Meld. St. 9 (2024–2025)

Total preparedness

Meld. St. 9 (2024–2025) Report to the Storting (white paper)

Next chapter

Previous chapter

Part 3
A civil society that is resilient to hybrid threats

7 Improve resilience to hybrid threats

Foreign states use hybrid activities that have a broad impact, encompass both legal and illegal activities, take place over a long period of time and below the threshold of armed conflict. Malicious actors may intend to target parts or all of society, create divisions between groups, weaken trust and destabilise society, or weaken emergency preparedness and military capabilities to make society more vulnerable. It can be difficult to understand, recognise, handle and counter this type of activity. The willingness and ability of malicious actors to confront the West and Norway using hybrid threats appears to have increased.1

Hybrid activities affect the whole of society. Both the defence and civilian sectors are affected, in physical and digital spheres, and across areas of responsibility. Public bodies, private organisations and individuals can be exposed to the use of such methods. Actors that are affected may, for example, be linked to the supply of critical goods and services such as power, petroleum products, electronic communications and water. In the long term, this activity could threaten our democracy, the rule of law, our social values and Norway’s economic and political scope of action. This does not mean that we are at war, but the activity impacts how Norway – its people, municipalities, business and industry and public administration – addresses the challenges. At the same time, Norway has a toolbox of instruments to tackle such threats. We can strengthen society’s resilience at state, community and individual level. Handling hybrid activities requires information sharing across sectors, the ability to see incidents in context and a shared situational awareness.

Strengthening society’s resilience in peacetime acts as a deterrent and helps to increase preparedness during crisis and armed conflict. A resilient population provides a better foundation for national security and defence capabilities.

Much of the critical infrastructure in Norway is owned by the private sector. These companies have expertise in identifying vulnerabilities and managing incidents effectively within their respective areas of responsibility. They are thus a key part of our resilience and total defence, and must be closely involved in tackling hybrid threats.

The Government will build on and strengthen the measures in Report No 9 to the Storting (2022–2023) National control and cyber resilience to safeguard national security, cf. Recommendation No 247 to the Storting (2022–2023), to strengthen civil society’s resilience to hybrid threats. See Chapter 9 for a more detailed discussion of cyber resilience.

The Government will:

increase situational awareness of hybrid threats by
- strengthening agencies and intelligence and security services tasked with understanding, detecting, handling and countering hybrid threats.
- further developing the National Intelligence and Security Centre (NESS).
- establishing a new organisational structure at ministry level for preparedness planning and status assessments in civilian sectors.
- intensifying the dialogue with the business community, knowledge sector and other sections of society.
- if necessary, authorising more people to receive and manage classified information.
stepping up the work to counter disinformation and influence by
- presenting a strategy to strengthen resilience to disinformation in spring 2025.
- in consultation with the media industry, assessing possible measures to improve people’s ability to scrutinise sources and resist disinformation.
- following up the major technology platforms’ influence on public debate in Norway.
strengthening personnel security through a civil security clearance authority that is fit for the future.
working towards a close, binding and predictable international cooperation on national security and countering hybrid threats together with allies, partners, NATO, the UN, Nordic countries and Europe.

7.1 Hybrid threats challenge society

The war in Ukraine affects the intelligence, influence and sabotage threat in Norway. In their threat assessments, the Norwegian Intelligence Service and the Norwegian Police Security Service (PST) point out that foreign states will use a wide range of means against and in Norway to achieve their goals. This particularly applies to authoritarian states. One example is the increased risk of sabotage against Norwegian arms deliveries to Ukraine. Fewer bilateral cooperation channels mean that Russia has less access to information about the situation in Norway, which requires more of Russian intelligence and security services than previously. Russia is likely to compensate for this by making greater use of travelling personnel, as well as proxies, to carry out tasks that were previously performed by permanently stationed intelligence personnel. Russian actors are interested in obtaining information about Norwegian politics, energy, the High North, allied activity and defence. Russia is also interested in Norwegian technology in areas they wish to develop themselves. Russia utilises civilian vessels in intelligence operations. They have legitimate access to Norwegian infrastructure and the Norwegian coast. Identifying whether they are carrying out intelligence activities alongside their legitimate activity can be difficult.

China does not pose a direct military threat to Norway, but has an interest in establishing a political and economic foothold in the Arctic and an independent capability to operate militarily in the region. Chinese intelligence services operate throughout Europe. These activities include both intelligence and industrial espionage. The digital sphere is the most relevant point of entry for such activity. Chinese diplomats, visiting delegations, private individuals, businesses and interest organisations regularly perform tasks on behalf of Chinese intelligence services. There are close links between Chinese intelligence services and Chinese commercial companies. Beijing has both institutional resources and a legal framework to utilise Chinese businesses and individuals for state purposes. All Chinese companies and individuals are obliged under Chinese law to assist China’s intelligence and security services. Cooperation with Chinese actors must be considered against this backdrop.

Textbox 7.1 Examples of hybrid activities

Throughout 2024, Russia has used a wide range of activities to undermine NATO countries’ capability and willingness to continue to support Ukrainian defence capabilities. This includes public statements by the Russian authorities, such as threats to use nuclear weapons and accusations against Ukraine and the West, but also the covert use of activities by the Russian intelligence and security services. For example, a number of public and private organisations with a role in the European support for Ukraine have been subject to cyber operations. Russian intelligence has also used proxies to commit several acts of sabotage and other disruptive activities in various European countries. The majority of the latter actions have targeted value chains that support donations to Ukraine or infrastructure used daily by the civilian population in Europe.

7.2 Increase situational awareness of hybrid threats

Hybrid activities impact the whole of society. This makes it necessary to facilitate good information sharing, coordination and situational awareness across sectors, at all administrative levels and with the business sector. Measures are needed to address hybrid threats in a coordinated and targeted manner. The Ministry of Justice and Public Security has a special responsibility to follow up and coordinate the Government’s work to counter hybrid threats, in close cooperation with the Ministry of Foreign Affairs and the Ministry of Defence.

The establishment of the National Intelligence and Security Centre (NESS) in 2022 was key to increasing the authorities’ situational awareness. NESS consists of the Norwegian Police Security Service (PST), the Norwegian Intelligence Service, the Norwegian National Security Authority (NSM) and the rest of the police. These parties work together to strengthen our national capability to identify, build understanding of and provide decision-making support related to central government actors’ use of, or our national security interests’ vulnerabilities to, hybrid threats. The Ministry of Justice and Public Security and the Ministry of Defence are now further developing NESS to establish a national situational picture of hybrid threats, and to strengthen the cross-sectoral work required to identify, understand, counter and handle hybrid activities.

The establishment of a new structure for preparedness planning and status assessments at ministry level, see Section 3.1, is also an important means of countering hybrid threats. Systematic reporting on status and vulnerabilities from different sectors will provide a better and more comprehensive basis for improving the Government’s situational awareness. The new structure will also facilitate more comprehensive input to the Ministry of Justice and Public Security’s leadership and coordinating role in the prevention and handling of hybrid threats.

Another measure to strengthen situational awareness of hybrid threats is to ensure that relevant personnel are authorised to receive classified information if necessary. This will make it easier for personnel with an official need in the ministries and undertakings subject to the Security Act, including subordinate agencies at local and regional level and municipalities, to receive classified information and thus gain a better understanding of the threat and risk situation. Work is underway to strengthen personnel security in the ministries. The Government will also make it easier for municipalities to handle classified information.

Figure 7.1 Hybrid threats challenge society

7.3 Measures to counter the insider threat

The use of unfaithful servants is part of the intelligence threat. An insider threat can enable malicious actors to gain access to assets that are important for national security. According to NSM, an insider risk is defined as a current or former employee, consultant or hired employee who has or has had legitimate access to the organisation’s systems, procedures, objects and information, and who misuses this knowledge and access to carry out actions that harm or entail a loss for the organisation. An insider risk can carry out or facilitate espionage or sabotage from inside the organisation.

The security policy situation has led to more and more organisations falling under the Security Act, and the need for security clearances is increasing in line with this. This also applies to the Norwegian defence industry, where the need for security-cleared personnel has increased in connection with government-supported capacity expansion, but it is also the case in several civilian sectors.

It is vital and legitimate for the state to have appropriate personnel security measures to protect national security interests. At the same time, different organisations’ need for critical expertise and personnel across the crisis spectrum must be met.

Protection against insider activity can be achieved through various measures related to, among other things, personnel security, and physical and cyber security. The legal rights of the individual to be given clearance must be safeguarded. The Government has decided to initiate work to modernise the Civil Security Clearance Authority to make it fit for the future.

7.4 Resilience to influence operations

Influence operations are part of the hybrid threat picture. By influence operations is meant other states’ use of open and covert campaigns, operations and activities, often without the use of military force, to change attitudes, decisions or outcomes. The aim is often to influence political processes or decisions in a particular direction, but they may also aim to reinforce polarisation, spread distrust or create general unrest in the population. Disinformation is one of several means of achieving this. Traditional media, alternative media and social media can be misused to spread disinformation, initiate smear campaigns, and spread rumours and half-truths. In Norway, some foreign intelligence officers will also target people with political influence in an attempt to influence the outcome of individual cases.

Attempts by foreign states to exert influence are described as a threat by both the Norwegian Intelligence Service and PST in their annual threat assessments. PST believes that we must be prepared for attempts by Russian and Chinese intelligence services in particular to influence decision-makers and the public. Russia has for many years demonstrated the capability and willingness to carry out influence operations in Western countries.

Countering disinformation

As the Total Preparedness Commission points out, several countries have stepped up their efforts to counter hybrid threats in recent years. The Norwegian Defence Research Establishment has carried out a study of other countries’ work to counter hybrid threats. Best practices from other countries have highlighted the importance of increased awareness and knowledge of the threat, asset and vulnerability dimensions. This includes clarifying the roles and responsibilities of key actors and emphasising enhanced collaboration. The Government has implemented several important initiatives in recent years.

Textbox 7.2 Amendments to the Penal Code on the influence of foreign intelligence

PST is tasked with preventing and investigating serious crimes against the nation’s security. In that connection, it identifies, assesses and handles threats related to foreign states’ use of hybrid activities in Norway, including influence operations. To provide PST with an appropriate legal framework for this work, the Storting has adopted amendments to the Penal Code. Two new provisions (Sections 130 and 130a) entered into force in the Penal Code on 1 July 2024. The provisions strengthen legal protection against harmful influence activities by foreign intelligence in Norway. The provisions make it a criminal offence to contribute on behalf of or in agreement with a foreign intelligence actor in activities aimed at influencing decisions or the formation of public opinion, when the activities may harm significant public interests.

The Police Databases Act allows PST to store, systematise and analyse publicly available information for intelligence purposes. Together with the above-mentioned amendments to the Penal Code, this will enable PST to prepare analyses and assessments to provide decision-making support on issues that may threaten Norway’s sovereignty, territorial integrity, democratic form of government and other national security interests.

The Ministry of Culture and Equality has a special responsibility for the public’s resilience to disinformation. The Government has initiated work on a strategy to strengthen resilience to disinformation, which it aims to present in spring 2025. The strategy will address the recommendations of the Norwegian Defence Commission and the Total Preparedness Commission to strengthen the public’s resilience to disinformation. Among other things, the strategy will address:

The role and framework conditions of editorial media.
The public’s critical understanding of the media.
Following up the major technology platforms’ influence on public debate in Norway.
Knowledge of and research into the spread of disinformation and its impact on Norwegian society.

Textbox 7.3 Actors with a special responsibility to counter influence

The principles of responsibility and cooperation stand firm, and handling disinformation and influence is primarily the responsibility of the individual organisation and the sector concerned. However, certain ministries and agencies have a special responsibility in different areas to counter influence.

Ministries

The Ministry of Justice and Public Security is responsible for the general coordination of measures to counter influence operations on civil society, as well as technical responsibility for coordination and crisis management in situations where this is required.
The Ministry of Culture and Equality is responsible for the public’s resilience to disinformation.
The Ministry of Defence is responsible for influence operations aimed at the defence sector, defence policy and defence capability, or which may otherwise pose a military threat to national security, as well as international defence cooperation in this area.
The Ministry of Foreign Affairs is responsible for diplomatic, foreign policy and security policy aspects of disinformation and influence operations.
The Ministry of Local Government and Regional Development is responsible for countering undesirable influence on elections.

Agencies

The police are responsible for hybrid activities that materialise as crime, and for handling them and restoring normality while they conduct an investigation. The police must deal with all aspects of the incident until it becomes clear that the responsibility lies with PST and the case is transferred.
PST is Norway’s domestic intelligence service and it is tasked with preventing and investigating serious crimes against the nation’s security. In that context, it identifies, assesses and handles threats related to foreign states’ use of hybrid activities in Norway, including influence operations. PST is tasked with giving notification of threats to national security and providing decision-making support on matters in Norway that may threaten its sovereignty, territorial integrity, democratic form of government and other national security interests.
The Norwegian Intelligence Service is tasked with giving notification of external threats to Norway and supporting political decision-making processes by providing information of particular interest to Norwegian foreign, security and defence policy.
NSM is tasked with, within the framework of the Security Act and main instructions, providing information, advice and guidance on preventive security work and the measures required, including influence operations against organisations that fall under the Security Act. NSM is also the national specialist environment for cyber security and is tasked with preventing cyberattacks.
The Norwegian Media Authority is tasked with increasing the public’s resilience through critical understanding of the media and good framework conditions for an open and informed public debate.
The Directorate for Civil Protection has a particular responsibility for facilitating good coordination where special cross-sectoral challenges have been identified. It is also responsible for risk and crisis communication to the public, as well as advice on self-preparedness.

In summer 2024, several press organisations, media companies and the fact-checking organisation faktisk.no joined forces in an initiative to establish a national centre for source criticism. The Government is following the initiative with interest and will consider it in connection with the strategy to bolster resilience to disinformation. In the strategy, the Government will also consider strengthening the role and responsibilities of the Norwegian Media Authority in this area. This could be a complementary measure focusing on resilience, on top of the Government’s current efforts to understand and counter foreign state influence operations. The further development of the National Intelligence and Security Centre (NESS), as described in Section 7.2, is a further step towards obtaining a better situational overview and understanding of hybrid threats, which include influence operations.

The legal amendments that give PST greater opportunity to monitor trends and developments on the internet, including influence activities, together with the amendment that makes it a criminal offence to contribute to influence operations on behalf of foreign intelligence, provide a better knowledge base and opportunities to prevent and stop such activities. These were very important legislative amendments. The Total Preparedness Commission’s recommendation to establish closer cooperation between relevant organisations and the EOS services in terms of both surveillance and analysis in order to create a good understanding of the situation will be considered in the Government’s further work on both the strategy for strengthening resilience to disinformation and the further development of NESS. In line with the Total Preparedness Commission’s recommendations, this will strengthen situational awareness across sectors and prevent foreign influence operations.

Major technology platforms such as TikTok and Meta are playing an increasingly important role in public debate. The Government has therefore initiated several dialogue meetings between Norwegian media and major technology platforms, with the aim of establishing a meeting place for these platforms. A number of topics have been discussed. Examples include challenges related to technology platforms’ moderation of Norwegian media content (blocking legal content provided by Norwegian editorial media), the extent to which the platforms’ algorithms prioritise news content, as well as challenges related to social networks spreading fake news stories that are falsely presented as coming from Norwegian media. Crime committed on these platforms has also been discussed at some meetings. The Government will therefore follow up the major technology platforms’ impact on public debate in Norway, including in the upcoming strategy to strengthen resilience to disinformation. For 2025, the Storting has approved the Government’s proposal to increase the allocation to the Norwegian Media Authority by NOK 5 million, among other things to strengthen work on the public’s critical understanding of the media and follow up the technology platforms’ impact on public debate in Norway.

In order for children and young people to learn to resist influence operations and disinformation, it is important to give them suitable, adapted information. The school curriculum provides good opportunities for pupils to learn about democracy and to become active citizens, particularly following the inclusion of the interdisciplinary subject democracy and citizenship in the new curriculum. Critical thinking, democracy and participation are central to the statutory objective of the Education Act, and are important principles in the general part of the curriculum that provides direction for basic education in schools, which includes both primary and secondary education.

Textbox 7.4 Folk high schools and democratic awareness

Democratic awareness is an important part of the curriculum in folk high schools. Norway has around 80 folk high schools that enrol a total of 6,000 students every year. These schools are tasked with promoting general education and public awareness, and help to ensure that knowledge and attitudes are used for the common good. An important aspect of this is creating awareness of what a democracy is nationally and internationally, and helping to build a resilient population with the knowledge, will and courage to stand up for democratic values. This is particularly important at a time when the distinction between truth and falsehood may be becoming less clear, and when attempts at manipulation and influence are part of the challenge. Without democratic awareness, the ability to stand up for democratic values could be weakened, and actors who seek to undermine trust and democracy will have a greater chance of succeeding.

Textbox 7.5 Selected initiatives that contribute to democratic values and attitudes, source criticism and resilience

The Ministry of Education and Research is responsible for the 22 July Centre, a national memorial and learning centre that disseminates knowledge about the terrorist attack in the government quarter and on Utøya island on 22 July 2011.
The Ministry of Education and Research provides operational grants to seven peace and human rights centres with different regional affiliations: The Norwegian Center for Holocaust and Minority Studies, the Falstad Centre, Arkivet Peace and Human Rights Center, the Nansen Center for Peace and Dialogue, the Narvik War & Peace Centre, the European Wergeland Centre and the Rafto Foundation. The centres contribute to the work of strengthening democratic citizenship, documenting the past and combating discrimination, racism and hate speech.
Dembra (Democratic Preparedness against Antisemitism and Racism) offers counselling, courses and online resources for the prevention of various forms of group hostility, such as prejudice, xenophobia, racism, anti-Semitism, Islamophobia and extremism.
Tenk provides educational programmes, courses and lectures to schools across the country on source criticism and critical thinking. It is part of the fact-checking organisation Faktisk.no, and its teaching programmes are closely linked to topical news that children and young people encounter in everyday life, both in social media and conventional media.
The Government’s information channel for children and young people, ung.no, run by the Norwegian Directorate for Children, Youth and Family Affairs, is an example of an important source of information.

The Government’s information channel for children and young people, ung.no, run by the Norwegian Directorate for Children, Youth and Family Affairs, is an example of an important source of information. Critical media literacy is also key for children and young people, older people and other vulnerable groups. Ensuring good framework conditions for editorial media is also essential. People’s ability to distinguish between the truth and falsehoods is challenged at several levels. Artificial intelligence has become both more advanced and more accessible. The global internet platforms amplify the spread of emotional and engaging content, increasing the risk of algorithmic amplification of disinformation. Regulation of these platforms is therefore another important preventive measure, including through the EU Digital Services Act.

8 National control

The Government aims to strengthen national control and raise the level of public knowledge about risk, malicious actors and preventive security efforts. National control is an important means of safeguarding national security. National control of organisations, infrastructure, natural resources, property and assets of importance to national security can be achieved through, for example, regulations, various forms of ownership, oversight, cooperation and advice and guidance. National control as an instrument must be used in such a way that it contributes to predictability and trust.

The Government will:

enable undertakings that fall under the Security Act, the business sector, municipalities and county authorities to make good evaluations to safeguard national security.
ensure adequate national control of property of importance to security, critical infrastructure, natural resources and strategically important companies and value chains.
increase control over property for reasons of national security by investigating statutory ownership registration to achieve adequate oversight of, and control of, ownership of real property.
propose necessary amendments to the rules to ensure an approval mechanism for the purchase of certain properties.
propose a new act for control of foreign investments that will help to safeguard national security interests and ensure that Norway remains an attractive country for foreign investment.
propose amendments to the Regulations relating to data centres to ensure the authorities are able to prevent, avert, stop and investigate crime and handle the loss of data centre services that are important to society.
ensure that national security is safeguarded in new regulations and revisions of existing regulations where relevant.
strengthen security in the maritime sector and ensure that there is close collaboration and coordination between civil and military authorities, as well as between the private and public sectors.
review responsibility for, and management of, critical infrastructure in Svalbard.

8.1 Trade-offs between openness, business interests and national security

Cross-sectoral security challenges mean national security must be weighed against other important considerations, such as a free and open society and the need to provide the best possible framework conditions and predictability for businesses. The Security Act’s purpose clause emphasises that ‘…security measures are implemented in accordance with the fundamental legal principles and values of a democratic society’.

Safeguarding national security interests in peacetime is a prerequisite for maintaining political and economic freedom of action in times of crisis and war. Weighing up considerations can be demanding at all levels – in government, in business and industry, in the community and in the population. Therefore, it is important to have legislation that contains mechanisms to safeguard national security, both in the Security Act and sector legislation. The Government has also drawn up various guidelines to address the balance between openness, business interests and security. We will reduce risk and our dependency on actors that we do not collaborate with on security policy or that may otherwise present a challenge to our national security interests. Guidelines have been drawn up in the transport sector for how organisations should handle economic activity with foreign actors that may pose a risk to national security interests. The knowledge sector has established guidelines for responsible international knowledge cooperation, which intend to safeguard both academic values and national interests, including national security interests. Guidelines are also available that address the authorities’ cooperation on handling economic activities that present a threat to society.

The Government’s comprehensive approach to China is an example of such a trade-off. We will pursue an interest-based policy on all issues concerning China, and we will cooperate and engage in dialogue with China in several areas. This approach will be based on our interests and our values. At the same time, in the interests of national security, we must exercise greater caution towards China. Cooperation should be avoided in certain sensitive areas. We will reduce risk and our dependence on Chinese actors. This is best done in close collaboration with our Nordic neighbours, closely-related European countries and allies, and by strengthening the dialogue with business and industry and other sections of Norwegian society. The Government is intensifying its dialogue with the business sector, the knowledge sector and other sections of society to ensure they are aware of the risks of cooperating with China.

Textbox 8.1 Control questions relating to national security and risk assessments

In the event of questions arising about whether an activity, investment, acquisition, agreement or similar may affect national security interests, certain control questions should be asked as a basis for risk assessment. For example:

Do I manage assets that are important to safeguarding national security interests? Is the organisation I work for subject to the Security Act? For example, all state, county and municipal entities are subject to the Security Act.
Can the activity give undesirable actors insight into, influence over or control over important assets, processes, information or infrastructure? Property, big data or infrastructure can be used as leverage in a crisis situation.
Can the activity create ties or dependencies with undesirable actors? Formal ties or informal expectations can put you in difficult situations.
Does the activity concern sectors, knowledge or areas of technology that are strategically important to Norway? A great deal of civil technology may also have military applications.
Is the offer from an undesirable actor too good to be true? An undesirable actor may make an offer that is significantly better than all other offers, and interests other than purely commercial interests may be behind it.

8.2 Economic activity that presents a threat to security and investment control

It is important for the Government to strengthen control of economic activity and investments that present a potential threat to security. The Government’s proposed amendments to the Security Act on ownership control and the scope of the Act were adopted by the Storting on 12 June 2023, and several of the provisions have entered into force. The amendments strengthen the handling of activity that presents a threat to security, including economic activity, by ensuring that more undertakings that are important to national security interests become subject to the Security Act. The amendment also provides for criminal liability for anyone who intentionally or negligently violates a prohibition or order issued pursuant to Section 2-5 or Section 10-3 of the Security Act. The purpose of this is to ensure that the authorities can enforce non-compliance to a greater extent and reduce the risk of harmful impacts occurring before they implement the necessary measures.

The Government’s prioritisation of national security has helped to raise awareness of the various trade-offs between openness, business interests and national security in different sectors and among public and private undertakings. An inter-ministerial network (the ministries’ screening network), led by the Ministry of Justice and Public Security, handles cases that may involve economic activity that presents a threat to security. The agency network, led by the Norwegian National Security Authority (NSM) as the national contact point for reporting such economic activity, uncovers, handles and counters various forms of investments and acquisitions that may present a threat to security. Cooperation with close allies, in NATO and with the EU is also important in this context, and is actively followed up by the Government.

In December 2023, the government-appointed Investment Control Committee submitted Norwegian Official Report (NOU) 2023: 28 Investeringskontroll – En åpen økonomi i en usikker tid (Investment control – An open economy in uncertain times – in Norwegian only). The Committee investigated the need for control of economic activity in relation to undertakings that are not subject to the Security Act and found that the current system for controlling foreign investments in such undertakings is too limited and fragmented. The Government’s finds that the current system for handling foreign investments that may present a threat to security and are not subject to the Security Act should be further developed. Work is therefore underway on a proposal for a new act on the control of foreign investments. The new act will help safeguard national security interests and ensure that Norway remains an attractive country for foreign investment. The work is seen in the context of regulatory developments in the EU in this area and in close dialogue with closely-related countries and the EU.

The Government has also recently established the Directorate for Export Control and Sanctions (DEKSA). Among other things, DEKSA will be responsible for issuing permits and guidance, and for executive control of exports of defence materiel, dual-use items, technology, services and knowledge. DEKSA will also play an important role in improving guidance for businesses.

Textbox 8.2 The Cosl case

Equinor’s 2023 announcement that it was to enter into agreements with the state-owned Chinese company Cosl to lease drilling rigs for use on the Norwegian continental shelf attracted a great deal of attention. Questions were raised about what assessments had been made, both by Equinor, which is subject to the Security Act, but also by the Government. During the process of examining the case, it became clear that Equinor had entered into the contracts following rigorous security assessments, and the company stated that the rigging company, through the contracts entered into, would not have access to Equinor’s process management and security systems, or any other sensitive information or infrastructure considered critical to national security under the Security Act.

8.3 Strengthen national control of critical infrastructure

In recent years, the ministries, NSM and other agencies have carried out considerable work on mapping assets that are important to national security interests, and the dependencies and value chains that form part of this. Knowledge of what assets different sectors and undertakings have at their disposal is vital to ensuring they can protect them and, if relevant, implement risk-reduction measures. However, many assets, including critical infrastructure, have not been adequately mapped. The Government is prioritising this work to strengthen national control of critical infrastructure, companies and value chains that are important for our national security interests. This is a prudent preventive measure for national security in the current security policy situation. A core aspect of this work also includes identifying and addressing different organisations’ needs for critical expertise and personnel across the crisis spectrum.

Mapping the military and civil infrastructure that supports defence capability is particularly important. Sweden and Finland’s membership of NATO means that allied reception and communication and supply lines across Norwegian territory, as well as interdependencies across national borders, are increasingly important. This may entail an increase in the number of critical national objects and infrastructures, also in civil society. NSM is following this up by stepping up its work on asset mapping, in line with the Security Act, and in consultation with the sector ministries and the Ministry of Justice and Public Security.

In their open threat assessments, the Norwegian Intelligence Service and the Norwegian Police Security Service (PST) point out that China and Russia are actively mapping Norway’s critical infrastructure, both through open sources and through intelligence activities. Openness and national security considerations are included in the Government’s assessment of what information about critical infrastructure should be openly available. The purpose is to strengthen national control. Relevant areas include oil and gas, power, electronic communications, ports and water supply.

A description is provided below of key measures initiated by the Government to strengthen national control of critical infrastructure.

Systematic work throughout society

In the current security policy situation, the Government has found it necessary to take a more in-depth look at certain sectors that are particularly affected by the threat and risk situation. These include the oil and gas, power and electronic communications sectors. The purpose has been to assess whether the existing level of security has been sufficient, and whether additional measures should be implemented, for example in personnel security, physical security, cyber security or other measures in line with the Security Act. Worst-case scenarios were also used as a tool. These reviews have contributed to a higher level of awareness across sectors on how to protect important assets. Such reviews will continue to be used as required, based on developments in the threat and risk situation and in connection with the system to be established for obtaining status assessments of areas critical to society, see Section 3.1.

Maritime security

Maritime covert intelligence activity is constantly taking place along the Norwegian coast, including in the form of civilian vessels engaged in gathering information. The activity may be linked to preparation for sabotage, but also to supporting influence attempts, or evading sanction regulations and potential infiltration. According to PST, Russia poses the greatest threat in this area. The intelligence and security services and the police work closely together to prepare open and classified assessments of the threat and risk situation, so that the actors and organisations involved can organise their preventive work in the best possible manner. Maritime security is also about countering sanction evasion, environmentally harmful conduct and other high-risk activities at sea, such as sabotage threats, including those associated with vessels in what is known as the ‘shadow fleet’.

Increased maritime surveillance is a key measure targeting the ‘shadow fleet’, and includes close information sharing and cooperation between relevant authorities in Norway, in addition to close cooperation with allied countries. The Government is therefore strengthening its situational awareness capability through increased surveillance, presence and control in our surrounding areas. As set out in the long-term plan for the defence sector, this will be achieved through new vessels and the development of satellite and drone capabilities. Norway is working together with our allied neighbours to identify and reduce the risk from such third-country vessels carrying Russian oil and oil products.

It is important for the Government to step up security in the maritime sector and ensure that there is close collaboration and coordination between civil and military authorities, as well as between the private and public sectors. Further development of the National Intelligence and Security Centre is one of several tools in this context. Well-functioning maritime transport markets is also important for national security. When assessing measures to prevent activity that presents a threat to security, this will also be weighed against the needs of the industry.

In 2025, the Government will appoint a legislative committee to evaluate and revise the Ship Labour Act and the Ship Safety Act. New technology, fuels and autonomy herald a need for new solutions that require updated maritime regulations. The heightened security situation also makes it more important than ever to have regulations in place that safeguard maritime safety and preparedness. The maritime industry has resources and assets that are of great importance to national security, and which constitute a major emergency resource across the crisis spectrum.

Regulations on entry into territorial waters

The Government has recently adopted new regulations on entry into territorial waters that will strengthen control of foreign vessels sailing to, from and within Norwegian territorial waters. The regulations describe the rules that apply to foreign vessels entering Norway’s territorial and internal waters. This will help to strengthen the Norwegian Armed Forces’ situational awareness and ability to control foreign vessels that may pose a potential threat to Norwegian maritime security. The new regulations reintroduce the possibility of sanctions for breaches of the regulations, which lapsed when the regulations were revised in 2018. The new regulations on entry into territorial waters entered into force on 1 January 2025.

Ports

As a result of the war of aggression against Ukraine, Norway has introduced a number of sanctions against Russia. This includes a comprehensive port ban, which, among other things, means that Russian vessels shall not have access to ports in mainland Norway. Russian fishing vessels have been granted a limited exemption from this ban and can call at the ports of Tromsø, Båtsfjord and Kirkenes to deliver fish, change crew and stock up on provisions. In summer 2024, the Government decided to further tighten the regulations for Russian fishing vessels, including limitations on where and how long these fishing vessels are allowed to spend in port, in addition to strengthening control activities in the three open ports.

The Government has taken several steps to assess the significance of ports for national security. Municipal ports covered by the Security Act have been informed of the relevant requirements set out in the Security Act. Consideration will be given to whether there is a basis for further ports to be subject to the Security Act, and whether there is a need to designate national critical assets. The importance of ports for our own national security, but also for NATO and allied reception across the crisis spectrum, can be significant. Norway’s capability to receive reinforcement forces has become more important since Sweden and Finland joined NATO. Ports and port facilities play an important role in the transport of goods, materials and fuel to the Norwegian Armed Forces. All ports and port facilities, both public and private, have a duty to assist the Norwegian Armed Forces in times of crisis and war. In addition, the Ports and Fairways Act sets further requirements for preparedness plans and training exercises in ports and port facilities that are particularly important for defence. It is therefore important for the Government to step up port security and ensure a close dialogue between central authorities, local authorities and port authorities.

Critical underwater infrastructure

Protecting critical underwater infrastructure is a priority for the Government. There are a number of initiatives, both at the national and international level, to protect this infrastructure, which in many cases crosses national borders. An inter-ministerial working group has been established to coordinate these efforts. A maritime network has also been established comprising the most important public agencies and civil actors that contribute to securing this infrastructure. In 2022, Prime Minister Jonas Gahr Støre and German Chancellor Olaf Scholz took the initiative for NATO to establish a centre to strengthen the protection of underwater infrastructure, which was established in 2024. In October 2024, the defence ministers of Norway and Germany proposed expanding this initiative to regional entities for different marine areas. In addition, in 2024, Norway and several countries bordering the North Sea signed a joint declaration on cooperation to protect underwater infrastructure.

The Norwegian Ocean Industry Authority has the role of central national contact point for exchanging information about incidents related to underwater infrastructure in the North Sea. The role entails following up its own area of responsibility, as well as coordinating and ensuring the necessary contact with and involvement of the Norwegian Communications Authority and the Norwegian Water Resources and Energy Directorate. A notification scheme will be established, which will be adapted to established notification channels and related notification schemes to avoid overlapping functions. Close cooperation between private and public actors, across sectors, is also essential to protect critical underwater infrastructure.

Electronic communications

In January 2024, the Government appointed an expert committee to make specific proposals on how the state can ensure national control of critical digital communications infrastructure (the Lysne III Committee). The Committee will provide the Government with a basis for assessing how we can safeguard and strengthen national control of critical infrastructure, for example through ownership. This also has transfer value to other sectors that manage critical infrastructure, critical value chains and security of supply. It is important for the Government to have a good knowledge base in order to ensure adequate national control of critical infrastructure across different sectors. The Lysne III Committee will submit its report in February 2025.

To ensure the authorities are able to prevent, avert, stop and investigate crime, and handle the loss of data centre services that are important to society, the Ministry of Digitalisation and Public Governance has proposed certain amendments to the data centre regulations to ensure the authorities in the justice sector and the electronic communications sector have access to necessary information and a better opportunity to implement the necessary measures.

The Government has also recently launched a national digitalisation strategy. The Digital Norway of the Future strategy stresses the importance for total defence of an infrastructure that is secure and robust throughout the entire crisis spectrum.2

Power

In June 2024, the Norwegian Water Resources and Energy Directorate submitted a proposal for consultation concerning amendments to the regulations relating to contingency planning in the power supply system (kraftberedskapsforskriften) on the definition of power-sensitive data. The main objective is to clarify what constitutes power-sensitive data. The amendment also aims to adapt the regulations to the technological developments in society, changes in the threat situation and what information is already openly available.

8.4 Strengthen national control over property of strategic significance or importance for security

In recent years, the intelligence and security services’ threat and risk assessments have focused on foreign ownership of properties in certain geographical areas. Ownership can pose a threat to national security interests in that the properties facilitate intelligence activities, sabotage, economic crime or other activities that threaten security. Hidden ownership of real property can facilitate this. The Government takes a broad approach to the ongoing work to address security challenges related to property.

Comprehensive overview of property ownership

Report No 9 to the Storting (2022–2023) National control and cyber resilience to safeguard national security, cf. Recommendation No 247 to the Storting (2022–2023) sets out the need for a comprehensive overview of property ownership. The Norwegian Tax Administration, the Brønnøysund Register Centre and the Norwegian Mapping Authority have mapped the authorities’ possible use of information about direct and indirect ownership and control of shares and real property. The mapping shows that there is no single joint register that serves to provide complete information about ownership of real property. The information available today is also of insufficient quality. The Government intends to increase control over property for reasons of national security by investigating statutory ownership registration to obtain sufficient information about the ownership of real property. The Norwegian Mapping Authority has been commissioned by the Ministry of Local Government and Regional Development to investigate measures to ensure an adequate overview and greater control over real property ownership.

Textbox 8.3 The Bergen Engines case

The Bergen Engines case drew attention to acquisitions as a means of appropriating technology. Royal Decree 21/1898, the decision that halted the sale of the Bergen company, states that: ‘Norwegian industry and Norwegian knowledge and research institutions are targets for Russian intelligence activities. Russia shows particular interest in companies that have unique expertise and technology, including within the defence industry and maritime sector. The Western sanctions regime is causing Russia to seek alternative methods to acquire critical technology and expertise in order to further develop its own military capabilities. The use of private actors is an example of such a method, and is something which makes it more challenging to detect and prevent covert procurement.’

In the Bergen Engines case, the property’s location was emphasised in the grounds for halting the sale: ‘The property is strategically located beside the northern approach to Bergen and defence installations of security importance for Norway and allied nations. Russian intelligence activities against Norwegian targets and interests may make the property an interesting platform for Russian services.’

Pursuant to Section 2-5 of the Security Act, ‘The King in Council (…) may make necessary decisions to prevent activities which present a threat to security or other planned or ongoing activities which may present a not insignificant risk of a threat to national security interests.’ This provision serves as a safety valve and has only been used a few times, including in the Bergen Engines case.

More stringent control over some types of properties

Certain properties may be important to security because they are located close to critical infrastructure such as ports, defence facilities or power supplies, and may thus be subject to activities that present a threat to security. The Government has strengthened control over such properties through amendments to the Security Act. The amendments entered into force on 1 July 2023 and provide an effective preventive tool to safeguard assets of significance to national security interests. If a ‘property of security significance’ poses a risk to an undertaking’s critical national objects and infrastructure, and the undertaking is unable to maintain a satisfactory level of security, the undertaking shall notify the national security authority or supervisory authority. Pursuant to Section 2-5 of the Security Act, The King in Council may make necessary decisions to prevent activities which may present a not insignificant risk of a threat to national security interests. If the state is going to sell a property, it is similarly important that it is aware of the impact this may have on security and preparedness in the future.

The Government will further strengthen control over properties of security significance, and will propose necessary amendments to rules to secure an approval scheme for the procurement of certain properties. The Norwegian National Security Authority (NSM) has made legal and security assessments of whether there is a legal basis for such an authorisation scheme, or whether the legal authority for such a scheme could be achieved by amendments to, for example, the Security Act. NSM has also considered introducing restrictions on foreign nationals buying property near military facilities. In its assessment, NSM has, in line with the assignment, paid particular attention to how the Finnish authorities have established their scheme, but also to other Nordic countries’ regulations as far as relevant.

8.5 Svalbard

In May, the Government presented Report No 26 to the Storting (2023–2024) Svalbard, cf. Recommendation No 36 to the Storting (2024–2025). The report sets out that the Government will continue to actively use policy instruments in its Svalbard policy and strengthen state governance and national control in Svalbard. Svalbard is an important part of Norway, and its administration has always been associated with strong national interests. Report No 26 to the Storting (2023–2024) reflects this, and, in the report, the Government proposes various measures to strengthen national control and support Norwegian communities in the archipelago. This includes a review of responsibility for and management of critical infrastructure. National control contributes to, among other things, achieving the goals set by the Storting in the Svalbard policy. The goals require that regulations and frameworks for Svalbard are assessed and adapted in line with the development of society, as well as according to other relevant developments.

8.6 Space activity

The importance of space activity for safeguarding national security is a separate topic in Report No 9 to the Storting (2022–2023) National control and cyber resilience to safeguard national security, cf. Recommendation No 247 to the Storting (2022–2023). The consequences of the loss of satellite-based services are highlighted in the Norwegian National Security Authority’s report Risiko 2024 Nasjonal sikkerhet – et felles ansvar (Risk 2024 National security – a joint responsibility – in Norwegian only). The Government’s digitalisation strategy 2024–2029 Digital Norway of the Future specifies that satellite-based services are part of the digital foundation, and national capability and resilience must be further developed and strengthened in the satellite area.

Society increasingly benefits from and depends on space. Space technology and satellites are of great significance for many important societal functions such as transport, power supply, monitoring of sea and land areas, communication and weather forecasting. Space-based data and services are therefore at the centre of security, preparedness and crisis management, and are already an integral part of safeguarding national security interests, for example for maintaining sovereignty, in the exercise of military force and in intelligence. The importance of space activity and geopolitical developments mean that situational awareness in the North is particularly important to both Norway and our allies.

Norway is a maritime nation with large marine areas in the far north. Satellites play a crucial role in safeguarding Norwegian interests in these areas. In times of emergency, crisis and war, the need for secure communication is significant and growing. We can become more robust by being able to employ different systems. Communication systems should therefore be based on a combination of satellite and ground-based solutions.

Norway is geographically well positioned for space-related activities such as launching and communicating with satellites and space surveillance. This makes it possible to establish national capability within certain satellite capacities. However, Norway is entirely dependent on international cooperation to safeguard total defence needs for secure access to space-based services. Such cooperation will also depend on Norway investing in its own capacities that both meet special national needs and have value for our partners. Norway is developing and deploying capacities to be able to make contributions to NATO cooperation, for example, and to be an attractive partner internationally, such as in the EU’s space programmes and bilateral cooperation.

Textbox 8.4 Greater focus on space security

The Norwegian Armed Forces’ capabilities are largely dependent on civil functions, such as transport services and power supply, functioning in different parts of the crisis spectrum. These functions rely on various satellite-based services. In order to strengthen national security and total defence, we need to increase knowledge and awareness of satellite system dependencies, and of the consequences of the loss of satellite-based services in all sectors of society. The Government is implementing or has implemented a number of measures:

The Security Act will be implemented in the space sector. Four space-related fundamental national functions have been identified: Satellite-based communication, satellite-based surveillance and earth observation, space surveillance and positioning, navigation and timing.
The loss of satellite-based services has been included in the planning of the Øvelse Digital 2025 exercise as one of several areas that should be given special attention.
Investigation of a national ground-based time service that ensures the accuracy of our timekeeping capability.

The Government is drafting a new act on activity in outer space (the Space Act). The new act will safeguard Norway’s obligations as a responsible space nation, commercial development and national security interests. A bill is scheduled to be submitted for consideration by the Storting in the first quarter 2025.

Textbox 8.5 Civil-military cooperation on surveillance and communication

In light of the total defence concept, national coordination through civil-military and public-private cooperation is important for also ensuring effective and secure utilisation of space activities. The following initiatives and capacities, represent some of the key collaborations:

A civil-military cooperation model has been established, Arctic Surveillance Program (ASP), for the development of new national capacities for maritime surveillance in the High North. This model ensures greater access to better satellite data, multi-use of satellite data, development of a Norwegian industrial value chain and, not least, that civil and military resources pull together in a cost-effective manner. Maritime satellite-based surveillance data is also a useful contribution to allied cooperation. Under the ASP framework, work is now underway on a pilot project for a separate national system for satellite-based surveillance.
In November 2023, the Norwegian Space Centre was commissioned to temporarily cover the role of national civil entity for space traffic surveillance (SER). Together with the Norwegian Armed Forces, SER will clarify operational national civil-military cooperation and develop Space Surveillance and Tracking (SST) capacity, including assessing an SST sensor under national control.
Located at high latitudes in Svalbard, Svalsat has a unique capacity for downloading satellite data for both civil and military needs. For example, Svalbard is one of the most important points for downloading weather data that helps ensure accurate weather forecasts the world over. Weather forecasting is critical for civil society, but not least for the Norwegian Armed Forces in a crisis or war situation. A new fibre optic cable to be established from Svalbard and Jan Mayen will ensure the transmission of data to the mainland for both civil and military needs. Space Norway’s geostationary satellites provide similar connectivity as the Troll Station in Antarctica.
In August 2024, two Space Norway satellites were launched as part of the Arctic Satellite Broadband Mission. The satellites carry payloads from the US military, the Norwegian Armed Forces and the commercial company Viasat, and provide better connectivity and situational awareness in the north.
We are also making efforts to secure participation in the EU’s new programme for secure global satellite-based connectivity for official purposes, Secure Connectivity/IRIS². This is a civil system, but may also be used for military purposes.
Andøya Spaceport has been established on a commercial basis, but will nonetheless be an important strategic resource for Norway in a total preparedness perspective. The development of the spaceport will potentially help to strengthen Norway’s and its allies’ capability to quickly launch new satellites that need to be replaced in peacetime, crisis and war.

9 Cyber resilience

The need for cyber resilience is increasing as a result of the security policy situation and the scope of digital vulnerabilities and cyberattacks. Cyber security in a national perspective requires long-term, predictable investment throughout society. The Government is implementing a number of measures to ensure that Norway establishes and maintains adequate national cyber security capacities and expertise. The work includes structural measures for closer involvement of the business sector and material measures to develop increased capacity to prevent, detect and manage cyber incidents.

Report No 9 to the Storting (2022–2023) National control and cyber resilience to safeguard national security – As open as possible, as secure as necessary, cf. Recommendation No 247 to the Storting (2022–2023), lays the political groundwork for the Government’s strategic direction, priorities and measures. A key aspect of the report is the use of regulatory instruments to make organisations accountable. At the same time, the authorities must make efforts to strengthen, coordinate and simplify preventive security work.

In addition to prioritising preventive work, Norway must have sufficient capacity to handle cyberattacks that are constantly increasing in both number and complexity. In recent years, significant resources have been deployed to defend Norway against harmful cyberattacks. Even though many good measures have been implemented, the cyber field is developing rapidly, and the Government will therefore implement further measures to strengthen cyber security on a par with our allies and partners.

The Government will:

assess, in cooperation with the business sector, a cyber security reserve consisting of relevant authorities and business communities.
strengthen research, innovation and technology development in cyber security through NCC-NO.
increase advisory and incident management capacity through the National Cyber Security Centre in the Norwegian National Security Authority.
participate in a Nordic-Baltic collaboration to increase operational cyber security cooperation.
develop a national portal for cyber security and a support tool to strengthen advice and guidance, and improve organisations’ digital self-preparedness.
strengthen the authorities’ cyber security coordination.
plan a national cloud service to ensure increased national control of critical digital infrastructure, important societal functions and digital assets.
strengthen quantum technology research through the Research Council of Norway.
consider measures to increase the number of people with the necessary cyber security expertise and ensure the most effective use of the expertise available.
continue to earmark funds for the Research Council’s industrial PhD and public sector PhD schemes aimed at cyber security and cryptology, for qualified applicants with security clearance.

9.1 Cyber security reserve in collaboration with the business sector

The lack of adequate cyber security expertise in society makes it all the more important to make the best possible use of the resources we have. Business and industry have important capacities, knowledge, expertise and innovative power. Key business sector representatives should be systematically and formally included in national cyber capacity. A number of leading countries have established or are planning cyber security reserves to strengthen the authorities’ incident management capability. Expert committees and environments have recommended that Norway also establish such a reserve. Efforts to improve preparedness for cyber security incidents are also high on the international agenda, one example being the ongoing work in the EU on the Cyber Solidarity Act. The Government is now following this up.

The Government will assess a cyber security reserve consisting of relevant authorities and business communities. Such a programme will be a predictable and scalable tool for effectively contributing to the management of crises that require efforts beyond ordinary staffing. The programme could also facilitate harmonisation of security work between actors and ensure closer cooperation between the authorities’ expert environments, academia and businesses, as pointed out by the Total Preparedness Commission.

The cyber security reserve will be particularly important in the event of major crises and incidents that require extra capacity and expertise. The structure of the reserve must be assessed in more detail, but it could entail the authorities entering into agreements with pre-designated business and industry actors with special expertise and resources in cyber security. The setup of the reserve will be assessed in collaboration with the business sector. The initial assessment must include existing frameworks and capacities at national and sector level, relevant actors, prioritisation mechanisms for assistance and agreements between authorities and the business sector that can regulate personnel expenses and set predictable thresholds for the use of the reserve. The setup of the reserve must be seen in the context of work on civil workforce preparedness. Consideration will also be given to international schemes and experiences.

Figure 9.1 National Cyber Security Centre

9.2 Facilitate a stronger cyber security industry

The authorities wish to encourage increased research, innovation and technological development. Among other things, this means contributing to a cyber security industry where security services are requested, developed and offered. One example is NSM’s quality scheme for suppliers’ management of ICT incidents. A stronger cyber security industry will increase the security of society, across public authorities and organisations, by bolstering suppliers who recognise market needs and security requirements.

The EU regulation establishing a network of national cyber security coordination centres is a key measure that Norway is following up. NSM and the Research Council of Norway have joined forces to establish a coordination centre for cyber security research and innovation, referred to as NCC-NO, with EU funding. An important task for NCC-NO will be to promote and guide applicants in the EU’s investment programme DIGITAL and Horizon Europe. Among other things, NCC-NO has established a cyber security grant scheme. The scheme is available to actors that support digital and critical infrastructure, small and medium-sized enterprises, public and private companies, as well as research and educational institutions.

9.3 Increased capacity for advisory services, detection and incident management

Readily available advice and the effective establishment of measures are essential for increasing organisations’ digital self-preparedness. The National Cyber Security Centre under NSM plays a key role in assisting public and private organisations in their preventive security work and ensuring contact between the various environments. The capacity of NSM has been strengthened to meet the ever-increasing need for advice and guidance, in line with the more serious threat and risk picture and in accordance with NSM’s expanded mandate.

The Government will develop a national portal for cyber security and a support tool to strengthen advice and guidance, and improve organisations’ digital self-preparedness. Key actors will participate in the work led by NSM. In the long term, the measure will be a central and effective tool in one-to-many guidance for organisations and possibly private individuals. The portal will be a common gateway for different user groups, but will be designed so that everyone receives uniform advice adapted to their user group. The portal will be launched in 2025.

Cyber incidents often occur across national borders. National capacities for detection and incident management must be supplemented by international capacities. European states and other allies are increasingly influencing Norwegian cyber security policy, and have in recent years taken major steps to secure resilience against cyber threats. The EU’s NIS directives will improve cooperation between member states, both in the event of serious incidents affecting important digital systems and in the event of major crises. Denmark has recently taken the initiative to establish a Nordic-Baltic cyber security collaboration (Cyber Consortium) centred in Copenhagen. Its object is to increase operational cyber security cooperation among the Nordic and Baltic countries. The measure is seen in the context of the EU’s work on cyber security, where the establishment of cyber hubs is a key measure to increase countries’ situational awareness and detection capabilities. The Government has decided that Norway will participate in the cooperation. Participation will increase situational awareness nationally and regionally, and send an important signal that we stand united at a time when multilateral arenas, such as NATO and the EU, are increasing their efforts in the field. The Government is also facilitating stronger incident management by increasing NSM’s capacity for incident management and practical assistance to affected organisations.

Textbox 9.1 National cloud service

The Government has initiated work to establish a national cloud service. The object of a national cloud service is to ensure increased national control of critical digital infrastructure, important societal functions and digital assets. A concept evaluation study is based on the central government’s need for a national cloud service for unclassified critical national information. The study addresses both technological, security-related, organisational, legal and financial issues. A wide range of concepts have been evaluated, with varying degrees of coordination, competitive tendering and own control of cloud services.

The Government’s choice of concept is based on the conclusion of an agreement with one or a few suppliers that will develop, operate and manage a national cloud service. The chosen concept will give the Government access to expertise, resources and innovation. Suppliers will be required to fulfil and provide guarantees for the requirement of national control of the cloud service. The regulations concerning cloud services will also be clarified.

9.4 Consistent advice and guidance from the authorities

It is currently a challenge for organisations that different regulations and guidelines overlap and are poorly harmonised. The lack of good coordination hampers preventive cyber security work, such as knowing which regulations you are covered by, which authorities you need to deal with, and which advice and guides should be used. As a result, the implementation of regulations is often delayed or inadequate, which, in the worst case, can mean that important assets are inadequately secured, in turn entailing significant economic and social consequences.

The Cyber Security Act was adopted on 7 December 2023, but has yet to enter into force. The Act is based on the NIS1 Directive and is an important tool for setting common security requirements for providers of essential and digital services. An advisory service is needed to make advice and guidance more coordinated and accessible, in line with the recommendations from the National Audit Office of Norway, among others.3

A key element in Report No 9 to the Storting (2022–2023) on national control and cyber resilience, cf. Recommendation No 247 to the Storting (2022–2023), is to increase coordination. This is to both make it clearer and easier for organisations to maintain an overview of regulations, advice and guidance, but also to ensure a better division of roles and responsibilities for efficient use of public resources.

In order to strengthen resilience, it is also important that organisations adhere to NSM’s basic ICT security principles, which are a set of principles and measures to protect information systems against unauthorised access, harm or misuse.

One key element has been to give NSM an expanded responsibility to provide guidance across the entire spectrum from citizens, small and medium-sized enterprises and municipalities, to large organisations and actors with responsibility for critical infrastructure. NorSIS, the Norwegian Centre for Information Security, has become part of NSM. Employees of the inter-municipal company Kommune-CSIRT have been offered employment with NSM. Moreover, HelseCERT’s mandate has been expanded so that it now also functions as a response and expertise centre for municipalities, including the county authorities. The Government has thus taken steps to strengthen guidance environments in several parts of the country, including rural areas.

The Government will map user needs and experience of the current organisation of cyber security guidance. The aim of this is to assess tasks, responsibilities and organisation.

9.5 Stronger expert environments in quantum technology

Quantum technology is a multi-use technology with civil and military applications. Quantum technology will provide better and more efficient services, products and security measures in most areas of society. At the same time, the technology will provide malicious actors with new tools, capacities and methods whose reach is unknown. The day quantum computers become powerful enough, they will be able to weaken cyber security by breaking many of the most commonly used encryption methods.

Cryptography is currently available that is assumed to be quantum-resistant and that is standardised for public use. IT suppliers such as Microsoft, IBM, Apple and Google use these quantum-proof standards in their products. However, some organisations have specially developed solutions that do not take this into account. It will therefore be important to develop knowledge about how security can be addressed in such solutions. In future systems and services, it will be important to address the need for quantum-resistant algorithms.

For 2025, the Government has proposed, and the Storting has approved, strengthening research into quantum technology through the Research Council of Norway by raising the annual allocation by NOK 70 million in relation to the current rate. This is an investment in knowledge preparedness in Norway, to ensure that Norway has the necessary expertise to handle Norwegian security needs and increase defence capability, and also prepare the business sector for a new technological reality and a new competitive landscape. The Research Council will organise its efforts to develop a robust national expertise environment of high international quality that will be able to compete and succeed in other arenas.

The initiative is part of the R&D pledge in the long-term plan for the defence sector. Quantum technology is of great importance to the defence sector because it can change the future of radars, sensors, navigation and data processing. The technology is both an opportunity and a threat to the technological development of the Norwegian Armed Forces. The initiative must be seen in the context of the Government’s work on a roadmap for tech-based businesses. The roadmap will describe the new terrain that is emerging and how business, research institutions and the public sector can navigate together to find ways to achieve transformation and value creation.

Textbox 9.2 New national digitalisation strategy

In autumn 2024, the Government presented The Digital Norway of the Future – National Digitalisation Strategy 2024–2030. The strategy has specific goals for where Norway should be in terms of digitalisation in 2030. Overall, the strategy will help make Norway the most digitalised country in the world, through, among other things, stronger governance and coordination of digitalisation policy. The strategy refers to a number of prerequisites that must be in place for digitalisation to succeed, including ‘bolstering security, emergency preparedness and crime prevention’. The strategy contains measures for various focus areas, including AI. In connection with the 2024 budget, it was proposed that the allocation for AI research be increased by NOK 1 billion over five years. The funding comes on top of the more than NOK 800 million already allocated to AI research through the Research Council of Norway. During 2025, Norway could see four to six new AI research centres. Together, the research centres will cover the three main tracks of the AI billion-kroner investment: societal impact, technology and innovation.

9.6 Increased expertise in cyber security

Access to cyber security expertise is vital for developing cyber resilience. Cyber security expertise is currently a scarce resource. The lack of such expertise is not only a challenge in Norway, but also an international challenge that has received increased attention from our allies.

A study conducted by the NIFU Nordic Institute for Studies of Innovation, Research and Education in 2023 on the Norwegian labour market’s need for cyber security expertise towards 2030 shows a shortage of 25%, i.e. that one in four positions will be unfilled in 2030.4 A similar study was also conducted in 2017. Compared with the 2017 study, unmet demand has decreased slightly because educational institutions have increased their capacity. Today, more people are studying cyber security both because more specialised study programmes are available in the field and because more study programmes include cyber security as a subject area.

Over time, there has been increased attention and high expectations in this field, particularly in relation to what the authorities are doing to meet the need for expertise. In 2019, the Ministry of Justice and Public Security and the Ministry of Education and Research drew up a national strategy for cyber security expertise with goals and measures for various focus areas. The 2023 study from the NIFU Nordic Institute for Studies of Innovation, Research and Education confirms the effect of several of the measures, but the challenges have not been solved. It is important to emphasise that Norway already has a high level of expertise in cyber security, but more people are needed with this type of expertise and measures to boost expertise must be sufficiently targeted. In Report No 5 to the Storting (2022–2023) Long-term plan for research and higher education 2023–2032, cf. Recommendation No 170 to the Storting (2022–2023), the Government will, among other things, prioritise facilitating the education of more engineers, graduate engineers and graduates with interdisciplinary expertise on societal security, more PhD candidates who can be granted security clearance and strengthen digital security expertise in key disciplines.

The challenges relating to expertise apply across both the civil and military sectors. The training exercise Locked Shields 2024 (see Box 4.5) showed that the Norwegian participants from NSM, the Norwegian Cyber Defence Force and the business and industry had good, thorough expertise in the topics covered by the exercise. The challenge is that we are not developing and establishing access to enough of this expertise to meet demand. This clearly shows that we must be better at utilising the resources we already have, among other things by considering more efficient work methods, as well as developing and increasing access to expertise.

The Ministry of Education and Research is responsible for education policy and has the most important instruments for assessing measures to ensure that we can meet needs. The Government has decided to consider measures to reduce the skills gap between supply and demand with respect to cyber security. The Ministry of Education and Research will follow this up in consultation with the Ministry of Justice and Public Security, the Ministry of Defence and other key ministries. The Government will continue to earmark funds for the Research Council’s industrial PhD and public sector PhD schemes aimed at cyber security and cryptology. These funds are available to all qualified applicants who have security clearance.

Footnotes

Hybrid threats refer to foreign states’ activities that, based on their purpose, affect Norwegian security directly or indirectly below the threshold of armed conflict. The phenomenon is also referred to internationally as ‘hybrid conflict’ or ‘political warfare’, and can be confused with ‘hybrid warfare’ as a military strategy. In this report, ‘hybrid threats’ is used as defined in Report No 10 to the Storting (2021–2022) Prioriterte endringer, status og tiltak i forsvarssektoren (Prioritised changes, status and measures in the defence sector – in Norwegian only), cf. Recommendation No 392 to the Storting (2021–2022), and Report No 9 to the Storting (2022–2023) National control and cyber resilience to safeguard national security, cf. Recommendation No 247 to the Storting (2022–2023), and hybrid activities is used to describe use of a broad range of methods and tactics.

Regjeringen.no (2024) Digital Norway of the future – National digitalisation strategy 2024–2030.

National Audit Office of Norway (2023) Myndighetenes samordning av arbeidet med digital sikkerhet i sivil sektor (The authorities’ coordination of work on cyber security in the civil sector – in Norwegian only). Dokument 3:7 (2022–2023).

Arbeidslivets behov for digital sikkerhetskompetanse frem mot 2030 (The labour market’s need for cyber security expertise towards 2030 – in Norwegian only). NIFU (Nordic Institute for Studies in Innovation, Research and Education) report 2023:4.

Next chapter

Previous chapter

Next chapter

Previous chapter

To front page

Go to the top

Meld. St. 9 (2024–2025)

Total preparedness