Abstract
This paper is related to the research project NEXUS, which focuses on risk communication and action capacity in Norway. NEXUS is evaluating actions from The Gjørv Report (NOU 2012:14), written after a terrorist attack in Norway in 2011. One suggested action was: “The provisions of the Security Act that require measures for protecting objects must be implemented in a proactive manner”. We have performed reviews and interviews to explore how key actors have acknowledged risks related to critical objects and critical infrastructure, compared with other countries. Some critical objects have emergent vulnerabilities; there is a need to perform improved risk assessments and build resilience to mitigate surprises. The emergence of cybersafety in the energy sector can impact health, safety and the environment. It has taken 10 years before regulatory action has been implemented to protect objects. This paper discusses whether this complacency has created a reactive and brittle regulatory regime, and whether the missing proactivity creates organizational losers and scapegoats in the sharp end.