Norway: A Corporate Compliance & Investigations Overview
Norway’s corporate compliance and investigations market has been impacted by recent geopolitical changes, a growing volume of new regulation and increasingly visible enforcement. These factors are reshaping what companies must do, what is expected of them, how fast they must respond, and the consequences of getting it wrong. For businesses operating in Norway, whether largely domestic or internationally exposed, compliance has transitioned from a function largely delegated to lower-level roles to one that warrants active board management.
Economic and Political Context
Norway’s open, export-oriented economy makes its business community sensitive to geopolitical developments. The ongoing conflict in Ukraine and the resulting expansion of EU sanctions, which Norway has progressively implemented into domestic law, have had a profound effect on Norwegian companies, particularly those involved in international trade, shipping and energy. For companies in northern Norway in particular, geographical proximity and longstanding commercial ties to Russia have translated into direct legal exposure as new restrictions have been introduced at pace.
The annual threat assessments published in early 2026 by the Norwegian Police Security Service (PST), the Norwegian National Security Authority (NSM) and the Norwegian Intelligence Service (Etterretningstjenesten) reinforce a picture of elevated risk: hybrid threats targeting critical infrastructure, attempts to circumvent export controls through third-country intermediaries, and increased intelligence activity against Norwegian business interests. These assessments are increasingly treated not as background reading, but as direct inputs to corporate risk management and crisis planning.
Activity Levels and Key Trends
Across the practice area, several themes are generating the highest volume and most complex advisory work.
Sanctions and export controls have become “always-on” compliance obligations. The pace of new EU sanctions packages, and Norway’s domestic implementation of them, has led to a marked increase in internal reviews and investigations, often triggered by bank queries, transaction due diligence or auditor concerns. Norway’s export control authority (DEKSA) is clear that all actors bear an independent duty to ensure their own compliance. The defence sector’s rapid growth has also brought export controls, including Norway’s “catch-all” controls, into focus for a broader range of companies.
Financial crime and anti-money laundering (AML) remain central enforcement themes. The Norwegian Financial Supervisory Authority’s (Finanstilsynet) supervisory inspections continue to identify weaknesses in how institutions apply risk-based approaches, conduct customer due diligence and monitor transactions. For corporates, AML and beneficial ownership deficiencies increasingly surface not just as regulatory risks but as commercial friction: failed onboarding, delayed transactions and rejected counterparties. The duty to file suspicious transaction reports with the Financial Intelligence Unit of the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim) is a statutory baseline, but the operational challenge is building the processes that detect the relevant activity in the first place.
Internal investigations or reviews are becoming more frequent and more demanding, commonly triggered by whistle-blowing reports, suspected financial crime, regulatory enquiries or audit findings. The Norwegian Bar Association (Den Norske Advokatforening) revised its guidelines for private investigations in 2023 (updated in December 2024), reflecting the growing use and increasing maturity of such investigations.
Sustainability reporting and supply-chain due diligence are now generating sustained compliance workload in Norway. Corporate Sustainability Reporting Directive (CSRD)-based sustainability reporting entered into force on 1 November 2024 and is being rolled out in phases, with the Financial Supervisory Authority conducting control of sustainability reporting for issuers listed on a regulated market. At the same time, the regulatory perimeter is evolving: the Financial Supervisory Authority notes EU-adopted changes to CSRD threshold values in December 2025 and signals that Norwegian legislative follow-up may affect which companies remain in scope from the 2026 reporting year. Further, the Consumer Authority’s supervision of companies’ compliance with the Transparency Act has moved from guidance to supervisory controls and the use of economic sanctions for repeated non-compliance, with an increased emphasis on more specific reporting and the substance of the underlying due diligence work.
Cybersecurity incidents often require co-ordinated, multi-track responses spanning IT/security, legal, compliance, HR and external communications.
New and Upcoming Legislation with Direct Client Impact
Several regulatory changes introduced since mid-2025 are having a direct compliance impact on Norwegian businesses.
Norway’s Digital Operational Resilience Act (DORA), in force from 1 July 2025, introduces structured requirements for how financial entities manage digital and ICT risk, including how they handle and report major incidents, and how they contract with and oversee technology providers. The timelines for incident reporting are tight, and compliance requires operational readiness, not just policy documentation.
The Digital Security Act entered into force on 1 October 2025 and implements the NIS Directive in Norwegian law, setting baseline security and incident-handling requirements for providers of essential services and certain digital services.
Security Act ownership-control rules continue to be a key deal-execution consideration for acquisitions involving Security Act-covered businesses. Implementing regulations to operationalise the 2023 ownership-control reforms have been consulted and remain under consideration, and parties should monitor for entry into force as this may affect notification mechanics, information-sharing constraints and potential administrative sanctions.
Challenges and How to Overcome Them
A recurring challenge for Norwegian businesses is regulatory fragmentation. CSRD, the Transparency Act, AML/KYC obligations, sanctions compliance, DORA, the Digital Security Act and beneficial ownership requirements often rely on the same underlying corporate “compliance infrastructure” – supplier and customer data, ownership information, contracts, and governance documentation. Treating these workstreams as separate projects tends to create duplication and control gaps. A more sustainable approach is to build an overarching compliance framework/structure with cross-functional co-ordination, but with separate risk profiles and targeted (and where necessary also separate) management of different compliance areas.
The pace of change, particularly regarding sanctions and cybersecurity requirements, challenges traditional annual review models. Norway has continued to implement new Russia-related sanctions packages in 2025–2026, and regulated entities also face incident-handling and notification expectations under the Digital Security Act framework. Many organisations may therefore need to strengthen their periodic compliance reviews with more frequent monitoring of regulatory developments.
Finally, investigation readiness varies significantly. In whistle-blowing matters, Norwegian employers are required to have internal whistle-blowing routines (including procedures for the employer’s handling of reports). Companies that have established and tested clear internal protocols for how to respond when a whistle-blower report, data breach or regulatory enquiry arrives are consistently better placed than those that must improvise under pressure. This includes knowing in advance who takes charge, how relevant documents and data are preserved, and when external legal counsel is engaged.



