

Survey Answer:

In summary, the obligations regarding IT security according to Question 3, above, mainly relate to governance requirements, i.e. requirements to implement and document security measures and internal control systems in the organization. The requirements for IT security thus mainly focus on preemptive actions and routines to avoid IT security breaches. The obligations also relate to confidentiality, interaction with supervisory bodies in case of a data breach, etc.
Below, we have further specified the obligations regarding IT security according to Question 3, above:
A. Telecom providers are subject to the following obligations regarding IT-security:
(i) To implement security measures for the protection of communications and data;
(ii) To notify subscribers/users and/or authorities in case of security breach;
(iii) To delete traffic data, location data and personal data as soon as they are no longer necessary;
(iv) To maintain confidentiality about the content of electronic communication and use of electronic communication; and
(v) To maintain preparedness by drawing up and maintaining plans and carrying out measures to ensure sufficient IT security.
B. Energy suppliers are subject to the following obligations regarding IT-security:
(i) To establish routines for protecting and controlling access to sensitive information,
(ii) To perform risk and vulnerability analyses,
(iii) To appoint an IT security coordinator,
(iv) To notify and report undesirable incidents such as data breach to the authorities,
(v) To maintain preparedness by performing practical drills for extraordinary situations, also within IT security,
(vi) To establish and document internal control programs in order to comply with, inter alia, IT-security requirements, and
(vii) To comply with specific requirements for the security of the operation control systems of KBO entities. The KBO entities are responsible for ensuring the functionality and security of operation control systems in order to provide a stable and continuous power supply. Operation control systems include control centers and affiliated data centers, communication facilities, software for monitoring and controlling facilities, and other infrastructure.
C. The offshore sector is subject to the following obligations regarding IT-security:
(i) To maintain a high level of security in accordance with the technological development;
(ii) To initiate and maintain security measures to contribute to avoiding deliberate attacks against facilities and have contingency plans to deal with such attacks (such as espionage and sabotage).
D. The public sector is subject to the following obligations regarding IT-security:
(i) To establish internal control and IT-security routines;
(ii) Protect classified information;
(iii) To obtain approval of information systems from the National Security Authority, if such systems are used for the processing of sensitive information;
(iv) Apply cryptosystems approved by the National Security Authority to protect sensitive information; and
(v) Notify the supervisory authority, if the organization becomes aware of activities which might pose a threat to security.
E. The health sector is subject to the following obligations regarding IT-security:
(i) To implement planned and systemized efforts to ensure adequate information security with regard to confidentiality, integrity, quality and availability in relation to processing of personal health data.

Provided By:
Haakon Opperud: Advokatfirmaet Thommessen AS