# What Norway's Digital Security Act is, and how it relates to NIS2

> If Norway counts your firm as critical, you have had legal digital-security duties since October 2025, and most boards have not noticed.

Source: https://fmcybersecurity.com/en/insights/compliance/what-norways-digital-security-act-is/
Locale: English
Other locale: https://fmcybersecurity.com/insights/compliance/hva-er-digitalsikkerhetsloven/

## Metadata

- Date: 2026-05-07
- Author: maximilian-sharoyan
- Topic: compliance
- Format: article

If Norway counts your business as critical, you have had legal digital-security duties since 1 October 2025, and most boards have not heard of the law that created them. The law is the Digital Security Act, in Norwegian "digitalsikkerhetsloven." It is short, it is in force, and it puts the duty on the company, which means the board.

In the compliance reviews I sat in this spring, the same gap kept showing up. The IT team knew the law existed. The board had never seen a paper on it. That gap is the risk.

![Digital Security Act, FM CyberSecurity](../../../assets/news/what-norways-digital-security-act-is-inline.png)

## What this costs you if you ignore it

The law lets the supervisor order you to fix security gaps and fine you if you do not. The Digital Security Act ([Lov 2023-12-20-108](https://lovdata.no/dokument/NL/lov/2023-12-20-108)) gives the authorities the power to inspect, to demand changes, and to impose a coercive fine that runs until you comply. The exact ceiling is set in the regulation under the Act, not in the Act itself, so the figure depends on your case.

The bigger cost is not the fine. It is being told by a regulator, in writing, that your firm failed a basic security duty, while a customer or a tender committee is reading over your shoulder. For a firm that sells trust, that letter is the expensive part.

## What the law is and who it covers

The Digital Security Act is Norway's version of the EU's first network-security directive, known as NIS1 (Directive (EU) 2016/1148, adopted in 2016). NIS stands for "network and information systems." Norway is in the EEA, which is the agreement that ties Norway to most EU single-market rules, so the directive came to us through that route. The law and its companion regulation [entered into force on 1 October 2025](https://www.regjeringen.no/no/aktuelt/ny-lov-om-digital-sikkerhet-trer-i-kraft-i-dag/id3121009/). It is Norway's first standalone digital-security law.

It covers two groups. The first is providers of services Norway treats as critical to society (in Norwegian, "tilbydere av samfunnsviktige tjenester"). These sit in energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure (§ 6). The regulation names 28 specific categories inside those sectors, so whether you are in scope is a checkable question, not a guess. The second group is digital service providers (§ 9): online marketplaces, search engines, and cloud services.

If you are in either group, the law asks for two things in plain terms. Manage your security risk in a way you can show, and report serious incidents to the authorities. The duty to manage risk and the duty to report are the spine of the whole act. Everything else is detail under those two.

This is where NIS2 enters. NIS2 is the EU's updated, wider version of the same directive. It pulls in more sectors and pushes responsibility harder onto management. Norway's incorporation of NIS2 is in progress, and the date is not yet announced, so do not plan around a deadline you have seen quoted somewhere. When it lands, it will replace and expand today's Digital Security Act. A firm that gets clean under the current law now will have far less to do when the wider rules arrive.

## The one decision the board has to make

The board has to confirm, on the record, whether the firm is in scope and name who owns digital-security risk. That is the one item: not a strategy, not a budget line, a documented scope call and a named owner, minuted.

Everything that follows (the risk work, the incident-reporting routine, the evidence file) flows from that one decision. Make it in a meeting, write down which sector category you fall under or why you fall under none, and you have started the trail a supervisor will ask for. Skip it, and the first question in any inspection has no answer.

## Make the call this quarter

See FM CyberSecurity's credentials and partner certifications at [/partners/](/en/#partners). Or book a 30-minute board-level conversation with [our compliance practice](/en/services/compliance/) to confirm whether the Digital Security Act applies to your firm and what the first 90 days should hold.

## FAQ

### Does this law apply to us?

If you deliver a service in energy, transport, health, water supply, banking, financial market infrastructure, or digital infrastructure, or you run an online marketplace, a search engine, or a cloud service, assume yes until you have checked. The regulation lists 28 categories of critical-service providers, and the two groups are defined in § 6 and § 9 of the [Digital Security Act](https://lovdata.no/dokument/NL/lov/2023-12-20-108). Check your business against that list and write down the conclusion, in or out, and why.

### What is the penalty if we do nothing?

The supervisor can inspect you, order you to close security gaps, and impose a coercive fine that runs until you comply. The detailed amounts sit in the regulation under the Act, so the number depends on the breach and your firm. The reputational cost of a public order from a regulator usually outweighs the fine.

### How is this different from GDPR?

GDPR protects personal data and is enforced by Datatilsynet, the Norwegian Data Protection Authority. The Digital Security Act protects the availability and security of critical services and digital services, whether or not personal data is involved. One incident can trigger both. They have different supervisors, different triggers, and different reports, so your plan has to handle both at once.

### What changes when NIS2 arrives in Norway?

NIS2 is the EU's wider, stricter successor to today's rules. It covers more sectors and puts firmer duties on company management. Norway's incorporation is in progress and the date is not yet announced, so plan for the direction, not a fixed deadline. A firm that meets the current Digital Security Act will have a head start when the broader rules take effect.

### We are small, are we still in scope?

Scope follows the sector and service, not headcount. The 28 categories in the regulation decide it, and some pull in small operators where the service matters to society. A small cloud provider or a small operator inside a named critical sector can be in scope. Run the check rather than assuming size keeps you out.

---

For the full documentation index, see https://fmcybersecurity.com/llms.txt
For the complete corpus as a single document, see https://fmcybersecurity.com/llms-full.txt
