11/06/2026
NIS2 and DORA — without the panic. Here's what Norwegian SMB owners actually need to do.
Consultants are selling panic about NIS2 and DORA, and "personal liability for daily managers" lands in the inbox weekly. Most of what they're shouting about doesn't apply to you. We summarised the essentials in a 14-page brief — who's actually in scope, what's in force in Norway, and what's just noise.

We're getting emails from Norwegian SMB owners who've read they "may be personally liable" if NIS2 isn't followed. They've slept poorly for a week. They're considering spending 50 000 NOK on a compliance package.
Most of what they heard is exaggerated or simply wrong.
Here's the status in Norway as of June 2026:
DORA — the European regulation on digital operational resilience — has been in force in Norway since 1 July 2025. It applies to the financial sector. Banks, insurance, payment institutions, crypto firms. If you're not one of these, DORA doesn't apply to you.
NIS2 is NOT in force in Norway yet. The EEA incorporation isn't complete. We expect entry into force during 2026 via a brand-new cybersecurity law — the one currently in force (since October 2025) implements the old NIS1. When NIS2 arrives, it will hit about 5 000 Norwegian entities, not "all SMBs".
To be in scope for NIS2 you must pass two filters simultaneously: at least 50 employees (or over €10M in revenue and balance sheet), AND operate in a specific critical sector — energy, transport, finance, health, postal, chemicals, ICT services among others. A typical Norwegian consultant, accounting firm, or e-commerce business outside these sectors is not covered.
Article 20 on personal liability for management is real — but only applies if the entity is classified as essential or important. If you're out of scope, you don't have an Article 20 problem.
We summarised all of this in a 14-page brief — with source citations, a Norwegian implementation timeline, and a concrete decision flow so you'll know at a glance whether any of this applies to you.
Download it for free. It's in Norwegian, takes 10 minutes to read, and contains zero scare tactics.
→ Download the NIS2 and DORA brief (PDF, 14 pages)
What we think you should actually look at in 2026 is the EU AI Act — it hits much more broadly than NIS2 because Article 4 on AI literacy applies to every employer using AI, regardless of size or sector. We cover that in the brief and in our earlier article on the AI Act for Norwegian SMBs.
*This is not legal advice. It is a summary built on Finanstilsynet, NSM, PwC, Deloitte, and direct regulation text. Consult a lawyer before making concrete decisions.*

Roger Agerup
Founder and AI advisor