The new security act
A new and modernized Security Act came into force in Norway on 1 January 2019. The new act expands the scope of pre-existing legislation, and also provides companies with greater flexibility in implementing preventive security measures. International companies with operations in Norway face uncertainty, and there has been a chilling effect on foreign investors, as public authorities will have discretionary powers to designate which private businesses will need to comply. In this newsletter we present the key features of the act.
1. SUMMARY OF THE NEW REGIME
Both the old Security Act (of 1998) and the new act protect "national security interests". In essence, these acts set requirements for the processing of classified information, which includes security-graded information (Confidential, Secret, Top Secret, etc.). The old act contained numerous specific requirements for achieving this goal. These specific rules have been replaced by functional requirements, so companies to which the new act applies are able to choose how to achieve the required level of security. However, certain features of this new legislative approach mean that more companies will be affected, and that these companies will need to prepare internal control systems, adopt risk assessments, implement protective measures and notify the authorities in case of security incidents.
2. WHY A NEW ACT?
Digital transformation and advancing technologies have created new ways to produce, share and store information, and new cross-sector dependencies and vulnerabilities have emerged. The consequence is a complex risk picture in which hybrid threats and advanced cyber-attacks challenge national security. The rationale behind the Security Act is to address this changed security policy landscape and the increasingly sophisticated threats to society.
3. WHICH ENTITIES ARE COVERED?
The Security Act applies not just to information with formal security classifications but also to non-classified information systems that implement "basic national functions". This term is defined broadly, as are "national security interests". Included among such functions are, for example, financial and payment services, electricity supply, health services, food supply, transport services, district heating systems, media platforms and electronic communications. Thus, the Security Act is not limited to companies in specific industries or sectors, and will affect a large number of private companies, whether these companies directly carry out a "basic national function" or are suppliers to such companies.
Ultimately, each ministry within the government shall designate "basic national functions" within its sector. Any affected private company shall receive prior notice, but no minimum notice period has been set. Furthermore, the ministries are not required to consult any expert bodies prior to making their decisions. The ministries are expected to issue their first decisions by Q1 2020.
4. WHAT IS NEW?
The Security Act dictates that any sensitive objects, infrastructure, information and information systems shall have a "reasonable" level of security. In this way, the rules enable flexible solutions in reaching security compliance. The use of these functional requirements means that companies have an opportunity to use new standards and technology as well as modern security measures.
However, the change from specific requirements to functional requirements also means that companies have greater responsibility, which may require more security expertise. The requirement for a reasonable level of security is a dynamic concept that will be in constant change based on technological development, innovations and new threats. A good starting point is the classification/grading system – the higher the level, the more stringent the security requirements will be.
Furthermore, the Security Act introduces a mechanism for ownership control. This entails that the authorities may stop any acquisition of a company subject to the act if the acquisition poses a "not insignificant" risk to national security interests. In addition, investments falling within the scope of the act trigger a filing obligation. Essentially, investors that wish to acquire a "qualified" stake in a targeted company risk that the acquisition is stopped by the authorities.
5. WHAT IS REQUIRED?
The Security Act sets forth some general preventive security requirements. A company’s managers are responsible for establishing a security management system and for setting up preventive security measures based on specific risk assessments. Furthermore, companies must conduct monitoring and penetration testing, and must have documentation and a plan for notification to the authorities in case of security incidents.
The existing rules regarding security clearance for personnel, security agreements, and supplier clearance will continue to apply under the new regime.
The Norwegian National Security Authority (NSM) will continue to enforce the Security Act and may issue penalties or take other measures against any company that does not adhere to the act. NSM will receive an additional NOK 38 million of funding during 2019 to enable the agency to implement and exercise the new and expanded responsibilities, including the ability to conduct penetration tests.
6. WHY WORRY ABOUT COMPLIANCE?
The Security Act constitutes a general security framework across sectors and industries. Companies with operations in Norway should work strategically and purposefully to assess the scope of the act and meet its requirements. Compliance is the key factor in mitigating the risk of fines and other penalties. Moreover, the value of avoiding reputational loss, claims for damages, unexpected costs and other negative security issues impacting company assets should not be underestimated.
Other general frameworks concerning information security such as the General Data Protection Regulation (GDPR), and any sector-specific security regulations, may apply in addition to the Security Act. In this way, companies need to comply with different sectoral and general rules, which are supervised by various authorities.
The EU's recent Network and Information Security Directive (2016/1148) will also soon be implemented in Norwegian law. The directive will oblige certain suppliers of services, including digital services, to comply with cyber security requirements and to provide notification in the event of cyber security incidents. Further, the directive will require that companies conduct risk assessments of networks and IT solutions, and are able to show that they have put technical and organisational security measures in place.
In sum, because different sets of overlapping security rules will apply in different circumstances and because it is not certain which companies will be affected, companies doing business in Norway will often face complex requirements based on different sets of security rules.
Schjødt has extensive experience advising national and international clients on matters related to information security, including generally with respect to regulatory compliance and specifically with respect to preparing for the new Security Act's requirements.
Erlend W. Holstrøm