Norwegian Financial Supervisory Authority confirms supervision and incident reporting under Norway’s Digital Security Act for key banks and Oslo Børs

The Norwegian Financial Supervisory Authority (Finanstilsynet) has published a clarification on how Norway’s Digital Security Act and related regulation implementing the NIS Directive apply to parts of the financial sector, confirming its supervisory role and asking firms to copy it on incident notifications submitted to the National Security Authority. The Digital Security Act and Digital Security Regulation have applied since 1 October 2025 and set baseline requirements to prevent, detect and counter unwanted events affecting network and information systems used to deliver essential and digital services, including security for ICT products, ICT services and ICT processes. In finance, the regime covers systemically important banks and financial market infrastructure of material significance to the Norwegian capital market, which as of December 2025 are DNB Bank ASA, Sparebank 1 Sør-Norge ASA, Sparebanken Norge and Oslo Børs ASA. The financial sector’s ICT regime under the DORA law is described as equivalent to or stricter than the Digital Security Act, and financial firms are therefore to comply with sector legislation. Providers of an essential service must report specified information as soon as possible to both the National Security Authority and the supervisory authority, and the Norwegian Financial Supervisory Authority, designated by the Ministry of Finance, is also named along with NFCERT as the sector incident response environment that can assist covered firms with incident handling.