What Norway’s Supply Chains Must Learn Before NIS2 Arrives
On 27 November 2025, Achilles gathered industry leaders, cybersecurity experts and legal specialists in Stavanger to address a question that will define the next decade of Norwegian competitiveness:
Are our supply chains ready for the cyber threats Norway will face in 2026 and beyond?
The seminar followed the success of our first major industry event in collaboration with Schjødt earlier this year: Cybersecurity Meets Defence and Infrastructure.
From offshore infrastructure to transport, public services, and manufacturing, Norway’s digital vulnerabilities are no longer hypothetical. They are current, active and evolving. What emerged from the session with Schjødt and Orpheus was not another reminder that “cybersecurity is important” but something far more urgent:
The next major cyber incident in Norway will almost certainly originate in the supply chain.
And unless organisations begin treating cybersecurity as a strategic, board-level responsibility, not an IT project, the impact will be felt across sectors central to national security and economic stability.
Why Norway Is Becoming a Prime Cyber Target
Several recent headlines, ranging from monitoring of fibre cables to mobile threat intelligence and security concerns in public transport procurement, reinforce a reality we rarely say out loud:
Norway is a small country with an outsized geopolitical footprint.
Norway’s energy exports power Europe. Its digital administration underpins welfare, taxation, health services, and immigration. Industrial capabilities, from maritime to process manufacturing, make Norway a gateway into European markets.
In this geopolitical environment, cyberattacks are no longer “someone else’s problem.”
They are the new method of state influence, sabotage and economic disruption.
Yet most successful attacks do not begin with the big players. They begin quietly, invisibly, and in the weakest corner of the supply chain.
Supply Chains: Our Greatest Strength and Most Dangerous Vulnerability
One moment from the seminar illustrated this perfectly. A discussion around the DolWin Beta offshore grid connection showed how even highly engineered, mission-critical infrastructure is exposed through:
- interconnected IT and OT environments
- complex communication systems
- energy management layers
- and most critically: third-party suppliers
The point was simple, and uncomfortable: A modern cyberattack does not need to break into Fort Knox. It only needs a door left open by a subcontractor three layers down.
This is not speculation. We have already seen it in Norway.
PST has publicly linked recent sabotage and data breaches to a pro-Russian threat actor exploiting precisely this chain-based vulnerability.
The pattern is clear:
- Attackers identify the weakest supplier
- They infiltrate quietly
- They escalate
- The primary victim suffers the consequences
It is no longer enough to secure your own systems. You must secure the ecosystem you depend on.
NIS2: More Than Regulation – A Reset of Responsibility
Many organisations still see NIS2 as a compliance project. That is a dangerous misconception. NIS2 will require Norwegian organisations to:
- map and assess their supply chains
- continuously monitor digital risk
- conduct board-level oversight
- ensure operational resilience
- and document all of it
The scope is vast. Energy, waste, transport, chemicals, public administration, research, digital services, finance. The list is long, and growing.
By July 2026, thousands of Norwegian companies will move from “cyber awareness” to legally enforceable cyber governance. And regulators will expect evidence, not good intentions.
The Human Element: Demonstrations That Removed Any Illusion of Safety
One of the most eye-opening parts of the seminar was not theoretical at all.
It was physical:
A fake charging cable that can hijack a device. A USB stick that behaves like a computer. A simple antenna that can extract unencrypted data from the air.
These are not advanced nation-state tools.
They are cheap, easily purchased, and shockingly effective.
If the Norsk Hydro attack in 2019 taught us anything apart from its cost (800 million NOK in damages, with 23,000 PCs and 3,000 servers impacted), it’s this:
Digital infrastructure is fragile. But trust is more fragile still. And Norway, a high-trust society, is particularly exposed.
Cybersecurity Is No Longer an IT Task. It Is Risk Leadership.
Orpheus Cyber’s contribution brought the conversation to a critical point: Cyber risk must be managed with the same discipline as financial, operational, and strategic risk.
Their threat intelligence models, already used by the FCA, Bank of England and European defence actors, show that:
- attacks are predictable
- risk can be quantified
- and suppliers can be assessed long before they become liabilities
In fact, Orpheus demonstrated 94% accuracy in predicting which suppliers would be attacked within 10 days in a UK Ministry of Defence study.
This level of foresight transforms cybersecurity from reactive firefighting into proactive business protection. Inside the MyAchilles platform, companies can access these predictive risk ratings directly, giving procurement and risk leaders the tools to detect, prioritise and act long before incidents occur.
What Companies Must Do Now
Across all speakers, three strategic imperatives emerged:
- Cybersecurity must be a board-level responsibility. If your annual revenue exceeds 100m NOK, accountability already sits at the top.
- Build a security culture that matches the threat landscape. Employees are the first line of defence and often the easiest point of entry.
- Treat cyber resilience as a continuous discipline. Small, daily actions matter more than annual training.
The most common message from all presenters:
Organisations don’t need to become perfect.
They need to become harder to attack than the next organisation in the chain.
