Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 27 December 2024

Yes.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒ obligation to take specific security measures e.g., encryption

Not a strict legal requirement, but encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify no encryption.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 27 December 2024

Yes.

As stated above in relation to the key cyber security laws and regulations, the legal obligations regarding protection of IT-systems are highly fragmented. This also includes obligations to protect systems from cyberattacks. Please refer to the key laws and regulations section for specific laws imposing such obligations.

☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

If not within any of the other categories listed below, public companies would in most instances only have obligations provided in the General Data Protection Regulation, as there are no separate legal obligations applicable to public companies at a general level.

☒ network information security requirements (broader than telecommunications)

☒ health regulatory requirements

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ digital or connected (IoT) products

☒ other

E.g. financial sector and governmental entities.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

☒ data privacy

☐ securities or public company

☒ network information security

☒ financial services

☒ telecommunications

☒ critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 27 December 2024

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

It is mandatory to report cybersecurity incidents that significantly affect the delivery of a service.

Controllers/Owners have to notify:

Last review date: 27 December 2024

☒ data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it.

☒ cybersecurity authorities

☒ affected individuals

  • without undue delay
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
    • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
    • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize; or
    • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

☒ other

There shall be public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects) if the communication to the data subject would involve disproportionate effort.

Processors/Agents have to notify:

Last review date: 27 December 2024

☒ controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it

☒ cybersecurity authorities

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 27 December 2024

☒ cybersecurity authorities
☒ other

e.g., financial services

Details regarding the identified data security breach notification requirements

Financial services firms are required to inform the Norwegian Financial Supervisory Authority of security breaches without undue delay. It is not necessary to notify individuals.

Breaches include incidents that lead to a substantial reduction in functionality caused by a breach of the confidentiality, integrity or availability of systems or data. As a general rule, only incidents the firm categorizes as serious or critical require notification; however, if less serious breaches reveal vulnerabilities in, for example, infrastructure or defense mechanisms, such breaches also require notification.