Regulators
- Financial regulator: Finanstilsynet – The Financial Supervisory Authority of Norway
The Financial Supervisory Authority of Norway supervises banks, insurers, finance companies, investment firms, markets for financial instruments, securities depositories, estate agents, e-money institutions, auditors and accountants, etc.
- Data protection authority: Datatilsynet – Norwegian Data Protection Authority
The Norwegian Data Protection Authority is an agency of the Norwegian Government responsible for managing the Personal Data Act 2000 regarding privacy concerns.
Banking ecosystem
- Largest banks: DNB Bank, Nordea, Handelsbanken, and Sparebank 1 SR-Bank.
- Central bank: Norges Bank. The bank has executive and advisory responsibilities in the area of monetary policy, manages Norway’s foreign exchange reserves and the Government Pension Fund Global and is responsible for promoting efficient and robust payment systems and financial markets. In addition, the Bank has the sole right to issue Norwegian banknotes and coins.
- Currency: Norwegian krone (NKr).
Norwegian economy
- The Norwegian economy is a combination of free market activity and significant government ownership and intervention. The government controls key areas, such as the vital petroleum sector, and maintains control over some large-scale state enterprises, some fully owned and some publicly traded with the government holding a controlling interest.
- Norway is not a member of the European Union but is linked to the EU through the European Economic Area agreement (EEA). The country is, with some exceptions regarding fish and agricultural products, fully integrated in the EU’s internal market and free travel through the EEA and Schengen agreements.
- The country adheres to the EU’s sanctions against Russia, including those with an economic focus.
Expert snapshot
Eight questions in collaboration with Andreas Bjørklund, Banking & Finance Managing Associate, and Dag Thomas Hansson, Corporate / M&A lawyer at CMS in Oslo, Norway.
1. Who are the main regulators for financial services in Norway and how would you describe their appetite for regulating the markets?
The primary regulator for financial services is the Financial Supervisory Authority (Finanstilsynet), responsible for issuing licenses and supervising licensed firms and activities. Its regulatory attitude is characterized by a focus primarily on consumer protection and systemic risk. It generally acts in alignment with international standards, and cooperates closely with European regulators.
2. What are the main sources of regulatory laws in your jurisdiction?
Substantially all EU financial regulations are applicable in Norway, with certain local adaptations and additions where EU law permits. The main sources of law are the Norwegian Financial Institutions Act (Nw. finansforetaksloven), the Norwegian Securities Trading Act (Nw. verdipapirhandelloven) and the Norwegian Anti-Money Laundering Act (Nw. hvitvaskingsloven), with their underlying regulations (Nw. forskrift).
The Financial Supervisory Authority issues circulars which provide important guidance on how to understand important regulatory obligations. Regulatory guidance from EU regulators such as EBA, ESMA and EIOPA is also an important source of information shaping policy and decision making in a number of important areas.
3. How can firms outside of Norway do financial services business in your country?
Firms established and licensed in the European Economic Area (the EEA, consisting of the European Union plus Norway, Liechtenstein and Iceland) generally have passporting rights into Norway under applicable EU regulations. This usually entails a right both to provide services from their home state, and to establish a branch in Norway with minimal “red tape”. Providing financial services in Norway is therefore quite straightforward for European firms.
It is generally hard for firms established outside the EEA to provide financial services in Norway. For certain types of licenses, it is possible for non-EEA firms to apply for a Norwegian license. However, this happens quite rarely and is generally not advisable. Establishing a Norwegian (or EEA) subsidiary and applying for a license for the subsidiary is often the preferred, and in many cases the only, option.
4. What types of activities require a license in your jurisdiction?
Most activities typically classified as financial services require a license. The most important licensed activities are:
- underwriting and offering insurance;
- providing credit;
- taking deposits;
- providing investment advice and portfolio management services;
- brokering and executing securities transactions;
- intermediation of credit and insurance;
- managing investment funds; and
- providing payment services including foreign exchange transactions.
5. What are your top three enforcement actions? Briefly explain why the firms were censured.
- The largest fine imposed in the financial services industry is one of NKr 400m (approx. $36.2m) levied against DNB, Norway’s largest bank and integrated financial services group, for significant deficiencies in its anti-money-laundering framework and activities.
- The largest fine imposed for data privacy breaches is a fine of NKr 65m ($5.9m) against Grindr, a dating app primarily for gay and bisexual men. The fine was due to the disclosure of Grindr users’ personal data to third parties for behavioral advertising without a legal basis for such sharing.
- The Financial Supervisory Authority recently notified Sparebank 1 Østlandet, a large Norwegian bank, that it intended to fine the bank NKr 30m ($2.7m) for significant deficiencies in its anti-money-laundering framework and activities. The fine has not been issued as the final decision is subject to comments from the bank first.
6. What is the regulatory attitude to crypto?
Cautious, but with only a few tools present and available to actually regulate cryptocurrency activities. Cryptocurrency exchanges active in Norway are currently required to register with the Financial Supervisory Authority, and must follow anti-money laundering regulations, but crypto activities are otherwise not subject to special regulation.
The crypto regulatory environment is set to change upon the entry into force of the EU Markets in Crypto Assets Regulation (MiCAR). We expect the regulatory position to be made clearer once the new regulatory framework has been applied and has bedded in.
7. Where does business stand on ESG?
Because Norway is a member of the EEA, substantially all EU regulation on ESG is applicable in the country (though often with a certain delay in its implementation). There has thus been a significant volume of ESG-related regulation targeted primarily at financial services firms in the last few years. And other business sectors are currently preparing for entry into force of new due diligence and reporting requirements.
ESG is generally viewed as an important objective by most large businesses.
And ESG is a priority for the regulator, which is especially focused on policing possible cases of “greenwashing.”
8. What is your government’s position on data privacy? What are the biggest concerns?
Data privacy is viewed as important in Norway by the government, regulator, business community and interest groups alike.
The main source of data privacy regulation is the EU’s General Data Privacy Regulation (GDPR), implemented through the Norwegian Personal Data Act (Nw. personopplysningsloven).
GDPR is strictly supervised, with an active and well-resourced regulator in the Norwegian Data Protection Authority (Nw. Datatilsynet).
Compliance
Money laundering
In September 2023, a report by the International Monetary Fund (IMF) found that Nordic and Baltic banks should make efforts to further strengthen their anti-money-laundering and counter-terrorism financing (AML/CFT) supervision framework.
The report, which covers Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, Norway, and Sweden, said that more effective monitoring of cross-border financial flows would provide a deeper understanding of their external ML threat environment and the evolving cross-border related risks.
Norway is ranked fourth in Transparency International’s 2023 Corruption Perceptions Index, and is by that metric one of the least corrupt countries globally.
Data
Data protection
In October 2024, the Norwegian government set out a new national digitization strategy with the aim of making the country the most digitized in the world by 2030.
The strategy includes measures to restructure and modernize the public sector by creating simpler and more connected public services for people to use. It will also include initiatives in a number of other areas such as business development, combating crime, digital infrastructure, green and digital transition, inclusion and screen use for children and young people.
Another key element of the strategy is privacy, where the government will ensure privacy in all digitization up to 2030. By then, all relevant IT solutions in the public sector must have built-in privacy, and citizens’ privacy will be safeguarded by big tech companies.
“I am happy that the strategy defines privacy as a prerequisite for success with digitalization. Privacy is, as is also emphasized in the strategy, a human right,” said Line Coll, Director of Datatilsynet – the Norwegian Data Protection Authority.
In June 2024, the Nordic data protection authorities (DPAs) in Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden and Åland came to a new agreement to join forces on children’s data protection in gaming, AI, and administrative fines.
Meta marketing ban
In September 2023, Datatilsynet won a case in the Oslo District Court against Meta over behavioral marketing. The authority had urged Meta to stop illegal behavior-based marketing on Facebook and Instagram, saying that this involves very intrusive monitoring of users.
Meta, however, did not cease these marketing activities, which led to the authority imposing a compulsory fine of NKr 1m ($93,761) for every day the ban was breached.
Meta asked the Court to suspend the decision, but the Oslo District Court fully sided with the Norwegian Data Protection Authority.
Meta then submitted several administrative complaints, and the matter was taken to the European Data Protection Board – which extended the ban in November 2023, and made it permanent across the EU and EEA.
Data scraping and AI training
The Norwegian Data Protection Authority and multiple other data supervisory authorities internationally have issued a new statement on illegal data scraping.
A first statement was issued in 2023, and the group has since then had dialog with some of the largest social media companies (SMCs).
The countries said that they “want to emphasise their expectation that all companies, not just SMCs, protect the publicly accessible personal information that they host against unlawful scraping,” and that those failing to implement adequate safeguards or comply with laws could face enforcement action. That includes those who use scraped data to train AI.
“SMCs and other organizations that use scraped data sets and/or use data from their own platforms to train AI, such as Large Language Models, must comply with data protection and privacy laws as well as any AI-specific laws where those exist.”
The data supervisory authorities include Norway, Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Morocco, Mexico, New Zealand, Great Britain, Switzerland, Monaco, Israel, and Guernsey.
Employment legislation
The primary regulation governing employment in Norway includes the following acts:
- The Working Environment Act;
- The Holiday Act;
- The National Insurance Act;
- The Occupational Pension Act; and
- The General Application of Wage Agreements Act.
It is worth noting that unions play a vital role in the labor market, and a significant number of Norwegian undertakings are bound by collective bargaining agreements.
For more laws, regulations and rights, visit Arbeidstilsynet, the Norwegian Labour Inspection Authority.
Technology
Cybersecurity
In November 2022, representatives from 36 countries and the EU met to continue their work to fight ransomware, and issued a joint statement after their second International Counter Ransomware Initiative (CRI) Summit, convened by the White House.
Since the first meeting in autumn 2021, the CRI members have been working on five core goals:
- increase resilience;
- disrupt ransomware cartels;
- counter money laundering;
- build partnerships with private sector cyber firms; and
- strengthen international cooperation.
Norway is a CRI member.
Notable regulatory actions and fines by Datatilsynet
September 2024: The University of Agder in Kristiansand in Norway was fined NKr 150,000 ($13,870) for breaching requirements for security and internal control when processing personal data while using Microsoft Teams.
An employee at the university discovered documents with personal data in open Teams folders – open for all employees to access and in some cases open even to students.
The information included personal details about employees, students and external parties. Around 16,000 registered users were affected, with information about exam preparation for 568 students, with some information going back to 2014.
October 2023: Dating app Grindr was fined NKr 65m ($5.9m) – the biggest fine to date issued by Datatilsynet. Grindr, which is a location-based dating app aimed at gay, bi, trans and queer people, was found to be sharing information about users’ GPS locations, IP addresses, mobile phone advertising IDs, age and gender with several third parties for marketing purposes.
Grindr appealed the decision, and it was taken to the Personal Protection Board, which Grindr also tried to sue for the “disproportionately large” fine. But the Oslo district court upheld the fine in July 2024.
June 2022: An infringement fee of NKr 5m ($454,621) was issued to Trumf for not providing sufficient security for the processing of the trading history of its members.
Members were able to register other people’s account numbers on their profile and thus gain access to shopping histories.
September 2021: An infringement fee of NKr 5m ($454,621) was issued to the toll company Ferde for, among other things, having illegally transferred personal information about Norwegian motorists to China.