01.10.2025

The Digital Security Act entered into force on October 1, 2025 – what does it mean for businesses?

On October 1, 2025, Norway’s new Digital Security Act officially entered into force. The law introduces clear requirements for companies that deliver essential services and for selected digital service providers, and it places the responsibility for cybersecurity squarely on company management. Suppliers are also affected, as compliance may become crucial for competitiveness and trust in the market.
Oddbjørn Skauge, Chief Information Security Officer
Proactive CISO who focuses on good and simple solutions for information security.

As of October 1, 2025, Norway’s new Digital Security Act applies. The law and its accompanying regulation set requirements for how organizations that are critical to society, and selected digital service providers, must manage digital security.

The Digital Security Act (and regulation) represents Norway’s national implementation of the EU’s Network and Information Security framework. Norway has chosen to first implement NIS1 (the original 2016 directive) through this act and its regulation. The practical reason for starting with NIS1 instead of NIS2 is to establish a solid legal foundation before expanding the framework. This allows time for adjustment and further development. The goal of the act is to strengthen the resilience of critical societal functions while making cybersecurity responsibility clear at the management level.

Who is covered?

The Digital Security Act primarily applies to:

  • Providers of essential services in sectors such as energy, transport, health, water supply, banking and financial markets, and digital infrastructure.

  • Selected digital service providers, including cloud services, online marketplaces, and search engines.

The regulation specifies the scope in more detail and defines the categories that fall under the law.

However, it doesn’t stop there: suppliers to these entities will also be affected. When critical service providers are now legally required to take responsibility for digital security, they must impose similar requirements throughout their supply chain. For suppliers, this means that lack of compliance may become a competitive disadvantage — customers covered by the law cannot work with partners who fail to demonstrate adequate security.

In other words, even if your organization is not directly covered by the Digital Security Act, there’s a high chance that your customers will demand compliance. Being proactive in your security work can therefore be decisive for keeping existing customers and winning new contracts.

See also: What is the supply chain, and how can I secure it?

Three good reasons why suppliers should care about the Digital Security Act:

  1. Customer loss – organizations covered by the law cannot use suppliers that fail to meet legal requirements.

  2. Competitive advantage – proven compliance can be a strong selling point in tenders and contract negotiations.

  3. Future regulation – NIS2 and stricter frameworks are coming. Getting ahead now makes the transition easier and less costly.

See also: Cybersecurity as a competitive advantage – trust as a strategic investment

Key requirements for affected organizations

Organizations covered by the law must, among other things:

  • Establish and maintain a management system for digital security.

  • Conduct and document systematic risk assessments.

  • Have procedures for monitoring, detecting, and handling security incidents, and an obligation to notify relevant authorities of serious incidents.

  • Set and document security requirements for their supply chain.

These requirements are detailed in the regulation.

Consequences of non-compliance

The law authorizes supervisory authorities to impose enforcement actions and penalties for non-compliance, including coercive fines and administrative sanctions. The legal basis and assessment criteria for sanctions are described in the government proposition and the text of the law.

Why act now?

Even though the law is already in effect, implementation takes time: management systems, risk mapping, supplier agreements, contingency plans, and technical measures need to be in place and tested. Many organizations can reuse existing frameworks (such as ISO 27001, risk management, and incident handling), but this work must be adapted to the specific requirements of the new law and regulation.

How Sicra can help

Sicra offers services that directly support organizations in meeting the requirements of the Digital Security Act:

  • Advisory and gap analysis: Assessing maturity and identifying gaps against the law/regulation and relevant frameworks (ISO 27001, NIS2 principles).

  • Governance systems and management anchoring: Assistance in establishing governance models, policies, and documentation to demonstrate management accountability.

  • Risk, supplier management, and technical security: Risk assessments, supplier reviews, and implementation of technical measures.

  • Monitoring and incident response (SOC/IR): 24/7 monitoring, MDR/SOC services, and incident response readiness for rapid handling of security events.

  • CISO-for-hire & training: Strategic security leadership and awareness training for management and employees.

Sicra also holds relevant certifications and partnerships that strengthen delivery quality (including ISO 27001).

A practical checklist — what to do this month

  1. Determine whether your organization is covered by the law (map your services and deliveries).

  2. Conduct a quick gap analysis against the regulation’s requirements.

  3. Prioritize actions: management commitment, risk assessment, supplier requirements, and incident handling plans.

  4. Consider entering into a SOC/MDR or IR agreement to ensure rapid detection and response.

  5. Document everything — supervisory authorities may request both plans and evidence of implementation.

Sources

  • Norwegian Government: “New Digital Security Act enters into force today.” Regjeringen.no

  • Lovdata: Regulation on Digital Security (Digitalsikkerhetsforskriften). Lovdata

  • EU / European Commission: NIS2 Directive (Overview). Digital Strategy.

  • Prop. 109 LS (2022–2023) — Government proposition describing the legal basis and sanction mechanisms. Regjeringen.no
