National control and digital sovereignty for ICT services is important to protect ICT services and data, and also to avoid Norway becoming too dependent to other countries. The aim is to protect both the nation state and the rights of the population both in peacetime, in a crisis and during armed conflicts.

Complete national control is an ideal, but challenging to achieve. Despite this, ICT services that are critical to society and government should increasingly be under national control. Some decisions can reduce risk. Norwegian organisations should consider a new balance between national control, functionality and cost.

The report highlights central factors to ensure that a service is under sufficient national control. 

Organisations should consider using data centers within national boundaries, and to consider to what extent all layers of the service (all part of “the stack”) must be managed only by personnel on national soil. Organisations should consider peacetime, crisis and armed conflicts. A long perspective (10-20 years) should be considered to safeguard the service. The organisation should not take todays current technology, current legal status or current geopolitics as a given. 

The report is relevant for organisations that run the service on-premise or that outsources the service to a company on national territory or abroad. 

Definition of national control

National control for an ICT service means that som critical ICT services is under actual technical and legal Norwegian control and that one may be reasonably sure that no foreign company or government has any form of technical access.