Fintech & digital payments rules in Norway (2026)

The act incorporating EU Regulation 2022/2554 (Digital Operational Resilience Act) took effect 1 July 2025, replacing Finanstilsynet's existing ICT regulation for all supervised financial entities including payment institutions and e-money institutions. It mandates ICT risk-management frameworks, incident reporting, resilience testing, and oversight of third-party ICT providers, with fines up to NOK 50 million for breaches.

The Ministry of Finance tabled the bill 'Lov om kryptoeiendeler (kryptoeiendelsloven)' to incorporate EU Markets in Crypto-Assets Regulation (MiCA) into Norwegian law via an EEA incorporation clause. Entry into force was anticipated from 1 July 2025 with a 12-month transitional period for the approximately 13 virtual-asset service providers already registered with Finanstilsynet.

Parliament passed the Cybersecurity Act on 23 December 2023 implementing EU NIS Directive obligations on operators of essential digital services, including payment infrastructure. It imposed mandatory security measures and incident-notification duties for fintech and payment firms, complementing PSD2's existing security requirements.

A wholly rewritten Financial Contracts Act took effect, fully implementing PSD2's private-law provisions and extending strong consumer-protection rules to all digital payment services. It tightened liability rules for unauthorised transactions, capped consumer liability, and brought investment services within scope, replacing the 1988 Act.

Following a 2019 government green light, Finanstilsynet opened its regulatory sandbox with a February 2020 application deadline, allowing fintech firms to test innovative payment and financial products under supervisory guidance before full licensing. The sandbox provided a structured route to identify required licences and compliance obligations for novel digital-payment business models.

A modernised Central Bank Act took effect 1 January 2020, reinforcing Norges Bank's statutory mandate for licensing and oversight of interbank payment systems and financial market infrastructure. It clarified the division of supervisory responsibilities between Norges Bank and Finanstilsynet for systemic payment systems.

From 14 September 2019, Norwegian banks were required to provide standardised API interfaces to licensed third-party payment service providers, and strong customer authentication became mandatory for online transactions. This operationalised open banking in Norway, enabling authorised fintech payment-initiation and account-information services to access bank accounts on customers' behalf.

Amendments to the Financial Institutions Act and Payment Systems Act (Prop. 110 L 2017–2018) and the new Regulation on Payment Services Systems (forskrift 15 Feb 2019 no. 152) created two new Finanstilsynet licence categories: payment initiation service providers (PISP) and account information service providers (AISP), transforming Norway's payment-services licensing regime.

Norway's new Anti-Money Laundering Act (implementing EU's 4th and 5th AML Directives) took effect 15 October 2018, requiring all virtual-currency exchange and custodial-wallet providers to register with Finanstilsynet and conduct customer due diligence. This was Norway's first formal AML regulatory requirement specifically targeting crypto-asset businesses.

Act of 10 April 2015 no. 17 created a single, modern licensing and prudential framework for all financial entities — banks, payment institutions, and e-money institutions — supervised by Finanstilsynet. It became the primary vehicle for transposing subsequent EU directives (PSD2, EMD2) and established the capital and governance requirements for fintech licence categories.

Act No. 48 of 19 June 2009 (in force 21 December 2009) transposed EU Payment Services Directive 2007/64/EC, introducing for the first time a dedicated Finanstilsynet payment institution licence allowing non-bank entities to provide payment services. This broke the bank monopoly on payment services and laid the licensing groundwork that PSD2 later built upon.

Act of 17 December 1999 no. 95 established Norges Bank's authority to license and oversee interbank payment systems and financial market infrastructure, setting Norway's foundational legal framework for systemic payment oversight. It remains the primary statute governing systemically important payment systems and the legal basis for Norges Bank's ongoing oversight role.