
NIS2 and the Norwegian Digital Security Act: what Norwegian businesses must do in 2026

25 May 2026 · Skarpix

The Digital Security Act (Digitalsikkerhetsloven) has been in force in Norway since 1 October 2025. It transposes the original NIS Directive into Norwegian law and folds in selected NIS2 requirements. Full NIS2 transposition is on the way, but it will arrive as a separate new act rather than as an amendment to Digitalsikkerhetsloven. NSM expects the new act to enter into force during 2026, depending on how quickly NIS2 is incorporated into the EEA Agreement.

That puts Norwegian businesses in a particular spot right now. You are already subject to a Norwegian digital security act with real obligations. You also know a stricter act is coming. "Wait and see" is not a safe place to stand.

Who is in scope

Since 1 October 2025, the Digital Security Act has set baseline requirements for organisations delivering essential services in sectors including energy, transport, healthcare, water supply, banking, financial infrastructure, digital infrastructure, and certain digital services. The headline threshold has been 50+ employees or over EUR 10 million turnover, but exceptions exist.

When full NIS2 transposition lands, the scope expands significantly. NSM estimates that between 5,000 and 8,000 Norwegian organisations will fall in scope under the NIS2 baseline. NIS1 covered a few hundred. This is a dramatic widening.

New sectors entering scope under NIS2 include public administration, waste management, postal and courier services, food production, and manufacturers of critical technology. If you supply an organisation in scope, you are often pulled in indirectly via supply-chain requirements regardless of your own size.

The four requirements, in plain terms

NSM summarises the requirements in four words: assess, secure, maintain, report. That sounds simple. Each word hides real obligations on policies, procedures, and documentation.

Assess. You must conduct risk assessments of the network and information systems that deliver your services. There is no "one size fits all". The act calls for security measures proportionate to the risk. Each organisation does its own assessments.

Secure. Implement technical and organisational security measures that respond to the risks you identified. NIS2 specifies a concrete minimum list in Article 21(2): risk analysis and information system security policies, incident handling, business continuity and backup, supply-chain security, vulnerability handling, cryptography and encryption, access control and asset management, basic cyber hygiene and training, and multi-factor authentication, among others. The list is a floor, not a ceiling; the measures still have to be proportionate to your own risk picture.

Maintain. Measures must be maintained and updated. Security is not a one-off project. You must be able to document that measures actually work over time.

Report. When a significant incident occurs, you must report on the 24-72-30 cadence: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification (with intermediate status updates if the authority asks for them). That is a concrete operational capability: someone must be able to decide within hours whether an incident is "significant", and someone must know where and how to file. It must exist before the incident, not after.

Personal liability at the management level

An important point in NIS2 is that management can be held personally liable for security governance failures. The preparatory work for Digitalsikkerhetsloven already opens for individuals to be issued administrative fines "where necessary in the specific case". The direction of travel is clear: this is not something the board or executive can delegate away entirely.

In practice, this means the board must understand the risk picture, approve the security strategy, and be able to document that they did so. Many Norwegian boards are not there yet.

Penalties

For essential entities, administrative fines can reach up to EUR 10 million or 2% of global turnover, whichever is higher. For important entities the cap is EUR 7 million or 1.4% of global turnover. For comparison, the GDPR cap is EUR 20 million or 4% of global turnover.

In practice, we rarely see top-end fines straight away. The sanctions regime is built to bite, though, and NSM has signalled active enforcement.

What to do now

Don't wait for the new NIS2 act. The Digital Security Act already applies, and the NIS2 requirements are largely known. Start with these steps:

Determine scope. Do you fall within the sector and size thresholds? Do you supply someone who does? If you are in one of the sectors the Digital Security Act already covers and meet the thresholds, you are in scope today. If you are in one of the sectors NIS2 adds, you will be in scope when transposition lands. If you only supply an in-scope organisation, you will be pulled in either via supply-chain requirements from your customers or directly once the new act applies.

Run a gap analysis. Map your current security posture against the Article 21 controls, control by control. Identify where you fall short today, and for each gap record the evidence you would show a supervisor once it is closed. Prioritise by risk.

Build the 24-72-30 runbook before you need it. An incident reporting process that hasn't been tabletop-tested is not a runbook, it's a hope. Walk through a scenario in calm conditions, not during the real event.

Get the board in the seat. Brief the risk picture at board level. Get the security strategy approved. Document it. When NIS2 enforcement comes, supervisors will look for exactly this.

Skarpix offers a free NIS2 assessment that takes 5-10 minutes and produces a concrete report on where you stand against the Article 21 controls. It's built around the Norwegian regulatory picture, including today's Digitalsikkerhetsloven and what's known about the coming NIS2 act.
