Sikkerhetsloven: Strengthening Critical Infrastructure Protection in Norway’s Cybersecurity Landscape

Executive Summary: Norway’s Sikkerhetsloven (Security Act) of 2018 establishes a robust legal framework for protecting critical infrastructure against cyber and physical threats. In the context of Norway’s evolving cybersecurity landscape—amplified by global vulnerabilities such as CVE-2025-53773 and the rising adoption of RPKI for secure BGP routing—this legislation plays a pivotal role in safeguarding national resilience. This article examines the scope, requirements, and strategic implications of Sikkerhetsloven, highlighting its alignment with modern cybersecurity challenges and offering actionable guidance for compliance and risk mitigation.

Key Findings

• Legal Foundation: Sikkerhetsloven mandates mandatory cybersecurity requirements for critical infrastructure operators in sectors such as energy, transport, healthcare, and communications.
• Threat Environment: Emerging vulnerabilities like CVE-2025-53773 in AI-assisted development tools (e.g., GitHub Copilot) and vulnerabilities in BGP routing underscore the urgency of robust protection measures.
• Regulatory Scope: The Act requires risk assessments, incident reporting, and compliance with sector-specific security standards issued by the Norwegian National Security Authority (NSM).
• RPKI Adoption: Route Origin Validation (ROV) through RPKI is increasingly critical to prevent BGP hijacking, a growing concern for national infrastructure.
• Enforcement & Accountability: Non-compliance can result in administrative fines, operational restrictions, or even criminal liability for negligence.

Introduction to Sikkerhetsloven

Enacted to address increasing cyber and hybrid threats, Sikkerhetsloven (Security Act) entered into force on January 1, 2019, replacing and modernizing previous security legislation. It applies to operators of critical infrastructure—defined as entities whose disruption could significantly affect national security, public safety, or economic stability. The Act is complemented by sector-specific regulations and guidelines issued by the Norwegian Directorate for Civil Protection (DSB) and the National Security Authority (NSM).

The legislation reflects a shift from voluntary compliance to mandatory cyber resilience, driven by a recognition that digital dependencies create systemic vulnerabilities. In the era of AI-driven development and cloud-native architectures, this proactive stance is essential.

Critical Infrastructure Sectors Under Sikkerhetsloven

The Act covers a broad range of sectors, including:

• Energy: Power generation, transmission, and distribution networks.
• Transport: Air, rail, road, and maritime infrastructure.
• Healthcare: Hospitals and emergency services reliant on digital systems.
• Communications: Telecommunication networks and data centers.
• Critical Digital Infrastructure: Cloud services, DNS, and data handling systems.

Each sector must implement security measures commensurate with the risk level, as determined by NSM. These measures are operationalized through detailed security requirements published in sector-specific regulations, such as the Forskrift om informasjonssikkerhet i kritisk infrastruktur og kritiske samfunnsfunksjoner (Regulation on Information Security in Critical Infrastructure).

Addressing Emerging Threats: CVE-2025-53773 and AI-Assisted Development

In August 2025, CVE-2025-53773 was disclosed—a critical vulnerability in GitHub Copilot and Visual Studio involving improper neutralization of special elements (e.g., code injection via AI-generated suggestions). This vulnerability highlights the risks of integrating AI tools into development pipelines without rigorous input validation and sandboxing.

For organizations governed by Sikkerhetsloven, such vulnerabilities are not merely technical defects—they represent potential points of compromise in critical systems. Compliance requires:

• Secure Development Lifecycle (SDLC): Integrating static and dynamic code analysis tools to detect AI-assisted injection risks.
• Access Control: Restricting AI tool usage to development environments with strict input sanitization.
• Incident Response: Including AI-generated code failures in threat modeling and response procedures.
• Third-Party Risk Management: Ensuring vendors and contractors adhere to secure coding standards, especially when using AI-powered tools.

The NSM has emphasized that AI integration must be governed by the principle of human oversight and defense in depth, aligning with Sikkerhetsloven’s risk-based approach.

RPKI: Securing BGP Routing Against Hijacking

Another critical element in Norway’s cybersecurity strategy is the adoption of Resource Public Key Infrastructure (RPKI), a cryptographic framework that validates the legitimacy of IP address announcements in the Border Gateway Protocol (BGP).

BGP hijacking—where malicious actors redirect internet traffic by falsifying route advertisements—remains a persistent threat to critical infrastructure. RPKI mitigates this through Route Origin Authorization (ROA) records, which digitally sign the legitimate holders of IP prefixes. Network operators can then validate these routes before accepting them.

Norway’s national research network, Uninett, and major ISPs have begun deploying RPKI, with NSM recommending full adoption by 2027. This aligns with Sikkerhetsloven’s requirement for secure communications infrastructure and reflects a broader EU trend under the NIS2 Directive and Digital Operational Resilience Act (DORA). For entities covered under the Act, RPKI is increasingly considered a baseline security control.

Compliance Obligations and Enforcement

Sikkerhetsloven imposes several key obligations on critical infrastructure operators:

• Risk Assessment: Conduct annual or event-driven risk analyses covering cyber, physical, and supply chain threats.
• Security Measures: Implement technical and organizational controls (e.g., encryption, network segmentation, access logging).
• Incident Reporting: Notify NSM within 24 hours of detecting a serious cybersecurity incident.
• Documentation & Audits: Maintain detailed records and undergo periodic audits by NSM or external assessors.
• Continuous Monitoring: Deploy intrusion detection/prevention systems (IDS/IPS) and SIEM solutions.

Enforcement is rigorous. The NSM can issue binding security instructions, impose administrative fines (up to NOK 10 million or 2% of global turnover), and, in extreme cases, order cessation of operations. Criminal liability may apply for negligent endangerment of national security.

Alignment with International Standards

Sikkerhetsloven reflects alignment with international frameworks such as ISO/IEC 27001, NIST CSF, and the EU’s NIS2 Directive. This harmonization facilitates cross-border cooperation and ensures that Norwegian operators meet global best practices. Notably:

• NIS2 Compliance: Norway, as part of the EEA, is aligning its sectoral regulations with NIS2, expanding coverage to include digital infrastructure and managed service providers.
• CSA Principles: Cloud Service Agreements must comply with Norwegian data protection and security standards, especially for critical workloads.
• Critical Information Infrastructure (CII) Protections: Aligns with guidelines from ENISA and ITU.

Recommendations for Operators

To ensure compliance and resilience under Sikkerhetsloven, organizations should:

• Establish a Security Governance Board: Led by senior management, with representation from IT, legal, and operations.
• Adopt a Zero Trust Architecture: Enforce least-privilege access, micro-segmentation, and continuous authentication.
• Implement RPKI and BGP Filtering: Deploy route origin validation and filtering to prevent hijacking.
• Conduct Threat-Informed Red Teaming: Simulate attacks leveraging AI tools and supply chain vectors