New Rules on Digital Security from the EU

The Digital Security Act, which implements the so-called NIS 1 directive from the EU, will most likely come into force in Norway during the first half of 2025.

The EU is very active in the field of digital security and has several different legal acts under development. Norway is admittedly some way behind the EU in adopting these rules, both because of the EEA process and national circumstances. However, it seems clear that the EU’s legal acts in this area will be EEA-relevant, so it is only a matter of time before they are incorporated into Norwegian legislation.

A common denominator for the EU rules is that they seek to regulate societal risks related to digital security and the information society, as well as to establish common ground rules for the EU’s internal market. Affected sectors are typically sectors of great societal importance that may be exposed to digital threats. This typically includes infrastructure, energy, transport, finance, health, food, public administration, etc.

The most relevant legal acts from the EU in this context are:

  • NIS 1 Directive (2016/1148): This was the first EU directive to address cybersecurity, focusing on increasing the security of network and information systems of operators of essential services.
  • Cybersecurity Regulation (2019/881): A regulation that seeks to establish a high level of digital security and increase trust in ICT products and services in the EU through certification and co-operation.
  • NIS 2 Directive (2022/2555): Replaces the NIS 1 Directive and expands its scope to include more sectors and entities. NIS 2 also uses a slightly different taxonomy, places greater emphasis on a risk-based approach, and sets stricter notification requirements than NIS 1.
  • CER Directive (2022/2557): Focuses on increasing the resilience of so-called critical entities that provide essential services, such as energy, transport and health. It supplements the NIS Directive, but is aimed more at authorities and seeks to achieve resilience in a broader sense than pure cybersecurity.
  • DORA (2022/2554): A regulation that focuses on the digital operational resilience of the financial sector. It covers both actors in the financial sector and their ICT service providers, and is so-called lex specialis in relation to NIS.
  • Cyber Resilience Act (2024/2847): A regulation that aims to regulate the digital security of products with digital elements, typically IoT devices, etc. It applies to all manufacturers, importers and distributors who supply products with digital elements on the European market.

Several of the legal acts overlap and complement each other, both in terms of who is covered and the type of obligations, and the relationship between the various sets of rules can be complex. For example, DORA is a specific set of rules for the financial sector which builds on the overall framework of NIS 2, and both NIS 2 and the CER Directive target critical entities, but with different areas of focus. In general, the “most stringent rule” seems to apply where the sets of rules overlap, and it is envisaged that different authorities will cooperate across the legal acts both nationally and within the EU.

For affected businesses, it is important to have a clear understanding of which requirements apply to them and when they come into force, as breaches of the rules could expose the business to large fines for infringement. And although it may take several years for these legal acts to be implemented in Norway, Norwegian businesses operating in the European market, or supplying digital goods or services to covered parties, may already have to comply with the rules that apply in the EU. For many organisations, it may also make sense to start planning now for future requirements.

Please contact us if you have any questions related to this.