The Financial Supervisory Authority of Norway mandates Altinn reporting for DORA serious ICT incidents and significant cyber threats from 1 July 2025

The Financial Supervisory Authority of Norway has issued user guidance confirming that, from 1 July 2025, firms must report serious ICT-related incidents via Altinn form KRT-3190 and report significant cyber threats under the Digital Operational Resilience Act (DORA) via Altinn form KRT-3191. The forms are available in Norwegian and English, and firms are encouraged to report in English. Reporting in KRT-3190 is designed as a staged process, starting with an initial notification and continuing through follow-up submissions created by copying the most recent submission from the Altinn archive; previously reported incident data can be amended. Only organisations (not individuals) can submit, and no specific internal role is required for the reporter; an email acknowledgement is provided with any follow-up questions. Banks that are part of certain groups or alliances may submit aggregated reports, listing the covered entities’ names and LEIs and ensuring the “type of financial entity” is the same across the entities included. Incidents reported before 1 July 2025 that still lack a final report should continue to be reported using the previous process. If firms experience problems using Altinn, a contingency Excel template should be used, and reporting for that incident should continue in Excel once started; the same fallback approach can be used for significant cyber threat reporting.