CRA Compliance in Norway

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Norwegian manufacturers.

Norway participates in the EU single market through the European Economic Area (EEA) Agreement, and the EU Cyber Resilience Act will be incorporated into the EEA Agreement following its adoption, making it applicable to Norwegian manufacturers. The Nasjonal sikkerhetsmyndighet (NSM), Norway's national security authority, leads cybersecurity policy and operates NorCERT as the national CSIRT. Norwegian manufacturers in the maritime, oil and gas, and defence sectors face significant CRA exposure given Norway's export-oriented manufacturing profile.

National Competent Authority (CRA)

NSM

Nasjonal sikkerhetsmyndighet

NSM is Norway's national security authority and the designated authority for cybersecurity under the EEA Agreement. Following EEA incorporation of the CRA, NSM will serve as Norway's national competent authority. NSM operates NorCERT as Norway's national CSIRT.

https://www.nsm.no

National CSIRT (Article 14 Reports)

NorCERT

https://www.nsm.no/kontakt

https://www.nsm.no/norcert

CRA Enforcement in Norway

Norway participates in the EU single market through the EEA Agreement, and EU product regulations including the CRA apply to Norway following EEA incorporation — typically within 12-24 months of EU adoption. NSM will serve as the national competent authority for CRA enforcement in Norway. The Direktoratet for samfunnssikkerhet og beredskap (DSB) coordinates market surveillance for consumer product safety, and the Norwegian Communications Authority (Nkom) retains competence for radio equipment. Norwegian manufacturers placing products on the EEA market must comply with CRA requirements on the same timeline as EU-based manufacturers once the regulation is incorporated into the EEA Agreement.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Norwegian Manufacturers

Norwegian manufacturers will report CRA Article 14 incidents to NorCERT, NSM's national CSIRT. NorCERT operates a 24/7 incident response capability and secure reporting channels. Following EEA incorporation, Norwegian manufacturers will face the same Article 14 timeframes as EU manufacturers: early warning within 24 hours, full notification within 72 hours. NorCERT participates in the EU CSIRTs network as an EEA associate and will relay reports to ENISA as required. Norwegian manufacturers with EU subsidiaries or entities may need to file reports with both NorCERT and relevant EU-member-state CSIRTs depending on where the legal manufacturer entity is registered.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance in Norway for CRA products will be coordinated between NSM, DSB, and Nkom depending on product type. Norway will implement the CRA penalty regime following EEA incorporation: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Norway has a robust market surveillance tradition in product safety, and the DSB has extensive experience in CE marking enforcement. Norwegian manufacturers should not assume EEA status provides any grace period — the CRA applies on the same basis as to EU manufacturers once incorporated.

CRA reference: Article 54, Article 58

Support for Norwegian Manufacturers

NSM publishes free cybersecurity guidance in Norwegian and English, including its National Cyber Security Strategy and sector-specific frameworks. NorCERT provides threat intelligence sharing for registered organisations. Innovasjon Norge supports cybersecurity capability development through innovation grants for Norwegian manufacturers. SINTEF, Norway's independent research institute, provides technical research and testing services applicable to CRA conformity assessment. Norwegian manufacturers also benefit from access to ENISA guidance and the Nordic cooperation framework through NSM's participation in Nordic cybersecurity coordination mechanisms.

CRA reference: Annex I, Article 13

Frequently asked

How does Norway's EEA status affect CRA applicability for Norwegian manufacturers?

Norway participates in the EU single market through the EEA Agreement. EU regulations such as the CRA are incorporated into the EEA Agreement following adoption, typically with an adaptation text accommodating Norway's institutional arrangements. Once incorporated, the CRA applies in Norway with full legal force. Norwegian manufacturers placing products on the EEA market must comply with CRA requirements on the same timeline as EU manufacturers — there is no permanent EEA exemption. Manufacturers should monitor the EEA Joint Committee decisions for the official incorporation date.

How do I contact NSM or NorCERT as a manufacturer with a CRA compliance question?

NSM can be contacted through nsm.no, and NorCERT through the same website for cybersecurity incident reporting. For CRA-specific compliance queries, NSM's industry liaison function handles manufacturer enquiries. NSM publishes guidance in Norwegian and English and engages industry through the annual NSM cybersecurity conference. For Article 14 notifications, use NorCERT's secure incident reporting channel.

How does the CRA interact with Norway's Sikkerhetsloven and cybersecurity obligations?

Norway's Sikkerhetsloven (Security Act) imposes security obligations on organisations operating in sectors vital to national security; these partially overlap with CRA obligations for manufacturers supplying critical infrastructure. NSM administers the Sikkerhetsloven and will also administer CRA compliance. Norwegian manufacturers subject to Sikkerhetsloven obligations should conduct a joint gap analysis, as the CRA's essential requirements may add to but not duplicate existing Sikkerhetsloven product security requirements.
