NIS2 and the Norwegian Digital Security Act: where things stand in 2026
25 May 2026 · Skarpix
Norway's first cross-sector cybersecurity law, the Digital Security Act (Lov om digital sikkerhet, often shortened to Digitalsikkerhetsloven), has been in force since 1 October 2025. On paper, it implements the EU's original NIS1 directive from 2016. In practice, the Norwegian Ministry of Justice and Public Security wove a number of NIS2 requirements into the act ahead of the formal transposition, which is still pending while the directive works its way through the EEA Agreement.
For Norwegian SMBs, this leaves a slightly awkward state. NIS2 hasn't formally entered Norwegian law yet, but the current Digital Security Act already pushes towards a NIS2-aligned posture for entities in scope. And once NIS2 is incorporated into the EEA Agreement, the act will be updated, likely fairly quickly, to reflect the directive's broader sector coverage, stricter incident reporting, and management liability provisions.
This article walks the current state, who's in scope, what NIS2-aligned practice looks like operationally, and what Nordic SMBs should be doing this quarter regardless of where the formal transposition lands.
Where Norway sits
Two things are running in parallel.
The Digital Security Act entered into force on 1 October 2025. It applies to providers of essential services in energy, transport, health, water supply, banking, financial market infrastructure, and digital infrastructure, plus certain digital service providers: online marketplaces, search engines, and cloud services. The Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) acts as the central coordinator and national CSIRT. Sector-specific regulators handle day-to-day oversight.
The NIS2 directive (Directive (EU) 2022/2555) has not yet been formally incorporated into the EEA Agreement. When it is, expected during 2026, the Digital Security Act will be updated to reflect the directive's expanded scope (estimates suggest roughly 5,000 Norwegian organisations come into scope under the NIS2 baseline, up from the few hundred under NIS1), stricter management liability, and standardised incident reporting timelines.
If you read older guidance, you'll see specific dates floated for the NIS2 transposition. Treat those as soft until the EEA Joint Committee formally incorporates the directive. The dates have slipped before.
The 24-72-30 incident reporting rhythm
One of the most distinctive operational features of NIS2, already partially baked into the current Digital Security Act regulation, is the staggered incident reporting cadence:
- 24 hours after becoming aware of a significant incident: submit an early warning to the competent authority. This is short and procedural: what happened, current impact, suspected cause if known.
- 72 hours in: submit an incident notification with an initial assessment of severity, indicators of compromise, and an update on the impact.
- One month in: submit a final report covering root cause, mitigation, and lessons learned.
Practically, this means your incident response runbooks need to be designed for the 24-hour deadline, not just the 72-hour one. By the time a senior engineer has paged through the morning's alerts, you may be twelve hours into a clock you didn't know was running. The most expensive mistake at this stage is not the incident itself but the regulatory paperwork delay that compounds it.
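To make the cadence concrete, here is a small deadline tracker written for this article as an added illustration; it is not Skarpix's code or a tool from the Digital Security Act guidance. It assumes the clock starts at the moment the entity becomes aware (not at the first alert), and it treats the "one month" final-report deadline as one calendar month, clamped to the last day of the target month (both are assumptions; check the authority's own wording for your sector).

```python
from datetime import datetime, timedelta, timezone

# Reporting stages in the 24-72-30 rhythm described above.
EARLY_WARNING = "early_warning"          # 24 hours after awareness
NOTIFICATION = "incident_notification"   # 72 hours after awareness
FINAL_REPORT = "final_report"            # one month after awareness (assumed calendar month)


def add_calendar_month(t: datetime) -> datetime:
    """Shift t forward one calendar month, clamping the day to the last valid
    day of the target month (31 Jan -> 28 Feb in a non-leap year)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    # Last day of the target month = (1st of the month after it) - 1 day.
    next_year = year + month // 12
    next_month = month % 12 + 1
    last_day = (datetime(next_year, next_month, 1, tzinfo=t.tzinfo) - timedelta(days=1)).day
    return t.replace(year=year, month=month, day=min(t.day, last_day))


def reporting_deadlines(aware_at: datetime) -> dict:
    """Compute the three deadlines from the awareness timestamp.
    The clock starts at awareness, not at detection or the first alert."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to avoid off-by-hours errors")
    return {
        EARLY_WARNING: aware_at + timedelta(hours=24),
        NOTIFICATION: aware_at + timedelta(hours=72),
        FINAL_REPORT: add_calendar_month(aware_at),
    }


def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> list:
    """For each stage, report whether it was submitted on time, submitted late,
    is overdue, or is still open, with the remaining time (negative once overdue).
    `submitted` maps stage name -> timestamp the submission was actually sent."""
    rows = []
    for stage, deadline in reporting_deadlines(aware_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            state = "submitted_on_time" if sent <= deadline else "submitted_late"
        elif now > deadline:
            state = "overdue"
        else:
            state = "open"
        rows.append({"stage": stage, "deadline": deadline,
                     "state": state, "remaining": deadline - now})
    return rows


if __name__ == "__main__":
    # Constructed scenario: alert fired at 21:00, but the on-call engineer only
    # confirmed it as a significant incident at 09:00 the next morning.
    aware = datetime(2026, 1, 31, 9, 0, tzinfo=timezone.utc)
    sent = {EARLY_WARNING: aware + timedelta(hours=20)}   # early warning went out in time
    for row in reporting_status(aware, sent, aware + timedelta(hours=80)):
        print(f"{row['stage']:<22} due {row['deadline']:%Y-%m-%d %H:%M} "
              f"{row['state']:<18} remaining {row['remaining']}")
```

Feed `reporting_status` the time a human confirmed the incident, not the alert time, and wire its output into the incident channel so the 24-hour stage is visible from the first minute; the runbook question "who sends the early warning and to whom" should already have an answer when that row first prints "open".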
What "in scope" actually means
The Digital Security Act distinguishes between essential and important entities, with stricter requirements (and higher fines) for essential entities. The exact list of in-scope sectors is in the act and its regulation, but for an SMB the rough heuristic is:
If you provide critical infrastructure, run a digital service that many depend on (cloud, marketplace, search, DNS), or operate in a sector where outage causes social harm (utilities, finance, health), assume you're at minimum an important entity.
If you're a B2B SaaS with a small customer base, you're probably not in scope today, but your customers may be, and they will start asking you for evidence of NIS2-aligned controls. Supply chain risk management is a first-class concept under NIS2, which means in-scope entities are accountable for the security posture of their providers.
Management liability
Under NIS2, senior management can be held personally liable for failures of cybersecurity governance. In Norwegian law this layers on top of existing general management liability rules (which can already attach personal damages to managers across the organisation), but NIS2 raises the bar significantly: in serious cases, regulators can require the temporary removal of management, and in the most serious cases prohibit an essential entity from operating.
For a founder or board, the practical implication is that cybersecurity is no longer something you can fully delegate to IT. The board needs to be able to answer specific questions: what's our risk register, when was the last incident response exercise, who's the named accountable person for our supply chain risk programme.
What to do this quarter
If you're a Norwegian SMB and you're not certain whether you're in scope, here's the short list:
- Read the Digital Security Act and its regulation. The act is concise; the official text is at lovdata.no.
- Map your services against the in-scope sectors. If you provide a digital service to a Norwegian organisation that's in scope, you're effectively in scope through supply chain expectations.
- Draft incident response SOPs against the 24-72-30 timeline. This is the lowest-cost, highest-impact step. The infrastructure of an incident response, the who-do-I-call list, the legal contacts, the customer notification template, is hard to build under pressure.
- Run a gap analysis against the Article 21 control set. NIS2 Article 21 lists the ten control families that essential and important entities must implement. Most are familiar (risk management, supply chain security, encryption, MFA), but the formal documentation requirements are often where SMBs fall short.
- If you have ISO 27001 certification, hold onto it. Indications are that ISO 27001-certified organisations may receive accelerated treatment during their first NSM audit.
How Skarpix can help
Skarpix's NIS2 self-assessment maps your current posture against the Article 21 control set and the Norwegian Digital Security Act's implementing requirements. It takes about 30 minutes, produces a PDF report you can share with your board or with customers asking for due diligence evidence, and identifies the gaps most likely to be the focus of an NSM audit.
Start the NIS2 assessment or read more about the regulation at /nis2.