Asset Management | Compliance – ICT/DORA: Finanstilsynet publishes 2026 Risk and Vulnerability Report

Finanstilsynet published its annual ICT Risk and Vulnerability Report (ROS 2026) on 4 May 2026. The report concludes that Norway’s financial infrastructure is robust — but that the digital threat level is high and continuously developing. For Norwegian asset managers subject to DORA, the report is more than background reading: it directly reflects what Finanstilsynet observed during 17 supervisory inspections in 2025 and signals where its inspectors will be focusing in the year ahead. It also has direct relevance for asset managers under Norway’s ICT Regulations and under their general governance obligations.

Why this matters — and for whom

All asset managers, investment firms and other financial entities covered by the Norwegian ICT Regulations (“IKT-forskriften”) — including sub-threshold AIFMs — are subject to the operational continuity and security requirements of § 3. Finanstilsynet’s findings about contingency planning, change management and vendor oversight are equally relevant to these entities.

Authorised AIFMs and UCITS management companies are subject to the Norwegian Act on Digital Operational Resilience of 2025 (the “DORA Act”), which implements DORA in Norway. For these firms, ROS 2026 is a direct supervisory signal.

Even where a firm falls outside both DORA and the ICT Regulations, Finanstilsynet’s supervisory observations about governance models, third-party risk and the use of AI tools reflect general expectations for all regulated entities. Firms should consider ROS 2026 as part of their broader annual risk assessment process.

The headline findings

Norway’s financial sector held up well operationally in 2025 — operational stability was satisfactory and no ICT incident threatened financial stability. The good news ends there, however: the digital threat level is assessed as high and continuously evolving. Organised criminal groups, state-sponsored actors (Russia, China, North Korea and Iran are singled out), and the rapid proliferation of generative and autonomous AI are all contributing factors. Geopolitical tensions — the war in Ukraine, the conflicts in the Middle East, friction in the Taiwan Strait, shifts in US trade policy — are explicitly identified as amplifiers of ICT risk for Norwegian firms that rely on international, particularly US-based, technology providers.

DORA – ICT risk management framework

Finanstilsynet’s inspections identified recurring deficiencies in ICT risk management frameworks that map directly onto the requirements of DORA Articles 5–16. Three areas stand out:

  • Shadow AI. The use of generative AI tools outside established governance frameworks — processing firm data in solutions that may store or act on that information autonomously — creates data leakage, GDPR and model-risk exposures. Finanstilsynet explicitly flags this as an emerging problem. Firms should review whether their DORA policies cover AI tool usage and should maintain an inventory of all AI tools in use, including unauthorised ones.
  • Business impact analysis and crisis scenarios. Contingency tests are too often based on unrealistic scenarios (primarily short, isolated failures). Finanstilsynet expects scenario planning to include prolonged outages – including multi-day BankID unavailability, simultaneous cloud provider disruptions and sector-wide events. BankID is identified as a clear “single point of failure”; while primarily a banking issue, it illustrates the need for asset managers to reflect shared infrastructure concentration risk in their own BIAs.
  • Change management gaps. Change management processes were frequently found to be deficient – changes implemented without sufficient testing or risk assessment, unclear criteria for pre-approved changes, and inadequate follow-up on identified weaknesses. DORA Article 9 requires a comprehensive ICT risk management framework; firms should ensure their change management controls are genuinely operative, not just documented.

DORA – ICT third-party risk management

Supervisory inspections in 2025 found that firms were not taking sufficient ownership of their vendor chains. The findings are directly relevant to the obligations under DORA Articles 28–44:

  • Inadequate sub-contractor oversight. Several firms had not imposed adequate security, availability and continuity requirements on sub-contractors, and had not subjected those requirements to systematic controls. Firms should ensure that obligations flow down the entire chain — not just to the primary vendor.
  • Failure to use available documentation. Finanstilsynet observed that firms were not making sufficient use of audit certificates and vendor reporting as the basis for their own assessments and controls.
  • Geopolitical vendor risk. Dependence on foreign ICT vendors — particularly those subject to other jurisdictions’ laws and export controls — is now an explicit risk factor. DORA Article 28 requires firms to assess substitutability and maintain exit plans; Finanstilsynet expects those plans to be realistic and regularly tested. Firms should also consider the risk of data disclosure orders or service interruptions driven by non-Norwegian regulatory demands.
  • Concentration risk. Where multiple firms use the same critical providers, an incident at one vendor can cascade across the sector simultaneously. Firms should be able to demonstrate in their Information Register and third-party risk assessments that they have considered — and mitigated — concentration exposure.

ICT Regulations – operational continuity

Section 3 of the Norwegian ICT Regulations requires firms to maintain robust operational continuity and recovery capabilities. ROS 2026 reinforces this with pointed observations: contingency tests are too often based on unrealistic scenarios, identified weaknesses are not systematically remedied, and critical suppliers are insufficiently involved in exercises and tests. Finanstilsynet expects firms to conduct contingency testing that genuinely stress-tests their ability to recover within defined timeframes.

The report also notes that several incidents in 2025 — including multiple disruptions to Microsoft Azure affecting Norwegian payment services and the BankID platform — underline the importance of having clear escalation paths and the right competence available when cloud providers experience problems. Local teams cannot always resolve these incidents independently; firms should verify that their escalation arrangements with critical providers are adequate and tested.

BAHR comments

The ROS 2026 is not a theoretical document — it reflects what Finanstilsynet actually observed during supervisory inspections in 2025, and it signals where inspectors will be focusing in the year ahead. Three things stand out for asset managers:

First, the bar for third-party oversight has risen materially. Documenting your vendor relationships in the Information Register is necessary but not sufficient — Finanstilsynet expects active, competent and consistent follow-up all the way down the sub-contractor chain. Contract owners must have the competence to evaluate vendor reporting and follow up on deviations.

Second, the AI risk narrative has arrived in earnest. Firms that have not yet addressed shadow AI usage — whether through updated policies, approved tools lists or data classification frameworks — are exposed both under DORA and GDPR. Given Finanstilsynet’s explicit focus on this area, a gap here is likely to attract attention during inspections.

Third, contingency planning needs to graduate from theory to practice. If your firm’s crisis scenarios do not include prolonged outages, simultaneous cloud provider disruptions or multi-day recovery timelines, the testing programme needs revisiting before Finanstilsynet comes knocking. Critical suppliers must be involved in exercises, not just consulted after the fact.

The full report is available here. For further background on DORA implementation for Norwegian asset managers, please refer to our previous newsletters here.
