Archived data from 2016-2023

40. Norway 67.53

40th National Cyber Security Index
17th Global Cybersecurity Index
8th ICT Development Index
10th Networked Readiness Index
Population 5.2million
Area (km2) 323.8thousand
GDP per capita ($) 72.7thousand
NCSI FULFILMENT PERCENTAGE
NCSI DEVELOPMENT TIMELINE 3 years All data
RANKING TIMELINE
NCSI Update Data source
30 Nov 2022 Public data collection
18 Feb 2019 Public data collection
25 Jun 2018 Public data collection
6 Apr 2017 Cooperation partner

Version 30 Nov 2022

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 0/5 0%
    0
    5 0%
    • 5.1. Cyber security responsibility for digital service providers 0
      0
      1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 0
      0
      1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence
    • 5.3. Competent supervisory authority 0
      0
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 5/6 83%
    5
    6 83%
    • 6.1. Operators of essential services are identified 1
      1
      1
      Requirements
      Criteria

      There is a legal act that allows to identify operators of essential services.

      Accepted references

      Legal act

      Evidence

      The Security Act (link above), Chapter 7 (Object and infrastructure security), Section 7.1 (Critical national objects and infrastructure) and Section 7.2. (Classification of critical national objects and infrastructure)


      NOU 2006: 6, When safety is most important – Protection of the country’s critical infrastructures and critical societal functions (Recommendations from a committee appointed by royal decree on 29 October 2004. Submitted to the Ministry of Justice on 5 April 2006) (Link above, see Chapter 3, Table 1.1)

      Norway differentiates between six critical infrastructures and eleven critical societal functions: 

      Critical infrastructure

      • Electric power
      • Electronic communication
      • Water and wastewater
      • Transportation
      • Oil and gas
      • Satellite-based infrastructure

      Critical Societal functions

      • Banking and Finance
      • Food Supply
      • Health, social and social security services
      • Police
      • Emergency and rescue service
      • Crisis Management
      • Storing and Government
      • The courts
      • Defence
      • Environmental monitoring
      • Renovation
    • 6.2. Cyber security requirements for operators of essential services 1
      1
      1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

    • 6.3. Competent supervisory authority 3
      3
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      The National Security Authority (NSM) 

      The Security Act (link above), Chapter 3 (Supervision), Section 3.1 (Supervision of undertakings). 


      Official website of the Norwegian National Security Authority 

    • 6.4. Regular monitoring of security measures 0
      0
      1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence
  • 7. E-identification and trust services 8/9 89%
    8
    9 89%
    • 7.1. Unique persistent identifier 1
      1
      1
      Requirements
      Criteria

      The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.

      Accepted references

      Legal act

      Evidence

      Regulations on population registration ; Norwegian identification number – Birth Number and “D” Number, see Section 2-2. (Date of birthday) and § 2-5. (D number). For more information click here


      Link above, some additional information concerning national identity numbers and D-numbers can be found.

      In regards to legal entities

      “(…) Upon registration, legal entities are issued an organisation number. The organisation number serves as the identifier of the legal entity. The organisation number thereby also serves as the TIN for legal entities. (…)

      The organisation number (TIN) is the unique identification of a legal entity. The TIN will appear on all official documents issued both by the legal entity itself and by government agencies such as the tax office. The identification on tax returns and other tax related forms for legal entities will thus always be the TIN.”

    • 7.2. Requirements for cryptosystems 0
      0
      1
      Requirements
      Criteria

      Requirements for cryptosystems in the field of trust services are regulated.

      Accepted references

      Legal act

      Evidence
    • 7.3. Electronic identification 1
      1
      1
      Requirements
      Criteria

      Electronic identification is regulated.

      Accepted references

      Legal act

      Evidence

      Electronic ID

      "In order to use digital services from Norwegian public agencies, you must have an electronic identification, e-ID, to be able to log in. An electronic identification is an electronic way of proving one's identity on the internet."


      Regulations on self-declaration of schemes for electronic identification (the self-declaration regulations), see for example §§ 17, 18.

    • 7.4. Electronic signature 1
      1
      1
      Requirements
      Criteria

      E-signature is regulated

      Accepted references

      Legal act

      Evidence

      Act on the implementation of the EU regulation on electronic identification and trust services for electronic transactions in the internal market (Act on electronic trust services)

      § 1. eID and electronic trust services in the EEA

      The EEA Agreement annex XI Electronic communications, audiovisual services and information society services (regulation (EU) no. 910/2014 ) on electronic identification and trust services for electronic transactions in the internal market applies as law with the adaptations that follow from annex XI, protocol 1 to the agreement and the agreement in general.


      Background information (see link above):

      "With the eIDAS regulation, which entered into force in 2016, the EU attempted to solve such challenges. Through the EEA agreement, the regulation was incorporated into Norwegian law in 2018."

    • 7.5. Timestamping 1
      1
      1
      Requirements
      Criteria

      Timestamping is regulated.

      Accepted references

      Legal act

      Evidence

      Act on the implementation of the EU regulation on electronic identification and trust services for electronic transactions in the internal market (Act on electronic trust services)

      § 1. eID and electronic trust services in the EEA

      The EEA Agreement annex XI Electronic communications, audiovisual services and information society services (regulation (EU) no. 910/2014 ) on electronic identification and trust services for electronic transactions in the internal market applies as law with the adaptations that follow from annex XI, protocol 1 to the agreement and the agreement in general.


      Background information (see link above):

      "With the eIDAS regulation, which entered into force in 2016, the EU attempted to solve such challenges. Through the EEA agreement, the regulation was incorporated into Norwegian law in 2018."

    • 7.6. Electronic registered delivery service 1
      1
      1
      Requirements
      Criteria

      Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.

      Accepted references

      Legal act

      Evidence

      Act on the implementation of the EU regulation on electronic identification and trust services for electronic transactions in the internal market (Act on electronic trust services)

      § 1. eID and electronic trust services in the EEA

      The EEA Agreement annex XI Electronic communications, audiovisual services and information society services (regulation (EU) no. 910/2014 ) on electronic identification and trust services for electronic transactions in the internal market applies as law with the adaptations that follow from annex XI, protocol 1 to the agreement and the agreement in general.


      Background information (see link above):

      "With the eIDAS regulation, which entered into force in 2016, the EU attempted to solve such challenges. Through the EEA agreement, the regulation was incorporated into Norwegian law in 2018."

    • 7.7. Competent supervisory authority 3
      3
      3
      Requirements
      Criteria

      There is an authority responsible for the supervision of qualified trust service providers.

      Accepted references

      Official website or legal act

      Evidence

      In Norway, the Norwegian Communications Authority (Nkom) is designated as the supervisory body for electronic ID and trust services.

  • 8. Protection of personal data 4/4 100%
    4
    4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
Information Disclaimer

The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.

What can I do to improve my country's data in NCSI?

Become a data contributor Update a specific indicator with evidence data

CONTRIBUTORS

Nils Brede
Watchcom