Iceland (IS)

The Minister of the Interior published the Icelandic National Cyber Security Strategy for Iceland in April 2015. The strategy covers the years 2015–2026, setting out a vision for 2026 but also providing a 3-year Action (2015-2018): Icelandic National Cyber Security Strategy 2015–2026 Plan of action 2015–2018 (Summary in English).

The main strategic goals are in the ENISA self-assessment are: Capacity building; increased resilience; strengthened legislation; tackling cybercrime. 

Future Vision 2026: Iceland should have an Internet culture that is sound, promotes human rights, protects the individual and respects freedom of action to support economic prosperity and development. Security in cyber space should be one of the main cornerstones of economic prosperity in Iceland, resting on a foundation of sophisticated awareness of security issues and adequate legislation. At the same time, Iceland must be prepared to tackle cybercrime, respond to cyber-threats and take measures to prevent espionage and the abuse of personal and commercial data.

The Cyber Security Council is responsible for the implementation of the national cybersecurity strategy, coordinating measures, particularly those involving government bodies. It will review the action plan at least once a year and make proposals on the prioritisation and funding of measures taken.


Capacity-building Priorities

The public, enterprises and government should have the knowledge, skills and equipment needed to cope with cyber security threats. 

Knowledge is the prerequisite for being able to build up capacity in cybersecurity. The challenge is similar to that in raising the level of traffic safety: There is a technical side, similar to having the highest possible standards of vehicle safety and well-constructed roads, etc. The ordinary person does not need to be a qualified mechanic to enjoy traffic safety, but s/he does need to be an active participant in traffic, with a certain knowledge of what constitutes safe vehicles and safe behaviour – this applying both to his own and to others’ – for his own good and that of other road-users.

Security issues must be a part of people’s use of computers and other equipment from the outset when children are first introduced to them and so on up through the school system. Awareness-raising is a key component in the cyber security strategies of most of our neighbouring countries. It must extend to the design and use of equipment and respect for personal data. In Iceland as elsewhere, part of this knowledge involves how we speak about the subject, i.e. the vocabulary and use of terminology. If the subject is to thrive and develop, it will be necessary to standardise and coordinate this terminology.

There must also be a clear division of responsibilities, defining who is to do what, how much responsibility lies with each user and what expectations can reasonably be made of others. Iceland has experts who have worked successfully together for many years. Nevertheless it is a major challenge to develop a reliable foundation on which to build a cyber security culture. The degree to which such a culture is established is one of the factors that investors take into account when they assess countries as potential locations for new projects.


Specific educational measures will taken to make Iceland’s IT environment more secure and more competitive in the international context. Priority is given to integrating security considerations in the initial plan to design reliable computer systems through security by design and privacy by design approaches. 

Cybersecurity must form part of computer-related studies at all levels of the educational system. Moreover, such studies at university level must be upgraded, with closer collaboration with universities abroad to enable students graduating from Icelandic universities to undertake postgraduate studies in cyber security.

The national strategy foresees the following measures: 

  • Awareness-raising Enhancement of general awareness of cyber security issues.

  • Terminology: Relevant international definitions of important terms in cyber security to be collected and translated into Icelandic where necessary. 

  • Education Cyber security to be included in all computer-related studies at all school levels. 

  • Postgraduate studies: Students with first degrees from Icelandic universities will have access to postgraduate studies in cyber security meeting requirements comparable to those made in the other Nordic countries. 
  • Design values: Secure design and personal data protection to be included in the basic values observed in Icelandic software development.
  • Personal data protection International standards and obligations regarding personal data protection to be taken into account when developing cyber security.
Public Private Partnerships

Iceland and Norway, as well as the other Nordic countries, cooperate against cyber threats in collaboration with international organizations such as the UN, the Council of Europe, the European Union and the Organization for Security and Cooperation. 

The Cyber Security Forum is a collaborative venue for representatives of public bodies sitting on the Cyber Security Council and of private entities. The forum will be able to coordinate projects involving stakeholders, in part or in their entirety, and create a basis for collaboration on specific projects, addressing cyber security in demarcated areas.

EU Cyber Professional Register for national stakeholders

The CyPR is all about boosting opportunities in the cybersecurity marketplace. 

This European Cybersecurity Professional Register is the place where professionals, juniors or seniors, age can promote their specific skill sets and experiences in cybersecurity, courses taken and qualifications.

Organisations of any size or sector from SMEs to large companies and public institutions can find and contact the right skills and experiences they need to improve their IT security posture.

Latest Update & Disclaimer

January 2021. 

The information contained here is based on desk research carried out by, including the ENISA interactive maps on national strategies and educational courses. 


Cybersecurity Response Teams: GDPR and NIS Directive Compliance and Notification

Operational capacity building 

Measures to increase capacity include: awareness-raising; terminology of key definitions; education; postgraduate studies; secure by design principles; personal data protection (international standards and obligations). 

CERT-IS is the National CSIRT (Computer Security Incident Response Team) and is part of the Cyber Security Council under the national strategy. 

The primary constituency of CERT-IS is the telecommunication sector. The constituency also includes certain critical information infrastructure (CII) entities that have signed contracts with CERT-IS. Other entities outside the primary constituency are served on best-effort terms.

CERT-IS´s role is the analysis of cybersecurity threats and to give assistance to its primary constituency members using both proactive and reactive measures to prevent cybersecurity incidents and to minimise their impact.

CERT-IS gives advice regarding threats and responses to its primary constituency members and publishes public warnings when needed.

Report a cyber incident to a national CERT/CSIRT 

CERT-IS (English) - Office hours: 9-17 (GMT) Mon-Fri.

  • Team Email:
  • Telephone: +354 5101500 (answering hours 10-14 GMT)
Best Practices

The national cyber security strategy for Iceland stands out for its well-pondered approach to the creation of new legislation and also for its focus on security and privacy by design approaches. However, it lacks emphasis on risk management as central to addressing threats in cyberspace. 

Monitoring systems 

Monitoring and response capacity are to be increased so as to respond to evolving threat landscape, through engagement across stakeholders, at multiple national levels and international co-operation.

Languages Icelandic and English
Latest Update & Disclaimer

January 2021.

The information contained here is the result of desk research carried out by 


Contact us for more info


Iceland (IS) | Cyber Range & Capacity Building in Cybersecurity


The website encountered an unexpected error. Please try again later.