New Digital Security Legislation – Is Your Business Prepared?

The new Digital Security Act applies to providers of critical services within selected sectors, as well as certain types of digital services.
The Digital Security Regulation is currently under consultation, and Hjort is assisting the industry in this process.

The new digital security legislation implements the NIS1 Directive and introduces requirements for digital security for several types of critical services and certain digital services. The regulation also partially implements the NIS2 Directive, although a general “NIS2 update” is still pending.

The Digital Security Act has already been adopted, but has not yet entered into force, pending the completion of regulatory work.

Who Does the Act Apply To?

The Digital Security Act applies to providers of certain digital services, as well as providers of critical services within the following sectors:

  • Energy
  • Transport
  • Health
  • Water supply
  • Banking
  • Financial market infrastructure
  • Digital infrastructure

Among digital services, only marketplaces, search engines, and cloud services are covered. However, these are subject to the EU’s implementing regulation and are therefore less affected by the Norwegian regulation.

In addition, the supplier market for such businesses will be indirectly covered by the regulations through requirements for supplier management.

The specific definition of which businesses are covered by the Act is expected to be regulated in the forthcoming regulation.

The Act has the same scope as NIS1, and the upcoming NIS2 implementation will cover many more sectors and types of services.

Consultation on the Digital Security Regulation

In September, the Ministry of Justice and Public Security sent a proposal for the new Digital Security Regulation out for consultation.

The regulation further specifies the scope of the Act, including which businesses are covered, and operationalizes the security requirements for those businesses. Among other things, it requires covered businesses to establish or update management systems for digital security, as well as to establish or adapt their contingency plans, routines for incident handling and notification, and other security measures to comply with the regulations.

The deadline for consultation is 11 December 2024, and the Act and regulation are expected to enter into force sometime in the new year. However, there are still several unresolved issues related to both the content of the regulations and their entry into force.

How Should Your Business Prepare?

Regardless of the outcome of the consultation, businesses in the relevant sectors should do the following:

  1. Check if your business is affected by the regulations: The regulation sets criteria and thresholds that define which businesses are considered providers of critical or digital services. It is essential to understand these criteria to determine if your business is subject to the new rules. If your business falls directly within the scope of the Act, as specified in the regulation, this must also be reported. If your business is a supplier to entities covered by the regulations, you should expect that some of the requirements will also apply to you.
  2. Familiarize yourself with the regulations: Understanding the regulations is necessary to comply with the requirements. For businesses also subject to other security legislation, often through sector-specific regulations, it will be necessary to determine which set of rules applies in different situations.
  3. Conduct a gap analysis: It is important to analyze how your business’s current digital security measures compare to the requirements of the Digital Security Act and regulation. This will identify areas that require action. All businesses covered will need to make changes, but the extent depends largely on their current state.
  4. Implement necessary measures: Businesses that are covered must meet the minimum requirements set out in the regulations. This includes reviewing management systems and other documentation, updating them with references to the new rules, and ensuring that minimum digital security requirements are met. The regulations also require that digital security is maintained in supply chains, which may trigger a need to renegotiate contracts.

When Will the Act Enter Into Force?

The Digital Security Act has been adopted but has not yet entered into force, pending the completion of regulatory work. The Ministry of Justice and Public Security sent a proposal for the new Digital Security Regulation out for consultation in September. The regulation specifies the scope of the Act and operationalizes the security requirements for the affected businesses.

Hjort Offers Advice and Practical Assistance

Hjort offers advice and practical assistance to ensure that your business both understands and complies with the requirements of the digital security legislation. We are also assisting ICT Norway in preparing a consultation response to the regulation.

The deadline for consultation is 11 December 2024.