The Financial Supervisory Authority of Norway sets out DORA incident reporting and Register of Information reporting approach

The Financial Supervisory Authority of Norway published the recording and materials from a webinar on the Digital Operational Resilience Act (DORA), focusing on practical expectations for ICT incident reporting and for maintaining and reporting the Register of Information on ICT service agreements as DORA is implemented in Norway. The materials also describe how reports will be channelled via Finanstilsynet and shared with the European Supervisory Authorities (EBA, ESMA and EIOPA). On incident reporting, the webinar summarises the DORA and level 2 requirements for classifying and reporting “serious” ICT-related incidents, including staged deadlines: an initial notification as soon as possible within four hours of classification and no later than 24 hours from detection, status reporting after material changes and at resumption of normal activities and no later than 72 hours after the initial notice, and a final report within one month of the last status report. Reporting must use standardised templates defined by the ESAs in JSON and Excel, with 42 mandatory and 35 conditional fields across general, initial, status and final reports. Finanstilsynet is developing an Altinn web form aligned to the standard and will convert submissions to JSON before forwarding them to the ESAs, with limited use of the Excel template as an exception; guidance on incident reporting is planned. The slides also note that ICT incident reporting can be outsourced to a third party, but responsibility remains with the reporting entity and outsourcing must be notified to Finanstilsynet, and that Finanstilsynet will forward reports to the ESAs without undue delay and receive ESA reports on incidents relevant for Norway, while encouraging Norwegian branches of foreign firms to report incidents directly to Finanstilsynet until DORA enters into force in Norway. For the Register of Information, the materials explain that entities subject to DORA must maintain a register covering critical or important ICT outsourcing arrangements and that, in groups, registers are required at entity, sub-consolidated and consolidated levels, with reporting made by the highest-level entity to the EU/EEA home authority. Norwegian entities will not be required to submit the register until the Norwegian DORA Act enters into force, after which reporting will be annual or on request, with the exact firm-level date still to be set. Finanstilsynet indicated it must submit the prior-year register to EBA by 31 March 2026 and expects the reporting format to be XBRL CSV, likely via an Altinn-authenticated link, and encouraged firms to prepare by reviewing critical ICT service contracts and collecting supplier identifiers such as EUID and Legal Entity Identifiers.