Technology – cyber security | Norway expected to adopt rules on cyber security

While NIS2 and its stricter cybersecurity rules were to be implemented in the EU member states by 18 October 2024, Norway is preparing to implement rules based on NIS1 from 2016. How does this affect Norwegian service providers doing business in Europe, and European service providers doing business in Norway?

Unlike the EU, Norway lacks uniform rules on how providers of essential services shall address cyber threats. Although NIS1 has been deemed insufficient and is thus being replaced in the EU, Norway’s delayed implementation has until now entailed a lighter compliance burden for providers of essential services in the Norwegian market.

The Norwegian Cyber Security Act (the “CSA”, nw: Digitalsikkerhetsloven), enacted in December 2023, has still not entered into force. The Ministry of Justice recently published a public consultation (hearing) on the draft regulations to the CSA, with a deadline for responses set to 11 December 2024. Through the consultation, the Ministry of Justice also revealed that work is being done to map out the changes necessary to implement the NIS2 Directive in Norwegian law.

The purpose of the CSA is to establish basic requirements for digital security directed at providers that are of particular importance. This is to be achieved through mandatory measures aimed at revealing, preventing and counteracting unwanted incidents in the networks and information systems used to deliver services that are important for society.

NIS1 and the Norwegian CSA

The Network and Information Systems Directive (NIS1) was adopted by the EU in 2016. The purpose of the directive was to achieve a high common level of security of network and information systems within the EU. It required member states to identify operators of essential services and to ensure that they, as well as digital service providers, implement appropriate security measures. It also mandated the reporting of significant security incidents to national authorities. NIS1 thus applies to ‘providers of essential services’ (nw: tilbydere av samfunnsviktige tjenester) and ‘providers of digital services’ (nw: tilbydere av digitale tjenester), the latter being online marketplaces, online search engines and cloud computing services.

The Norwegian CSA, based on NIS1, will apply to providers of digital services, and to providers of essential services within the following sectors: energy, transport, health, water supply, banking, financial market infrastructure and digital infrastructure. In order for the CSA to apply to a provider within these sectors, three cumulative requirements must be met:

  • The provider must provide a service that is important for maintaining critical societal or economic activities;
  • it must depend on networks and information systems to provide the service; and
  • service delivery may be significantly disrupted should an incident occur.

Risk assessment, security measures and incident reporting

The Norwegian CSA establishes that providers must perform risk assessments, implement appropriate security measures, and report incidents that affect their services. While the CSA itself only contains high-level requirements, the proposed regulations to the CSA contain further detail. Importantly, the regulations contain more detailed requirements for the providers’ governance systems (nw: styringssystem), risk assessments and categories of security measures.

What will change with NIS2?

The implementation deadline for NIS2 in the EU will have passed before the CSA enters into force in Norway. Although adopted by the EU in December 2022, the directive had to be transposed by the member states by 17 October 2024, and its rules apply from 18 October 2024. The background for NIS2 is the recognition in the EU that NIS1 had been implemented in a fragmented manner across the member states, and that the intensified digital transformation of society has created new threats. New challenges have surfaced, which require new responses.

NIS2 has significantly expanded the scope compared to NIS1. NIS2 applies to entities in ‘sectors of high criticality’, which include the sectors mentioned above as well as ICT service management (business-to-business), public administration and space. NIS2 also identifies ‘other critical sectors’, which include postal and courier services; waste management; the manufacture, production and distribution of chemicals; the production, processing and distribution of food; manufacturing; digital providers; and research.

However, for NIS2 to apply, an enterprise providing a service in one of these sectors must, as a general rule, qualify as a “medium-sized enterprise” or exceed the ceilings for one. This means that the enterprise must meet at least one of the following:

  • 50 or more employees; or
  • an annual turnover or an annual balance sheet total exceeding EUR 10 million.

NIS2 also brings certain entities within scope regardless of their size, for example where the entity is the sole provider in a member state of a service which is essential for the maintenance of critical societal or economic activities.

The CSA does not have a similar size threshold. However, the proposed regulations do exempt providers with fewer than 50 employees and an annual turnover or annual balance sheet total not exceeding NOK 100 million from some of the digital security duties, such as incident handling and the duty to notify the authorities. In other words, NIS2 broadens the range of sectors subject to regulation, while the CSA will also apply to smaller enterprises.

In addition to the expanded scope, NIS2 contains more detailed substantive requirements compared to NIS1. It is worth noting that the Ministry of Justice has attempted to take these detailed requirements into account in the draft regulations to the CSA. This is particularly noticeable in the incident reporting rules, where the proposal is closely aligned with NIS2. Under both the CSA and NIS2, providers must report incidents which may significantly affect the delivery of their services. In the event of such an incident, an early warning must be submitted within 24 hours, updated incident information within 72 hours, and a final report within one month. The final report must describe the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact.

Consequences of non-compliance

Norwegian authorities may impose fines for infringements of the CSA and its regulations once the rules are in force. The regulations outline the factors that may be considered when determining the size of the fine, which can be up to the higher of a) 4 percent of the total annual turnover or b) 25 times the national insurance scheme basic amount (nw: Grunnbeløpet), the latter corresponding to approximately NOK 3.1 million at the 2024 rate.

NIS2 has different levels of fines for ‘essential entities’ and ‘important entities’. For essential entities, administrative fines may be up to a maximum of EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For important entities, fines may be up to a maximum of EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.

The two regimes therefore differ in structure rather than being uniformly stricter or more lenient: for providers with a modest turnover, the fixed ceiling available to Norwegian authorities under the CSA (approximately NOK 3.1 million) is far lower than the EUR 10 million under NIS2, whereas for providers with a large turnover the CSA’s 4 percent ceiling exceeds the 2 percent under NIS2. Furthermore, member states shall under NIS2 ensure that natural persons who are responsible for, or act as legal representatives of, an essential entity can be held personally liable for breach of their duties to ensure compliance with the directive. The CSA and the proposed regulations do not have a similar rule.

BAHR’s view

It remains to be seen whether the new rules will contribute to mitigating emerging cyber threats in practice. Rules and regulations do not in themselves mitigate cyber threats, and they could add to the compliance burden, diverting resources that would be better spent on, for example, technical security measures. In light of Norway’s delayed implementation of NIS1 and the delays in the EU countries’ implementation of NIS2, practical compliance may become challenging.

Despite these risks, we believe many providers both in Norway and in the EU welcome more specific and coherent guidelines on how to address such threats. For Norwegian providers doing business both in Norway and in the EU, the close alignment of the CSA and its regulations with NIS2 means that a NIS2 compliance programme will cover most of the Norwegian requirements, although the CSA’s application to smaller enterprises and its different fine structure mean that scope and sanctions must still be checked against the Norwegian rules. Correspondingly, EU-based providers can to a large extent rely on their NIS2 compliance efforts when doing business in Norway.
