EU’s DORA Regulation on ICT Security in Finance – Norwegian Implementation

The EU’s Digital Operational Resilience Act (DORA) was adopted in December 2022 and represents a key regulatory initiative aimed at strengthening ICT security within the financial sector. The regulation is set to be incorporated into Norwegian law through a new Act on Digital Operational Resilience in the Financial Sector, introducing extensive new requirements for Norwegian financial institutions and their ICT service providers. This article summarises the core elements of the new regulatory framework.

1. Background to the Regulation

As a leading country in financial sector digitalisation, Norway has long maintained extensive ICT security requirements. The ICT Regulation of 2003 remains significant, setting out obligations relating to risk management, incident handling, and ICT outsourcing. However, requirements concerning sound organisation, risk management, and internal control are dispersed across various laws and regulations in the financial sector.


The rationale for heightened ICT security is clear: vulnerabilities in digital infrastructure pose risks to financial stability and broader societal security. Threats originate from internal operational failures, criminal cyberattacks, and politically or militarily motivated cyber incidents. Given the international nature of service providers, a harmonised regulatory approach is imperative.

DORA marks a major step by the EU towards aligning and advancing ICT security standards across Europe. Developed over several years, it was adopted in December 2022 and takes effect on 17 January 2025. The framework is set out in Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, which amend various financial sector directives. Furthermore, extensive technical standards are being developed.

The regulation is expected to be fully incorporated into Norwegian law. The Norwegian Ministry of Finance aims to present a legislative proposal (Prop. LS) to Parliament in the first quarter of 2025. While the ICT Regulation will largely become redundant, it will probably be retained in a modified form for entities outside the scope of DORA.

2. Scope of the Regulation

Under Article 2(1) of the regulation, DORA applies to a broad range of financial entities, including:

  • Credit institutions;
  • Payment institutions, including those exempt under Directive (EU) 2015/2366;
  • Account information service providers;
  • Electronic money institutions, including those exempt under Directive 2009/110/EC;
  • Investment firms;
  • Crypto-asset service providers;
  • Central securities depositories;
  • Central counterparties;
  • Trading venues;
  • Trade repositories;
  • Alternative investment fund managers;
  • Management companies;
  • Data reporting service providers;
  • Insurance and reinsurance undertakings;
  • Insurance, reinsurance, and ancillary insurance intermediaries;
  • Pension institutions;
  • Credit rating agencies;
  • Administrators of critical benchmarks;
  • Crowdfunding service providers;
  • Securitisation repositories; and
  • Third-party ICT service providers.

Certain firms are exempt, primarily based on size or the nature of their services.

A key feature of the regulation is the proportionality principle in Article 4, which ensures that the application of risk management and other regulatory requirements is commensurate with an entity’s size, overall risk profile, and operational complexity.

3. Key Requirements for Financial Entities

DORA imposes a series of requirements on in-scope financial entities, many of which build on existing Norwegian rules but with significant divergences in scope and detail.

The core obligations include:

  • Risk Management: Entities must implement a governance framework to ensure a high level of digital operational resilience. In Norway, the board of directors will be responsible for overseeing ICT risk management. Requirements extend to detecting, preventing, and recovering from incidents, including backup protocols, crisis communication plans, periodic reviews, and vulnerability assessments.
  • ICT Incident Management, Classification, and Reporting: Entities must establish procedures for identifying, managing, and reporting ICT-related incidents, classified by severity and reported to the relevant supervisory authorities.
  • Testing of Digital Operational Resilience: Independent testing is mandated to detect weaknesses, errors, and deficiencies, with a follow-up system to address identified issues.
  • Third-Party ICT Risk Management: Given the widespread use of outsourcing, DORA introduces dedicated requirements for assessing, contracting, monitoring, and reporting on third-party ICT risks. Critical ICT service providers will be subject to EU-level oversight.
  • Information Sharing Arrangements: The regulation encourages financial entities to exchange intelligence on cyber threats.
  • Supervisory Authorities: In Norway, the Financial Supervisory Authority (Finanstilsynet) is expected to assume responsibility for oversight, though this may be reconsidered in light of the implementation of the NIS2 Directive on network and information system resilience. DORA also provides for information exchange between supervisory authorities. Enforcement measures will include administrative sanctions, most likely in the form of fines.

4. Implementation in Norwegian Law

DORA is expected to be incorporated into the EEA Agreement and transposed into Norwegian law. The Ministry of Finance launched a public consultation on implementation in January 2024, based on a proposal prepared by the Financial Supervisory Authority. The consultation period ended on 3 April 2024. Our sources indicate that the Ministry now aims to present a legislative proposal to Parliament in the first quarter of 2025. While DORA entered into force in the EU on 17 January 2025, the final timeline for implementation in Norway remains to be determined.