
Overview of Norway's Security Act

Apr 23, 2025

Lecture on the Security Act of Norway

Introduction

  • Official Title: Act relating to national security (Security Act)
  • Date Enacted: June 1, 2018
  • Ministry: Ministry of Justice and Public Security
  • Entry into Force: January 1, 2019
  • Original Title: Lov om nasjonal sikkerhet (sikkerhetsloven)
  • Note: Unofficial translation for informational purposes; the Norwegian version prevails in case of inconsistency.

Chapter Overview

  1. Purpose and scope
  2. Responsibility and authority related to protective security work
  3. Supervision
  4. General requirements concerning protective security work
  5. Information security
  6. Information system security
  7. Object and infrastructure security
  8. Personnel security
  9. Classified procurements
  10. Restrictions on ownership
  11. Special oversight arrangements, fines, and penalties
  12. Entry into force and amendment of other acts

Chapter 1: Purpose and Scope

Section 1-1: Purpose

  • Objectives:
    • Protect sovereignty, integrity, and democratic governance
    • Prevent, detect, and counter security threats
    • Ensure security measures align with democratic values

Section 1-2: Application

  • Applies to governmental bodies and suppliers in classified procurements
  • Includes specific applications to Svalbard, Jan Mayen, and dependencies

Section 1-3: Decision on Application

  • Ministries decide the act’s application to undertakings handling classified information
  • National Security Authority can propose decisions

Section 1-4: Application to Government Bodies

  • Applies to the Storting, government, and courts with specific provisions

Section 1-5: Definitions

  • Key Terms:
    • National security interests
    • Fundamental national functions
    • Protective security work
    • Activities threatening security
    • Associates

Chapter 2: Responsibility and Authority

Section 2-1: Ministerial Responsibility

  • Ministries must identify fundamental functions and notify the National Security Authority

Section 2-2: National Security Authority

  • Oversees compliance, provides guidance, and facilitates information exchange

Section 2-3: Exchange of Security Information

  • Arranges access to threat assessments

Section 2-4: Cybersecurity Response

  • National authority for cyberattack response and warning system
  • May process relevant personal data

Section 2-5: Decisions on Security Risks

  • King in Council can make necessary security decisions

Chapter 3: Supervision

Section 3-1: Supervision of Undertakings

  • National Security Authority supervises compliance

Section 3-2: Cooperation

  • Cooperation agreements between supervisory authorities

Section 3-3: Supervision Principles

  • Avoid disruption, use information only for security work

Section 3-4: Site Access

  • Authorities can access and inspect sites

Section 3-5: Processing Personal Data

  • Must not infringe privacy rights unnecessarily

Section 3-6: Instructions

  • Can instruct measures to fulfill the act’s purpose

Chapter 4: General Requirements for Security Work

Section 4-1: Security Management

  • Responsibility lies with the head of the undertaking

Section 4-2: Risk Assessment

  • Regular assessments are mandatory

Section 4-3: Security Measures and Exercises

  • Implement necessary measures, conduct regular exercises

Section 4-4: Documentation

  • Document risk assessments and security measures

Section 4-5: Duty to Notify

  • Immediate notification of security breaches required

Chapter 5: Information Security

Section 5-1: Critical National Information

  • Defines what constitutes critical national information

Section 5-2: Protection

  • Ensure security in relation to access, alteration, and availability

Section 5-3: Classification

  • Defines classification levels: TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED

Section 5-4: Access and Secrecy

  • Access only for those with need-to-know; secrecy obligation

Section 5-5: Surveillance

  • The National Security Authority (NSA) can inspect premises for security breaches

Section 5-6: Cryptosecurity

  • Cryptosystems must be NSA-approved

Chapter 6: Information System Security

Section 6-1: Critical Systems

  • Information systems critical for national functions

Section 6-2: System Protection

  • System security measures required

Section 6-3: Approval

  • Critical systems must be approved before use

Section 6-4: Monitoring

  • Continuous monitoring required

Section 6-5: Penetration Testing

  • NSA may test systems upon request

Section 6-6: Communication Monitoring

  • NSA can check if systems exceed security approval

Chapter 7: Object and Infrastructure Security

Section 7-1: Critical Objects

  • Identification and classification required

Section 7-2: Classification

  • Defines criticality levels: HIGHLY CRITICAL, CRITICAL, IMPORTANT

Section 7-3: Protection Measures

  • Undertakings must implement security measures

Section 7-4: Security Testing

  • NSA can test security of objects/infrastructure

Section 7-5: Access Restrictions

  • Regulations on access near military areas

Chapter 8: Personnel Security

Section 8-1: Clearance and Authorisation

  • Clearance required for classified information access

Section 8-2: Security Clearance

  • Necessary for access to CONFIDENTIAL or higher information

Section 8-3: Access Clearance

  • Required for access to critical objects

Section 8-4: Clearance Decisions

  • Based on suitability and reliability

Section 8-5: Vetting

  • NSA responsible for vetting

Section 8-6: Conditional Clearance

  • Conditions may apply

Section 8-7: Foreign Nationals

  • Clearance after assessment of ties to home country

Section 8-8: Revocation

  • Clearance can be revoked if suitability changes

Section 8-9: Authorisation

  • Procedures for granting authorisation

Section 8-10: Authorisation Changes

  • May be downgraded, suspended, or revoked

Section 8-11: Notification Duty

  • Must notify changes affecting security suitability

Section 8-12: Police Service Information

  • NSA can share clearance data with Police Security Service

Section 8-13: Decision Reasons

  • Must notify individuals of clearance decision outcomes

Section 8-14: Disclosure

  • Individuals can examine case documents

Section 8-15: Legal Assistance

  • Entitled to appointed lawyer for clearance issues

Section 8-16: Clearance Authorities

  • Designated authorities for clearance

Section 8-17: Appeals

  • Appeals processes for clearance decisions

Chapter 9: Classified Procurements

Section 9-1: Definition

  • Supplier access to classified information or objects

Section 9-2: Security Agreements

  • Required for classified procurement

Section 9-3: Facility Clearance

  • Supplier must hold clearance

Section 9-4: Procurement Notices

  • Notices required for critical system procurement

Chapter 10: Ownership Restrictions

Section 10-1: Notification Duty

  • Notify ministry/National Security Authority on acquisition

Section 10-2: Processing Notices

  • Ministry/NSA decision timeline

Section 10-3: Prohibit Acquisition

  • King in Council can prohibit risky acquisitions

Chapter 11: Oversight and Penalties

Section 11-1: Oversight Arrangements

  • Parliamentary oversight

Section 11-2: Coercive Fines

  • Imposed for non-compliance

Section 11-3: Fines

  • For intentional or negligent contraventions

Section 11-4: Legal Penalties

  • Fines or imprisonment for violations

Chapter 12: Entry into Force

Section 12-1: Commencement

  • Effective from January 1, 2019

Section 12-2: Repeal

  • Repeals the Act of March 20, 1998

Important Notes

  • This act is pivotal for safeguarding Norway's national security across various domains, including information, personnel, and infrastructure security.