The Norwegian Financial Supervisory Authority has issued an ICT supervisory report on Vipps MobilePay AS following an inspection on 19–20 June 2025, concluding that the firm’s governance and control of its ICT operations showed no material deficiencies while identifying several minor observations linked to risk management. The observations relate to clarifying the firm’s overarching ICT governance documentation, strengthening change management, improving monitoring of outsourced ICT activities, and expanding the scope and grounding of contingency planning and testing. The report also highlights areas for improvement in documenting and anchoring the business impact analysis, including recovery objectives and disruption tolerances (RPO, RTO and MTPD), and in strengthening board reporting on compliance with board-approved ICT governing documents. The inspection was assessed against the ICT Regulation applicable at the time, and the report notes that the firm must comply with the Digital Operational Resilience Act (DORA) framework from 1 July 2025. Finanstilsynet requested a copy of the minutes from the board meeting where the supervisory report is considered and asked Vipps MobilePay to provide a copy of the letter to its external auditor.
Norwegian Finanstilsynet 2025-10-13
Norwegian Financial Supervisory Authority publishes ICT inspection report on Vipps MobilePay finding no material deficiencies but noting minor risk management issues
The Norwegian Financial Supervisory Authority issued an ICT supervisory report on Vipps MobilePay AS, finding no material deficiencies but noting minor risk management observations. These include clarifying ICT governance documentation, strengthening change management, and improving monitoring of outsourced ICT activities. Vipps MobilePay must comply with the Digital Operational Resilience Act framework from 1 July 2025.