# What NIS2 is, and which Norwegian businesses fall under it

> NIS2 obligations flow down through contracts, so you can be asked to prove security maturity even before the rule reaches Norwegian law.

Source: https://fmcybersecurity.com/en/insights/compliance/what-nis2-is-and-who-it-covers-in-norway/
Locale: English
Other locale: https://fmcybersecurity.com/insights/compliance/hva-er-nis2/

## Metadata

- Date: 2026-04-30
- Author: maximilian-sharoyan
- Topic: compliance
- Format: article

You can lose a contract over NIS2 before it is even Norwegian law. A customer who falls under the rule has to vet its suppliers, so the questionnaire lands on your desk whether or not the rule covers you directly yet. Answer it weakly and you drop off the shortlist.

That is the business risk, and it is here now. Across compliance projects this quarter I keep seeing the same thing: a mid-sized Norwegian firm gets a long security questionnaire from a larger customer, panics, and discovers it has no documented answers. The deal stalls. The cost is not a fine. It is the tender you do not win and the renewal that goes elsewhere.

![NIS2, FM CyberSecurity](../../../assets/news/what-nis2-is-and-who-it-covers-in-norway-inline.png)

## What NIS2 is and who it covers

NIS2 is the EU's main cybersecurity law for important parts of the economy. The full name is the Network and Information Security Directive, second version, Directive [(EU) 2022/2555](https://eur-lex.europa.eu/eli/dir/2022/2555/oj). It tells covered organisations to manage their cyber risk, report serious incidents fast, and put the board on the hook for it. EU member states had to write it into national law by [17 October 2024](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive).

The rule sorts covered organisations into two buckets. Essential entities are the high-criticality sectors: energy, transport, banking, health, drinking water, and digital infrastructure. Important entities are the next tier: postal services, waste, chemicals, food, manufacturing, and digital providers like cloud and online marketplaces. The split mostly changes how closely a regulator watches you. Essential entities get checked in advance; important entities get checked after something goes wrong. Both have to meet the same security and reporting duties.

Size decides whether you are in at all. As a rule of thumb, the directive catches medium and larger organisations: [50 or more employees, or more than 10 million euro in turnover](https://www.glocertinternational.com/resources/guides/nis2-applicability-essential-vs-important-entities/). Below that you are usually out, unless you run something a country names as critical regardless of size. So a 40-person firm is often outside the direct scope, and a 300-person manufacturer in a covered sector is inside it.

Here is the part that catches Norwegian firms off guard: the duty flows down the supply chain. A covered organisation has to manage the security risk from its suppliers (NIS2 Article 21). In practice it pushes its obligations onto you through the contract. You can sit outside the direct scope and still face the same questions, because your customer needs your answers to satisfy the regulator watching them.

## How this lands in Norway

Norway is in the EEA, so NIS2 does not apply here automatically the way it does inside the EU. It has to be folded into the EEA agreement first, and that incorporation is in progress. No Norwegian start date has been announced, and you should treat any specific date you see online as unconfirmed.

Do not confuse this with the law Norway already has. The [digitalsikkerhetsloven](https://nsm.no/aktuelt/ny-digitalsikkerhetslov-i-norge), in force since 1 October 2025, carries over the older NIS1 directive, not NIS2. The government has said NIS2 will come through a new, broader law later, paired with the EU's resilience directive for critical entities. So the Norwegian rule that matches NIS2 is still being written.

That gap is a planning window, not a reason to wait. The supply-chain pressure does not wait for Norwegian law, and the security work that NIS2 expects (risk management, incident response, supplier oversight) is the same work an ISO 27001 system already gives you. Most of what you build now counts later.

## The decision your board has to make

The one question for the board this quarter is simple: do we confirm whether we are in scope, and who owns that answer? Name a person, give them a date, and have them write down three things: whether NIS2 reaches you directly by sector and size, which of your customers are covered and will push duties down to you, and where your current security posture has gaps against the directive's risk-management duties. That memo is the whole decision. Everything operational follows from it.

If you already know you are in or near scope, the operational next step is laid out in our guide on [how Nordic SMBs prepare for NIS2](/en/insights/compliance/nis2-prep/). It covers what to do this quarter and what can wait.

## Next step

See FM CyberSecurity's credentials and partner certifications at [our partners page](/en/#partners). Or talk to [our compliance practice](/en/services/compliance/) for a 30-minute board-level view on whether you are in scope and what it means for your contracts.

## FAQ

### Are we in scope of NIS2?

You are likely in direct scope if you operate in a covered sector (energy, transport, banking, health, water, digital infrastructure, manufacturing, food, chemicals, waste, postal, or digital services) and have 50 or more employees or more than 10 million euro in turnover. Even if you are below that line, a covered customer can still pass NIS2 duties to you through your contract. Confirm against the sector lists in [Directive (EU) 2022/2555](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) and write the conclusion down.

### When does NIS2 apply in Norway?

No date is set. Norway is in the EEA, so NIS2 has to be incorporated into the EEA agreement and then written into a new Norwegian law before it applies here. That process is in progress. Treat any specific Norwegian date you see online as unconfirmed until the government announces one.

### What happens if we ignore it?

The near-term cost is commercial, not regulatory: a covered customer that cannot get satisfactory security answers from you moves the contract elsewhere. Inside the EU, NIS2 also carries [fines up to 10 million euro or 2% of global turnover for essential entities](https://www.legiscope.com/blog/nis2-essential-important-entities.html). The lost-contract risk reaches Norwegian firms first, through supply-chain questionnaires.

### How is NIS2 different from GDPR?

GDPR protects personal data; NIS2 protects the security and continuity of network and information systems. One incident can trigger both. They have different regulators, different reporting clocks, and different triggers, so a plan built only for GDPR breach reporting will not cover a NIS2 incident.

### How does it relate to Norway's digitalsikkerhetsloven?

The digitalsikkerhetsloven, in force since 1 October 2025, implements the older NIS1 directive. It is not the Norwegian version of NIS2. The government has said NIS2 will arrive through a separate, broader law, so the current act is a related predecessor rather than the same rule.

