NIS2 / DIGITALSIKKERHETSLOVEN

Where we fit in NIS2 / the Norwegian Digital Security Act

IdentityStream is built for cyber-risk management, identity and access governance, incident handling and supply-chain security — the core of NIS2 Art. 20–23. We are not a SOC, not a vulnerability scanner and not an awareness-training platform — this page shows exactly what we cover, what our partners cover, and the evidence you get out.

The Norwegian Digital Security Act (Digitalsikkerhetsloven), transposing NIS2, has applied since 1 October 2025. Supervisory focus is on governance, evidence and supply-chain security.

DORA or NIS2 — which applies to you?

DORA is lex specialis for financial entities and their critical ICT third parties (Finanstilsynet). NIS2 / Digitalsikkerhetsloven covers ~18 other sectors — energy, health, transport, public administration, ICT service management, digital infrastructure, manufacturing and more — supervised by NSM and sector authorities. The control surface overlaps ~70–80%: most ICT risk, incident, supplier and governance work is reusable across both.

Read the DORA page

Where IdentityStream delivers value for NIS2

Four areas where our modules give you concrete artefacts, workflow and audit trail — mapped to the NIS2 / Digitalsikkerhetsloven obligations supervisors actually ask about.

Cyber-risk management & access governance

NIS2 Art. 21(2)(a)(i) · IAM / Risk

Move from spreadsheets and ad-hoc approvals to a controlled lifecycle for every identity — employees, contractors and machine accounts — with documented ownership, least privilege and periodic review.

  • Automated Joiner / Mover / Leaver across HR, AD / Entra ID and business systems, with role models combining RBAC, ABAC, PBAC and DAC and role mining via IdentityMap.
  • Risk register that links every risk to processes, systems, suppliers, contracts, incidents and follow-up actions — a living risk picture, not a once-a-year spreadsheet.
  • Function and process register with Business Impact Analysis (BIA), criticality, RTO and RPO — the foundation for proportional cyber-risk measures.
  • Periodic access reviews, exception reports (intended vs actual access) and four-eyes approvals with full audit trail.
  • PoPS — structured decision process for risk-assessing changes to products, organisation, processes and systems before they go live.

Incident handling & reporting

NIS2 Art. 21(2)(b) & Art. 23 · IdS RegTech

A structured workflow from first signal to final report — with the NIS2 timelines built in, so you can hit the 24-hour early warning, 72-hour notification and one-month final-report deadlines.

  • Structured incident register with severity, root cause, owner and full timeline — handles cyber incidents, near-misses and significant cyber threats in the same workflow.
  • Built-in NIS2 significance assessment (users affected, service disruption, data impact, geographical spread, cross-border impact) with automatic alert when reporting thresholds are crossed.
  • Guided reporting flow: 24-hour early warning → 72-hour incident notification → final report within one month, with reminders and management-body escalation.
  • Submission to the national CSIRT / NSM with structured fields, plus communication to recipients of services where appropriate.
  • Every incident links to corrective actions in the Measures Database and to the systems, suppliers and processes affected — no separate Excel for follow-up.

Supply-chain security & supplier register

NIS2 Art. 21(2)(d) · Service Agreements & ContractManager

A live register of your ICT and security suppliers — not a once-a-year spreadsheet. Assess each supplier's security practices, track dependencies and renewals, and act when something changes.

  • Live supplier register with business functions, services, providers, subcontractors and data flows — full traceability from data element to responsible function.
  • Per-supplier security assessment, contract clauses, exit plans and SLA / KPI follow-up — with reports on suppliers without contract, audit or up-to-date assessment.
  • AI-assisted, continuous supplier monitoring of public sources — Brønnøysund announcements, eInnsyn orders, news and Transparency Act information — that reopens vendor assessments when the risk picture changes.
  • Concentration-risk visualisation across subcontractors so you can see — not just describe — your critical dependencies.
  • Reuse of the same supplier data for procurement, GDPR processor inventory and incident response — one source of truth, not three.

Governance, controls & audit-ready evidence

NIS2 Art. 20 & Art. 21(2)(f) · Risk PoPS + Measures Database

NIS2 puts cybersecurity on the management body's desk. Daily operational work — approvals, reviews, incidents, supplier follow-up — generates the trail your supervisor and your board will ask for.

  • Control database where controls are linked to risks, incidents and regulatory requirements — execution and results documented, with dashboards and alerts to management.
  • Measures Database that ties findings from audits, incidents and supervisory letters to a named owner, deadline and status — with pattern analysis to spot recurring problem areas.
  • Annual cybersecurity report for the management body, consolidated automatically from risk assessments, incidents, actions, suppliers and controls — one source of truth, not a manual exercise.
  • Local and global dashboards across services and tenants, with data available via API and export to Power BI for the analytics platform you already use.
  • Full audit trail with attachments and history on every change, plus export to PDF, PNG and PowerPoint for board reporting and supervisory dialogue.

Concrete capabilities you can demo

Production-grade features already in use at Norwegian banks, public-sector bodies and critical-infrastructure operators.

Joiner / Mover / Leaver

End-to-end lifecycle from HR event to access change, with timely revocation when people leave.

Periodic access reviews

Campaigns with reviewers, reminders, sign-off and exportable evidence.

Exception & deviation reports

Intended access vs actual access — find the gaps before the supervisor does.
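The exception report described above (and in the access-governance bullet earlier on this page) is a reconciliation of a role model against a directory export. The following is an added example, not IdentityStream code: it assumes a role model mapping roles to entitlements, an HR feed with employment status, a directory export of entitlements actually held, and a small segregation-of-duties rule set. All data in it is constructed. It goes slightly beyond the text by also flagging orphaned accounts, leavers still holding access and SoD conflicts in the same pass.

```python
"""Access exception report: intended vs actual access (added example, constructed data)."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role model: role -> entitlements the role is intended to grant.
ROLE_MODEL: Dict[str, Set[str]] = {
    "finance_clerk": {"erp_read", "invoice_submit"},
    "finance_controller": {"erp_read", "invoice_approve"},
    "it_admin": {"ad_admin", "vpn"},
}

# Constructed SoD rule set: entitlement pairs one identity must not hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"invoice_submit", "invoice_approve"})}

# Constructed HR feed: identity -> (employment status, assigned roles).
HR_FEED: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("active", {"finance_clerk"}),
    "bob": ("active", {"it_admin"}),
    "carol": ("terminated", {"finance_controller"}),
    "dave": ("active", {"finance_controller"}),
}

# Constructed directory export: identity -> entitlements actually held.
ACTUAL_ACCESS: Dict[str, Set[str]] = {
    "alice": {"erp_read", "invoice_submit", "invoice_approve"},  # approve is not in her role
    "bob": {"ad_admin"},                                         # vpn never provisioned
    "carol": {"erp_read"},                                       # leaver, still has access
    "svc_backup": {"ad_admin"},                                  # no HR record at all
}


def intended_entitlements(status: str, roles: Set[str],
                          role_model: Dict[str, Set[str]]) -> Set[str]:
    """Entitlements the role model says this identity should hold.

    A non-active identity is intended to hold nothing: that is the leaver
    revocation rule expressed as data rather than as a separate check."""
    if status != "active":
        return set()
    intended: Set[str] = set()
    for role in roles:
        intended |= role_model.get(role, set())
    return intended


def build_exception_report(hr_feed: Dict[str, Tuple[str, Set[str]]],
                           actual_access: Dict[str, Set[str]],
                           role_model: Dict[str, Set[str]],
                           sod_conflicts: Set[FrozenSet[str]]) -> List[dict]:
    """Reconcile the directory export against the role model.

    Each finding is a dict with a 'kind', the 'identity' and the sorted
    'entitlements' involved, so it can be exported or attached to a review."""
    findings: List[dict] = []

    # Pass 1: every account that exists in the directory.
    for identity, held in actual_access.items():
        if identity not in hr_feed:
            findings.append({"kind": "orphan_account", "identity": identity,
                             "entitlements": sorted(held)})
            continue
        status, roles = hr_feed[identity]
        if status != "active" and held:
            findings.append({"kind": "leaver_access", "identity": identity,
                             "entitlements": sorted(held)})
            continue
        intended = intended_entitlements(status, roles, role_model)
        excess = held - intended
        if excess:
            findings.append({"kind": "excess_access", "identity": identity,
                             "entitlements": sorted(excess)})
        missing = intended - held
        if missing:
            findings.append({"kind": "missing_access", "identity": identity,
                             "entitlements": sorted(missing)})
        for pair in sod_conflicts:
            if pair <= held:
                findings.append({"kind": "sod_conflict", "identity": identity,
                                 "entitlements": sorted(pair)})

    # Pass 2: active people in HR with no directory account at all.
    for identity, (status, roles) in hr_feed.items():
        if identity in actual_access:
            continue
        intended = intended_entitlements(status, roles, role_model)
        if intended:
            findings.append({"kind": "missing_access", "identity": identity,
                             "entitlements": sorted(intended)})

    return sorted(findings, key=lambda f: (f["identity"], f["kind"]))


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per kind, the figure a dashboard or review campaign would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    report = build_exception_report(HR_FEED, ACTUAL_ACCESS, ROLE_MODEL, SOD_CONFLICTS)
    for finding in report:
        print(f"{finding['kind']:16} {finding['identity']:12} {finding['entitlements']}")
    print(summarize(report))
```

The ordering of the checks matters: a terminated identity is reported once as `leaver_access` rather than as a pile of `excess_access` lines, and an account with no HR record is reported as an orphan before any role lookup is attempted, which is the case that most often slips through a review built on the role model alone.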

External user governance

Contractors and third-party staff with sponsors, expiry dates and re-attestation.

NIS2 incident classification

Built-in significance criteria, automatic alert and reporting flow with the 24h / 72h / 1-month deadlines.

Supplier register

Suppliers, subcontractors, business functions and supporting services in one register.

Supplier & contract follow-up

Renewals, exit plans, SLA / KPI, periodic audits and findings tracked per supplier.

Management dashboards

Status across access, incidents, suppliers and findings — with API and Power BI export.

Function & process register with BIA

Functions, processes, RTO / RPO and criticality in one navigable register.

Control database

Define, plan, document and follow up controls linked to risks, incidents and regulatory requirements.

Policy & routine register

Searchable register of policies and routines with process diagrams, periodic review and AI-assisted lookup.

Four-eyes & SoD controls

Dual approval and segregation-of-duties checks on sensitive role assignments.

Delivered through our partners

Two NIS2 areas we cover through skilled, specialised partners — not in-house. You get one programme, with IdentityStream as the system of record and our partners doing what they do best.

SOC, vulnerability management & cryptography

NIS2 Art. 21(2)(e), (h) and (j) — via partners

Network and endpoint monitoring (MDR / SOC), vulnerability scanning, penetration testing, MFA infrastructure and cryptography standards are delivered by our specialist security partners.

How IdentityStream ties it together: Plan and document the security programme, register scope and findings from our partners, and track remediation in the Measures Database so findings don't get lost.

Cyber-hygiene & awareness training

NIS2 Art. 21(2)(g) — via partners

Security awareness training, phishing simulation and basic cyber-hygiene programmes are delivered by our training partners on specialised platforms.

How IdentityStream ties it together: Document participation, training completion and gaps as input to risk and audit — and link individual non-completion to access decisions in IdentityStream.

Why Norwegian organisations choose IdentityStream for NIS2

Built with Norwegian customers for Norwegian regulatory reality — and honest about what we are.

  • Same platform you use for DORA, GDPR and internal control — one model, one source of truth, fewer integrations.
  • Customer-driven innovation: modules are built together with Norwegian customers, so functionality maps to actual supervisory dialogue with NSM and sector authorities.
  • Audit-ready evidence is a by-product of daily work, not a separate project — incident reports, supplier register and control documentation in the format supervisors expect.
  • One platform for IAM, supplier risk, contracts, incidents, controls and findings — fewer integrations, lower total cost.
  • No-code form builder lets your team add new compliance workflows, including AI fields, without involving developers.
  • Honest scope and deployment flexibility: SaaS in Azure or on-prem, and we're upfront about what we don't do so you can pick the right partners for SOC, scanning and awareness.

Want to see how IdentityStream supports your NIS2 work?

Send us a note and we'll walk you through which parts of NIS2 / Digitalsikkerhetsloven our solutions cover — and we'll be upfront about the areas you'll need partners for.

Address

IdentityStream AS

Laberget 22

4020 Stavanger

Phone number
(+47) 98 23 24 55