A plain readiness checklist for Digitalsikkerhetsloven and NIS2
There is a lot of noise around the Digital Security Act and NIS2 right now, and most of it is written for lawyers or for enterprise IT teams. Neither of those is you. So here is a plain version. You can walk through it in an afternoon, on one site, without buying anything.
None of this makes you compliant on its own, and anyone who promises that is selling something. What it does is show you roughly where you stand, and give you an honest list before a regulator, an insurer, or an opportunist makes one for you.
1. Know what you have
You cannot protect or document what you have never written down. Start here, even if it is just a spreadsheet.
- List every device on site that connects to a network: feeding, oxygen, pumps, dosing, sensors, cameras, the remote gateway, the office machines.
- For each one, note who made it, roughly how old it is, and whether it still gets updates.
- Mark which ones can be reached from outside the local network. Be honest, and when in doubt, assume yes.
2. Close the easy doors
This is the part that stops the opportunists, and it is mostly free.
- Change every default and shared password. One login per person where you can.
- Turn off remote access you are not actually using.
- Put the control equipment on a separate network from office and guest wifi.
- Make sure someone is responsible for applying updates, and that it actually happens.
3. Be able to prove it
This is the difference between doing security and being able to show it. The Act, NSM Basic Principles, and NIS2 all care about evidence, not good intentions.
- Keep the asset list current, with a date on it.
- Write down your suppliers and what they can access. The Act pushes requirements down to them too.
- Have a short, written note on how you would respond to an incident, and who does what.
- Keep a simple record of the fixes you have made, so you can show progress over time.
4. Be ready for the bad day
- Know who you call, internally and externally, at any hour.
- Know how you would run the site if the control systems went down for 72 hours.
- Make sure backups of your configurations exist, and that someone has tested restoring one.
How this maps to the rules
Sections 1 and 3 are the heart of what the Digital Security Act and NSM Basic Principles ask you to demonstrate: you know your systems, and you can document them. Section 2 is the practical risk reduction. Section 4 is incident readiness, which NIS2 leans on heavily. You do not need to quote paragraph numbers to a board. You need to be able to show the work.
Want the printable version, and the occasional note like this?
Leave your email. We will send the checklist as a one-pager and, now and then, a short note on aquaculture OT and regulation. No spam, unsubscribe anytime.
If you go through this and the honest answer is “I am not sure,” that is exactly what a readiness check is for. We do the walk-through with you, on your site, and hand you the evidence at the end. We are onboarding founding pilot sites in Troms and Finnmark now.
Written by Havvakt's founder. Full name and bio once Havvakt is full-time. For now, the work speaks first.