Read the untranslated law here: https://lovdata.no/dokument/NL/lov/2016-08-12-78
Law amending the Security Act (reduction of the number of clearance authorities etc.)
Ministry: Ministry of Defence
Commencement: The King decides
12.08.2016 at 14.00
Changes to the Security Act
The Act of 20 March 1998 No. 10 on protective security services is amended as follows:
§ 2, fourth to eighth paragraphs should read:
§ 29 a applies to all procurement of critical infrastructure. The King may issue regulations concerning the identification of critical infrastructure and on information to legal entities that own or have disposal of critical infrastructure.
The Act applies to courts with the special provisions resulting from the provisions on security and authorization and pursuant to the Courts Act and the Criminal Procedure Act. The King may establish additional special rules.
The provisions laid down in and pursuant to Chapter 6 of the Act on personnel safety do not apply to members of the Government and judges of the Supreme Court.
The Act does not apply to Parliament, the Auditor General, the Parliamentary Ombudsman and other organs of Parliament.
The Act applies to Svalbard and Jan Mayen to the extent decided by the King.
§ 3 subsection paragraph. 21 should read:
Critical infrastructure: plants and systems that are necessary to maintain the community's basic needs and functions.
New § 5a shall read:
§ 5 a. Notification obligation and authority to make decisions in the event of risk of security-threatening activities
A business that acquires knowledge of a planned or ongoing activity that may involve a significant risk that security-threatening activities are established or implemented shall notify the ministry in charge of this. If the notifiable activities are not subject to any ministry, notice shall be given to the Ministry of Defence. The notification duty applies notwithstanding statutory duties of confidentiality. When a notice under the first and second sentences is processed, advisory opinions should be sought from the relevant bodies with expertise in the relevant discipline.
The King in Council can make the decisions necessary to prevent a planned or ongoing activity mentioned in the first paragraph. Such a decision can be taken without regard to the limitations of the Public Administration Act § 35, and regardless of whether the activity is permitted by other law or other decisions. Decisions pursuant to the first sentence are especially enforceable by the Enforcement Act Section 13
The King in Council may make regulations concerning the notification requirement in the first paragraph and on which decisions can be made under the second paragraph.
§ 9 subsections e and f shall read:
operate a national response function for serious cyberattacks against critical infrastructure and a national warning system for digital infrastructure,
provide information, advice and guidance to businesses.
In Chapter 3, new § 10 a shall read:
§ 10 a. Processing of personal data
When it is necessary to perform the tasks under § 9 subsection e, the National Security Authority may process personal data in the form of:
metadata on ICT traffic to and from activities related to the national warning system for digital infrastructure
information necessary to analyze triggered alarms in the warning system
IP addresses received from national and international partners
logs and infected hardware, with the consent of a business where this is necessary in connection with assistance to the management of serious cyberattacks.
In cases other than those mentioned in the first paragraph, personal information can be processed when this is strictly necessary to safeguard duties under § 9 subsection e, and the processing, after an assessment, appears both necessary and proportionate in relation to the interference with privacy it represents.
The King may issue regulations concerning the National Security Authority's personal data processing.
New § 13a shall be added:
§ 13a. For safety monitoring of approved information
The individual enterprise shall continuously monitor an authorized information system for safety-threatening incidents against the information system, preferably using automated system monitoring. Relevant safety incidents must be recorded.
Information exchanged between systems, across authorization stand or to portable storage media, should be recorded and stored.
Several businesses associated with the same information may agree that one of them shall be responsible for monitoring and recording under the first and second paragraphs on behalf of the responsible business.
Information recorded under the first and second paragraphs shall be stored for five years. Such information shall be used only to deal with security-threatening events.
The individual enterprise shall ensure that authorized users of information systems that are monitored under this provision receive information about the purpose of the processing, whether the measures are implemented, whether the information will be disclosed, and the identity of the recipient.
The King may issue regulations concerning:
types of data that can or will be registered and stored
who should have access to the recorded and stored data
how access will be given
exceptions from storage for five years.
§ 23 shall read:
§ 23. Authorizing authority and clearance authority
Authorization may be granted if the authorizing authority does not have information that makes it doubtful whether the person concerned can be relied on in terms of safety. Authorization is normally given by the operation manager. Authorization shall not be granted until notification of security clearance has been received, except in the cases described in § 19, third paragraph, and an authorization call has been held. The National Security Authority issues rules for authorization and on who is the authorizing authority.
The King appoints a clearance authority for the defense sector and for the civilian sector. The King may designate other clearance authorities if there are special reasons for doing so. The intelligence and security services clear their own personnel.
§ 28 first paragraph, second sentence should read:
The King issues regulations concerning the validity of provider clearances.
The heading of Chapter 7 should read:
Chapter 7. Security-classified procurement and procurement of critical infrastructure
In Chapter 7, new § 29 a shall read:
§ 29 a. Notification obligation and authority to make decisions on procurement of critical infrastructure
When critical infrastructure is procured, a risk assessment is to be carried out. The assessment must determine whether the acquisition involves a significant risk that security-threatening activities are established or carried out on or by the use of the infrastructure. The obligation to conduct a risk assessment does not apply if it appears obvious that the acquisition cannot involve any such risk.
A business that owns or has disposal of critical infrastructure shall notify the parent ministry if a risk assessment as mentioned in the first paragraph concludes that the acquisition may involve a significant risk that security-threatening activities are established or implemented. Businesses that are not subject to any ministry shall notify the Ministry of Defence. The notification duty applies notwithstanding statutory duties of confidentiality. This obligation does not apply if the business itself initiates mitigation measures that eliminate the risk or make it insignificant.
A ministry that receives notification under the second paragraph should obtain an advisory opinion from the relevant bodies about the risk potential of the delivery and the suppliers' safety reliability.
If an acquisition for critical infrastructure could involve an appreciable risk that security-threatening activities are established or completed, the King in Council may decide that the contract should be denied completion, or that it be set for implementation. This also applies if an agreement for the acquisition has already been signed. If no decision is made under the first sentence, the Ministry shall notify the company about this. Decisions pursuant to the first sentence are especially enforceable by the Enforcement Act Section 13
The King in Council may make regulations concerning the procurement of critical infrastructure.
The Act applies from the time the King decides. The King may decide that different provisions shall enter into force at different times.