Appendix 1: The institutions’ assessment of vulnerability
Last published: 12 September 2025
Appendix to the Risk and Vulnerability Analysis (ROS) Report 2025.
Payment service providers' assessment of operational risk and security risk is summarised below, based on their annual reporting to Finanstilsynet, along with other institutions’ assessments of risks and vulnerabilities associated with ICT operations.1)
The summary is divided into nine topics and includes assessments from 170 institutions:
- Governance and control
- Integrity
- Change management
- Operations
- Security
- Data protection
- ID theft
- Internal irregularities
- Money laundering
The institutions are asked to assess their situation/maturity relating to each of the risks described in the form and indicate whether they assess the risk to be very high, high, moderate or low. If the risk is assessed to be high, the institution is asked to state the reason for this. The institutions are also asked to assess whether the risk is considered to be increasing, decreasing or stable, and to provide a brief description of the measures implemented during the past year, and an assessment of whether the measures are deemed sufficient. In addition, the institutions are asked to specify which factors entail the highest risk. A further description of how to complete the questionnaire can be found below the tables.
The tables summarise the results of the survey. The institutions’ responses are indicated by colour codes. Green expresses low vulnerability, yellow medium vulnerability, brown high vulnerability and red very high vulnerability. No colour indicates that the institution did not reply.
The trend, i.e. whether the vulnerabilities are considered to be increasing, stable or decreasing, is expressed in the far-right column of the tables and represents the average of the institutions’ assessments. A horizontal arrow (where the interval is -0.2 to +0.2) indicates a stable trend. Arrows that point up indicate that vulnerability is considered to be increasing (the interval +0.2 to +1), and arrows that point down indicate that vulnerability is considered to be decreasing (the interval -0.2 to -1). For each question, an arithmetic mean of the institutions' responses is calculated.
Note:
1) See section 2, third subsection of the Regulations on Payment Services Systems. Finanstilsynet has also asked a selection of other institutions to give an assessment of risks and vulnerabilities associated with ICT operations. The deadline for reporting was 14 February 2025.