State actors and criminal networks are attacking critical infrastructure with increasing precision and speed. AI makes attackers faster, cheaper and harder to detect. For Norwegian businesses in the energy, maritime and public service sectors, this is not a scenario for the future - it's the current threat landscape.

Norway is an attractive target

Norway's role in NATO, our digitized economy and our position as an energy supplier to Europe make us a priority target for both state intelligence and criminal actors. NSM has repeatedly warned that Norwegian businesses are exposed to persistent, advanced attacks, so-called APTs (Advanced Persistent Threats), where the attackers can remain hidden in the systems for months before they strike.

AI amplifies these attacks in three ways:

  • Automated reconnaissance - attackers map vulnerabilities at scale, faster than manual defenses can keep up.
  • Deepfake and social engineering - AI-generated communications are now virtually indistinguishable from the real thing, making phishing far more effective.
  • Adaptive malware - attack tools that adapt to and bypass traditional detection mechanisms in real time.


Compliance is the floor - not the ceiling

The Digital Security Act (DSL), which came into force on October 1, 2025, tightens the requirements for risk assessment, incident management and collaboration for Norwegian businesses. The upcoming NIS2 directive, expected to be incorporated into Norwegian law in 2026, will extend these requirements to more sectors and introduce significant sanctions for non-compliance.

But the legislation describes minimum requirements, not sufficient protection. Businesses that only aim for compliance are already lagging behind in the face of a threat landscape that is evolving faster than the regulations.

Ask yourself these questions:

  • Do you know which vendors have access to your critical systems today?
  • Have you tested your contingency plan in the past year?
  • Would you detect an ongoing attack?

 

Three areas that require management attention now

1. Supply chains are your biggest blind spot

The most serious attacks in recent years haven't gone straight to the target; they've gone through suppliers and subcontractors with weaker security. For Norwegian businesses in the oil, gas and technology sectors, this is particularly critical. Strict security requirements for suppliers, ongoing monitoring and regular follow-up are no longer optional; they are a prerequisite for being able to rely on your own infrastructure.

2. Humans are an attractive attack target

AI-generated phishing attacks are now so convincing that technical tools, not just training, are needed to catch them. At the same time, psychological safety around reporting - that employees actually report suspicious incidents without fear of repercussions - is what separates companies with good security cultures from those without. Simulation frequency and reporting culture are measurable indicators that management should follow.

3. Real-time alerting and collaboration are not technical luxuries

Dynamic threats require dynamic defenses. Connecting to NSM's alert systems and sharing threat information with relevant security partners allows Norwegian businesses to act on new attack patterns before they reach their own systems. This is not an IT issue; it's a strategic choice about how quickly the business can respond to a crisis.

 


What the healthcare sector learned from a data breach that affected 12.9 million

In May 2024, sensitive prescription and health information for nearly 13 million patients was exposed after an attack on an Australian e-prescription provider. The attackers got in through a system handling critical healthcare infrastructure, not through an obvious vulnerability, but through a trust relationship that had not been verified. Similar scenarios are entirely possible in the Norwegian healthcare sector, and ransomware attacks against Nordic organizations such as Norrmejerier and Umeå University show that no sector is immune.

What these incidents have in common is that recovery was costly, time-consuming and reputationally damaging - and in many cases, contingency plans were not tested under realistic conditions.

 

Cybersecurity is a leadership responsibility

Supply chains, particularly in oil, gas and technology, are a vulnerable point. Strict supplier security requirements, monitoring and regular follow-up are necessary to reduce risk.

 


Cyber security is a management responsibility

Cyber security cannot be fully delegated to the IT department. The board and senior management must own the risk picture, set the level of ambition and ensure that investments in detection, response and competence keep pace with the threat. It's not just about technology - it's about the level of risk the business is willing to accept and whether it has the capacity to deal with the worst when it happens.

AI doesn't just change how attackers operate; it also changes what it is possible to defend against. Automated attacks against critical infrastructure can now occur at a pace and scale that makes manual response inadequate. Power grids, water supply and industrial digital control systems are all areas where a successful attack can have immediate physical consequences, not just data loss. At the same time, AI opens up new options on the defensive side: systems that continuously monitor traffic patterns, detect anomalies and alert before the damage is done. The difference between businesses that survive an attack and those that don't will increasingly come down to how quickly they detect it, and that is determined by whether they invested in the right technology beforehand.

Businesses that succeed in the future are not necessarily those with the most security tools. They are the ones that have built a culture where security is everyone's responsibility, where management asks the right questions - and where crises are practiced before they happen.