
Norway: Cybersecurity


1. GOVERNING TEXTS

There is currently no generally applicable law dedicated to cybersecurity in Norway. Accordingly, the regulatory cybersecurity landscape in Norway is fragmented and sector specific. Of particular importance are the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Act on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here) ('the Act'), which regulate the processing of personal data. The GDPR requires organisations to implement technical and organisational measures to ensure a level of security that is appropriate to the risk of the processing. Additional statutory provisions, described in more detail below, supplement the GDPR within certain industry sectors.

The Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('NIS Directive') has not yet been incorporated into the EEA Agreement and has therefore not been implemented into Norwegian law. On 16 December 2020, the European Commission submitted a proposal to replace the NIS Directive with a revised Directive on Security of Network and Information Systems ('NIS 2 Directive'). The Norwegian Ministry of Justice and Public Security expects that the NIS Directive will be incorporated into the EEA Agreement and implemented into Norwegian law shortly, and thereafter replaced by the NIS 2 Directive.

Please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, Member States must transpose the NIS 2 Directive into their national legislation by 17 October 2024, and the transposing measures shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

To provide a dynamic and flexible framework for safeguarding national security interests in the face of rapid technological development and digitisation, the National Security Act of 1 June 2018 (only available in Norwegian here) ('the Security Act') and the Enterprise Security Regulation of 20 December 2018 (only available in Norwegian here) ('the Enterprise Security Regulation') were adopted. These laws apply primarily to public enterprises. However, the Norwegian National Security Authority ('the NSM'), a cross-sectoral professional and supervisory authority within the protective security services in Norway, and/or the relevant ministries may decide that these laws shall also apply to private enterprises which:

  • process classified information;
  • are in possession or control of information, information systems, objects, or infrastructure which are important to fundamental national functions; or
  • are engaged in activities that are important to fundamental national functions.

1.1. Legislation

General legislation

Despite the lack of a generally applicable law dedicated to cybersecurity, Norway has a number of laws which require organisations to take measures to monitor, detect, prevent, or mitigate incidents such as identity theft/fraud, electronic theft, and other activities that may adversely affect or threaten the security, confidentiality, integrity, or availability of any IT system, infrastructure, communications network, device, or data (collectively referred to as 'Incidents'). These laws, and some of the more relevant measures required under them, are described below. In general, data controllers are subject to the GDPR, as incorporated into Norwegian law by the Act.

Sectoral legislation

The public sector is subject to:

  • the Security Act; and
  • the Enterprise Security Regulation.

Financial undertakings and similar organisations are subject to the Regulations on Use of Information and Communication Technology of 21 May 2003 ('the ICT Regulation').

Telecom providers are subject to:

  • the Electronic Communications Act ('the E-Com Act'); and
  • the Electronic Communications Regulations ('the E-Com Regulations').

The energy sector, i.e. energy providers and the entities that make up the nationwide Power Supply Preparedness Organisation, are subject to:

  • the Act relating to the Generation, Conversion, Transmission, Trading, Distribution and Use of Energy etc. of 29 June 1990 (only available in Norwegian here) ('the Energy Act'); and
  • the Regulations on Safety and Emergency Preparedness in the Power Supply of 7 December 2012 (only available in Norwegian here) ('Energy Preparedness Regulations').

1.2. Regulatory authority

Organisations subject to the abovementioned laws are required to report information related to Incidents to the relevant regulatory/supervisory authorities in Norway. The most generally applicable reporting requirement in Norway related to Incidents is set out in Article 33 of the GDPR. In Norway, personal data breaches are reported to the Norwegian data protection authority ('Datatilsynet'), which is the Norwegian supervisory authority appointed in accordance with Article 51 of the GDPR.

Datatilsynet is an independent public authority that supervises, through investigative and corrective powers, the application of European and Norwegian data protection law in Norway. Datatilsynet provides expert advice on data protection issues and handles complaints lodged against any violation of the Act and the GDPR.

In addition, the purpose of the NSM is to counter threats to the independence and security of Norway, and other vital national security interests. The NSM's primary tasks involve investigation, monitoring, and the prevention of security threats and the development of security measures, including being the supervisory body for the Security Act.

Moreover, organisations may have reporting duties to the following sector-specific authorities:

  • Finanstilsynet (the Financial Supervisory Authority of Norway), for financial undertakings and similar organisations under the ICT Regulation;
  • the Communication Authority, for telecom providers under the E-Com Act and the E-Com Regulations; and
  • the Water Resources and Energy Directorate, for energy suppliers under the Energy Act and the Energy Preparedness Regulations.

1.3. Regulatory authority guidance

The NSM regularly publishes reports, updates, and general guidance notes on matters pertaining to cybersecurity. The National Cyber Security Centre ('NCSC'), which is part of the NSM, also assists with protecting fundamental national functions, public administration, and businesses from cyber-attacks, and issues related guidance.

General guidance on matters relating to the GDPR, such as information regarding data breach incidents, can be found on Datatilsynet's website.

Datatilsynet has, inter alia, issued the following guidance:

  • Data Protection by Design (only available in Norwegian here); and
  • Information security and internal control (only available in Norwegian here).

The NSM has, inter alia, issued the following guidance:

  • Basic principles for IT security, version 2.0 (only available in Norwegian here);
  • Security recommendations related to outsourcing and cloud services (only available in Norwegian here);
  • Recommendations regarding passwords (only available in Norwegian here);
  • Guidelines for assessing the laws and practices of foreign countries in connection with outsourcing (only available in Norwegian here);
  • Measures regarding IT security when traveling (only available in Norwegian here);
  • Securing email accounts (only available in Norwegian here);
  • Digital blackmail/ransomware (only available in Norwegian here); and
  • Establishing security governance (only available in Norwegian here).

2. SCOPE OF APPLICATION

2.1. Network and Information Systems

There is no general definition of 'network' or 'information systems' under Norwegian law.

2.2. Critical Information Infrastructure Operators

There is no definition of 'critical information infrastructure operators' under Norwegian law.

2.3. Operator of Essential Services

There is no definition of 'operator of essential services' under Norwegian law.

2.4. Cloud Computing Services

There is no definition of 'cloud computing services' under Norwegian law.

2.5. Digital Service Providers

There is no definition of 'digital service providers' under Norwegian law.

2.6. Other

As stated in section 1 above, the NIS Directive has not been incorporated into the EEA Agreement, nor implemented into Norwegian law. It is possible to draw parallels to similar terminology in Norwegian law. For example, the E-Com Act defines 'electronic communication networks' and establishes requirements for such networks. However, 'electronic communication networks' is not the same concept as 'network and information systems' as defined in the NIS Directive. It should be noted that both the NIS Directive and the NIS 2 Directive are expected to be fully implemented into Norwegian law.

3. REQUIREMENTS

3.1. Security measures

Data controllers and processors as per the GDPR are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing.

Entities (public and private) under the Security Act are required to:

  • ensure an adequate level of security for information, information systems, infrastructure, and objects regarded as sensitive for Norwegian national security;
  • conduct regular risk assessments and tests concerning security risks; and
  • document their risk assessments and security measures.

Financial undertakings and similar organisations under the ICT Regulation are required to:

  • establish procedures for safeguarding equipment, systems and information of importance to the undertakings' operations;
  • establish Incident and change management procedures; and
  • ensure that the abovementioned procedures are complied with.

Telecom providers under the E-Com Act are required to:

  • implement adequate security measures for the protection of communications and data; and
  • maintain confidentiality about the content of electronic communication and the use of electronic communication.

Energy suppliers under the Energy Act and Energy Preparedness Regulation are required to:

  • establish routines for protecting and controlling access to sensitive information; and
  • secure and monitor the confidentiality, integrity, and availability of digital information systems.

3.2. Notification of cybersecurity incidents

Notification to supervisory authority – General legislation

The most generally applicable reporting requirement in Norway related to Incidents is set out in Article 33 of the GDPR, which is described in greater detail below:

The reporting obligation under Article 33 of the GDPR is triggered by a 'personal data breach.' Pursuant to Article 4(12) of the GDPR, a 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Personal data breaches are reported to Datatilsynet. Data processors (i.e. organisations which process personal data on behalf of the data controllers) are required to report the personal data breach to the data controller (i.e. the organisation which determines the purpose and means of the processing of personal data).

The report must at least:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and personal data records concerned;
  • communicate the name and contact details of the data protection officer ('DPO') or other point-of-contact;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the data controller to address the personal data breach.

The data controller must notify a personal data breach to Datatilsynet without undue delay and, where feasible, no later than 72 hours after having become aware of it (Article 33(1) of the GDPR); where the notification is not made within 72 hours, it must be accompanied by reasons for the delay. However, the data controller is not required to report the personal data breach to Datatilsynet if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Notification requirements – Sector specific legislation

The entity (public or private) under the Security Act is required to notify the NSM if the entity is affected, may be affected, or becomes aware of any planned or ongoing Incidents which may harm national security interests, or if there have been material infringements of the security requirements set out in the Security Act.

Financial undertakings and similar organisations under the ICT Regulation are required to notify Finanstilsynet (the Financial Supervisory Authority of Norway) of any Incidents that may result in a significant reduction of the functionality of their IT systems.

Telecom providers under the E-com Act are required to notify subscribers, users, and/or authorities of certain security breaches and risks of security breaches.

Energy suppliers under the Energy Act are required to notify and report undesirable Incidents, such as data breaches, to the authorities.

Notification to individuals/data subjects – General legislation

The requirement to communicate a breach to data subjects is triggered where the breach is likely to result in a high risk to their rights and freedoms (Article 34(1) of the GDPR). The threshold for communicating a breach to data subjects is therefore higher than for notifying Datatilsynet; in practice, where notification to data subjects is required, notification to Datatilsynet, or the relevant data protection authority, will always be required as well. Neither the GDPR nor the Act sets a deadline for notifications to individuals. Nonetheless, Article 34(1) and Recital 86 of the GDPR stipulate that such notifications must be sent without undue delay, so the exact timeline will depend on the circumstances of each individual case. The Article 29 Working Party, now the European Data Protection Board, states that, as a general rule, the relevant authorities should be notified before individuals are, so that the controller can obtain advice from those authorities.

3.3. Registration with a regulatory authority

Norwegian law does not mandate that an organisation registers with either Datatilsynet or the NSM for cybersecurity purposes. However, certain sector specific laws require that the organisation in question registers with the relevant regulatory authority.

For example, Section 1-2 of the E-Com Regulations requires that providers of electronic communication networks used for public electronic communication services register with the Communication Authority. The registration must contain the following information:

  • the service provider's name, Norwegian organisation number and address, contact person, and any partners that assist the service provider with developing and/or providing a public telephone service;
  • the electronic communication network's geographical location and reach, including connections abroad;
  • technical specifications regarding the electronic communication network; and
  • how the electronic communication network is to be provided.

The Communication Authority has prepared a form which organisations may use when registering with them (only available for download in Norwegian here). There are no other formalities to observe when registering with the Communication Authority.

3.4. Appointment of a 'security' officer

There is no general requirement to appoint such security officers. However, Article 37(1) of the GDPR provides that controllers and processors shall designate a DPO if:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

Article 39 of the GDPR obliges the DPO to monitor compliance with the GDPR and, therefore, with the security obligations which the GDPR imposes on controllers and processors.

Certain sector specific regulations require the appointment of a security officer. By way of example, energy suppliers are, under Section 2-2 of the Energy Preparedness Regulation, required to designate a security officer.

3.5. Other requirements

Not applicable.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

Section 22 of the Patient Journal Act, Act No. 42 of 20 June 2014 (only available in Norwegian here) ('the Patient Journal Act') requires that data controllers and data processors of patients' health data implement technical and organisational measures to achieve a level of security which is suitable for the risk associated with the processing, as per Article 32 of the GDPR. In addition, Section 23 of the Patient Journal Act requires that such data controllers and data processors implement adequate technical and organisational measures which ensure that the processing is conducted in line with Article 24 of the GDPR.

Cybersecurity in the financial sector

Please see section 3 for laws and security measures applicable for the financial services sector.

Cybersecurity practices for employees

There is no specific cybersecurity law or regulation applicable directly (and generally) to employees in Norway. However, employees will typically be subject to employment contracts, the employer's instruction authority, and general obligations of loyalty. Consequently, employees must diligently follow instructions and governance routines pertaining to cybersecurity, as applicable from business to business.

Cybersecurity in the education sector

The educational sector will be subject to the obligations contained in the GDPR. Additionally, public schools will be subject to the Security Act and the security measures the Security Act imposes.

5. PENALTIES

As a general rule, the NSM does not impose penalties, such as fines. Penalties and fines are normally issued by Datatilsynet and/or the sector-specific regulatory authorities.

Criminal sanctions

The failure by an organisation to implement cybersecurity measures does not constitute a criminal offence under the Penal Code 2008 (as amended 2021) ('the Penal Code'). However, certain sectoral legislation may impose criminal sanctions for failing to implement cybersecurity measures.

  • Section 11-4 of the Security Act penalises the failure to implement the cybersecurity measures required under the Security Act with fines or imprisonment for a term not exceeding six months;
  • Section 10 of the Act on the Supervision of Financial Institutions etc. of 7 December 1956 No. 1 (available in Norwegian only, here) penalises the failure to implement the cybersecurity measures described in section 3 above with fines or imprisonment for a term not exceeding one year;
  • Section 12-4 of the E-Com Act penalises the failure to implement the cybersecurity measures described in section 3 above with fines or imprisonment for a term not exceeding six months; and
  • Section 10-5 of the Energy Act penalises the failure to implement cybersecurity measures required under the Energy Preparedness Regulation, as described in section 3 above, with fines or imprisonment for a term not exceeding one year.

The penalties described above may be mitigated on the basis of Section 78 of the Penal Code. Mitigating factors of particular relevance in a cybersecurity context under Section 78 of the Penal Code are, inter alia, that the offender has confessed that they have committed the crime, or that the offender has prevented, rectified, or limited the damages caused by the offence, or tried to do so.

Civil and administrative sanctions

The following supervisory authorities have the following powers with respect to penalties:

  • Datatilsynet may impose administrative fines of up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. However, fines for infringements of the reporting requirements under the GDPR are limited to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher;
  • the NSM may impose coercive fines and administrative fines for any infringements of the Security Act;
  • Finanstilsynet may impose coercive fines;
  • the Communication Authority may impose coercive fines and administrative fines for any infringements of the E-Com Act or E-Com Regulations; and
  • the Water Resources and Energy Directorate may impose coercive and administrative fines for any infringement of the Energy Preparedness Regulations.

6. OTHER AREAS OF INTEREST

According to publicly available information, the Communication Authority sanctioned the telecom provider Telenor with a fine of NOK 1.5 million (approx. €153,000) for its failure to implement organisational and technical measures to achieve a suitable level of security pursuant to the GDPR, and for not notifying Datatilsynet about a breach of Telenor's IT security. Datatilsynet gave Telenor a reprimand for the same infringements.

Datatilsynet regularly publishes information regarding administrative fines which it has imposed on organisations for not complying with the security requirements under the GDPR, including the following noteworthy administrative fines:

  • Datatilsynet sanctioned the Municipality of Bergen with an administrative fine of NOK 3 million (approx. €305,000) for failing to adequately secure the protected/secret addresses of parents and pupils in a communication solution which they used.
  • Datatilsynet issued an administrative fine of NOK 1.2 million (approx. €122,000) to the Municipality of Oslo for failing to ensure adequate security in a mobile application which the schools in the municipality relied on to communicate with parents and pupils. Due to inadequate login security, it was possible for unauthorised persons to access and alter the personal data of more than 63,000 pupils.
  • Datatilsynet issued an administrative fine of NOK 1.25 million (approx. €127,000) to the Norwegian Olympic and Paralympic Committee and Confederation of Sports after the organisation accidentally made the personal data of 3.2 million Norwegians publicly available on the internet. The incident occurred when the organisation was testing a new cloud solution. Datatilsynet found that the organisation had not established adequate testing routines.
  • Datatilsynet issued an administrative fine of NOK 750,000 (approx. €76,000) to Østfold HF Hospital. The administrative fine was imposed because Østfold HF Hospital stored extracts from patient journals outside the hospital's designated secure storage areas. These extracts had no access controls or access logs, and were therefore accessible to all of the hospital's employees. Approximately 14,000 individuals were affected by the hospital's security infringements.
  • Datatilsynet issued an administrative fine of NOK 500,000 (approx. €50,000) to the Municipality of Rælingen because the level of security of the learning application 'Showbie', implemented in some municipal schools, was not proportionate to the risk.

Christopher Sparre-Enger, Partner; Uros Tosinovic, Partner; Nikolai Rekman, Senior Associate. Advokatfirmaet Thommessen AS, Oslo.