
NIS2 and Norwegian Law: What Your Business Needs to Know in 2025
The NIS2 Directive, adopted by the EU in December 2022, represents a significant update to the original NIS Directive from 2016. Its primary goal is to strengthen cybersecurity across critical sectors and improve protection against increasingly sophisticated cyber threats.
While EU member states were required to implement NIS2 by October 2024, the directive has not yet been incorporated into Norwegian law as of May 2025. However, Norwegian businesses should start preparing now to meet the upcoming requirements.
What Is NIS2, and Who Does It Apply To?
Once implemented in Norway, NIS2 will introduce stricter cybersecurity requirements for businesses in sectors such as energy, healthcare, transport, financial services, and digital infrastructure. The directive will apply to medium-sized and large organisations in these sectors, with stricter obligations for entities classified as “essential.” Key obligations under NIS2 include:
- Risk Management: Businesses must implement technical and organisational measures to manage cybersecurity risks effectively.
- Incident Reporting: Significant cybersecurity incidents must be reported to relevant authorities within tight deadlines, likely within 24 hours.
- Supply Chain Security: Organisations must ensure that their suppliers and service providers meet cybersecurity standards.
- Governance and Accountability: Clear responsibilities for cybersecurity must be established at the management level, with boards and executives held accountable for compliance.
- Regular Audits: Businesses will need to conduct periodic risk assessments and audits to ensure ongoing compliance.
How Can Businesses Operating in Norway Prepare?
Although NIS2 has not yet been implemented in Norway, businesses can take proactive steps to prepare for its eventual adoption:
- Stay Informed About Legislative Developments: Keep track of updates regarding NIS2’s implementation in Norway. Consult with legal experts to understand how the directive will impact your business.
- Conduct a Cybersecurity Gap Analysis: Evaluate your current cybersecurity measures against the anticipated requirements of NIS2. Identify gaps and create a plan to address them before the directive becomes law.
- Develop an Incident Response Plan: Prepare for the directive’s likely incident reporting requirements by creating and testing a robust incident response plan. Ensure your team is equipped to detect, respond to, and report cyber incidents effectively.
- Collaborate with Your Supply Chain: Work closely with suppliers and service providers to verify their cybersecurity practices. Update contracts to include specific security obligations that align with NIS2 standards.
- Raise Awareness Across Your Organisation: Provide training to employees and management about the importance of cybersecurity and the anticipated requirements of NIS2. Building a culture of security awareness will help your organisation adapt smoothly to the new regulations.
Why Act Now?
Although the timeline for NIS2 implementation in Norway remains uncertain, waiting until the last minute to prepare could expose your business to unnecessary risks. Non-compliance with the directive, once it becomes law, could result in significant penalties, including fines and reputational damage. Early preparation not only ensures compliance but also strengthens your organisation’s resilience against cyber threats, giving you a competitive edge in an increasingly digital economy.
How Brækhus Can Support Your Business in Adapting to NIS2
At Brækhus, we specialise in helping businesses navigate complex regulatory landscapes. Our team of legal and cybersecurity experts is closely monitoring the progress of NIS2 implementation in Norway and is ready to assist your business in preparing for the changes ahead.
We offer tailored advice and practical solutions, including:
- Conducting compliance assessments
- Developing incident response plans
- Strengthening supply chain security
- Providing training and awareness programs
Contact us today to learn how we can support your business in adapting to NIS2 and enhancing its cybersecurity posture. By acting now, your organisation can stay ahead of regulatory developments and position itself for long-term success in a rapidly evolving threat landscape.