New Norwegian directive provides more secure power supply

At a time of increasing threats to the power supply - both physical and digital - the authorities have tightened the requirements for emergency preparedness and security. The new Power Contingency Regulation will strengthen security of supply and make the power industry better equipped. Here's what you need to know as a manager or employee in the power sector.

Almost every day we hear about various attacks on the power supply and other challenges related to power delivery. We read about physical and digital attacks, power outages as a result of storms, and other challenges related to security of supply. At the same time, more and more of society is becoming increasingly dependent on a stable and secure power supply. This was the starting point for the authorities to adopt The Power Contingency Regulation for the first time in 2012, or Regulations on Security and Emergency Preparedness in the Power Supply, which is the actual name. The Norwegian Water Resources and Energy Directorate (NVE) is the emergency preparedness authority and is responsible for ensuring that the power industry complies with the regulations.

The biggest threats to the power supply

• Cyberattacks: Increasing digitization makes the power sector vulnerable to cyberattacks that can disrupt operations.
• Physical attacks: Power plants can be targets for sabotage or acts of terrorism.
• Natural disasters: Extreme weather and natural events can damage infrastructure and affect power supply.
• Insider risk: Individuals with access to sensitive information can pose a threat if they misuse this access.

Increasing unrest combined with a more serious digital threat picture was the starting point for the Storting last year to amend the current power supply regulations. The authorities wanted greater awareness of threats and security of supply. Mandatory plans and exercises have therefore been incorporated into the regulations. The authorities also wanted a clearer definition of what constitutes sensitive information, and to adapt the regulations to current technological developments. The changes, which were adopted at the end of December 2024, entered into force on January 1, 2025.

You can read the guidance to The Power Contingency Regulation" here (norwegian) >

The most important changes in The Power Contingency Regulation"

There are several changes in the new directive but the most important change is related to sensitive information. NVE has made it clearer which information is subject to confidentiality and which is public.

1. Ensure that confidential information about the power plants is not made public. 
2. Prepare and regularly update risk assessments for extraordinary situations.
3. Hold at least one annual crisis exercise that includes the entire organization.
4. Implement information plans and strengthen preparedness for handling crisis situations.
5. Evaluate and improve processes after exercises and actual incidents.

• KBO units: This includes major power producers, grid companies, district heating companies and major wind power plants with classified facilities. (KBO stands for the power supply's emergency response organization.)
• Other relevant enterprises: Enterprises that own or operate facilities, systems or other things of significant importance for the production, transformation, transmission, sale or distribution of electrical energy or district heating.

Five measures for the power industry

1. Understand the regulations: Review the updated regulations and consider how they affect your business
2. Establish close cooperation with NVE: Ensure regular dialog for guidance and support
3. Update procedures: Adapt internal policies for risk assessment, contingency planning, and information management
4. Hold crisis drills: Hold crisis exercises involving the entire organization at least once a year
5. Strengthen competence and training: Provide employees with the necessary training to handle the updated requirements, focusing on the identification and protection of power-sensitive information

To follow up on the new regulation, NVE has established two new sections, Section for Digital Security and Section for Emergency Preparedness in the Power Supply. The purpose is to ensure closer follow-up on topics related to digitization, including threats related to cyber attacks, as well as the geopolitical situation. Both sections will follow up the directive through coordinated supervision and guidance.

Increasing expectations of uninterrupted availability of electricity require efficient operations and good emergency preparedness in the power supply, both to maintain and improve security of supply. NVE is committed to ensuring that disruptions in the power supply are handled correctly and that the supply is restored quickly. The amendments to this directive are an important step towards ensuring a robust power supply in a world with an increasing number of threats.

Read our article on NIS2 training requirements - How to ensure information security >