Jump to main content Go to search page

Risk and vulnerability analyses 2026

Finanstilsynet's annual Risk and Vulnerability Analysis (RVA) provides an overall assessment of ICT-related risks and vulnerabilities in the Norwegian financial sector. The analysis is based on Finanstilsynet's supervisory activities, the institutions' reporting, analyses of incidents and assessments of developments in the global threat landscape.

1. Summary 

Overall, the financial infrastructure in Norway is considered to be robust and secure. In 2025, institutions' operational stability and the availability of payment services were satisfactory and consistent with the past few years. This indicates that the institutions have good defences against digital attacks. 

The cyberthreat level is considered to be high. Organised criminals, nation-state threat actors and the increasing use of artificial intelligence contribute to a level of risk that places high demands on institutions' governance, emergency preparedness and operational response capabilities. Norwegian security authorisations assess that the risk of malicious cyber operations against Norwegian institutions and the financial industry is increasing, from both criminal and nation-state actors. Geopolitical changes and wars in Europe and the Middle East cause a heightened threat level. 

Finanstilsynet assesses the overall level of preparedness in the financial industry to be sound. At the same time, it needs to be continuously developed to meet constant changes in the complex threat landscape. Robust preparedness and effective cooperation are vital to handling serious incidents in the financial system. Experience from actual incidents and exercises underscores the importance of collaboration between institutions, service providers and authorities to mitigate consequences and ensure swift recovery.

Rapid developments in generative and autonomous artificial intelligence create opportunities for efficiency gains and innovation but also introduce new threats and vulnerabilities. This technology enables faster and more automated identification and exploitation of technical vulnerabilities and challenges established security and vulnerability management models. 

Supply and value chain risk is among the most critical vulnerabilities in the financial sector. Extensive outsourcing, complex value chains and service provider concentration increase the risk that incidents may have consequences across institutions. The geopolitical situation has heightened uncertainty regarding the dependence on international service providers. Issues related to data access, regulatory compliance, predictability and concentration risk in the service provider market are key risk factors. The institutions have an independent responsibility for securing their systems and services, also when ICT operations are fully or partially outsourced to a third party.

The introduction of DORA (Regulation on Digital Operational Resilience in the Financial Sector) has contributed to heightened attention and a more structured approach to digital operational resilience. Nevertheless, supervisory activity shows that many institutions are still at an early stage, and that further efforts are required to operationalise regulatory requirements both internally and in their interaction with critical third-party service providers.

Fraud still poses a significant risk in the financial sector. Although the total amount defrauded declined in 2025, the threat landscape remains serious. Effective combating of fraud requires strong preventive measures, the ability to detect and address fraud, as well as cooperation and information sharing across stakeholders.

The number of reported ICT incidents in 2025 was somewhat lower than the previous year, and no incidents had implications for financial stability. At the same time, the incident landscape indicates that errors related to breaches of data integrity, especially in connection with changes and manual processes, can have serious consequences. Incidents at global cloud providers represent a more prominent part of the risk landscape and illustrate the dependence on international infrastructure. 

Overall, the 2026 Risk and Vulnerability Analysis shows a risk landscape that requires institutions and their ICT service providers to further strengthen governance of ICT activities, enhance ICT security and intensify work on both preventive and recovery measures to address the evolving cyberthreat landscape. The analysis underscores the need for holistic and operational ICT risk management, stronger control of supply chains, more realistic preparedness testing, and further development of digital operational resilience in line with the DORA regulatory framework.

2 The threat landscape

2.1 The cyberthreat landscape

The cyberthreat level is considered to be high and constantly evolving. Organised criminal groups represent the most likely operational threat, while nation-state actors pose the most serious threat in terms of potential consequences. The rapid development of new technology creates new vulnerabilities and threats. New technology is used both in cyberattacks and in defensive systems.

The geopolitical situation is characterised by heightened international tension and conflicts. This further exacerbates the threat level and may lead to an increase in cyberattacks, in both scope and intensity. Changes in relations between the US and its allies contribute to a higher risk exposure for Norwegian financial institutions using US systems and tools, such as cloud services. Issues related to concentration risk and service provider dependency, compliance with the EU's General Data Protection Regulation (GDPR) and access to own data and ICT solutions are relevant risk factors. Any risk-mitigating measures, such as adjustments to architecture and/or the use of alternative solutions, may entail significant costs and increased complexity for the institutions.

The Norwegian Police Security Service (PST), the Norwegian Intelligence Service (NIS) and the Norwegian National Security Authority (NSM) all point to a continued significant threat from nation-state actors.

PST expects Norwegian businesses to be exposed to cyber operations in 2026, and highlights Russia, China, North Korea and Iran as key threat actors. They state that the purpose of the attacks may range from intelligence gathering and reconnaissance, influence, sabotage and disruptive activity to financial gain.

The Intelligence Service assesses that Russia will continue and may escalate the use of covert means as part of a prolonged confrontation with the West. Such means may include influence, sabotage and cyber operations, including through the use of proxies.

NSM emphasises that the security policy situation requires a further strengthening of systematic security efforts, including contingency planning for serious incidents and regular exercises and tests. It is therefore important that institutions base their contingency testing and recovery plans on worst-case scenarios.

Nordic Financial CERT (NFCERT) points out that the war in Ukraine, the conflict in the Middle East, rising tensions in the Taiwan Strait and heightened international trade policy frictions can affect both the level and direction of malicious nation-state cyber operations and event-driven hacktivism. This may contribute to making the threat landscape less predictable. NFCERT assesses that the cyber threat level facing the financial sector remains high but stable. They highlight organised criminal groups among the most likely threats, for example through ransomware attacks and other forms of cybercrime. At the same time, it is emphasised that nation-state actors will increasingly be able to employ criminal methods, tools and infrastructure, which adds to the complexity and makes it more challenging to detect and manage incidents and attribute them to the relevant threat actor.

Due to developments in the cyberthreat landscape, it is important to analyse how attacks are carried out. Threat actors increasingly combine multiple attack methods, exploit dependencies across value chains and carry out attacks with greater frequency, broader scope and a higher degree of simultaneity. This contributes to increasing the potential consequences of attacks that affect key functions in the financial sector.

2.2 Developments in artificial intelligence

The rapid developments in artificial intelligence (AI) bring many benefits but also entail new risks and vulnerabilities. AI has the potential to provide major efficiency gains for financial institutions, customers and society. At the same time, there are clear signs that developments in generative and autonomous AI, such as the much-discussed Claude Mythos from Anthropic, may entail a significant shift in the threat landscape related to the financial industry's use of ICT. Such technologies make it easier to identify and exploit technical vulnerabilities in software, with a markedly shorter interval between discovery and operational exploitation than before. This will place high demands on the institutions, which must have sufficient capacity to develop and implement a large number of corrections and security updates. There could be a heightened risk that established security and vulnerability management models, which are largely based on manual prioritisation and periodic updates, do not provide sufficient protection.

This development reinforces the need for measures that reduce institutions' exposure to technical vulnerabilities. Examples of measures may include segmenting networks, isolating critical components, implementing compensating controls, improving patching procedures and automating additional processes. At the same time, this leads to increased governance challenges related to residual risk, preparedness and operational resilience associated with the use of ICT services.

2.3 The threat to service providers and value chains

Complex supply chains and high concentration in the service provider market remain a key risk. Financial institutions are exposed to ICT risk through long and complex supply chains. Threat actors may target service providers that support critical services without the institutions themselves being the direct targets of the attack. Such indirect attacks can lead to disruptions affecting multiple financial institutions at the same time, make incident management more challenging and heighten the risk of adverse consequences. This underscores the importance of institutions allowing for incidents outside their direct control. Institutions' widespread use of shared technical solutions and a limited number of service providers create structural vulnerabilities and may increase the risk of sector-wide consequences in the event of incidents involving critical actors.

The institutions should be attentive to the potential consequences of service provider dependencies. Incidents at key service providers may have an impact across multiple institutions and, at worst, undermine confidence in the financial system. The institutions must continue to ensure a holistic approach to third-party risk management, maintain comprehensive oversight of critical dependencies and establish adequate preparedness for incidents occurring in the value chain.

2.4 Insiders and social engineering

Threat actors increasingly exploit digital identities and established relationships of trust between institutions, employees, customers and service providers, targeting people rather than technical systems. Through targeted social engineering such as phishing and impersonation of, for instance, executives, partners or public authorities, fraudsters attempt to exploit employees as a gateway to ICT systems. Such attacks may bypass established security measures and have serious consequences in the form of financial losses and weakened trust, even if there are no underlying technical vulnerabilities.

Finanstilsynet has not identified any circumstances that indicate a significant change in risk. The most likely threat is posed by self-motivated insiders with financial motives. This underscores the need for continuous awareness-raising, training and clear control mechanisms within the institutions.

2.5 Other risks and vulnerabilities

Operational technology (OT)

Systems and devices supporting building automation1), physical security, cooling, ventilation, backup power, sensors, alarms and other technical support functions in buildings and operational facilities are examples of operational technology. OT may affect the institution's risk profile and introduce new vulnerabilities. If such solutions interface with the institution's ICT environments, they become part of the institution's overall attack surface and may be affected both directly and indirectly, including through compromised remote access or the exploitation of known vulnerabilities in internet-facing edge devices.2) The vulnerability is exacerbated by the fact that OT components often have a long lifespan, may have limitations in patching and upgrading, and are more dependent on service providers and integrators for maintenance and changes.

Issues related to the institution's own buildings, operational facilities, physical security solutions and associated OT/ICT interfaces, as well as to the OT interfaces at ICT service providers and subcontractors, constitute key exposure points. Incidents can occur due to compromised or insufficiently secured access, misconfigurations, unauthorised changes or exploitation of known vulnerabilities in internet-facing components. Such conditions can affect critical support functions such as cooling and access. The threat landscape also includes some hacktivist groups and more specialised groups that have shown interest in exploiting OT as an attack vector.

OT incidents can lead to operational deviations, reduced availability and extended recovery time, which can have an impact on operational stability and service quality. Institutions must ensure clear ownership of OT-related matters, strict management of connectivity and remote access, life-cycle management of software, hardware and firmware, and oversight of how relevant service providers and subcontractors manage and remediate vulnerabilities.

Quantum technology

Developments in quantum technology represent both opportunities and a serious long-term risk for the financial industry. A key risk associated with the future exploitation of quantum technology is 'Harvest Now, Decrypt Later (HNDL)', where threat actors may collect encrypted information today for later decryption once quantum technology becomes available.

Finance Norway has, in collaboration with the industry, published a 'Roadmap for a quantum-safe financial industry'3), which describes a common, structured and risk-based starting point for how institutions, financial infrastructures and relevant service providers can prepare for the transition to quantum security. The roadmap highlights the need for early action, identification and visibility of cryptographic dependencies and the prioritisation of measures based on data protection horizons and criticality. The report also refers to international recommendations that critical data should be quantum-safe by 2030, and that all data should be quantum-safe by 2035.

This is in line with Finanstilsynet's call for institutions to already begin identifying relevant threats through a practical mapping of the use of vulnerable cryptography in systems, services, infrastructure and supply chains.

Shadow IT and shadow AI

The term 'Shadow IT' refers to the development, establishment and use of ICT solutions outside the institution's established ICT governance, architecture and internal control. The use of powerful AI-based development tools, automation of work processes and decision support (for example scripts, robots, workflows and agentic solutions) as well as tools that allow the user to create applications without having programming knowledge, increases the risk that such solutions are established quickly without the institution's ICT function being involved. This may result in inadequate oversight of systems and data flows, insufficient documentation and concealed system and data dependencies, with adverse effects on change management and operational control.

Shadow AI refers to the use of generative AI tools outside established governance frameworks, whereby the institution's data is processed in solutions capable of storing, reusing or autonomously acting based on that information. The recent development of AI solutions has highlighted the risks and vulnerabilities associated with shadow AI. Shadow AI can lead to a higher risk of data leakage, loss of intangible assets, lack of traceability and verifiability, as well as model and decision-making risk. Unclear contract terms can lead to loss of control over personal data and violations of the General Data Protection Regulation (GDPR). The use of agentic solutions may further increase the risk of actions being taken without sufficient human control.

Inadequate governance of shadow IT and shadow AI can lead to hidden system and data dependencies, weaken digital operational resilience and complicate effective incident management and recovery. A lack of documentation, ownership, and lifecycle management can make incident management and recovery difficult and have serious consequences for the institution's ability to maintain operational and business continuity.

To reduce this risk, the institution must make sure to maintain oversight of all ICT and AI solutions in use, including unauthorised solutions, and ensure that these are included in the institution's overall framework for ICT risk management in line with other ICT systems.

3. Emergency preparedness in the financial system

Effective emergency preparedness in the financial system increases the ability to prevent and manage serious incidents, thus mitigating the consequences for the financial system and its users. Robust contingency solutions and appropriate organisational structures are a prerequisite for this work and must involve all relevant actors.

Several serious incidents have shown that good cooperation between actors is important. Reporting of incidents to Norges Bank and Finanstilsynet within their respective areas of responsibility provides a basis for assessing the seriousness of the incident and the possible need for follow-up by the authorities.

In addition to the contingency measures undertaken by the industry and the authorities, the self-preparedness of consumers and institutions4) is important. 

3.1 Requirements for institutions' emergency preparedness

The individual institution's contingency solution constitutes the first line of defence against serious ICT incidents in the financial infrastructure. Institutions' work on ICT security and sound contingency plans and exercises are essential in ensuring a robust financial system. DORA sets extensive requirements concerning institutions' work on digital operational resilience in terms of both proactive measures to prevent incidents from occurring and reactive measures to mitigate the consequences if incidents do occur. The requirements are intended to contribute to high digital operational resilience among institutions and to ensure that the Norwegian financial infrastructure remains robust.

As an integral part of the ICT risk management framework, institutions should have a robust and comprehensive programme for testing digital operational resilience, enabling them to restore operations and ICT solutions after digital attacks and operational incidents. A key element of this work is the implementation of business impact analyses (BIA). Such analyses shall form the basis for contingency plans and the implementation of measures based on business criticality and priorities and aligned with the institution’s risk tolerance.

In their incident management and recovery plans, institutions must identify relevant scenarios, including those involving serious and long-term business disruptions. The scenarios should be based on threat information and experience from previous business disruptions. They should include cyberattacks, degradation in the provision of critical or important functions to an unacceptable level, data centre failures, terrorist attacks, failures in electronic communication infrastructure and large-scale power outages. As part of contingency planning, institutions should establish independent contingency solutions for handling worst-case scenarios in order to be able to maintain minimum functionality in a crisis situation. Finanstilsynet is aware that some institutions are in the process of establishing such solutions.

DORA further requires designated institutions of particular importance to the financial system to conduct advanced (threat-based) testing of the entity's ICT tools, systems and processes based on TLPT (threat-led penetration testing). Such security testing is used to assess whether institutions are able to resist, detect and handle serious cyberattacks against their most important digital services. The testing is conducted by simulating advanced attacks based on updated threat and intelligence information. DORA's provisions on TLPT are based on the TIBER framework,5) and Norges Bank and Finanstilsynet will continue their cooperation from TIBER-NO.

As part of the requirements for ICT risk management, institutions are also required to have contingency measures (exit plans) for situations where ICT service providers are unable to deliver agreed ICT services that support critical or important functions. As part of their exit plans, institutions should also have plans outlining alternative solutions. The plans should be reviewed regularly and tested.

3.2 Collaboration to enhance preparedness

In addition to the institutions' own measures, effective cooperation between stakeholders, both in preventive efforts and in incident response, is necessary to maintain adequate preparedness within the industry.

Collaboration and information sharing across the industry, for example through Nordic Financial CERT (NFCERT), help increase awareness of cyberthreats and improve institutions' digital operational resilience. Joint efforts to establish contingency solutions may in some cases be appropriate or necessary, for example in relation to shared services in the payment system or the use of shared ICT service providers.

Together with NFCERT, Finanstilsynet fills the role as sectoral response environment (SRE)6) to manage ICT security incidents in the financial sector. The framework for handling cyberattacks and cyber incidents7) was updated in 2025 and outlines how institutions, sectoral response environments (SREs) and the National Cyber ​​Security Centre (NCSC) should work together to respond to incidents.

To promote rapid communication and coordination across countries, European authorities have established the European Systemic Cyber ​​Incident Coordination Framework (EU-SCICF). Finanstilsynet has been designated as the national point of contact, and Norges Bank is an observer. The framework is also designed to promote a common understanding of cyber risk, trends, the evolving threat landscape and the conduct of training exercises. A working group for operational resilience in the Nordic and Baltic regions, Working Group Operational Resilience (WGOR), has also been established, in which both Norges Bank and Finanstilsynet participate. 

The Financial Infrastructure Crisis Preparedness Committee (BFI)8) will help ensure good coordination in the event of severe threats or incidents in the financial infrastructure. Key institutions and service providers in the financial infrastructure and various government bodies are represented on the committee, headed by Finanstilsynet. In the event of severe incidents in the industry, BFI has proven to be able to be operational at a few minutes' notice. BFI conducts an annual emergency preparedness exercise which in 2025 was an integral part of "Exercise Digital 2025".

Systemic ICT risk and financial stability

Norges Bank, Finanstilsynet and representatives from the financial industry have developed a framework for assessing systemic ICT risk. The framework was put into use in 2025 and is being further developed in 2026. The close interconnections between financial institutions, shared infrastructure and critical service providers implies that digital incidents may escalate rapidly. A disruption in one system or at one actor may spread to other institutions or services. Systemic ICT risk therefore arises not only from isolated incidents but also from simultaneous incidents and prolonged strain. For example, persistent operational problems, repeated security incidents or long-term pressure on critical systems and service providers may reduce the availability of critical financial services and amplify the overall consequences of digital incidents.

Work on preparedness in the payment system

In November 2023, the Ministry of Finance established the mandate for a working group to assess the preparedness of the entire digital payment system. The working group, which consisted of representatives from the Ministry of Finance, Norges Bank, Finanstilsynet and the industry, delivered three interim reports, the most recent in February 2025. In the latest report, the working group proposed 18 measures to make the payment system more resilient to severe scenarios.9) The report proposed that some of the measures should be followed up by the Ministry of Finance, some by Norges Bank, some by Finanstilsynet and some by the industry itself.

Two of the measures are intended to strengthen preparedness for scenarios where, for example, a bank loses access to its core systems and customer data. Further assessment is required to arrive at a specific recommended solution, and the Ministry of Finance has therefore established a project to examine solutions for independent bank contingency response,10) involving representatives from the Ministry of Finance, Norges Bank, Finanstilsynet and the industry.

Finanstilsynet has been given responsibility for two of the 18 measures, one of which concerns the need for alternative solutions for customer identification in a situation where BankID is unavailable.

Strong dependence on BankID

BankID is widely used for authentication, payments, digital signing, issuance and renewal of mobile banking credentials, biometrics and other security credentials, as well as card payment authorisation.


In November 2025, Finanstilsynet asked several banks to report on their preparedness related to BankID and possible alternatives to BankID that customers can use for logging in to online banking and mobile banking services and for authorising payments in a situation where BankID is unavailable.


The review of the banks' responses indicates that preparedness is generally adequate to handle short-term disruptions where BankID is unavailable, whether the incident originates at BankID centrally or within the individual bank's infrastructure. A BankID outage lasting several days would have significant consequences for services such as payments, customer authentication, signing and customer onboarding. Alternative solutions have been established, but they are largely dependent on BankID to be activated and have limited functionality.


Several banks also lack adequate alternatives to BankID for corporate customers. Payments that require dual authorisation, as well as the administration of users and access rights in corporate online banking, appear to be particularly vulnerable in the event of a BankID outage.


All banks refer to established contingency and business continuity plans, and exercises and tests are conducted regularly. The tests appear to primarily focus on short-term disruptions and to a lesser extent address prolonged or sector-wide scenarios.


In the event of a short-term outage, authentication and straightforward payments can largely be maintained, but will require increased manual work and strain on customer service. If there is a prolonged outage, new customer relationships, renewal of security credentials and digital signing will largely come to a halt. Payment flows will be reduced, especially for corporate customers, and there is a risk of systemic implications and weakened confidence in the payment system.


Finanstilsynet's assessment is that overall, the current level of preparedness is adequate for short-term outages, while robustness in the event of a prolonged BankID outage is insufficient. BankID appears to be a clear 'single point of failure', reinforced by concentration risk in shared infrastructure and service providers. Based on this analysis, Finanstilsynet will consider whether there is a need to impose additional requirements for banks' contingency solutions.

4. Finanstilsynet’s observations

4.1 Supervision of ICT and payment services in 2025

In 2025, Finanstilsynet conducted 17 inspections focusing on ICT and payment services at eight banks, two investment firms, one insurance undertaking, one investment firm, one mortgage credit institution, one electronic money institution, two real estate agencies and one debt collection agency.

The inspection reports are published on Finanstilsynet's website (in Norwegian only). Finanstilsynet would like to highlight the following topics:

Adaptations to DORA

The implementation of DORA was a central topic in 2025. Finanstilsynet’s supervisory activity indicates that institutions’ efforts to align their operations with DORA have progressed from a planning and mapping phase to implementation. The inspections show that the institutions have, to varying degrees, started to adapt their governance, procedures and control functions to the new and more detailed requirements set out in DORA. Most institutions have carried out gap analyses and established governance documents through dedicated projects, but experience from inspections shows that this work in many cases is conducted at an overarching level.

The inspections indicate that the transition from plans to practical implementation of the requirements is an ongoing process. In particular, challenges were observed in translating regulatory requirements into operational processes that function across the organisation. Finanstilsynet also pointed out that the institutions to varying degrees have assessed how the DORA requirements affect established roles, reporting lines and interactions with critical third-party service providers.

Finanstilsynet expects the institutions to continue their efforts to adapt their governance model, risk profile and organisation in accordance with DORA. The requirements must also be translated into processes for use within the institutions and in their interaction with critical third-party service providers.

Preparedness and continuity

Finanstilsynet has observed greater maturity in institutions' work on business impact analyses (BIA). Inspections in 2025 showed that this is something most institutions have in place, and that the analyses increasingly are of good quality and provide a better basis for identifying business-critical services, dependencies, and acceptable recovery times. Finanstilsynet also observes that institutions are making more extensive use of structured and documented work processes, and that the analyses are increasingly aligned with the actual risk landscape and business priorities.

Finanstilsynet sees a need for the analyses to be used more as a guiding tool for making priorities within preparedness and continuity. Requirements and tolerance limits defined in the impact analysis that are not sufficiently operationalised may lead to control procedures, tests and exercises not providing the necessary assurance that critical services can be maintained or restored within set timeframes.

In inspection reports, Finanstilsynet points out that contingency and continuity tests are not always based on realistic scenarios or documented recovery requirements. In several cases, it was also observed that findings and weaknesses identified through tests and exercises were not followed up systematically. Preparedness and continuity work must encompass both the institution's own ICT services and outsourced services, and critical and important service providers must be involved in relevant exercises and tests. This is a prerequisite for assessing whether overall emergency preparedness and recovery capabilities are sufficient.

Finanstilsynet expects the institutions to ensure that requirements established in its impact analysis are operationalised and actively used to govern preparedness and continuity efforts, including through testing, exercises and the follow-up of identified weaknesses, for both their own and outsourced ICT services.

ICT operations

Change and incident management

During several inspections, deficiencies were identified in the institutions' change management process. In many cases, Finanstilsynet pointed out that weaknesses in the testing and control of changes increase the risk of business disruptions and severe incidents. Inadequate or insufficiently defined change management procedures may lead to changes being implemented without adequate risk understanding or without the necessary controls being in place.

Finanstilsynet further observed that the institutions to varying degrees had clear frameworks for how changes should be categorised and handled. Unclear criteria for pre-approved changes may contribute to changes with higher risks than anticipated being implemented through simplified processes and without sufficient testing and control, which may increase the risk of business disruptions.

Effective change management requires comprehensive and documented processes that cover the entire change process, from assessment and testing to implementation and follow-up. Finanstilsynet has emphasised the importance of viewing change management in conjunction with other aspects of ICT operations, including incident management and vendor management, to ensure that the institution has a comprehensive view of how changes affect stability and risk over time.

Finanstilsynet expects the institutions to have established and documented change management processes that are adhered to and followed up through adequate testing, control and coherent follow-up across ICT operations.

Third-party ICT risk

Insufficient control of the supply chain

A high degree of outsourcing of ICT operations leads to increased dependence on service providers and their subcontractors and imposes clear requirements on the institution's governance of ICT services rendered by service providers. Inspections in 2025 revealed shortcomings in institutions' vendor management. Some of the shortcomings were related to institutions not taking sufficient ownership of services delivered by third parties and do not adequately define requirements or comply with established procedures. Several institutions had not sufficiently ensured that requirements for security, availability and continuity were also made applicable to subcontractors, and that the requirements were subject to systematic review.

Finanstilsynet has further observed that institutions, to varying degrees, use available documentation, such as independent audit reports and reporting by service providers, as a basis for their own assessments and control actions. Insufficient monitoring of service providers' controls may result in significant risks not being identified or addressed. Finanstilsynet emphasises that institutions have an independent responsibility for ensuring that the entire supply chain complies with requirements set out in regulations and governing documents.

Finanstilsynet expects the institutions to have established procedures for comprehensive monitoring of both service providers and subcontractors by setting clear requirements, conducting their own controls and ensuring that identified deviations are followed up with appropriate measures.

Decentralised follow-up of ICT service providers

At several inspections in 2025, Finanstilsynet pointed out that vendor management requirements were not properly embedded in the institutions' standards and procedures. Insufficient formalisation of requirements may lead to unclear expectations for service providers, inconsistent follow-up practices and a heightened risk of non-compliance with regulations.

At the same time, the inspections demonstrated that decentralised follow-up of ICT services may result in differing levels and quality of the follow-up of outsourced activities. When responsibility for vendor management is distributed across several units or roles in the organisation, the risk of inconsistency, varying quality and weaker total overview of third-party ICT risk increases.

Finanstilsynet emphasises that the contract owner must have sufficient competence and resources to ensure ongoing follow-up of vendor management. This includes the ability to assess service providers' reporting, follow up deviations and ensure that agreed requirements are complied with.

Finanstilsynet expects that vendor management requirements are clearly defined and integrated into the institutions' standards and procedures, that contract owners have the necessary competence and resources, and that decentralised follow-up is supported by a common framework and overarching control to ensure that vendor management is of consistent quality.

4.2 Institutions' assessment of critical aspects related to ICT operations

In discussions with Finanstilsynet, institutions and ICT service providers have highlighted several critical aspects related to ICT operations.

Governance and DORA

The DORA framework has had a significant impact on institutions and related environments and sets clear requirements for how ICT risk management should be embedded in corporate governance. Extensive updates of procedures, documentation and expertise have been required, as well as clearer roles and responsibilities relating to the governance of ICT operations. At the same time, the institutions' governance models have become more systematic, with better documentation and tools that strengthen the basis for decisions made by senior management and the board of directors, as well as the work performed by the auditors. In addition, ongoing innovation from technology providers places pressure on institutions and calls for mature risk assessment practices.

Skills and skills management

The institutions report that it has become easier to recruit ICT expertise. Access to security expertise has improved due to greater interest in the security field and more individuals completing relevant studies. This is partly driven by geopolitical conditions. The institutions report heightened awareness of the importance of adequate ICT expertise within the risk and compliance control functions.

Vendor management

Since many institutions in the financial sector largely use the same ICT service providers, questions arise as to whether they can streamline their follow-up by collaborating. Institutions rarely share experience from inspections, although some banks see the benefit of more systematic cooperation. The follow-up of subcontractors is described as challenging, and this is where many incidents occur. The institutions' register of information (RoI) is actively used as a basis for the governance of third-party relationships.

Geopolitical conditions

Several institutions believe that the use of foreign ICT service providers entails geopolitical risks for the Norwegian financial industry. The institutions assess that dependence on service providers subject to the laws of other states, government intervention and security policy priorities could weaken national control over critical functions, especially in the event of international conflicts, sanctions or changes in export and trade policy frameworks. The institutions emphasise that a lack of national control may affect the availability, data protection and continuity of financial services and increase the risk of data disclosure obligations or service interruptions that are not compatible with Norwegian regulatory requirements or societal interests. Furthermore, institutions have increased their focus on mitigating these risks by assessing exit options, including contractual exit rights, migration to alternative providers and access to data in standardised formats. It is a prerequisite that the institution has an overview of alternative service providers and sufficient internal expertise. Institutions point out that the ability to terminate or relocate services in a controlled manner is a key tool for maintaining operational resilience and flexibility in a more unpredictable geopolitical landscape.

Emergency preparedness and crisis management

Inspections often reveal a lack of comprehensive contingency exercises, as institutions focus primarily on failover scenarios. Exercises, such as simulated ransomware attacks, have provided valuable lessons. The institutions pointed out that large exercises carried out in 2025 provided much insight, but that they are resource-intensive and will not be conducted annually.

Incidents at global cloud providers, including several business disruptions in Microsoft Azure in 2025, underscore the need for rapid access to the right expertise from the provider, as local teams do not always have sufficient insight or scope of action.

Shadow IT

Shadow IT is mentioned as an emerging problem, especially related to data movement and the use of AI tools outside established control mechanisms.

4.3 Summary of the institutions' risk and vulnerability reporting

Finanstilsynet has collected risk and vulnerability assessments of ICT operations for 2025 from payment service providers and other institutions, in accordance with the Regulations on Payment Services Systems and the Financial Supervision Act. For further details, please see appendix 1.

Areas with the highest risk

The institutions were asked to state which conditions they perceive to constitute the highest risks. As in the reporting for 2024, most of the institutions point to fraud and cyberattacks. Many highlight the risk of fraud through social engineering, including the use of AI. There is also a risk of ransomware attacks, attacks through supply chains and attacks carried out by nation-state actors.

Risks related to the management of third-party ICT risk and the challenge of keeping track of long supply chains appear to be given greater attention in the institutions’ assessment for 2025 than for 2024. The institutions refer, among other things, to concentration risk among critical service providers and limited visibility and control in value chains and note that switching core banking providers or undertaking large-scale migrations may increase operational risk.

The institutions emphasise regulatory compliance as one of the largest risk areas. The introduction of DORA and the simultaneous introduction of other regulations, such as requirements related to anti-money laundering, are perceived as resource intensive. New processes must be established and followed up, which may heighten both administrative and operational risk.

Governance

A large majority of the institutions still estimate the overall risk associated with governance as low. The proportion that considers that their ICT systems provide a sound basis for managing and controlling operations has decreased somewhat, to around three-quarters, but still shows a stable trend. Close to nine in ten institutions state that they comply with the principle of the three lines of defence in the ICT domain, which is a slight increase from the previous year. However, about one in three assess the risk of inadequate follow-up and remediation of findings from reviews of ICT operations as moderate.

Within ICT security, more than eight in ten also consider the risk to be low when it comes to documented goals and security procedures, which is roughly on a level with the previous year. A corresponding proportion state that they use recognised standards for ICT security, and that they have guidelines ensuring that controls for ICT security risk are regularly reviewed.

Close to eight in ten respondents say that they generally have established processes for risk analysis, that employees are familiar with the processes, and that information included in risk assessments is collected on an ongoing basis. This is approximately at the same level as the previous year.

Just under nine in ten institutions report that ICT management reports the results of risk assessments to senior management on an annual basis. Furthermore, eight in ten report that they maintain oversight of business-critical ICT equipment and software. A large majority also assess that the processes for developing procedures and control mechanisms are well established, and that their ICT service agreements ensure adequate audit and access rights.

A clear majority consider that they possess strong legal, technical and professional procurement competence, which is on a par with the previous year. Ongoing monitoring of service providers is also assessed to be satisfactory by most, although a minority report that the risk is moderate. The institutions also indicate that they have somewhat less comprehensive overview of the controls carried out in the various lines of defence, and just over one-third assess the risk as moderate or high.

A large majority consider the risk associated with payment services to be moderate. This proportion has decreased somewhat compared with 2024. Seven in ten institutions state that they can quickly contact users if there is suspicion of errors or fraud.

Internal misconduct

Feedback suggests that the institutions remain vigilant about the risk of internal misconduct, but the risk is assessed as somewhat lower in 2025 than the previous year. While well over half of the institutions assessed the risk as moderate in 2024, a slight majority assessed the risk as low in this year's reporting. Logging and reporting still appear to represent somewhat higher risk, where the majority report moderate or high risk. At the same time, the responses indicate that key control measures, such as the segregation of duties (the 'four eyes principle') and monitoring of employees' personal account dealing, are well established, as around three-quarters of the institutions assess the risk as low.

ID theft

Several institutions state that identity theft remains a key risk area. This year's reporting provides a more varied picture than earlier. More than two-thirds assess the risk of an attacker taking over and misusing a user-ID as low, and only a few assess the risk as high. With respect to the risk of misuse of a customer-ID, the assessments are more mixed. Approximately one-third assess the risk as low, and one-fourth assess it as high. The latter represents a clear decrease from the previous year, when more than one third assessed the risk as high.

At the same time, it is evident that key control measures are well established in the industry. Well over three-quarters require strong customer authentication for online shopping, and a large majority assess the risk as low with respect to the delivery, use and deletion of customers' authentication credentials. Most institutions also report that they have established controls to prevent skimming and other card fraud.

ICT support for anti-money laundering and counter-terrorist financing

ICT support for anti-money laundering and counter-terrorist financing has previously been an area where institutions assessed the risk as significant. The positive trend continued in 2025, and the institutions now assess the risk as low or moderate. With respect to whether the ICT systems provide a comprehensive view of the customer and customer behaviour, a clear majority assess the risk as moderate, while the proportion considering the risk to be low increased from just under one in three for 2024 to more than four in ten for 2025.

The institutions state that they have improved the accuracy of disclosing suspicious activities. Almost four in ten assess the risk as low, and only a few consider it to be high. In comparison, one-third of the institutions assessed the risk as low for 2024. At the same time, three-quarters assess the risk of failing to recognise suspicious patterns as moderate or high, which is approximately the same level as in 2024.

Institutions' trust in sanction screening systems has continued to increase. Nearly half assess the risk as low that the screening system will fail to accurately identify listed individuals and entities, compared with just under four in ten in 2024. Only one institution considered the risk to be high in 2025.

Operations

More than half of the institutions generally assess operational risk as low. However, compared to the institutions' reporting for 2024, several institutions have reported high risk in response to several questions related to operations.

The risk of downtime is most frequently identified by institutions as elevated. Close to three in four institutions have responded that they assess the risk as moderate or high. With respect to measures to mitigate the identified risk, several institutions have stated that they have conducted or updated existing risk analyses and business impact analyses.

About half of the institutions consider the risk to be moderate or high that agreements with ICT service providers will not provide adequate support if the institution wishes to change provider or move to in-house solutions. A couple of institutions state that current agreements do not satisfactorily regulate such cases, emphasising that they have ongoing processes to review agreements to minimise risk. In this connection, several institutions point out that, based on DORA, they have initiated processes to meet regulatory requirements when entering into agreements and reviewing existing agreements.

Change management

Change management is an area where roughly half of the institutions consider the risk to be low. As in 2024, most institutions consider the risk associated with the complexity of ICT systems to be high. However, more than half of the institutions assess the risk as moderate or high. Institutions that assess the risk as stress that key systems are based on older or self-developed solutions, which can pose challenges with respect to knowledge and competence. In addition, some institutions point out that maintaining an oversight and control of interrelationships and system dependencies is challenging. Institutions that have assessed the risk as high have, among other things, initiated risk-mitigating measures by clarifying service and system responsibilities within the organisation.

Approximately three in four institutions consider the risk that new regulatory requirements will require changes to their systems as moderate or high. This is approximately the same level as in the reporting for 2024. The institutions that assess the risk as high refer to the implementation of DORA, which has resulted in increased reporting and consequently a need for updates of systems and procedures.

Security

More than half of the institutions assess security risk as low. Close to half of the institutions assess the risk associated with access to ICT security expertise as moderate, including the expertise needed to set requirements for service providers and monitor deliveries. The Institutions refer to the establishment of security requirements for service providers, the introduction of better security procedures and the strengthening of internal security competence among risk-mitigating measures.

Approximately two in five institutions assess the risk as moderate or high as regards whether they have a sufficiently comprehensive programme for testing digital resilience. This applies in particular to the requirement that systems and applications supporting critical or important functions are to be tested at least annually. Three institutions have responded that they assess the risk as high, one of which states that it does not have an overarching strategy or programme for testing across the organisation. They also state that the tests conducted are not centrally coordinated, and that not all tests are performed annually, although the institution has initiated a project to establish a holistic solution for testing.

Data protection

More than two in three companies assess the risk of compromising the integrity of data in their own systems as low, while approximately four in five institutions report that the risk associated with data protection is low.

As in the reporting for 2024, logging of accesses to data and systems is the area where most institutions report moderate or high risk. A lack of control in this area can lead to failure to follow up unauthorised access or attempted unauthorised access to data or systems. One institution assesses the risk as high owing to the lack of automatic notification of unauthorised access. However, the institution states that the matter will be handled through service providers.

Close to two in five institutions report moderate or high risk related to the protection of logs and may consequently seem to have challenges ensuring that logs cannot be altered or deleted, and that timestamps are correct and/or synchronised. Measures to reduce the risk include clearer guidelines for log protection and the establishment of a process for operationalising these.

One in four institutions assess the risk as moderate or high with regard to whether network security zones are adequately configured based on the classification of data and systems. This suggests that a significant proportion of the institutions see weaknesses in how their network is segmented and secured. One of the institutions reporting high risk explains that there is still a small residual risk that unauthorised individuals could be able move between different segments of the network. As a risk-mitigating measure, the institution is restricting user access.

5. Fraud

Payment service providers, i.e. banks, credit institutions, electronic money institutions and payment institutions, and branches of such institutions headquartered in other EEA states, report fraud statistics to Finanstilsynet every six months. The results and trends are presented in separate reports on Finanstilsynet's website. Key findings from 2025 are described below.

5.1 Fraud in 2025

After several years of strong growth, 2025 saw a marked decline in the total fraud amount11) compared with the previous year. The figures reported show that total losses due to fraud amounted to NOK 962 million in 2025, down approximately 22 per cent, see table 5.1. The decline was particularly evident in the first half of the year, while the level of fraud rose sharply again in the second half, mainly related to account transfers. Developments vary across institutions, with some reporting a significant decline in fraud losses, while others report an increase. Institutions also cite targeted attacks by fraudsters and the implementation of preventive measures as reasons for the variation.

The overall decline in fraud in 2025 applied to both card payment fraud and account transfer fraud. Card payment fraud amounted to NOK 340 million in 2025, a reduction of approximately 22 per cent. Fraud involving account transfers represented NOK 622 million, down approximately 21 per cent compared with 2024.

In percentage terms, trends were therefore relatively similar across fraud types, unlike in 2024, when the increase was driven primarily by card payment fraud. Measured as a proportion of total transaction value, the fraud amount represented 0.0018 per cent in 2025, down from 0.0020 per cent the previous year.

 Table 5.1 Total losses from fraud. Amounts in NOK million.

Period

Value of fraudulent transactions for account transfers (online banking, etc.)

Value of fraudulent transactions with payment cards reported by the card issuer

Total fraudulent transactions

Fraudulent transactions in per cent of total transaction value

2025

622

340

962

0.0018%

2024

790

437

1,227

0.0020%

2023

648

281

929

0.0014%

2022

395

219

614

0.0013%

 Source: Finanstilsynet

5.2 Measures to detect and prevent fraud

Market participants are continuously working on measures to detect and prevent fraud and intercept a significant proportion of fraud attempts. In 2024, fraud attempts in connection with account transfers and card payments for a total of NOK 2,964 million was prevented. In 2025, this figure rose to NOK 3,537 million, mainly as a result of a higher number of intercepted fraud attempts relating to card payments.

In addition to stopping fraud once transactions have been initiated, institutions also prevent fraudulent activity before transactions are executed. In addition, telecom providers have implemented measures to stop fraudulent activity via SMS and phone calls. Such preventive measures are not included in the reported figures, and the overall level of fraud that has been prevented is therefore higher than shown in the statistics.

5.3 Social engineering

Social engineering, whereby the fraudster manipulates the account holder into making a card payment or account transfer, remains the most common form of fraud. The figures reported to Finanstilsynet show that total losses due to fraud declined from NOK 667 million in 2024 to NOK 514 million in 2025, see figure 6.2.

With respect to card payment fraud, the fraud amount was down from NOK 94 million in 2024 to NOK 64 million in 2025, while there was a decline from NOK 573 million to NOK 449 million for account transfer fraud during the same period.

Table 5.2 Losses from social engineering fraud. Amounts in NOK million.

Social engineering, type of payment

2022

2023

2024

2025

Card payments

22

26

94

64

Account transfers

269

442

573

449

Total

290

468

667

514

Source: Finanstilsynet

In most cases, such fraud is based on the criminal manipulating the victim into carrying out actions they would not normally undertake, typically by appearing authoritative or trustworthy. The aim is to make the victim disclose information, authorise transactions or otherwise give the fraudster access or control.

Fraudsters are increasingly using artificial intelligence (AI) to enhance the efficiency and sophistication of their attacks. AI-based tools can automate parts of an attack, tailor content to different recipients and quickly change tactics if an attack is detected or stopped. Fake emails, messages or phone calls can appear legitimate and be difficult to identify. Advances in AI also mean that actors with limited technical expertise can carry out more sophisticated attacks than before.

Phishing remained the most widespread form of fraud in 2025. Telephone scams (vishing) also pose a major threat. These attacks rely heavily on social engineering, with fraudsters posing as legitimate entities in order to gain access to BankID details or to carry out payments. Phishing is particularly widespread in digital channels, where fraudsters use fake payment links, QR codes and registration in digital wallets. These methods are constantly being refined to improve accuracy and reduce the risk of detection.

The use of so-called money mules remains a key method for carrying out fraudulent transactions. A money mule is a person who allows their bank account or identity to be used to receive and transfer money derived from criminal activities, thereby contributing to covering the fraudsters’ tracks. There has been an increase in the misuse of accounts belonging to minors for this purpose, and newly established customer accounts are being used as money mules almost immediately after they are opened. In addition, previously inactive accounts are reactivated to facilitate fraudulent transactions.

5.4 Measures against financial crime

In 2025, the police launched a digital platform for reporting fraud.12) This solution lowers the threshold for reporting fraud and helps establish a more comprehensive and accurate data basis for the fight against financial crime. Fraud is a significant societal challenge, and extensive underreporting has previously made it difficult to assess its scope and trends. The digital solution contributes to an increase in reported cases and an improved picture of the situation, while enabling reports to be cross-referenced across police districts, thereby strengthening efforts to identify patterns, interconnections and perpetrators.

Throughout 2025, several projects within the regulatory sandboxes of the Norwegian Data Protection Authority and Finanstilsynet aimed to strengthen the fight against financial crime by exploring possibilities for data sharing within current regulations and assessing any needs for regulatory development. The sandbox projects have clarified the scope for information sharing between institutions under current regulations and have, in some cases, demonstrated that existing regulations could restrict effective information sharing.

On commission from the Ministry of Finance, Finanstilsynet has proposed amendments to the provisions of the Financial Institutions Act and the Financial Institutions Regulations concerning confidentiality and information sharing.13) In Finanstilsynet’s consultation document, it is proposed to simplify and broaden the scope for information sharing through amendments to the Financial Institutions Act and new regulatory provisions. Among other things, a new general statutory authority is proposed, allowing institutions to share confidential information where necessary to prevent or detect financial crime and other serious criminal activity. The consultation document is based, among other things, on the experience gained from the sandbox projects and is currently being considered by the Storting (Norwegian parliament).14)

The EU has introduced new requirements for instant credit transfers in euro15) intended to improve both the efficiency and security of payment systems. A key measure is the introduction of payee verification, where the name and IBAN must match before the transfer can be finalised. The measure is intended to reduce the risk of both incorrect credit transfers and fraud and is based on experience from existing schemes in Europe that have already yielded positive results, such as the Norwegian KAR Register.16) From 2027, the requirements will also apply to credit transfers outside the euro area.

Financial crime is increasingly characterised by professional and organised criminals who exploit digital solutions and operate across sectors and systems. This poses a challenge to both public authorities and private actors, as each often has only partial insight into the threat landscape. Stronger cooperation between the public and private sectors is therefore highlighted as a key prerequisite for more effective prevention and combating of financial crime.

A working group led by Økokrim (the Norwegian National Authority for Investigation
and Prosecution of Economic and Environmental Crime) has assessed the current arrangements for public-private partnerships and notes that, while existing forms of cooperation are beneficial, they do not fully meet the needs arising from a more complex and rapidly changing threat landscape. The working group highlights that insufficient and fragmented information sharing, legal frameworks and capacity constraints may limit the potential for early identification of criminal patterns and actors.

Building on existing cooperation, the establishment of the Cooperation Unit17) has been proposed as a pilot project under the leadership of Økokrim. The unit will collect and analyse relevant information and facilitate more structured information sharing between relevant public and private actors, aiming to ensure earlier prevention and more targeted measures against financial crime.

6. Incidents

Serious failures in ICT systems can have severe consequences for the financial infrastructure, accessibility to critical services and trust in the financial sector.

DORA, together with its associated level 2 legislation, came into force in Norway on 1 July 2025 and sets requirements for the classification and reporting of operational and security incidents. The new rules include thresholds for when an incident shall be reported.

Incident reporting should help Finanstilsynet quickly gain a correct understanding of the situation, including its scope and severity. In addition, the reporting plays a crucial role in ensuring an accurate and timely assessment of the risk level in the financial sector and in uncovering patterns and connections that may be challenging for individual institutions to detect.

The way institutions, including their service providers, handle incidents is critical to ensuring rapid recovery, appropriate measures for affected customers and effective preventive action.

6.1 Incidents in 2025

A total of 313 ICT incidents were reported in 2025, 14 of which were security incidents18) and 299 operational incidents. Figure 6.1 shows a slight decrease in reported incidents compared with the previous year. Of these, 198 were reported before and 115 after DORA came into force. The decrease in the second half of the year is believed to be partly attributable to the fact that certain incidents that institutions would previously have reported are no longer subject to reporting requirements under the DORA thresholds.

91 of the incidents reported after 1 July concerned Norwegian financial institutions reporting to Finanstilsynet. The remaining 24 were from branches of foreign institutions, where reports were forwarded from the home state authorities, via the European financial supervisory authorities, to Finanstilsynet.

Few incidents affected operational stability, especially in the second half of the year. At the same time, several / a higher number of incidents affecting data integrity were reported, for example incorrect account balances due to duplicated transactions. Although the errors in most cases were corrected quickly, Finanstilsynet takes a particularly serious view of incidents that affect data integrity.

Many of the reported incidents are due to inadequate change management, where the changes either contain errors, are insufficiently tested or have unforeseen effects when put into production. 

Figure 6.1 Number of reported ICT incidents

Source: Finanstilsynet
For more detailed information on the data used, see appendix 2. 

DORA allows third-party providers, on certain conditions, to report serious incidents on behalf of multiple institutions. All cooperating groups/alliances expressed a preference for the option to report on an aggregated basis. However, Finanstilsynet observes that banks in alliances/groups have increasingly reported incidents at a common supplier separately since DORA came into force, even when the incident had similar consequences for the banks in the group/alliance. This has raised the number of reports received without an increase in the number of underlying incidents.

6.2 Security incidents

The number of reported security incidents was reduced from 20 in 2024 to 14 in 2025.

Many institutions reported incidents where an external ICT provider had been compromised, and where leaked data from the attacks had been published on the dark web. Customer data or sensitive customer information was not leaked. However, the leaks included internal documents such as agreements, contact information for employees and internal policies, procedures and guidelines. Although customer data was not directly compromised in these attacks against service providers, the incidents resulted in a significant amount of work to map the consequences and implement measures to strengthen institutions' defences.

Five of the security incidents were Distributed Denial of Service (DDoS) attacks reported by various institutions at different times.

An investment firm reported that a fake website had been published in the firm's name.

6.3 Incidents in systems for detecting money laundering and terrorist financing

20 incidents were reported concerning deviations in institutions' electronic solutions for transaction monitoring to detect money laundering and terrorist financing. Most of these incidents were reported by multiple institutions due to the same error at a common service provider. The number of independent incidents were thus significantly lower. Inadequate transaction monitoring was reported for some of the transactions due to product or system changes, as well as deficiencies in sanctions screening as a result of system changes. The incidents in 2025 affected a limited number of transactions during specific periods of time. One incident was also reported related to the development of a new anti-money laundering system where it was revealed that the service provider was using subcontractors from countries that had not been approved by the institution.

6.4 Incidents at global cloud providers

Incidents at global cloud providers have become a more prominent part of the incident landscape for Norwegian financial institutions. There were a number of incidents related to Microsoft Azure in 2025. A network change in the Microsoft Azure environment led to reduced availability of payment services for several Norwegian banks. Furthermore, problems arose after a change in Microsoft's 'Azure Front Door service', affecting parts of the BankID service and access to many banks' websites. An OT19) incident in Microsoft Azure West caused problems with the cooling system in a data centre and affected the availability of some Norwegian payment services. Such incidents have affected banks, insurers and investment firms simultaneously and illustrate how incidents at a supplier can have severe consequences across the financial sector.

6.5 Incidents by type of institution

Figure 6.2 provides an overview of the number of incidents by type of institution and by operational incidents and security incidents. The incidents are described in further detail below.

Figure 6.2 Reported incidents in 2025 compared to 2024 by type of institution

 Source: Finanstilsynet

Banks

260 of the incidents in 2025 were reported by banks. Relatively few operational incidents affected the availability of payment services, and operational stability remained strong, particularly in the second half of the year. The decline in the second half of the year is partly due to the DORA thresholds for reporting incidents but also reflects a period of generally high operational stability.

The banks, however, reported several incidents that affected data integrity, including incorrect account balances due to duplicate transactions. The incidents that occurred affected different banks and varied in scope. Some of the incidents affected more than half a million transactions. A common feature of these incidents was that interruptions to automated processes were compensated for by manually initiated runs without due consideration to the built-in duplicate controls in the automated processes.

Operational incidents were also reported as a result of the banks' migration projects to new platforms with new service providers and technical mergers between banks. In several cases, incidents at global cloud providers led to reduced access to banking services. A serious incident at a central payment infrastructure provider affected services related to payment cards but had limited implications for Norwegian customers as BankAxept was not affected.

Security incidents reported by banks were DDoS attacks and a cyberattack targeting an ICT service provider.

Payment institutions

Seven incidents were reported by payment institutions, of which one security incident was related to a DDoS attack against a subcontractor that affected payment card transactions.

Finance companies

No incidents were reported by finance companies.

Securities sector

Significantly fewer incidents were reported by the securities sector in 2025 than in 2024, with 21 reported incidents compared with 47 the previous year. The decline was partly due to fewer reports from Verdipapirsentralen ASA (Euronext Securities Oslo), which reported only one incident in 2025. The incident was a severe operational incident that resulted in the third securities settlement being postponed from Friday to Monday morning. It was deemed severe because the secondary operating solution did not function as intended when the primary solution failed.

Regulated marketplaces reported three incidents related to incorrect opening hours, connectivity issues resulting in a backlog of trades and problems with reporting.

Other reports on operational incidents were dominated by problems with access to online trading in financial instruments, brief service disruptions related to services on the marketplaces and in the KAR Register20), as well as failure to record telephone calls. One investment firm reported that the extensive power outage in Spain (and Portugal) in April 2025 had caused problems with share trading.

One security incident was reported in the securities sector, where a firm reported a fake website in the firm's name.

Insurance undertakings

18 incidents were reported by insurers. Of these, three were security incidents, including one DDoS attack and two attacks related to the compromise of an ICT service provider that resulted in data leaks published on the dark web. Operational incidents included lack of access to telephone and online customer services, including issues with BankID, as well as duplicated and incorrect payments. Two insurers reported problems with BankID following an incident at a global cloud service provider.

Furthermore, both possible and actual confidentiality breaches were reported, where vulnerabilities allowed customers to access other customers' data. In all cases, only a limited amount of data was exposed.

Debt collection agencies

Debt collection agencies reported seven operational incidents that occurred after system or parameter changes, resulting in discrepancies in the case processing workflow. The discrepancies were related to errors in payment deadlines or invoiced amounts, or breaches of confidentiality, allowing customers to view other customers' data.

6.6 Analysis of incidents as a measure of availability

The reported incidents varied in severity. With respect to incidents resulting in reduced availability of payment services and customer services, Finanstilsynet has assessed and weighted their severity based on various factors. Emphasis has been placed on the timing of the incident, the duration of the disruption, the number of affected institutions and customers, and whether alternative services are available to meet customer needs. When considering alternative services, the availability of web-based services is assessed if mobile app services do not function. The fact that the alternatives may not offer the same range of services is also taken into account, for instance that mobile payment solutions often do not provide all the services available through web-based solutions. Taken together, the assessments form an index shown on the vertical axis in figure 6.3. The index is presented as a time series to track developments over time.

The analysis shows that the availability of payment services and customer solutions in 2025 was approximately on a level with the previous year and has been virtually unchanged since 2021. Overall, service availability was considered satisfactory in 2025. 

Figure 6.3 Incidents causing reduced availability for users. Weighted by estimated impact*

* The vertical axis scale is an index based on the weighting of each incident. A lower index value indicates a lower occurrence of operational disruptions with consequences for users. For more detailed information on the data used, see appendix 2. 

Source: Finanstilsynet 

Finanstilsynet’s general observation

Finanstilsynet's general observation is that online/mobile banking and payment services are the areas most prone to incidents. Furthermore, incidents affecting settlement/clearing or systems for detecting money laundering and terrorist financing occur less frequently but are of greater severity. Incidents tend to follow value chains rather than individual areas. This means that a technical error often impacts several business areas simultaneously.

7. Risk associated with vulnerabilities in institutions’ ICT operations

Figure 7.1 summarises Finanstilsynet's assessment of the most critical vulnerabilities in the financial sector. These vulnerabilities are classified based on the likelihood of a severe adverse incident occurring and the severity of the resulting consequences for each institution. The observations and assessments underlying this classification are detailed in table 7.1.

In this year's report, Finanstilsynet assesses that vulnerabilities related to institutions' or their service providers' defences against cyberattacks and fraud (referred to as cybercrime in previous reports) still represent one of the most significant risks associated with their use of ICT. As a result of improvements in institutions' defences against cyberattacks and fraud, the risk is assessed as somewhat reduced compared with the previous year. This development can be seen in the context of increased focus on security measures, better incident management and more targeted efforts to address known attack methods and fraud. Based on the current cyberthreat landscape, malicious actors may continue to exploit vulnerabilities, and the consequences of severe incidents may still be severe.

Vulnerabilities associated with governance models, internal control and vendor management are also regarded as significant risks, with the overall risk considered moderate. For these areas, this year's assessment shows a reduction in the level of risk. This can, among other things, be linked to more systematic monitoring of service providers, clearer requirements and better integration of governance and control mechanisms. At the same time, supervisory experience shows that a lack of competence, particularly in control functions, can still contribute to significant weaknesses in service providers' internal controls not being detected or adequately followed up.

At inspections, it has been revealed that the test scenarios on which the institutions have based their contingency testing are inadequate in relation to the requirements set out in DORA, which means that tests and exercises do not provide sufficient assurance that critical services can be maintained or restored within the institution's established timeframes. Against this background, the risk associated with institutions' preparedness and crisis management is assessed as somewhat higher than last year.

Due to the international security situation, including changes in the global operating environment and increased uncertainty related to certain supplier markets, supplier risk is assessed as high. This development reinforces the need for sound assessments of concentration risk and the dependence on individual service providers, as well as the ability to manage changing conditions over time.

With respect to change management, the risk is assessed to be approximately in line with 2024, remaining at a medium level. This reflects that many incidents have been linked to inadequate management of changes in ICT environments, and that inspections have revealed shortcomings in the planning, testing and follow-up of changes. The risk associated with ICT operations is assessed as approximately unchanged and still at a medium level.

With respect to skills and skills management, the risk is assessed as somewhat higher, although access to expertise in the security field in Norway has improved. The increase is primarily due to institutions' dependence on expertise from foreign ICT service providers.

This year's assessment shows that several areas have seen a positive development in risk, while efforts related to preparedness and crisis management, skills and skills management and supplier risk contribute to the overall ICT risk being assessed to be broadly unchanged from the previous year. 

Figure 7.1 Finanstilsynet's assessment of vulnerabilities and risks

Source: Finanstilsynet

Table 7.1 Vulnerabilities that could represent a risk of adverse incidents

Area 

  

Vulnerabilities that may represent a risk of adverse incidents (the degree of risk, probability and consequences are shown in figure 7.1) 

Trend 

Governance model and internal control 

  

An inadequate overview of which controls are included in the institution’s internal control environment and how the controls should be performed, monitored and audited may result in factors that represent an operational risk not being identified and risk-mitigating measures in line with the institution’s risk tolerance not being implemented. 

Decreasing

Skills and skills management 

A scarcity of resources in Norway within operations, architecture, security and new technology, as well as inadequate skills management, may lead to institutions being unable to meet current and future skill needs. Problems and errors that occur may be difficult to resolve. Dependence on foreign assistance may increase. 

Increasing

Vendor management 

  

Complex supply chains, with multiple service providers and subcontractors in the value chain, demanding cooperation models (strategic, administrative and operational) and a lack of expertise may result in weaker monitoring and control over critical and outsourced ICT services. 

Decreasing 

Defences against digital attacks and fraud.

Inadequate security testing, security updates, training and awareness among employees, and insufficient monitoring of activities in its own technical infrastructure, including networks and systems, may result in criminals inflicting damage on the institution through digital attacks. Fraud related to the use of financial services can also inflict losses on the institution.   

Decreasing

ICT operations 

  

Complex integration between systems from different service providers, integration between old and new systems, multiple integration points between systems, increased functionality in self-service channels and increased use of cloud services may result in challenges in maintaining stable and secure operations. 

Unchanged 

Emergency preparedness and crisis management 

Inadequate analyses of the consequences of a crisis, inadequate training and exercises in crisis management, inadequate test scenarios, shortcomings in disaster recovery solutions/backup solutions and inadequate backup solutions may result in challenges for institutions when it comes to maintaining critical ICT services in the event of severe disruptions at operating locations. 

Increasing 

Supplier risk

  

Given the geopolitical situation, service providers may, for various reasons, be prevented from maintaining deliveries of critical ICT services, especially from abroad, which may result in challenges in maintaining stable and secure operations. 

Increasing

Change management 

  

Development at a fast pace, where quality is sacrificed at the expense of time, may result in functional errors in applications and systems, and in security holes not being identified. Inadequate control of changes to configurations within operations may result in interruptions to critical business processes and the institution being exposed to cyberattacks. 

Unchanged 

 

 

Notes:

1) Building automation includes governance, regulation and monitoring systems for technical installations in buildings and data centres, such as ventilation, heating, cooling, access control and operational monitoring.
2) An edge device is a network or system component at the outer edge of an IT environment, often internet-facing, that connects external networks with internal IT and OT environments.
3) Finance Norway's roadmap for a quantum-safe financial industry (pdf) (in Norwegian only)
4) Advice on self-preparedness, Norwegian Directorate for Civil Protection (DSB) – Self-preparedness advice
5) See information page at Norges Bank
6) Finanstilsynet, along with Nordic Financial Cert (NFCERT), has been designated by the Ministry of Finance as sectoral response environment (SRE) and sectoral response environment under the Cyber Security Act.
7) National framework for handling cyberattacks and cyber incidents
8) See topic page on BFI
9) Working group proposes measures to strengthen emergency preparedness in the payment system (in Norwegian only)
10) Independent bank contingency response project (in Norwegian only)
11) For an explanation of the term 'fraud amount', see 'About the report' in 'Fraud statistics for the first half of 2025' (in Norwegian only)
12) Økokrim’s news article on a digital solution for reporting fraud (in Norwegian only)
13) Finanstilsynet’s consultation document (in Norwegian only)
14) Prop. 39 L (2025–2026), Consideration by the Storting (in Norwegian only)
15) Regulation (EU) 2024/886 as regards instant credit transfers in euro (IPR)
16) About the KAR Register (in Norwegian only)
17) Report on public-private partnerships for the prevention and detection of financial crime
18) Security incidents are defined as intentional events, i.e., events where the purpose is to harm/attack. Operational incidents are defined as unintentional events caused by errors or deficiencies.
19) See chapter 7.2
20) See footnote 17.

Appendix and report

  • Appendix 1: Institutions' reporting on risk and vunerability (pdf)

To the top of the page expand_less
To the top of the page expand_less