This thesis will examine how aligned is Norway's national legislation and cybersecurity strategy with the NIS2* Directive in the context of cybersecurity incident reporting requirements.
A key aspect is verifying that specific NIS2 articles have been transposed effectively into Norwegian national legislation and the cybersecurity strategy that, together with other requirements, aim to support a common high level of cybersecurity for the essential and important entities of the country and foster international cooperation and the facilitation of situational awareness, preparedness, and response capabilities of Norway and the EU as a whole.
The thesis will also focus on mapping and demystifying Norway's underlying cybersecurity ecosystem and entities involved in such transactions, including single point(s) of contact, the national security authority, sectorial CSIRTs/CERTs/ISACs, and operators of essential services (referred to as important & essential entities in NIS2). We will investigate the established governance model and workflows for incident reporting (from end to end), incident reporting templates, and how such actions are performed (eg, obligation or voluntarily).
*(Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the Union (amending Regulation (EU) No 910/2014 and Directive (EU) 2018 /1972 and repealing Directive (EU) 2016/1148).