Newsletter
by Trygve Karlstad and Jeppe Songe-Møller
On March 7, 2025, the Norwegian Ministry of Finance presented two legislative proposals aimed at enhancing digital operational resilience in the financial sector and regulating the crypto-assets market. The two proposals implement the EU's Digital Operational Resilience Act (DORA), Markets in Crypto-Assets Regulation (MiCA), and Transfer of Funds Regulation II (TFR II) into Norwegian law. The new act on digital operational resilience in the financial sector seeks to ensure that all financial entities can manage cyberattacks and other cyber-related risks, minimizing the consequences and costs of ICT disruptions. This article dives into some of the key obligations under the newly proposed Norwegian DORA Act, which is a significant step towards strengthening cybersecurity in the Norwegian financial sector.
Today, Norway has a fragmented regulation on cybersecurity for financial institutions. The Financial Institutions Act (Norwegian: "Finansforetaksloven") requires financial institutions to operate in a prudent manner. The Securities Trading Act (Norwegian: "Verdipapirhandelloven") mandates measures to limit operational risk and ensure effective control and security arrangements for information and processing systems. Since 2003, the ICT Regulation (Norwegian: "IKT-forskriften") has set requirements for risk management, documentation of risk analyses, protection of equipment and systems, maintenance security, procurement procedures for ICT systems, and deviation handling. It also ensures that financial institutions have the right to control and audit their ICT providers.
The financial sector's reliance on digital solutions and third-party ICT providers has grown significantly, leading to increased complexity in service production and contractual relationships. Many financial institutions operate cross-border, and the market for ICT services is characterized by globalization and consolidation. Norway's financial sector is highly digitized and integrated with Nordic and European markets, offering substantial benefits but also introducing risks and vulnerabilities. Severe ICT system failures can threaten both financial stability and national security.
While Norway's financial infrastructure is robust, the evolving digital threat landscape, including geopolitical tensions and rising digital crime, has underscored the need for enhanced digital resilience. Norwegian financial institutions have long adhered to stringent ICT security regulations, but there has been no harmonized European framework. DORA, which has applied from 17 January 2025 in the EU, aims to consolidate and expand pan-European rules on ICT risk management in the financial sector. DORA includes comprehensive requirements for risk management, incident handling, resilience testing, and information sharing, and provides a framework for European-level oversight of critical ICT providers. This harmonized approach is essential for managing cross-border technology risks and maintaining financial system stability.
The scope of the new DORA Act encompasses a wide range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, providers of services related to crypto-assets, insurance and reinsurance undertakings, pension institutions, credit rating agencies, and third-party ICT service providers. This regulation covers all entities previously subject to the ICT Regulation, except for financing institutions, debt collection agencies, and real estate agencies.
With the new DORA Act, the future of the ICT Regulation remains uncertain. The consultation paper suggests two options: continuing the ICT Regulation with simplified requirements to ensure consistency with DORA, or fully or partially replacing it with DORA's requirements. In either case, the new regulatory requirements should not be more extensive than those in the current ICT Regulation, and the Ministry of Finance does not rule out the need for further simplifications.
Another key question is the relationship between the upcoming Digital Security Act (Norwegian: "Digitalsikkerhetsloven") and the DORA Act. Section 5 of the Digital Security Act states that if the security and notification requirements in another act or regulation are at least equivalent to those in the Digital Security Act, the requirements of that other act or regulation shall apply. Banking and financial market infrastructure are explicitly mentioned as sectors whose security and notification requirements, through the ICT Regulation, are equivalent to those in the Digital Security Act. DORA has more comprehensive requirements than the ICT Regulation and will thus take precedence over the Digital Security Act.
Firstly, the board and the CEO will bear significant responsibility for adhering to the requirements of the DORA Act. This includes overseeing the management, organization, and control of the company's ICT risk (Art. 5), ensuring that senior ICT staff report test results to the management (Art. 13), establishing a process for handling ICT-related incidents (Art. 17), and implementing procedures for ICT risk management (Art. 28). In the event of a breach of any of these provisions, board members and the CEO can be held personally liable.
Secondly, the law stipulates that companies must report security incidents to the Financial Supervisory Authority (Norwegian: "Finanstilsynet"), which will act as the competent authority. However, for businesses also covered by the Digital Security Act, the Ministry may establish provisions for incident reporting to, and information sharing with, other recipients besides the Financial Supervisory Authority. If reporting to other authorities becomes relevant, the reporting obligations should be coordinated.
Thirdly, financial entities must maintain a register of services procured from ICT providers. The register shall be made available to the supervisory authority upon request. Companies must report new agreements to the supervisory authority at least annually and inform it of any planned agreements that will support critical or important functions, as well as of cases where a function becomes critical or important. The Financial Supervisory Authority shall issue guidelines on the frequency and format of reporting; these guidelines are expected to standardize and simplify the process. In addition, the Ministry has proposed a provision enabling it to establish additional requirements for reporting and information on agreements with ICT providers.
The new DORA Act represents a major shift in enhancing digital operational resilience within the Norwegian financial sector. By incorporating comprehensive requirements for risk management, incident handling, resilience testing, and information sharing, the DORA Act aims to ensure that financial institutions are well-equipped to manage cyber-related risks and cyber threats.
Moreover, the new DORA Act introduces stringent responsibilities for the board and the CEO, mandating their active involvement in overseeing cyber risk management and incident reporting. The requirement for maintaining a register of ICT service providers and reporting new and planned agreements further underscores the importance of transparency and accountability.
The new DORA Act also allows for the imposition of administrative fines on individuals and entities. The Ministry has proposed a fine limit of NOK 50 million, emphasizing the importance of compliance.
As the financial sector continues to evolve and face new challenges, the new DORA Act provides a robust framework to safeguard against ICT disruptions and enhance the overall cyber resilience of financial institutions. The new DORA Act will be a crucial step towards maintaining the stability and integrity of the financial system in Norway.