Sikkerhetsloven, or formally the Lov om nasjonal sikkerhet (the Act relating to national security), is Norway’s national security law. It applies across Norway and covers public bodies and other undertakings that handle classified information, support fundamental national functions, or control critical information, systems, objects or infrastructure.
The law’s purpose is to protect national security interests, prevent and counter security threats, and ensure that measures respect democratic principles. The National Security Authority (NSM) has cross-sector responsibility to guide, supervise and coordinate protective security work. Below is a quick overview that sets out the core Sikkerhetsloven requirements you need to know.
What does Sikkerhetsloven stand for?
“Sikkerhetsloven” defines national security interests and assigns responsibility for protective security work. Ministries identify critical functions and undertakings. The National Security Authority (NSM) has cross-sector responsibility to oversee, guide and supervise compliance, and to coordinate threat information and incident response capabilities at national level.
What does Sikkerhetsloven require?
At a high level, Sikkerhetsloven compliance means running a risk-based protective security program across information, systems, objects and infrastructure, personnel, and suppliers. Key Sikkerhetsloven requirements include:
- Security management led by top management, integrated into the management system, checked regularly, with staff and suppliers aware of risks.
- Risk assessments that identify dependencies, drive measures, and are reviewed regularly.
- Measures and exercises that keep security proportionate to risk and cost, and that test it.
- Documentation of risks and implemented or planned measures.
- Duty to notify NSM and other authorities about threats, suspected threats, or serious security breaches.
- Information security including identifying critical national information, classifying information, granting access on need-to-know, and protecting secrecy.
- Information system security for critical national information systems, including approval before use with classified data, continuous monitoring and logging.
- Object and infrastructure security with classification and layered physical, technical and organisational controls.
- Personnel security clearance and authorisation before access to classified information or certain critical objects and infrastructure.
- Classified procurements with supplier security agreements and facility security clearances where needed.
- Restrictions on high-risk procurements and ownership in sensitive areas, including notice and possible prohibition or conditions.
How does Sikkerhetsloven provide security?
The act couples leadership accountability, risk assessment and proportionate controls with national capabilities. It provides a national response function and a warning system for digital infrastructure, establishes structured exchange of threat information, requires monitoring and approval of critical systems, and enables controlled testing of systems and physical protections.
What are the benefits of Sikkerhetsloven?
- Clear legal basis to run protective security across IT, physical and personnel domains
- Reduced likelihood and impact of incidents through monitoring, exercises and reporting
- Better supplier and ownership risk control in sensitive areas
- Increased trust with authorities and partners by showing Sikkerhetsloven compliance
- Audit-ready documentation and defined oversight routes via NSM
How long does it take to get Sikkerhetsloven compliant?
Typical ranges:
- Starting from low maturity: 6–12 months
- With ISO 27001 or similar controls in place: 3–6 months
- Highly mature programs: 1–3 months to align specifics like clearance, approvals and reporting
Time depends on scope decisions by the responsible ministry, your role in national functions, the volume of classified information and systems, supplier exposure, and management capacity.
Using Cyberday can shorten timelines by giving you ready-made tasks, documentation templates and evidence collection mapped to Sikkerhetsloven requirements.
FAQs
Is Sikkerhetsloven mandatory?
Yes. It applies to governmental bodies, to suppliers in classified procurements, and to other undertakings when a ministry decides the act applies because of their role with classified information, critical systems, objects or infrastructure, or vital activities.
Why is Sikkerhetsloven important?
It protects sovereignty, fundamental national functions and the basic security of the population. It also standardizes how public and private actors prevent, detect and handle threats in ways that respect democratic values.
Who needs to comply with Sikkerhetsloven?
- Governmental, county and municipal bodies
- Suppliers involved in classified procurements
- Other undertakings designated by a ministry that handle classified information, control critical information, systems, objects or infrastructure, or conduct activities vital to fundamental national functions
When is Sikkerhetsloven in effect?
The act entered into force on 1 January 2019. There have been amendments, including 1 July 2023 updates and a 14 June 2024 update to penalties. Some amended provisions noted in the text were not yet in force at the time of that compilation.
Is Sikkerhetsloven supported in Cyberday?
Yes. Cyberday supports Sikkerhetsloven compliance with mapped tasks, documentation and evidence management.