Norwegian critical infrastructure organizations can’t rest on their laurels, warns DNV Cyber report

What secured us yesterday won’t secure us tomorrow, advises DNV Cyber.

A new report shows that more than half (55%) of Norwegian executives working in critical infrastructure are confident in their organization’s ability to manage cyber threats. The leading driver of this confidence is past success in quickly responding to attacks, coming ahead of factors such as training that address the next generation of cybersecurity risks. 

Two-thirds (66%) of Norwegian executives working in industries deemed most critical to the running of society report an increase in cyber-attacks, while threats are becoming more sophisticated – with attackers targeting vulnerabilities in supply chains and bolstering attacks using AI. Past success could be contributing to a false sense of security according to How Cyber Resilient is Norway? – a new report from DNV Cyber drawing on a survey of 200 executives within Norwegian critical infrastructure organizations and 500 members of the public. 

Critical infrastructure industries include energy, transportation, water, healthcare, financial services, and other systems vital for society, the economy, and national security.  

DNV Cyber Threat Intelligence tracks alleged, suspected, and confirmed attacks and breaches. Some 21 cyber incidents were observed impacting Norwegian organizations in 2025, compared to 60 in Sweden, 44 in Finland, and 41 in Denmark.   

Taking confidence from previous security measures can be dangerous. We may not have experienced as many successful attacks on our critical infrastructure as our Nordic neighbours – counting those that have been disclosed publicly – but past successes do not guarantee future resilience,” says Arve Johan Kalleklev, Operations Director at DNV Cyber. “With geopolitical tensions rising and attackers becoming increasing sophisticated, the threat to our critical infrastructure is fundamentally different to the past.” 

The lower number of cyber incidents tracked for Norway by DNV Cyber in 2025 may reflect fewer cyber incidents, or it could reflect less willingness among companies to disclose and discuss attacks. Both factors contribute to a false sense of security, according to DNV Cyber.  

Nevertheless, a quarter of Norwegian critical infrastructure executives (26%) believe it is likely that a cyber-attack will impact the national economy with widespread business disruption in 2026, and the same proportion believe an attack is likely to cause the failure of an essential utility or public service. 

Targeting vulnerabilities in supply chains and bolstering attacks using AI 

Almost two-thirds (65%) of critical infrastructure executives believe it would have an immediate impact on their ability to operate if their key external providers were breached, yet only four in ten Norwegian executives (40%) are confident in the cyber resilience of their critical suppliers.  

“Supply chains are a ‘weak underbelly’ in cyber resilience,” says Anne Wahlstrøm, Head of OT Cybersecurity Advisory Norway, DNV Cyber. “Critical organizations need to manage the geopolitical risk in supply chains, but they also need to address the wider issue of vendor concentration and dependence. If all companies have agreements with the same limited number of suppliers and IT vendors, our critical infrastructure will be more vulnerable.” 

Only two in five Norwegian executives (38%) say their organizations are prepared for hackers’ increasing use of AI – compared with 47% in Denmark and 52% in Finland – as AI is already lowering the barrier for both newcomers and established threat actors to engage in cyber-attacks. 

“Norwegian executives may be underestimating just how rapidly the capabilities of attackers are advancing,” says Wahlstrøm. “Cybercrime-as-a-service means even people with limited technical ability can carry out attacks. And where it used to take hackers weeks to move from vulnerability discovery to exploitation, the growing use of AI means they can now do it in days. AI can also significantly reduce the time it takes hackers to profile targets for sophisticated phishing attempts.” 

Over half of Norwegian executives (52%) say that leaders in their organization see resilience of critical infrastructure as someone else's responsibility – indicating gaps in national cyber resilience – as DNV Cyber addressed in a press release on 5 February, ahead of the Norwegian authorities publishing their threat assessments for 2026. 

Among the public, Norwegian citizens are the most likely across the Nordics to believe that their country’s critical infrastructure systems are safe from cyber-attacks (57% compared with a Nordics average of 48%), according to DNV Cyber’s research. Around half of the Norwegian public say they are prepared for a major cyber-attack disrupting internet (46%), electronic payments (47%), power (49%), access to grocery stores (55%), and tap water (57%). The Norwegian public are less likely than people in neighboring countries to believe that a society-disrupting cyber incident could affect their country in the next two years (47% in Norway compared with 60% in Sweden).  

The report How Cyber Resilient is Norway? provides seven recommendations to strengthen Norway’s cyber resilience: 

  • Do not mistake past successes for future invulnerability 
  • Clarify responsibilities within national cyber resilience 
  • Map supply chain vulnerabilities and sharpen visibility of third parties 
  • Address the rising threat of more sophisticated cyber attackers 
  • Engage the public in the country’s resilience 
  • Collaborate actively and widely to increase overall cyber resilience 
  • Review how regulation can have the biggest impact on resilience. 

About the Research

This report is published by DNV Cyber, a leading cyber security services provider that works with businesses to help them become safer and more resilient in an increasingly complex risk landscape. It is part of a larger research project exploring the cyber resilience of critical infrastructure across four Nordic countries: Sweden, Finland, Norway, and Denmark. 

Focusing on Norway, the report includes three sources of information: a survey of 200 senior critical infrastructure executives in Norway, from industries including maritime, healthcare, energy, and public administration; a survey of 500 members of the public in Norway; and four in-depth interviews with leaders and experts in the field of cyber security.  

The report was developed in partnership with FT Longitude (a Financial Times company). Research was conducted from November 2025 to January 2026. 

About DNV Cyber  

DNV Cyber is a leading cybersecurity services provider empowering businesses with complex needs to become safer and more resilient. With a global team of more than 500 experts and 30 years of IT and operational technology security experience, DNV Cyber safeguards what is critical – enabling businesses to thrive. 

About DNV 

DNV is an independent assurance and risk management provider, operating in more than 100 countries. Through its broad experience and deep expertise, DNV advances safety and sustainable performance, sets industry standards, and inspires and invents solutions.