This year’s threat and risk assessments describe a landscape characterised by lasting rivalry and changed parameters for international cooperation. The wording in the assessments is open and provides room for different development paths. However, this should not be interpreted as a sign of a decrease in severity.
A main focus of the intelligence, surveillance, and security services’ assessments is that developing resilience is integral, also for the civilian sector. It is crucial to be prepared; at the same time, it is important to emphasise that self-intimidation must be avoided.
A persistently challenging situation
This year’s unclassified assessments place Norway in a landscape where geopolitical developments are increasingly affecting Norwegian affairs. NIS describes a security situation where Russia is combining overt, covert, and influence-driven measures to shape European decisions.
Moreover, it is noted that capabilities related to underwater critical infrastructure are continuously being developed – this is relevant for pipelines, cables, and other seabed systems in Norwegian waters.
Furthermore, the assessments describe periods in which navigational tools and infrastructure will be affected by defensive electronic countermeasures, as well as periodically visible military activity in northern maritime areas, including in areas close to Norwegian civilian and commercial operations. These activities are related to a broader geo-strategic picture in which the northern sea areas are included in state military and political signalling.
In parallel, the assessments describe how China is expanding its room for manoeuvre (operational leeway) through economic and industrial measures and positioning itself within value chains that have implications for European security and energy.
Norway plays an important role as a stable supplier of oil and gas to Europe, and the infrastructure on the continental shelf and the onshore facilities are of interest to foreign states. PST assesses that more of the activity conducted by such actors is likely to occur in ways that attract minimal public attention.
Reconnaissance, influence, and the use of proxy actors are described as the most probable manifestations, while sabotage against civilian targets is considered a possibility if deemed beneficial. The assessments describe that Russian services are focused on monitoring military affairs, allied activity, Norwegian support to Ukraine, and infrastructure along the coastline, including through the use of civilian vessels for covert intelligence purposes.
In sum, these factors form a picture in which entities of societal importance may be affected both directly and indirectly, and in which variations in methods and timing are part of the assessments. Companies in the petroleum sector must consider these aspects when conducting risk assessments and when evaluating or developing risk-reducing measures.
We have the best foundation for success, but it will require effort.
Arne Christian Haugstøyl, NSM
Security management to build resilience
NSM’s risk assessment emphasises holistic security management as a prerequisite for building resilience. During supervisory audits in the past year, NSM has identified non-conformities related to commitment, implementation, and capability to escalate security measures when the risk level changes. These findings coincide with Havtil’s findings in the petroleum sector. Considering this, we, together with NSM, emphasise that security management must include all disciplines – from digital and physical security, roles, responsibilities, and plans, to personnel security and safety culture. It is not sufficient to excel in one area; threat actors will simply seek alternative points of entry.
Furthermore, NSM highlights personnel security as an area where many organisations are facing persistent challenges. This includes, among other things, inadequate follow-up of employees and poor internal communication flow between units that hold relevant personnel information. Such deficiencies can make it difficult to identify employee-related vulnerabilities within reasonable time and increase the risk of personnel being exploited.
In Risk 2026, NSM emphasises that baseline security and planned enhancement measures are not always kept up to date, and that physical security measures risk becoming outdated and less resilient as threat actors develop new techniques and tactics. Physical security must therefore be viewed in conjunction with other security measures, as these are often mutually dependent.
NSM also highlights ownership and supply chains as central risk areas. Complex supply chains and complex ownership structures may create points of influence within the value chain, thus increasing vulnerabilities in critical functions during times of increased pressure. The report underlines the importance of understanding dependencies and interfaces to external actors as part of the holistic risk landscape in 2026.
Cyber security must be ensured
The threat landscape in the cyber domain is persistent and severe. PST assesses this area to be where the threat is the greatest. This year’s assessments stress that it is likely that cyber operations will affect Norwegian businesses in 2026, and there will also be an increase in successful operations in the coming year.
It is in the cyber domain the threat is greatest.
Beate Gangås, PST
Cyber operations have wide-reaching effects. NSM emphasises that attacks are becoming increasingly sophisticated, and technological developments are giving competent actors expanded opportunities. At the same time, new technologies, such as language models, enable actors with less advanced capabilities to execute operations that previously required greater technical expertise.
PST underscores that Norwegian digital infrastructure is being mapped through the use of commercial proxy actors. Such mapping can be used to collect sensitive information, gain a foothold in organisations’ infrastructure, or collect credentials for resale purposes. Considering this, it is essential that businesses build both organisational and technological resilience.
Moreover, NSM highlights vulnerabilities in insecure OT systems as an area of concern. Lack of network segmentation, insecure remote access, missing patching, and inadequate monitoring are conditions that may be exploited when businesses lack an overview of their own systems and vulnerabilities.
These conditions emphasise that security measures must mirror the prevailing threat landscape. NSM urges businesses to reinforce their own security posture by updating their emergency response plans and exercise scenarios. To implement appropriate measures, businesses must know which systems, components, and dependencies they have, as well as test and verify that the security measures function as intended.