
Five things you need to know about the Digital Security Act

22.10.2025

The Digital Security Act and the Digital Security Regulation entered into force in Norway on 1 October 2025. They apply to parts of the shipping and offshore sector, including ports, port facilities and shipping companies that meet certain criteria. Here are the five key takeaways about the new rules.


1. Measures – what obligations do companies have under the Digital Security Act?

The Digital Security Act sets out both substantive security requirements and reporting obligations. In-scope companies must implement appropriate organisational, technical and physical security measures to ensure an adequate level of security, and must establish a risk-based security management system that is documented, approved and maintained by management. This may include:

  • Mapping critical IT and OT systems (such as bridge and engine control, AIS, ECDIS and satellite communication)
  • Assessing the risk of attacks, errors or misuse of those systems
  • Implementing measures such as two-factor authentication, network segmentation, tested and up-to-date backups, physical access control and crew training
  • Ensuring that subcontractors meet equivalent security requirements, reflected in both contracts and risk assessments

In addition, in-scope companies shall notify both the Norwegian National Security Authority (NSM) and the relevant supervisory authority for the shipping and offshore sector about incidents that significantly affect their service delivery.

2. Other security requirements – how to coordinate the requirements?

Many companies are already subject to various information security requirements through laws, regulations and contractual obligations. The Digital Security Act does not apply to the extent that similar or stricter rules on security and incident reporting are established in or pursuant to other laws. Companies within its scope should therefore map and assess all applicable legal and contractual requirements and establish routines to coordinate and document compliance in a consistent and efficient way, so that one set of measures and one incident-handling process satisfies every regime at once.

For instance, shipping companies subject to the Ship Safety and Security Act may have to report digital incidents to the Norwegian Maritime Authority. In addition, the General Data Protection Regulation (GDPR) requires companies to implement appropriate organisational and technical information security measures to protect personal data, and some may be fully or partly subject to the Norwegian Security Act, which imposes specific obligations related to national security.


3. Future legislation – how should I prepare for NIS2?

The Digital Security Act is based on the NIS1 Directive (Directive (EU) 2016/1148), which has been replaced in the EU by NIS2 (Directive (EU) 2022/2555). NIS2 significantly expands the scope to include more types of entities and introduces stricter requirements for digital security and incident reporting. NIS2 is expected to be implemented in Norway soon.

According to estimates from the European Commission's impact assessment, companies may need to increase their IT security spending by around 12 percent if they were already subject to NIS1, and by up to 22 percent if they are newly brought into scope by NIS2.

Key changes under NIS2 include:

  • A broader scope that covers additional companies in the maritime sector, such as companies engaged in passenger and freight transport by sea.
  • More detailed technical and organisational cyber security measures, including risk analysis, incident handling, business continuity, supply chain security and the use of multi-factor authentication, aligned with international standards such as ISO/IEC 27001 and 27002.

Even organisations not directly subject to NIS2 may still be indirectly affected through contractual obligations from customers or partners that are required to comply with the new rules, since those entities must manage security risks in their supply chains.

4. Sanctions – what happens in case of non-compliance?

A breach of the Digital Security Act may result in the following sanctions from the relevant supervisory authorities:

  • Orders for rectification and coercive fines
  • Administrative fines for the company of up to 25 "G" (the National Insurance basic amount, grunnbeløpet) or 4% of the previous year's revenue, subject to a maximum of NOK 50,000,000. Parent companies may be held secondarily liable if subsidiaries fail to pay.
  • Under NIS2, management bodies (e.g. the board and/or the CEO) may also be held personally liable for non-compliance with the requirements.

5. Supervisory authority – which authority oversees the companies' compliance?

Sector-specific supervisory authorities will be designated for companies covered by the Digital Security Act. As of now, it has not been decided which authority will have supervisory responsibility for the shipping and offshore sector. Until this has been determined, companies should treat the Norwegian National Security Authority (NSM) as the relevant supervisory authority, including for incident notification.

Authors
Leif Eirik Thrane, Partner
Wegard Kyoo Bergli, Senior Associate
Helene Søvik, Associate