The Financial Supervisory Authority of Norway has issued new guidance for incident reporting and for notifications of ICT service agreements under the DORA Act, which takes effect on 1 July 2025, and outlined related changes to the scope of Norway’s ICT regulation and ICT outsourcing notification rules. The update also includes changes to relevant Altinn reporting forms. From 1 July 2025, firms covered by DORA will no longer fall within the scope of the ICT regulation, which will instead apply to financing companies, debt collection companies and real estate companies. ICT outsourcing is treated as an ICT service agreement under DORA and will no longer be notified under section 4-6 of the Financial Supervision Act and the notification regulation, although financing companies must continue to notify ICT outsourcing under those national rules. Altinn form KRT-1121 has been revised to reflect these changes, and the notification regulation is amended to clarify it does not apply to DORA ICT service agreements, update a statutory cross-reference to section 4-6, and remove the requirement to attach documentation to ICT outsourcing notifications. For operational reporting, incidents must be submitted via Altinn form KRT-3190 from 1 July 2025; the authority has published both an incident reporting guide (including reportable events, deadlines and voluntary reporting of significant cyber threats) and a separate user guide covering how to complete the form.
Norwegian Finanstilsynet 2025-06-30
Financial Supervisory Authority of Norway publishes DORA reporting guidance and updates ICT outsourcing and incident reporting processes from 1 July 2025
The Financial Supervisory Authority of Norway has issued new guidance under the Digital Operational Resilience Act (DORA) for incident reporting and ICT service agreement notifications, effective 1 July 2025. Firms under DORA will be excluded from Norway's ICT regulation, which will instead apply to financing, debt collection, and real estate companies. Revised Altinn forms and updated notification regulations reflect these changes, with specific guides for incident reporting and form completion.