Laster…
Add-on for any level
NIS2 is the EU's revised directive for digital security (Directive (EU) 2022/2555). The directive is not yet Norwegian law, and work on implementing it is ongoing. Its predecessor NIS1, by contrast, became Norwegian law when the Digital Security Act came into force on 1 October 2025. For small Norwegian businesses, NIS2 most often hits indirectly, via the supply chain.
Who needs it
NIS2 becomes your concern when you supply something material to a customer who is themselves in scope. Their security requirements then propagate down the supply chain, whether or not you are directly covered yourself. The package therefore suits three groups:
Norwegian businesses in sectors where the new digital-security requirements are expected to land (energy, transport, finance, health, water, digital infrastructure and more).
Suppliers and subcontractors whose customers are tightening security expectations across their supply chain.
Boards that want a documented, defensible picture of cyber risk and how it is being managed.
Background
NIS2 is the EU's revised directive for digital security, formally Directive (EU) 2022/2555, adopted on 14 December 2022. It is a further development and expansion of the first NIS directive (NIS1) and sets requirements for risk management, incident reporting and supply-chain security. NIS2 covers 18 defined critical sectors, split across the directive's annexes I and II.
In Norway, NIS2 has not yet been implemented. What applies today is the Digital Security Act, which implements the predecessor NIS1. NIS2 and the related CER directive have not yet been incorporated into the EEA Agreement, and work on implementing them in Norwegian law is ongoing. The sources to follow are nsm.no (the Norwegian National Security Authority is the national contact point, national incident-response team (CSIRT) and guidance authority for digital security) and the EU NIS2 directive itself.
Where things stand
NIS2 has not yet come into force in Norway as of June 2026. What already applies is the Digital Security Act and the digital-security regulation, which came into force on 1 October 2025 and implement the NIS1 directive in Norwegian law. NIS2 and the CER directive have not yet been incorporated into the EEA Agreement; work is ongoing, and a Norwegian date of entry into force has not been finally fixed. For the latest on timing, see regjeringen.no.
By comparison, the EU's own member states had until 17 October 2024 to transpose NIS2 into national law. Norway implements via the EEA at a later point. We follow developments closely and tell you in good time what it means for you, so you can build up gradually instead of ending up in a scramble.
| Topic | Applies in Norway now | NIS2 (in progress) |
|---|---|---|
| Regulation | The Digital Security Act + regulation | Directive (EU) 2022/2555 + CER |
| Built on | The NIS1 directive ((EU) 2016/1148) | NIS2 (revision and expansion of NIS1) |
| Status | In force from 1 October 2025 | Not yet in the EEA; work ongoing |
| Supervision and roles | NSM as contact point and CSIRT; supervision split between Nkom and sector authorities | The Norwegian model is set on implementation |
| Sectors | Critical + digital services | 18 sectors (annexes I and II) |
The Norwegian supervisory model and the exact EEA/entry-into-force timing are set when NIS2 is implemented in Norwegian law; both remain open. We update this page as the picture clears.
Scope in Norway
NIS2 most directly affects larger entities in the 18 critical sectors in the directive's annexes I and II. Smaller businesses are most often drawn in indirectly, through the supply chain to a covered customer. For the latest official guidance, see nsm.no for Norwegian guidance, or the EU NIS2 directive itself.
Energy, transport, finance, health, water and digital infrastructure are typically the most exposed. Larger businesses here are the ones most likely to be affected directly.
From logistics and manufacturing to digital service providers, these are also likely to be in scope as the requirements take shape.
Smaller businesses are most often drawn in indirectly. If you supply something material to a larger customer, their security expectations become your concern too. Documentation and controls follow the chain.
Municipalities, public agencies and their IT and security suppliers are increasingly held to higher security expectations in tenders already today.
NIS2 divides covered entities into two categories: «essential» entities and «important» entities. Which category an entity falls into is determined by a combination of sector (annex I or II) and size. As a rule, large entities in the annex I sectors count as essential, while medium-sized entities in annex I and entities in annex II count as important. The distinction determines both how strict the supervision is and how large the sanctions can be: essential entities are subject to stricter, more active supervision than important entities.
For small businesses
Most small Norwegian businesses are unlikely to be affected directly by NIS2. The reason is the size threshold: as a rule, NIS2 covers entities that are at least medium-sized. The threshold for falling outside «small business» is at least 50 employees, or an annual turnover or balance sheet above EUR 10 million, per the EU definition in Commission Recommendation 2003/361/EC. Businesses below this threshold generally fall outside the direct scope. The final threshold in the forthcoming Norwegian NIS2 regulation is set on implementation.
Where NIS2 does still reach small businesses is indirectly: as a supplier to a larger customer who is in scope, and who must assess and document their supply chain. Already today, larger customers ask their suppliers to show that security is in order, and that requirement is only tightening.
For small businesses, in practice that means questionnaires, documentation requests and control checks landing in the inbox, often with short deadlines. Handling it once is doable. Handling it across several customers, kept current over time, is where a digital operations department earns its keep.
A digital operations department can carry this work continuously: keeping the policies current, the technical controls in place, and the documentation ready to send the day a customer asks. The work does not stop at the gap audit; it becomes part of running IT operations and monitoring for the business.
The practical groundwork behind these requirements is the same regardless of any deadline: see cyber security for small businesses.
| Directly in scope | Indirectly via the supply chain | |
|---|---|---|
| Who | Medium-sized/large businesses in the 18 sectors | Smaller suppliers to a covered customer |
| Size | At least 50 employees, or turnover or balance sheet above EUR 10 million | Below the threshold, but supplying something material |
| What it triggers | Statutory requirements, supervision, reporting | Customer requirements: questionnaires, documentation, controls |
| Sanctions | Administrative fines + management liability | May lose contracts where documentation is missing |
The requirements
NIS2 (article 21) requires concrete risk-management measures that covered entities must have in place. It is not an abstract paper requirement, but a list of measures that must be documentable. The same measures are good practice whether or not you are directly in scope or are asked by a customer.
Risk analysis and security policies for information systems.
Incident handling, with routines to detect, notify and remediate.
Backup, crisis preparedness and continuity after an incident.
Supply-chain security, including requirements for subcontractors.
Access control and use of multi-factor authentication.
Patch routines, log retention and access reviews to keep systems current.
NIS2 (article 23) also requires multi-stage incident reporting: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month of the incident notification.
Liability
NIS2 introduces personal management liability and significant fines. That is one of the biggest differences from NIS1. Under article 20, the management body of essential and important entities must approve the risk-management measures, oversee their implementation, and can be held liable for breaches. The responsibility cannot be delegated away.
On the sanctions side, NIS2 (article 34) allows administrative fines of up to EUR 10 million or 2% of total global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities. The higher amount applies. For essential entities, the authorities may also temporarily ban a person from holding management functions. The final Norwegian sanction provisions are set when NIS2 is implemented in Norwegian law.
The difference
NIS2 is an expansion of NIS1, not an entirely new regime. Where NIS1 (implemented in Norway as the Digital Security Act from 1 October 2025) covered a narrower set of entities, NIS2 expands the scope to 18 sectors, introduces the distinction between essential and important entities, and adds personal management liability and stricter sanctions.
| NIS1 (Digital Security Act, applies now) | NIS2 (in progress) | |
|---|---|---|
| Scope | Providers of critical + digital services | 18 sectors, annexes I and II |
| Categories | No essential/important split | Essential and important entities |
| Management liability | Limited | Personal liability for management (art. 20) |
| Sanctions | Lower | Up to EUR 10m / 2% of turnover (art. 34) |
| Reporting | Per regulation | 24h / 72h / 1 month (art. 23) |
Under article 3(3), the EU member states had to draw up a list of essential and important entities by 17 April 2025. Norway gets corresponding duties when NIS2 is implemented via the EEA.
How it runs
The fastest route to being prepared is to have the documentation ready before the customer asks. Then you answer questionnaires in hours, not weeks, and do not lose contracts over missing paperwork. We make you ready in four phases, and keep it alive afterwards.
Phase 1
We map your business against recognised security controls and tell you, in plain language, where you stand and what is missing.
Phase 2
Written policies, incident handling, supplier control and risk register, tailored to your business and signed off by the leadership.
Phase 3
Patch routines, multi-factor authentication, backup verification, log retention and access reviews, set up with your existing tools.
Phase 4
Monthly follow-up, incident drill once a year, status report to the leadership. Good digital security is a continuous job, not a one-off.
Partnership
We deliver NIS2 together with Nordic Defence AS, a Norwegian cyber-security partner. They handle the deep technical assessment and incident response; we operate the documentation, training and monthly cadence inside the Unilab subscription. That gives you security expertise combined with a fixed, predictable operating rhythm.
Questions
NIS2 applies directly to medium-sized and larger businesses in 18 critical sectors (at least 50 employees, or turnover or balance sheet above EUR 10 million). Small businesses below the threshold are generally not directly in scope, but are often drawn in indirectly if they supply something material to a covered customer. We help you read your situation in plain language, with no obligation.
NIS2 has not yet come into force in Norway. The Digital Security Act (which implements the predecessor NIS1) applies from 1 October 2025. NIS2 and the CER directive have not yet been incorporated into the EEA Agreement, and work on Norwegian implementation is ongoing. We follow developments and tell you in good time what it means for you.
In practice it means having your digital security in order and being able to document it: risk overview, access control, backup, incident handling and tidy supplier routines. These are good practice regardless of any deadline, and they are exactly what we set up and operate for you.
No. Customers already ask for documented security today, and the groundwork is the same whatever the final wording looks like. Starting now means a calm, gradual build rather than a scramble later. We carry the work continuously so you stay prepared.
The direction is clear even while the dates move: digital-security requirements are tightening. We follow developments so you do not have to, and tell you in good time what it means for your business.
Other add-ons
Add-ons sit on top of any subscription level. Most customers start with one and add more as the business needs them.
Ready?
We give you a free health check: 20 minutes, plain language, you know exactly where you stand.