The Norwegian Digital Security Act – what it means and how Bsure can help

Henrik Skalmerud

October 23, 2025

Modern Entra ID themed meeting room with a white conference table, gray chairs, wooden wall panels, and a large display screen symbolizing forgotten but still active resource accounts in Microsoft 365 security.

Note: This article focuses on the Norwegian Digital Security Act (Digitalsikkerhetsloven), which implements the EU’s NIS directive (NIS1) in Norway. While the regulation applies to Norwegian organizations, the principles and best practices described here are relevant for any company working with Microsoft 365 and identity governance.

Digital transformation has made organizations more efficient, but also more exposed.
As systems move to the cloud and both employees and external partners gain access, the risk surface expands. Over 90 percent of cyber incidents start with a compromised user account — making identity control a critical part of digital security.

The Norwegian Digital Security Act, effective from October 1, 2025, implements the EU’s NIS directive (NIS1) and strengthens how organizations prevent, detect, and respond to digital incidents.
For many companies, this means new expectations for visibility, documentation, and security management.

Here’s how Bsure helps you meet those requirements — while improving security and efficiency in Microsoft 365 and Entra ID.

How Bsure supports key compliance areas


  1. Full visibility into users and access
    Access management goes beyond employees. Identities also include guest users, vendors, service accounts, and devices.
    Bsure gives you an up-to-date overview of who has access, which accounts are inactive, who lacks MFA, and which users hold admin privileges.
    It’s full control over every identity — even the forgotten ones.

  2. Insights into applications, licenses, and integrations
    The law requires organizations to know which digital services they use and how they’re connected.
    Bsure provides clear insight into applications and integrations linked to your Microsoft cloud environment, helping identify unauthorized or “shadow IT” systems added without approval.

  3. Overview of devices and connected systems
    All systems that support your digital services must be part of your security governance.
    Bsure shows which devices and accounts are linked to your identity platform, making it easy to detect inactive or outdated systems before they become risks.

  4. Documentation and reporting
    The regulation requires documented processes for risk management, incident response, and supplier oversight.
    Bsure delivers reports and insights you can use directly in your governance framework — from user status and roles to license usage and improvement areas.

What Bsure covers — and what you still need to handle

Bsure addresses key parts of the law’s requirements and provides a strong foundation for control and documentation.
However, full compliance also depends on measures beyond our platform, such as incident reporting, resilience testing, and supplier risk management.

With Bsure, you get:

  • A complete overview of users, access, roles, and MFA status

  • Insights into active and inactive devices

  • Visibility into apps and integrations across your cloud platform

  • Reporting and documentation of status and risk areas

  • Identification of outdated accounts and forgotten systems

You still need to manage:

  • Notification to authorities in case of serious incidents

  • Crisis preparedness and incident response

  • Security testing and resilience exercises

  • Supply chain management and overall risk governance

How to get started

For organizations covered by the Digital Security Act, we recommend these first steps:

  1. Clarify whether the law applies – determine if you provide essential or digital services.

  2. Conduct a gap analysis – compare your current practices with the regulation’s requirements.

  3. Prioritize actions – focus first on high-risk areas: access control, inactive accounts, and external users.

  4. Ensure leadership involvement – the board and management must have responsibility and insight.

  5. Establish reporting and documentation – use Bsure to generate automated insights and reports.

  6. Set supplier requirements – make sure your vendors meet appropriate security levels.

  7. Test and train – run scenario exercises for incident handling and recovery.

In summary

The Digital Security Act raises the bar for cybersecurity — but it also offers an opportunity to build stronger control and better visibility.
With Bsure, you gain the insight and tools needed to meet the law’s requirements safely, efficiently, and with confidence.