Hjem / Innsikt / Norway takes steps towards Digital Operational Resilience and Crypto-Asset Regulation

Norway takes steps towards Digital Operational Resilience and Crypto-Asset Regulation

In an era of rapid digitalisation and increasing use of cryptocurrencies, the Norwegian government has taken decisive steps to enhance and unify EU Regulations within the financial sector in accordance with Norway's obligations under the EEA Agreement. On March 7, 2025, the Ministry of Finance presented two legislative proposals, Prop. 54 LS (2024–2025) and Prop. 55 LS (2024–2025), for the implementation of the EU’s Digital Operational Resilience Act (DORA), Markets in Crypto-Assets Regulation (MiCA), and Transfer of Funds Regulation II (TFR II) into Norwegian legislation.
austin-distel-EMPZ7yRZoGw-unsplash

Digital Operational Resilience (DORA)

The DORA Act (lov om digital og operasjonell motstandsdyktighet i finanssektoren), proposed in Prop. 54 LS, aims to unify ICT security requirements for the financial sector in Norway with those established by DORA, which have been in effect in the EU since 17 January 2025. DORA seeks to harmonise ICT security requirements within the EU and enhance the digital operational resilience of the financial sector by ensuring that financial institutions and their ICT providers have robust systems to handle cyberattacks and technological disruptions.

The new DORA Act covers a broad spectrum of financial institutions such as banks, investment companies, pension funds, crypto-asset service providers, and insurance firms. Although Norwegian financial institutions are already subject to stringent ICT security regulations, the proposed DORA Act will introduce more detailed, unified, and comprehensive requirements for Norwegian companies. These include frameworks for risk management, incident reporting and handling, testing of digital resilience, sharing of information, and oversight of ICT providers, which shall be reported to the Norwegian Financial Supervisory Authority. The DORA Act also imposes personal liability obligations on board members to ensure a company’s adherence to the DORA Act.

According to the Ministry of Finance, the DORA Act will help minimise the consequences and costs of ICT disruptions and ensure that the financial sector can withstand, respond to, and recover from cyber incidents. Norwegian companies affected by the DORA Act must prepare for a significant transition process, involving thorough reviews of systems, ICT contracts, and documentation routines, as well as extensive employee training.

Crypto-Asset Regulation (MiCA and TFR II)

Prop. 55 LS introduces a legislative proposal to incorporate EU’s MiCA Regulation into a new act in Norway (No.: Lov om kryptoeiendeler – “kryptoeiendelsloven”).

It is proposed that the MiCA Regulation will apply directly as Norwegian law. This marks a significant shift in the regulation of crypto assets in Norway, where currently, specific laws targeting crypto assets are limited to KYC regulations and rules for providers of crypto exchange and custody services. However, crypto assets are not entirely «unregulated» under Norwegian law; general legal principles such as contract law, taxation law, company law, and criminal law apply to all holders and providers of crypto assets. This has led to a regulatory environment that is uncertain and differs from the rest of Europe.

The implementation of MiCA will regulate issuers of crypto assets in the Norwegian market, setting requirements for transparency, KYC, and other conditions before a crypto asset can be offered to the public within the EU (EEA area). It will thus harmonise crypto asset regulation with the rest of the EU, allowing actors with a MiCA licence from other EEA countries to offer their services in Norway.

MiCA provides a comprehensive framework for the issuance, public offering, and trading of crypto assets, along with rules for service providers related to these assets. It aims to promote innovation, protect investors, and ensure market integrity and financial stability. Currently, Norwegian legislation only regulates providers of exchange and custody services for virtual currencies. With MiCA, a broader range of actors, including issuers of crypto assets and providers of related services, will be subject to specific regulations.

In addition to MiCA, the Ministry of Finance proposes amending the Norwegian Anti-Money Laundering Act to directly incorporate the TFR II directive as Norwegian law. TFR II sets out requirements for crypto asset service providers to collect, verify, and store information about senders and recipients of crypto asset transfers. In short, crypto asset service providers will be subject to the same anti-money laundering requirements, including reporting obligations to authorities, as traditional payment service providers once TFR II applies as Norwegian law.

Ending remarks

The implementation of DORA, TFR II, and MiCA in Norway represents a significant development for Norway’s financial sector. While there are challenges related to compliance costs and technological adaptation, the regulations also offer substantial opportunities for growth and innovation, as well as maintaining the integrity of the financial system in Norway.