Strengthening of Norway’s digital security 

January, 2024 - Fabian Bjørnstad, Øyvind Akerholt

New Law on Digital Security
Digital systems and services are playing an increasingly crucial role in society, and attacks on these systems can have significant consequences. Consequently, digital security has become a national concern. The Norwegian National Security Authority's 2023 security advisory report indicates that Norway's preparedness in this context has long been insufficient.

On December 12, 2023, the Parliament enacted the Digital Security Act as the first step in addressing digital vulnerability in Norway. The law acknowledges the need for cohesive digital security across sectors and lays the foundation for implementing the NIS1 directive (Directive (EU) 2016/1148) and the Cybersecurity Regulation (Regulation (EU) No. 526/2013) into national law. Its main purpose is to enhance the digital defense capabilities of selected important entities and to complement existing security requirements in already regulated sectors.

Who does the law apply to?
Companies must assess whether they qualify under the law’s two categories: operators of essential services and digital service providers.

Operators of essential services are providers crucial for maintaining critical societal or economic activities in the sectors of energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure. They rely on network and information systems to deliver their service and would, as a consequence, face significant disruptions in their service delivery if subjected to an attack.

Digital service providers are defined as providers of online marketplaces, online search engines, or cloud services. The NIS1 directive provides exceptions for digital service providers that qualify as micro or small entities under Commission Recommendation 2003/361/EC. Companies with fewer than 50 employees and an annual turnover or total balance sheet under 10 million euros are therefore exempt. While the Digital Security Act does not explicitly state a similar exception, the Ministry has deemed it more fitting to address this, along with the definition of micro and small enterprises, through subsequent regulation, without specifying the details of implementation.

Requirements for qualifying entities
The law requires qualifying entities to perform risk assessments of their services and to implement proportional security measures to prevent, detect, and reduce the consequences of potential attacks. The actual scope, the methods for conducting risk assessments, and the criteria for deeming security measures sufficient are not specified. In the initial round of consultations, concerns were raised, including by the Advokatforeningen, that the ambiguity of the law may lead to misunderstandings and fragmented compliance. A reasonable assumption is that more detailed guidelines will be introduced to clarify who falls under the scope of the law, how risk assessments should be conducted, and the specific requirements for security measures and notification procedures.

The preparatory works for the Digital Security Act emphasize that the scope of required security measures will depend on the risk assessment, with the specific sector, technological development, the provider's characteristics, and the security management systems employed being key considerations. As the law is intended to align with the NIS1 directive, the guidelines from the NIS Cooperation Group could serve to support entities in understanding their obligations.

For operators of essential services, the Ministry considers the Norwegian National Security Authority's basic principles for ICT security adequate for complying with the requirements for digital security. Nevertheless, the determination of necessary and proportionate security measures in specific cases will vary, requiring a case-by-case assessment of how the principles apply. The Ministry does not clarify whether these principles will be formalized in regulation or retained as guidelines, but emphasizes that the need for clear requirements must be balanced against the need for dynamic development and flexibility. Consequently, upcoming regulations are likely to offer more guidance than specific rules.

Concerning digital service providers, the requirements are less stringent, as these entities are generally considered less critical to society. At the same time, the Ministry requires a risk-based approach in each specific case. Unlike operators of essential services, digital services are often more cross-border in nature, which makes a harmonized regulatory framework more important. The Implementing Directive (Commission Implementing Regulation (EU) 2018/15) therefore leaves less room for national adaptation. Harmonization will be ensured by requiring digital service providers to consider:

  • Information system security and physical security
  • Incident management
  • Management of business continuity (maintaining service delivery)
  • Monitoring, audit, and testing
  • Compliance with international standards

The detailed content of these measures will be outlined in regulations based on the Implementing Directive.

Notification and supervision
Companies are obligated to report incidents that significantly impact the provider's service delivery without undue delay. The assessment of the duty to notify is similar for operators of essential services and digital service providers, with emphasis placed on the number of affected users and the geographic area; digital service providers must additionally consider the importance of the service and its economic and/or societal activity.

The supervisory authority is responsible for ensuring compliance with the law through various means, including inspections, demands for access to necessary information, orders, fines for violations, and coercive fines. The Ministry has announced upcoming regulations concerning the relevant supervisory authority and proposes an approach where sector authorities act as the supervisory bodies within their sectors. However, this approach requires sufficient expertise and clear general cross-sector guidelines to prevent fragmented practices across sectors.

From NIS1 to NIS2
The NIS1 directive serves as a minimum directive, allowing states to impose stricter requirements and expand the scope as desired. According to the Ministry, the law is intended as a starting point for further development of regulation in digital security. The NIS2 directive, adopted in the EU on December 14, 2022, will repeal the NIS1 directive from October 24, 2024. The new directive recognizes the NIS1 directive as a good starting point but deems it insufficient in establishing an adequate standard for digital security. In particular, the NIS2 directive underscores that the ambiguity of the NIS1 directive, especially concerning the implementation of security measures and supervision, has led to fragmented implementation in member states, thereby hindering effective protection.

As of now, the NIS2 directive is not included in the EEA Agreement. If it is included, changes to the Digital Security Act and related regulations will be necessary.

For service providers operating in both Norway and the EU, this entails that adherence to both the Digital Security Act and the NIS2 Directive will be necessary. Consequently, it may be advisable for such entities to proactively initiate efforts to comply with the requirements of the NIS2 Directive.
