Norges Bank Financial Infrastructure Report 2026: What Nordic PSPs Must Track

Last updated: June 2026

Read the Norges Bank Financial Infrastructure Report 2026 as a status update and you will miss the part that lands on your desk. It reads reassuring on day one and demanding on day two: Norges Bank says the Norwegian payment system runs well, with stable operations and few disruptions, then spends most of its pages on why that record is harder to keep, and on the preparedness work it now expects from banks, payment service providers and points of sale.

For a reporting or operations team in Norway, or a Nordic group settling kroner through Norwegian rails, this is not advisory wallpaper. Published on 10 June 2026 alongside Retail Payment Services 2025, it is the public output of Norges Bank’s oversight role and sets the supervisory tone for the year. The themes that matter this round are concentration risk, mandatory threat-led penetration testing, a slipping instant-payments timeline, and self-preparedness when a rail fails.

Related reading: our SEPA instant payments regulation guide for how the euro-area instant settlement rules compare with the Norwegian model.

What the Norges Bank Financial Infrastructure Report 2026 is, and why it carries weight

The report is one of Norges Bank’s recurring financial-stability publications, the one in which the Bank assesses vulnerabilities and risks in the financial infrastructure. The legal anchor is the Central Bank Act, which tasks Norges Bank with promoting a stable financial system and an efficient and secure payment system. The Payment Systems Act adds a sharper role: licensing and supervising the interbank systems for clearing, settlement and fund transfers, exercised through reporting requirements and supervisory meetings, against the international CPMI-IOSCO principles for financial market infrastructures.

This is where teams outside Norway misread it. It is an oversight report, not a direct prudential supervision file and not a binding circular: the Bank issues no per-firm capital or reporting demands through it. What it does is signal which fault lines it treats as material, and that signal feeds straight into continuity planning, vendor due diligence and the next supervisory dialogue.

Two verdicts: efficient today, exposed tomorrow

The report splits in two. The first finding is that the infrastructure is efficient, with stable operations and few disruptions, and the numbers back it. Norges Bank’s settlement system, NBO, turned over an average of around NOK 359 billion a day in 2025. The Norwegian Interbank Clearing System, NICS, handled roughly 9.6 million transactions a day. Norges Bank’s survey data show that mobile payments at points of sale increased from 30 percent in March 2025 to 37 percent in March 2026, and NBO migrated to the ISO 20022 messaging standard during 2025.

The second verdict is the one to act on. Norway faces an escalating threat environment that raises the risk of serious incidents, shaped by geopolitical tension and fast-moving technology, including artificial intelligence.

Concentration risk is the real headline for reporting teams

The sharpest operational message is about concentration. The report warns that several critical functions depend on a small number of providers of cloud services, system software and core systems, and that many firms run the same security software and providers, so a single weakness can spread across the market at once.

For continuity reviews, the practical test is whether one provider quietly sits behind several payment rails that look independent on the organisation chart. Bits AS, the banks’ infrastructure body, contracted Mastercard Payment Services Infrastructure to run NICS, so one technical operator now sits behind the shared clearing system most Norwegian retail payments pass through before settling in NBO. The trap is treating outsourcing registers as a tick-box: a register that lists three suppliers but resolves to one cloud region or one core-banking vendor is reporting diversification that does not exist.

DORA, TIBER-NO and threat-led penetration testing

The report ties resilience to the digital operational resilience rules. Norway has implemented the EU Digital Operational Resilience Act, Regulation (EU) 2022/2554, through the EEA framework in the DORA Act and DORA Regulation, both in force from 1 July 2025. With those rules in force, the report states that threat-led penetration testing (TLPT) is mandatory for designated entities, with Finanstilsynet designating entities on quantitative or qualitative criteria and Norges Bank providing input. In Norway this runs through the TIBER-NO framework, with Finanstilsynet and Norges Bank coordinating, and the report points to those entities being prioritised in spring 2026.

Teams get two things wrong. First, threat-led penetration testing is not a routine vulnerability scan or annual pen test: DORA defines TLPT as a controlled, bespoke, intelligence-led red-team test of critical live production systems, and Norges Bank’s 2026 report frames the initial Norwegian population as the 15 to 20 largest financial-sector entities with critical-infrastructure responsibility. Second, the EU text does not drop into Norway untouched: Norway sits in the EEA, so the operative instrument is the Norwegian implementing act, delivered through TIBER-NO rather than directly through an EU mechanism. Our guide to DORA threat-led penetration testing covers the scoping and tester-independence rules the Norwegian framework mirrors, and our DORA ICT incident reporting guide covers the reporting duty alongside it.

Instant payments, NBO INST and the TIPS timeline

The instant-payments story is where the report turns candid. NBO INST is Norges Bank’s planned service for instant payments in NOK, using the Eurosystem’s TIPS solution as the settlement platform. The report says adapting that platform to settle Norwegian kroner is more extensive than previously assumed, and that the progress plan is being revised.

For a PSP, the read is plain. A revised timeline does not mean instant payments stall; it means the settlement leg is on a moving date, so contingency and reconciliation should not assume 24/7/365 finality before the operator confirms it. Our explainer on the ECB T2 extended-hours roadmap sets out the Eurosystem settlement dependencies underneath.

Self-preparedness: what the report expects at the point of sale

One full theme is what the report calls self-preparedness for payments: both payers and payees should be able to fall back on several different forms of payment if one fails. For points of sale, it sets out concrete contingency measures, including more than one card solution, QR-code payment requests and cash reserves for change.

Cash carries the fallback role. The report finds cash still matters for contingency and for people who cannot or prefer not to pay digitally, while warning that current cash provision has weaknesses, partly because some in-store cash services drop out when the BankAxept backup solution is activated. The common error is to read this as a consumer note. For firms that support acquiring, terminal services or point-of-sale operations, it is a continuity signal: Norges Bank recommends that points of sale consider offline payments, backup cash register systems, alternative communication lines, emergency power and rehearsed contingency plans.

The forward agenda: quantum, stablecoins and a possible wholesale CBDC

The report closes with three watch items. It asks firms to move to post-quantum cryptography before a cryptographically relevant quantum computer arrives, calling that transition planned and gradual but far from done. It finds stablecoins still lack features of a general-purpose means of payment and play a negligible role in Norwegian payments today. And it records that Norges Bank judged at the end of 2025 that a CBDC was not warranted for now, while flagging a wholesale CBDC need if asset tokenisation becomes prevalent. Our coverage of ECB Project Agora tracks how a wholesale tokenised model is being tested in the euro area.

Frequently Asked Questions

Is the Financial Infrastructure Report 2026 binding on Norwegian banks and PSPs?

No. It is Norges Bank’s oversight report, not a binding circular or per-firm decision. It signals which vulnerabilities the Bank treats as material; binding obligations come from the underlying laws, such as the Payment Systems Act and the national digital operational resilience act.

Which systems does Norges Bank actually oversee or operate?

Norges Bank operates NBO, its settlement system where interbank payments reach finality, and oversees clearing and settlement systems including NICS under the Payment Systems Act. NICS itself is technically operated by Mastercard Payment Services Infrastructure under contract to Bits AS.

Does DORA apply in Norway, and who has to run threat-led penetration tests?

Norway is an EEA state, so the EU Digital Operational Resilience Act enters Norwegian law through the DORA Act and DORA Regulation, both in force from 1 July 2025. The report says threat-led penetration testing is mandatory for designated entities, run through TIBER-NO and coordinated by Finanstilsynet and Norges Bank, with Finanstilsynet designating the organisations initially subject to the requirement in spring 2026 and Norges Bank prioritising the 15 to 20 largest financial-sector entities with responsibility for critical infrastructure.

When will NBO INST instant payments go live?

The report gives no firm date. NBO INST is being built on the Eurosystem TIPS platform, and adapting it to settle Norwegian kroner is more demanding than assumed, so the progress plan is being revised. Do not commit product timelines to a confirmed instant-settlement go-live date.

Does the report signal a Norwegian CBDC or a ban on stablecoins?

Neither. Norges Bank judged at the end of 2025 that a CBDC was not warranted for now, while keeping open a wholesale CBDC if asset tokenisation becomes prevalent. It finds stablecoins still lack features of a general-purpose means of payment and play a negligible role today.

Key Takeaways

  • The Financial Infrastructure Report 2026, published 10 June 2026, is Norges Bank’s oversight output under the Central Bank Act and the Payment Systems Act, not a binding circular.
  • The infrastructure is efficient today: NBO turned over around NOK 359 billion a day in 2025, NICS handled roughly 9.6 million daily transactions, and mobile carries 37 percent of point-of-sale payments.
  • The central warning is concentration risk: critical functions depend on a small number of cloud, software and core-system providers, and many firms run the same security software.
  • Threat-led penetration testing is mandatory for designated entities through TIBER-NO under the Norwegian DORA Act and DORA Regulation, with Finanstilsynet designating the first organisations in spring 2026 and Norges Bank prioritising the 15 to 20 largest financial-sector entities with critical-infrastructure responsibility.
  • NBO INST instant payments on the Eurosystem TIPS platform face a revised timeline, and self-preparedness, including offline fallbacks and cash, is a continuity expectation at the point of sale.

Sources and References

  • Norges Bank, “An efficient and secure payment system in more turbulent times” (press release, 10 June 2026): https://www.norges-bank.no/en/news-events/news/Press-releases/2026/2026-06-10-fi/
  • Norges Bank, Financial Infrastructure Report 2026 (landing page): https://www.norges-bank.no/en/news-events/publications/Financial-Infrastructure-Report/financial-infrastructure-2026/
  • Norges Bank, Financial Infrastructure Report 2026 (web report): https://www.norges-bank.no/en/news-events/publications/Financial-Infrastructure-Report/financial-infrastructure-2026/web-report-financial-infrastructure-2026/
  • Norges Bank, Oversight of payment systems: https://www.norges-bank.no/en/topics/financial-stability/Oversight/oversight-payment-systems/
  • Norges Bank, Retail Payment Services 2025: https://www.norges-bank.no/en/news-events/publications/retail-payment-services/retail-payment-services-2025/
  • Norges Bank, Reports on financial stability (report series and Central Bank Act mandate): https://www.norges-bank.no/en/topics/financial-stability/reports-financial-stability/
  • Finanstilsynet, DORA implementation in Norway (DORA Act and DORA Regulation, in force 1 July 2025): https://www.finanstilsynet.no/tema/dora/
  • Regulation (EU) 2022/2554 (Digital Operational Resilience Act, DORA), EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554

Reading the 2026 report as a worklist

The work in this report is in the second half. Map the shared dependencies behind your payment rails before the oversight authority does. Confirm whether you sit among the designated entities for threat-led penetration testing and scope TIBER-NO accordingly. Hold your instant-payments roadmap loosely while the NBO INST timeline is reopened, and treat offline fallback and cash as continuity measures the report now recommends.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.
