Compliance
Documentation for security work,
not certification.
qEY Coverage produces technical documentation that can support vulnerability management, audit preparation and supplier follow-up. It does not make any organization automatically compliant with NIS2, the Norwegian Digital Security Act, or any other regulation.
This page covers what the current Norwegian regulatory landscape looks like, who it affects, and what kinds of evidence Coverage helps you produce.
Where Norway stands
Two phases:
in force, and incoming.
In force
Digitalsikkerhetsloven
Norway's Digital Security Act came into force on 1 October 2025, transposing the EU's original NIS directive (NIS1) into Norwegian law. Requirements applied from day one - the law is not phased.
It primarily covers organizations providing essential services in energy, transport, health, water supply, banking, financial market infrastructure and digital infrastructure - and providers of certain digital services. In-scope organizations register with NSM (Nasjonal sikkerhetsmyndighet).
Incoming
NIS2
NIS2 is the EU's expansion of the original directive. As of this writing, it is not yet incorporated into the EEA Agreement and not yet implemented into Norwegian law. Norway plans to transpose NIS2 by amending the existing Sikkerhetsloven (Security Act) rather than passing a separate law.
Public estimates suggest roughly 5,000 Norwegian organizations will fall in scope once NIS2 is transposed, with first NSM-led audits expected from late 2026 onwards. Timing is subject to change.
Sources: NSM (nsm.no), Norwegian government publications, ECSO NIS2 transposition tracker. Always verify current status with primary sources or your legal counsel.
Even if you're not directly regulated
Your customers might be.
NIS2 places explicit obligations on in-scope organizations to manage supply chain security - meaning they must hold their direct suppliers and service providers to security standards comparable to their own.
For SMBs that aren't themselves in scope, the practical effect is the same: regulated customers will start asking for evidence of security testing, vulnerability management and incident response capability. Without documentation, you don't risk fines - you risk losing contracts.
You may not be directly regulated, but your customers may be. Documentation can be the difference between keeping and losing a contract.
Evidence Coverage helps produce
What you can put in front of
an auditor or a customer.
qEY Coverage produces evidence aligned with several of the risk-management measures listed in NIS2 Article 21. It does not certify compliance - it gives you something concrete to show.
Risk identification
Continuous discovery of devices, services, wireless surfaces and access systems at every site
Vulnerability management
Active validation against current vulnerability data with month-over-month tracking
Effectiveness validation
Confirmed exploitability vs. theoretical findings - what an attacker could actually use
Audit preparation
Monthly reports with findings, evidence and recommended fixes, retained for review
Supplier follow-up
Independent third-party documentation you can share with regulated customers
Incident readiness
Retest workflow that confirms whether identified issues were actually resolved
NIS2 Article 21 lists 10 categories of risk-management measures. Coverage produces evidence relevant to several, not all. Areas like governance policies, business continuity planning, HR security and cryptography remain the customer's own responsibility.
What Coverage does not do
Honest scope.
›Coverage is not a compliance certification. No private vendor can certify NIS2 or Digitalsikkerhetsloven compliance.
›Coverage does not replace legal counsel. Specific obligations under Norwegian law require qualified legal advice.
›Coverage does not substitute for risk management policies, governance, business continuity plans, or HR security controls.
›Coverage produces technical evidence. Translating that evidence into compliance posture is the customer's responsibility.
Product compliance
EU Declarations of Conformity
Disqnect hardware aims to comply with applicable EU directives and regulations. Declarations available below.
qEY-0
Network Security Device
Applicable directives
Radio Equipment Directive
2014/53/EU (RED)
RoHS Directive
2011/65/EU
Compliance inquiries
Questions?
For technical documentation requests, scope discussions or any compliance-related question:
theis@disqnect.comThis page is informational. It does not constitute legal advice. Norwegian and EU regulatory landscape evolves; always verify current obligations with NSM, the relevant sector regulator, or qualified legal counsel.