Logo for print


Code of conduct (PDF)
Guideline for remote access between supplier and organization (PDF)

Fact sheets

FYI: No fact sheets are currently updated based on the latest version of the Code (5.3), changes in norwegian health legislation, or GDPR. Updates are in progress.

00 Target groups in fact sheets (PDF)
02 Control system for information security (PDF)
​03 Documents in the information security management system (PDF)

06 Security audits (PDF)

06b Security audits - Code compliance checklist (PDF)

07 Risk assessment (PDF) ​
10 Use of data processor (external business unit) (PDF)

14 Access control (PDF)

15 Incident registration and follow-up (PDF)
​16 Creating a message communication solution (PDF)
​23 Agreements and authorizations relating to reserach (PDF)
​36 Remote access for maintenance and update (PDF)
37 Security requirements and security documentation in ICT projects (PDF)
38 System security requirements (PDF) ​
40 Information security in research projects (PDF)
41 Damage limitation when data have been disclosed accidentally (PDF)
43 Use of test data (PDF)
47 Register of authorizations (PDF)
​48 Information security when performing testing (PDF)  
49 Requirements when using PKI for external communication (PDF)
​50 Patient access to incident registers (PDF)

General information

The Code itself covers all aspects of information security as regulated by Norwegian law. In some instances, the Code of Conduct defines more stringent rules than the law itself.

The Code ensures a secure interoperability for all organizations that comply with the regulations set forth in the Code.

The Code of Conduct has been developed by representatives from the health and care services sector, and comprises the sector's view of how to ensure information security.

In addition to developing the Code of Conduct, the sector has produced a set of short practical guidelines on how to meet the individual requirements in the Code.

Note: Version 4 of the Code of Conduct was published in December 2013. New versions of other Code of Conduct documents in English were published in February 2011.

Presentation in English: Norwegian Code of conduct for information security in the health and care sector (PDF)


An increasing amount of communication in the health sector, both internally, i.e. within a health service provider entity, and between such providers, is taking place electronically.

The fact that the information is collected, stored and spread electronically, in an extent hardly imaginable only a few years back, evoked a need for mechanisms safeguarding that all aspects of information security in the sector are handled adequately.

Consequently, in 2002, the Directorate for Health and Social Affairs invited affected organizations and authorities to establish a project group, whose objective was to compose a holistic set of information security rules for the sector.

A prerequisite was that the group's recommendations were to be in accordance with the data protection and information security principles laid down in EU Directive 95/46/EC (the Data Protection Directive).

As a result, on August 7th 2006, the Code of conduct for information security in the health sector ("the Code") was launched, ready to be used by small, medium-sized and large health service providers alike, and by the collaborating partners of these bodies, as a means to establish satisfactory information security.

Comply with the Code to get connected

The Code is supposedly the first of its kind in Europe; no other overall standards on information security in the health sector are yet developed in any of the EU/EEZ countries.

Norsk Helsenett SF ("Norwegian Health Network") is the provider of a national infrastructure for electronic communication in the health sector, helsenettet ("the health network"). In order to be linked to, and actually utilize, this network, the health service provider must enter into an "affiliation agreement" with the company.

By force of this agreement, the entity admitted to the infrastructure, is obliged to comply with the Code. By this mechanism, the health service providers ensure that the receivers of health-related data – i.e. collaborating partners of many kinds – within the network, all meet the standards of the Code, and thus of the legal provisions. Failing to meet the information security standards of the Code, may lead to the exclusion of the contract-breaching entity.


It is to be noted that the Code, as a text, consists of a main section, where the substantial provisions are expressed. As appendixes to this head document, are found several "guidelines" and some 50 thematically arranged best practice routines, in the Code denominated "fact sheets", providing guidance on e.g. how to perform risk analyses, how to establish back up-procedures, etc. Together, the main document, the guidelines and the fact sheets, aim to cover both the crucial and basic elements of the information security, as well as the more peripheral and remote ones.

The Code itself and a selection of fact sheets and guidelines have been translated to English.


Sist oppdatert: 6. desember 2018

​Fant du det du lette etter?​