Norway Warns Financial Institutions Face More Complex Risks Despite Stable Operations

Norway Warns Financial Institutions Face More Complex Risks Despite Stable Operations

By
Key Takeaways
  • Cyber Threats Continue to Intensify: Finanstilsynet says Norway's financial sector continues to face a high cyber threat level driven by organized criminal groups, nation-state actors, geopolitical tensions, and the rapid evolution of artificial intelligence.
  • Third-Party Dependencies Are Emerging as a Critical Risk: The regulator identifies outsourcing, complex ICT supply chains, and concentration among service providers as some of the sector's most significant vulnerabilities, warning that disruptions at a single provider can affect multiple institutions simultaneously.
  • DORA Implementation Has Progressed but Remains Incomplete: While financial institutions have made significant progress implementing the Digital Operational Resilience Act (DORA), supervisory inspections found many are still working to translate regulatory requirements into effective operational practices.
  • Artificial Intelligence Creates Both Opportunity and New Security Challenges: Finanstilsynet says generative and autonomous AI can improve efficiency but also accelerate the discovery and exploitation of software vulnerabilities while introducing governance risks through unauthorized AI adoption.
  • Operational Stability Remained Strong Despite Persistent Risks: Norwegian financial institutions reported slightly fewer ICT incidents in 2025 than the previous year, with no reported incidents affecting financial stability, although the regulator says institutions must continue strengthening resilience as the threat landscape evolves.
Deep Dive

Norway's financial sector entered 2026 from a position most regulators would envy. Payment services remained stable throughout the previous year, operational disruptions stayed broadly in line with recent experience, and none of the ICT incidents reported in 2025 threatened financial stability. That stability, however, is not what concerns the Norwegian Financial Supervisory Authority.

In its 2026 Risk and Vulnerability Analysis, published Wednesday, Finanstilsynet concludes that the financial sector is operating against a threat landscape that is becoming more difficult to control, not because institutions have become weaker, but because the risks surrounding them have become more interconnected. Organized cybercriminals, nation-state actors, geopolitical tensions, artificial intelligence, and growing dependence on shared technology providers are converging to create vulnerabilities that increasingly extend beyond the boundaries of any single institution.

The report repeatedly returns to the same conclusion. Digital operational resilience is no longer determined solely by an institution's own cybersecurity controls. It depends just as much on the resilience of the cloud platforms, software providers, telecommunications infrastructure, payment systems, and other third parties that now underpin much of the financial sector.

That evolution has elevated supply-chain risk into one of the regulator's principal concerns. Finanstilsynet warns that extensive outsourcing, increasingly complex value chains, and concentration among a relatively small number of ICT service providers mean a single operational failure or cyber incident can affect numerous financial institutions simultaneously. Those dependencies have become even more consequential as geopolitical uncertainty raises new questions about access to international technology providers, data governance, regulatory compliance, and concentration risk. Regardless of how extensively services are outsourced, the regulator stresses that responsibility for protecting critical systems and services remains with the financial institution itself.

Artificial Intelligence Is Changing the Pace of Cyber Risk

Artificial intelligence features throughout the report less as a technological innovation than as a force accelerating existing security challenges. Finanstilsynet acknowledges that generative and autonomous AI can improve efficiency and support innovation across the financial sector. At the same time, it warns that the technology is making it faster and easier to identify and exploit technical vulnerabilities, reducing the time between the discovery of software weaknesses and their potential exploitation.

The regulator also identifies a more subtle governance challenge arising from AI adoption itself. The growing use of unauthorized AI applications and technology solutions outside established governance frameworks, described in the report as "shadow AI" and "shadow IT", an create hidden data dependencies, increase the risk of information leakage, weaken operational oversight, and complicate incident response. As organizations deploy increasingly powerful AI-enabled tools, Finanstilsynet argues that maintaining visibility over where those systems are used has become an essential element of ICT risk management.

The same emphasis on operational discipline appears in the regulator's assessment of the EU's Digital Operational Resilience Act (DORA), which came into force in Norway in July 2025. According to Finanstilsynet, most institutions have moved beyond initial planning by completing gap analyses and updating governance documentation. Supervisory work, however, suggests many organizations are still in the early stages of translating those requirements into day-to-day operational practices, particularly when coordinating resilience efforts with critical third-party providers.

Inspections carried out during 2025 also found that contingency planning and resilience testing do not always reflect realistic disruption scenarios or clearly defined recovery objectives. In several cases, weaknesses identified during testing were not followed up systematically, and critical outsourced service providers were not consistently incorporated into preparedness exercises despite their importance to operational continuity.

The regulator reported similar findings in its review of vendor management practices. While institutions have made progress in strengthening oversight of outsourced ICT services, inspections identified continuing weaknesses in monitoring subcontractors, applying governance requirements consistently across organizations, and independently validating service-provider controls. Finanstilsynet reiterates that institutions retain full responsibility for ensuring their supply chains comply with regulatory requirements regardless of how technology services are delivered.

Beyond technology, the report reflects the growing influence of geopolitics on operational resilience. Institutions told Finanstilsynet they increasingly view dependence on foreign ICT providers as a potential source of risk should international conflicts, sanctions, export controls, or government intervention disrupt critical services. Many are placing greater emphasis on exit strategies, migration planning, and maintaining alternatives that would allow essential operations to continue if those dependencies become untenable.

Fraud remained another major area of focus, although reported losses declined during 2025. Financial institutions reported fraud totaling NOK 962 million, approximately 22% lower than the previous year. Even so, Finanstilsynet cautions that the threat continues to evolve as criminals increasingly use AI to improve phishing campaigns, telephone scams, and other forms of social engineering, reinforcing the need for strong preventive controls and closer cooperation across the financial sector.

The sector reported 313 ICT incidents during 2025, including 14 security incidents and 299 operational incidents. While the overall number declined slightly from the previous year and no incident affected financial stability, Finanstilsynet notes that data-integrity failures, including duplicate transactions that produced incorrect account balances, remain an important operational concern. Many of those incidents were linked to weaknesses in change management rather than malicious cyber activity.

The report also highlights several incidents involving Microsoft Azure that disrupted payment services, BankID authentication, and access to banking websites, illustrating how outages at global cloud providers can simultaneously affect multiple institutions across the financial system.

Finanstilsynet concludes that the financial sector's overall ICT risk profile has changed little from the previous year. Improvements in governance, internal controls, and cyber defenses have been offset by increasing concerns over supplier concentration, geopolitical uncertainty, preparedness, and dependence on specialized expertise. The regulator's assessment is that maintaining resilience will require stronger ICT governance, more realistic preparedness testing, closer oversight of supply chains, and continued implementation of DORA as the cyber threat landscape continues to evolve.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong