Norweigan Government Announces Proposal to Implement DORA and TFR II in Norwegian Law

On March 7, 2025, the Norwegian government published Prop. 54 LS (2024–2025), a legislative proposal to incorporate EU’s Digital Operational Resilience Act (DORA) into Norwegian law. This proposal transposes the DORA Directive (EU) 22/2556 and Regulation (EU) 22/2554 into Norwegian law by directly incorporating them into a new act—referred to as the DORA Act—in accordance with Norway’s obligations under the EEA Agreement. 

Additionally, the legislative proposal amends the Anti-Money Laundering Act to implement Regulation (EU) 2023/1113, also known as the Transfer of Funds Regulation (TFR II).  TFR II broadens the scope of existing obligations pertaining to money transfers by also including crypto-asset service providers.

DORA

The Norwegian financial sector has for many years been subject to regulations and supervision intended to maintain a high level of ICT security, regardless of whether the financial institutions manage their own ICT systems or rely on external providers. Notably, the 2003 ICT Regulations impose comprehensive requirements for risk management, incident handling, and the use of ICT providers. 

DORA aims to harmonize ICT security requirements for financial institutions across Europe. While current Norwegian regulations and supervisory practices already adhere to many of the same principles, implementing DORA in Norwegian law will nonetheless raise the bar for companies in Norway’s financial sector. DORA is designed to bolster the digital operational resilience of the financial industry by imposing strict obligations on both financial institutions and their ICT service providers, ensuring robust ICT risk management and enhancing the ability to withstand, respond to, and recover from cyber incidents. Compared to the existing Norwegian ICT Regulations, DORA introduces more detailed and comprehensive provisions that will significantly affect Norwegian financial institutions and their IT suppliers. The framework will be supplemented by technical standards issued by the EU Commission. 

The legislative proposal stresses that companies subject to DORA should prepare for a substantial transition effort, including thorough reviews of their systems, contractual agreements, and documentation, as well as extensive employee training. 

The proposal is expected to be reviewed by Parliament during the spring session, with the new act likely coming into effect on July 1, 2025. 

TFR II

In May 2023, Regulation (EU) 2023/1113, known as TFR II, of the European Parliament and of the Council, was adopted to update the information requirements for money and crypto-asset transfers and to amend Directive (EU) 2015/849 (the Fourth Anti-Money Laundering Directive). TFR II was incorporated into the EEA Agreement on February 20, 2025, by decision of the EEA Committee. 

TFR II replaces TFR I (Regulation (EU) 2015/847), which governs banks’ and payment service providers’ obligations—an arrangement already implemented in Norway in the Anti-Money Laundering Regulations (regulations to the Anti-Money Laundering Act). 

TFR II broadens the scope of existing obligations under TFR I by also including crypto-asset service providers, reflecting revised FATF recommendations from 2019 that address the money laundering and terrorist financing risks associated with virtual currencies and their service providers.  

TFR II sets out requirements for service providers to collect, verify, store, and transfer information about the senders and recipients of both money transfers and crypto-asset transfers. These requirements already apply to traditional money transfers under TFR I, but as mentioned above, TFR II broadens the scope to cover service providers handling crypto assets as well. In addition, TFR II introduces reporting obligations for crypto-asset service providers, meaning they are subject to anti-money laundering requirements in the same way as traditional payment service providers. 

In Prop. 54 LS (2024–2025), the Norwegian government proposes amending the Norwegian Anti-Money Laundering Act to directly incorporate TFR II by reference. This step will introduce more extensive reporting obligations for both payment and crypto-asset service providers.  

Additionally, the legislative proposal includes amendments to the Anti-Money Laundering Act that expand the range of crypto-asset service providers subject to reporting requirements. Currently, only those providing exchange and wallet services must comply with these reporting obligations. 

TFR II is a key element of the EU's broader effort to regulate the crypto-asset market. Along with Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), it establishes a new, pan-European regulatory framework for crypto-assets. Historically, this market has seen only limited oversight, but the introduction of TFR II and MiCA will subject it to financial regulatory standards similar to those applied to traditional markets for financial instruments, payment methods, and money transfers.

The proposal is expected to be reviewed by Parliament during the spring session, with the amendments likely coming into effect on July 1, 2025.  

For more detailed insights or tailored advice on how Prop. 54 LS (2024–2025) might impact your operations, please contact us. We are here to help you navigate the evolving landscape of ICT and digital asset regulation.