulators that security controls are in place.
  • Easier alignment with international standards already used in audits and certifications.

How long does it take to get digitalsikkerhetsloven compliant?

It depends on your current maturity, scope, and resources.

  • Starting from low maturity: typically 9–12 months.
  • With some controls in place or GDPR/ISO work done: around 4–6 months.
  • Already ISO 27001 certified: many controls align, expect 2–4 months to close gaps like reporting, governance, and sector-specific procedures.
  • Already EU NIS2 compliant: most controls align, expect just a few weeks of work.

Using a purpose-built platform like Cyberday can shorten these timelines by giving you ready-made tasks, documentation, and evidence collection.

FAQs

Is digitalsikkerhetsloven mandatory?

Yes. It is a binding Norwegian law for in-scope entities. Supervisory authorities can order fixes and issue penalties for non-compliance.

Why is digitalsikkerhetsloven important?

It raises the minimum level of cybersecurity across essential sectors and key digital services in Norway. Mandatory risk management and incident reporting make critical services more resilient and improve national oversight.

Who needs to comply with digitalsikkerhetsloven?

Providers of essential services in energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure, plus digital service providers offering online marketplaces, search engines, or cloud services in Norway. Entities outside the EEA that offer such digital services in Norway must appoint a local representative.

When is digitalsikkerhetsloven in effect?

The act takes effect on 1 October 2025, with individual provisions allowed to start at different times if decided by the government.

Is digitalsikkerhetsloven supported in Cyberday?

Yes. Cyberday includes tasks, templates, and evidence collection mapped to digitalsikkerhetsloven.
