For corporations involved in international business, in the past 12 months crisis management practices and trends have focused on four main topics in particular:

• sanctions and export controls in light of the still-evolving geopolitical risks;
• human rights risks in the supply chain;
• cyber-related incidents and cybercrime; and
• security risks and export controls.

Sanctions and Export Controls in Light of the New Geopolitical Risks

Since the invasion of Ukraine in 2022, there has been a dramatic escalation of sanctions, which has impacted businesses worldwide. This has also affected the business community in Norway, both those engaged in international business in general and in particular those operating in northern Norway, due to the geographical proximity to and trade with Russia. In this respect, the authors note that Norway has also implemented particular carve-outs from the EU sanctions in order to allow some continued trade with Russia within the fisheries and aquaculture sectors, including exemptions allowing for Russian fishing vessels to dock at certain Norwegian ports in northern Norway.

In light of the rapid developments of new rules and regulations, as well as the focus from the authorities, there has been an escalation in matters relating to investigations and potential enforcement of sanctions and export control matters within the jurisdiction. This trend is further reinforced by the annual threat assessments published by Norway’s security and intelligence services (the Police Security Service (PST), the National Security Authority(NSM), and the Intelligence Service), which over the past year have consistently highlighted an elevated risk of hybrid activity, including cyber-operations and potential sabotage targeting critical infrastructure, as well as continued attempts to circumvent sanctions and export controls through concealed procurement networks and third-country intermediaries. Businesses are increasingly expected to treat these threat assessments as operational inputs to their crisis management and compliance frameworks, rather than background reading.

Continued Focus on Human Rights Risks in Supply Chains

A focus on human rights risks continues to be seen, particularly in international supply chains following the Transparency Act of 2021, which poses both legal and reputational risks to Norwegian businesses. Under the Norwegian Transparency Act, operators are required to conduct comprehensive due diligence in their supply chains to identify, assess and address human rights risks. Following such measures, businesses have in fact discovered risks requiring mitigation. Both the media and non-governmental organisations have put questions to businesses, which, under the Norwegian Transparency Act, they are required to answer, addressing potential adverse impacts on human rights.

Cyber-Related Incidents and Cybercrime

The aforementioned increase in international tensions due to the geopolitical environment has led to a heightened focus on national security and geopolitical risks among Norwegian businesses, making the Security Act, export regulations and sanctions assessments key focus areas in M&A transactions, cross-border agreements and investments. Norwegian businesses are also acknowledging the increasing risks of cyber-attacks and intelligence activities by foreign states and companies, as well as by organised criminal groups or private individuals. In light of these risks, both the government and companies are increasingly focusing on the importance of a robust digital infrastructure and on crisis management plans in case of cyber-attacks. According to the White Paper on Total Preparedness, “The National Cyber Security Centre under NSM plays a key role in assisting public and private organisations in their preventive security work and ensuring contact between the various environments. The capacity of NSM has been strengthened to meet the ever-increasing need for advice and guidance, in line with the more serious threat and risk picture in accordance with NSM’s expanded mandate.”

The Act on Digital Security entered into force in 2025 (implementing the EU NIS 1 Directive), introducing concrete requirements for risk assessments, security measures and incident reporting for businesses providing critical functions. This Act has required companies to implement technical and organisational measures and establish incident response capabilities.

Security Risks and Export Controls

In a geopolitical landscape where the defence sector is rapidly expanding, there are more and more operators that need to consider export controls. Norwegian export controls also consist of “catch all” controls where a licence may be required if an item is exported to an area where there is war or where war is imminent. As there has been an increase in wars and conflicts during the past year, this has resulted in more challenging cases relating to export controls. Further, for operators within the defence sector there are also increased security risks and hybrid threats.

Lastly, in January 2025, the Norwegian government presented a White Paper on Total Preparedness (Meld. St. 9 (2024-2025)), emphasising increased co-ordination, exercises and capacity building across the entire crisis spectrum, from natural events to hybrid threats, crisis and war. A key element is the establishment of a new cross-sectoral structure for preparedness planning, with formalised involvement of the private sector and voluntary organisations in preparedness councils and vulnerability assessments.

Recognising that much of Norway’s critical infrastructure is privately owned, this development requires closer integration between public authorities and businesses in crisis management. For companies, particularly those operating critical infrastructure, this has meant more active participation in joint exercises, systematic information sharing with authorities, and involvement in national preparedness planning. The increased focus on hybrid threats, including cyber-operations, disinformation and unwanted foreign economic influence, has made situational awareness and cross-sectoral co-ordination key priorities.

The key practice trends and shifts mentioned in 1.1 Market Comparison have meant that all sectors are in fact exposed to risk, except for businesses solely working locally in Norway, where there is still minimal exposure (though such businesses may still be vulnerable to cybercrime).

With respect to the four main factors and trends highlighted in 1.1 Market Comparison, the most exposed sectors are:

• the maritime sector (including insurers, service providers and vessel owners), due to the massive escalation in sanctions and geopolitical risks;
• businesses handling or owning critical information or digital infrastructure, due to geopolitical and hybrid threats as well as related security and cyber-risks ‒ these businesses are also particularly affected by the new Act on Digital Security and increased expectations for participation in national preparedness structures; and
• businesses with international complex supply chains (including the energy sector), due to the related human rights, compliance and sanctions risks.

Some Norwegian legislation primarily addresses the need to identify risks and vulnerabilities and to prepare for crises accordingly (eg, the Health Emergency Preparedness Act), while other legislation primarily regulates the situation after a crisis has occurred (eg, the Police Act). Certain laws are directed at public authorities (eg, the Civil Protection Act). Further, there is a distinction between laws that are quite general in scope of application (eg, the Police Act) and laws with a sectoral approach (eg, acts within the health sector).

Internal investigations (eg, due to a crisis) are not regulated by special procedural law in Norway. However corporate investigations are governed by various Norwegian laws and regulations, eg:

• the Working Environment Act;
• the Companies Act;
• the Penal Code;
• the Liability Act;
• the Accounting Act; and
• data protection laws.

Also, the Norwegian Bar Association has issued a set of indicative guidelines (the Bar Association Guidelines for Private Investigations, updated in 2023) applicable to lawyers’ work that relates to external independent private investigations.

There are also numerous laws restricting public authorities’ competence if a crisis has occurred, including the Police Act of 1995 and the Constitution of 1814. 

General Regulations Protecting Society and Critical Infrastructure in Times of War and Crises

The Civil Protection Act of 2010 aims to protect society, critical infrastructure and the environment in cases of war, natural disasters and other incidents with adverse impacts on Norway, its citizens and assets. It outlines the role of the government, municipalities and civil society in preparing for and mitigating the consequences of such risks should they occur. The Act on Business and Industry Preparedness of 2011 seeks to alleviate supply chain-related consequences of crises, in particular in times of war, by regulating the collaboration between public authorities and business operators.

Sector-Specific Acts Regulating Crisis Management

Numerous sector-specific acts regulate crisis management, such as the Health Emergency Preparedness Act of 2000 and the Communicable Diseases Control Act of 1994 relating to health crises. The oil emergency system is largely regulated by the Regulation relating to Petroleum Product Storing for Emergency Purposes of 2006, which gives the authorities wide-ranging powers to manage oil supply crises. Nuclear and radiological emergency preparedness is governed by the Act on Radiation Protection of 2000 and its regulations, while environmental emergency responses in the event of acute pollution is regulated by the Pollution Control Act of 1981.

Protection of National Security Interests

The Security Act of 2018 gives Norwegian authorities power to address national security risks by preventing the transfer of critical assets and infrastructure to state and non-state actors that may pose a security risk. Amendments made in 2023 increased the government’s power to address such risks, including by extending the scope of the foreign direct investment (FDI) notification regime. Alongside existing sanctions and export controls, the Security Act provides an important tool for controlling foreign ownership in Norway.

The way in which the aforementioned laws are enforced during crises depends on the crisis in question. Some laws have been enforced quite extensively and have given rise to lawsuits against the government – for instance, the Diseases Control Act during the COVID-19 pandemic. Others are applied on a more regular basis, with less controversial outcomes.

Health-Related Amendments Following COVID-19

Following the COVID-19 pandemic, several amendments were made to laws on crisis management in the case of health crises, including extended powers for the Norwegian government to isolate infected persons (new Section 4-3 a of the Communicable Diseases Control Act).

Increased Number of Private Investigations Leading to Amendments in Guidelines

The Bar Association Guidelines for Private Investigations were also recently amended, prompted by (inter alia) an increased number of private investigations in both the public and private sectors.

Increased Focus on Financial Crimes

The Norwegian Ministry of Justice and Public Security is strengthening the government’s response to financial crime and related crises, through (among others) extending the government’s powers of confiscation.

Increased Government Control of Foreign Investments

A new regulation under the Security Act’s provisions on ownership control was issued in 2025. The regulation gives Norwegian authorities greater control over investments and M&A deals involving businesses vital to national security, including increased restrictions for information sharing prior to a transaction being approved.

Implementation of New Requirements to Safeguard Critical Digital Infrastructure

A law on digital security came into force in 2025. The law implements the EU NIS 1 Directive and stipulates an obligation for companies providing critical functions (such as energy, transportation, health and financial services) to, among others:

• perform risk assessments;
• have adequate security measures in place; and
• report security breaches.

The government is working on further legislative amendments to increase control over critical digital infrastructure; following the expert committee’s report dated 28 February 2025, legal updates are expected, strengthening the government’s ability to control the influence of foreign countries on such infrastructure.

The expected impacts of these amendments on crisis management remain to be seen. Several amendments are aimed generally at increasing the public authorities’ powers if a crisis occurs, while others are aimed more at preserving and strengthening the rights of private companies and individuals (eg, the revised Bar Association Guidelines for Private Investigations).

There has been no significant litigation funding or class action activity affecting crisis-related disputes in Norway.

The Overall Responsibility for Crisis Management

The overall responsibility for co-ordinating crisis management and preparedness actions lies with the Ministry of Justice and Public Security, as well as with other ministries in relevant sectors (eg, the Ministry of Health and Care Services with regards to pandemic preparedness and response). Additionally, numerous public entities have been established under the responsible ministries, including the NSM, the Norwegian Directorate for Civil Protection (DSB), and three newly established committees for emergency preparedness and crisis management in the health sector.

Sector-Specific Authorities and Agencies

To a large extent, the government monitors and evaluates crisis response efforts on a sectoral basis.

The oil security system is generally governed by the Ministry for Trade, Industry and Fisheries, which is responsible for the security of supply of fuel, emergency preparedness and crisis management within the sector. The Norwegian Radiation and Nuclear Safety Authority (under the Ministry of Health) bears the responsibility of preparedness actions related to nuclear accidents.

There have been suggestions of establishing more cross-sectoral structures to strengthen the co-ordination of preparedness work. Local governments (municipalities and counties) are often consulted in such processes, and also have specific responsibilities in relation to certain aspects of crisis management – for instance, with respect to facilitating the work of the Norwegian Civil Defence. However, since many crisis management questions warrant a State-level approach, the role of local governments may be subordinated in some cases.

In Norway, crisis management operates within national frameworks and there are no state or cantonal layers as in federal systems.

The government’s White Paper on Total Preparedness calls for stronger whole-of-society preparedness and closer, more structured involvement of the private sector at both national and local levels. The White Paper mentions, for example, that companies covered by the Regulations on Industrial Safety (Nw. forskrift om industrivern) are obliged to establish an industrial safety system. When deemed necessary based on a company’s risk or location, the Norwegian Industrial Safety Organisation may order companies other than those initially covered by the regulations to establish an industrial safety system.

It is worth noting that although the PST operates under a single national mandate, it maintains a presence across all police districts, meaning that the security dimension of corporate crisis management is not purely centralised, and companies can engage with threat awareness and preventive security measures through their local PST contact.

Several bodies exercise significant crisis management oversight in Norway including the following.

National Level

• Norwegian Directorate for Civil Protection: primary oversight authority for civil protection and societal security.
• Norwegian Directorate of Health: oversees health emergencies.
• Norwegian Water Resources and Energy Directorate: monitors natural disaster risks (floods, landslides, avalanches).
• Norwegian Coastal Administration: oversees maritime emergency preparedness.

Regional Level

• County governors: co-ordinate preparedness across sectors and municipalities, linking national policy with local implementation.
• Police districts: exercise operational co-ordination during crises.

Local Level

• Municipal Emergency Preparedness Councils: provide local co-ordination, bringing together authorities, emergency services, voluntary organisations, and private sector representatives

There is no independent body that continuously oversees crisis management preparedness by companies or public entities. Nevertheless, in 2022 the government established a provisional commission responsible for the assessment of overall crisis response and preparedness in Norway, which culminated in an Official Norwegian Report (a type of preparatory work) in 2023 (NOU 2023: 17). The government has also signalled that such a commission will be established at regular intervals in the years to come (Meld St 9 (2024–2025) p 43).

The Petroleum Safety Authority (PSA) is an independent government regulator within the Norwegian petroleum industry; it is responsible for safety and emergency preparedness in the industry.

Crisis response actions from public authorities should, in many cases, be made available to the public under the Public Administration Act and the Freedom of Information Act. In addition, certain laws and regulations require public authorities to make contingency plans available to the public – for instance, Section 15 of the Civil Protection Act.

Crisis response actions from private entities and individuals are generally not subject to reporting and transparency requirements. However, certain aspects of crisis response actions may in some cases follow on from audits or other disclosure or reporting obligations – for instance, under the Transparency Act (see 6.7 Communication With Affected Parties), reporting of data breaches, reporting of serious workplace accidents to the Norwegian Labour Inspection Authority, and notification of acute pollution or risk of acute pollution. For listed companies, disclosure obligations may also apply under the Securities Trading Act.

In Norway, crisis management efforts and obligations are sectoral-based to a large extent. As outlined in 2.1 Legal Framework, the Health Emergency Preparedness Act and the Communicable Diseases Control Act establish key requirements in the health sector with regards to (inter alia) emergency preparedness plans.

In the finance sector, the Financial Institutions Act of 2015 requires financial institutions to have contingency plans that ensure financial stability during crises. With respect to infrastructure, the Regulation on the Quality of Electricity Supply of 2004 contains specific requirements relating to (inter alia) the resilience of the electricity supply system. Other sector-specific regulations also apply. Other examples include atomic/radiological emergency preparedness (Radiation Protection Act), and acute pollution (Pollution Control Act).

Actions required by such sectoral regulations are subject to inspections and audits by responsible authorities – for example, the Financial Supervisory Authority. Reporting obligations for private entities may also apply – for instance, under Section 21-1 of the Financial Institutions Act.

The Act on Digital Security entered into force on 1 October 2025, implementing the NIS 2 Directive and imposing obligations on entities delivering critical functions, including requirements for risk analyses, adequate security measures, and reporting of security breaches. Furthermore, the government has announced its intention to propose a new cross-sectoral Act establishing common requirements for “fundamental security” for critical societal functions (linked to the NIS 2 Directive and the CER Directive), which may include requirements for risk assessments, security measures, emergency preparedness, incident management, and notification of serious incidents/crises. The Act’s scope and concrete obligations are currently being assessed, and the government is also considering whether the scope should be broader than the directives themselves.

In January 2025, the Ministry of Justice and Public Security submitted an emergency plan to the Norwegian Parliament which (inter alia) includes plans on how to involve the private sector to a greater extent in relation to crisis management response plans. Parliamentary consideration has emphasised that private actors own large parts of critical infrastructure and must be involved more systematically (Innst. 242 S (2024-2025)). In particular, the Ministry has suggested including private parties (alongside governmental bodies) in a new cross-sectoral structure for assessments and emergency planning in civilian sectors (Meld St 9 (2024–2025) p 44–45). Additionally, a cyber-emergency preparedness arrangement is being established between relevant authorities and the business sector for major cyber-incidents, and the government has been encouraged to establish emergency preparedness agreements between private and public health services (Innst. 242 S (2024-2025)). Thus, there are certain pre-structured public-private co-operation frameworks for crisis prevention and response, but the exact execution of such co-operation remains to be seen.

The government has announced that a long-term plan for civil preparedness would be established, with work commencing in 2025 (Meld St 9 (2024–2025) p 40). The plan is to be based on risk assessments from preparedness councils and updated in line with the risk landscape, aimed at better co-ordination and dimensioning of resources (Innst. 242 S (2024-2025)). There are certain sector-specific national crisis management plans and policies – for instance, in the health sector, to ensure energy security and in relation to nuclear accidents. The structure and implementation of existing plans vary from sector to sector – however, the main elements of the plan are to clarify responsibilities in the event of a crisis, establish notification and reporting routines, and facilitate co-operation between relevant stakeholders in the event of an emergency.

During a crisis, different government entities usually co-ordinate efforts based on their respective areas of responsibility. For instance, the Ministry of Finance has an overall responsibility for crisis management in the event of a crisis within the financial sector. However, certain responsibilities may be delegated to subordinated agencies – for example, the Financial Supervisory Authority. The Ministry of Justice and Public Security has a co-ordinating role for preparedness and emergency response in the area of public security; in 2017, the Ministry established an instruction for the ministries’ work on public security in order to ensure effective inter-agency collaboration (FOR-2017-09-09-01-1349). The crisis management system includes key elements such as the government, the ministries, the Crisis Council, lead ministries, and the Crisis Committee/Crisis Support Unit, with co-ordination taking place through municipal/regional/national channels, sectoral channels, and co-ordination conferences.

The government is establishing preparedness councils at national, regional, and local levels. All municipalities are now required to have or be affiliated with a municipal preparedness council to ensure clear lines of responsibility and better dialogue with relevant actors in crises (Innst. 242 S (2024-2025).

The recommended approach is typically to appoint a crisis management team which manages various workstreams. In multi-jurisdictional investigations, local legal advisors are normally appointed as and when needed. This ensures a co-ordinated approach across jurisdictions whilst ensuring compliance with local law.

Norwegian law imposes no general obligation for companies to self-report all crises. However, specific reporting requirements exist for particular incident types. For instance, personal data breaches must be reported to the Data Protection Authority within 72 hours. Health, safety, and environmental incidents require immediate or prompt reporting to the relevant authorities.

Entities subject to anti-money laundering legislation are obliged to send a suspicions activity report to the Financial Intelligence Unit (FIU) at the National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim).

Whilst there is no legal obligation to self-report, authorities actively encourage companies to report suspected corporate crime and co-operate with investigations, as early disclosure may positively influence subsequent enforcement decisions.

Large international companies in Norway will commonly have a crisis management set-up and structure similar to international players in the USA, UK and continental Europe. Small to medium-sized companies in Norway will typically have a more streamlined set-up tailored to the relevant sector and national regulatory exposure.

In general, the key components of an effective crisis management strategy would include the following.

• a risk assessment, which takes into consideration key risks of whether a crisis would occur and in what areas (including regulatory exposure, where regulated entities would, for instance, require certain types of internal controls and reporting requirements);
• a crisis management strategy and team, including designating roles and responsibilities to follow up on a potential crisis;
• a communication plan, including roles and responsibilities for the various types of crisis situations;
• a contingency plan, setting out a detailed step-by-step plan for the various types of crisis situations;
• external and internal reporting requirements, as well as key stakeholders ‒ in this context, certain types of incidents would have a firm reporting deadline, eg, with respect to a data breach or potential risks of money laundering for obliged entities; and
• training and awareness in contingency plans to ensure active preparedness.

Nevertheless, the content and scope of crisis management plans naturally vary based on (inter alia) the sector, the size of the company and what types of risks the company is exposed to.

In some cases, public authorities are also authorised to establish crisis management plans for private companies – if so, the content of the plan is usually regulated by law (see, for example, Section 20-6 of the Financial Institutions Act).

It is advisable and common to have committees responsible for certain types of crises. The composition of the committee typically depends on the type of crisis. For instance, a regulatory breach is commonly led by the general counsel or another member of the legal team, while a security breach is generally led by the head of security or chief operations officer. The board of directors has the overall responsibility, and a severe crisis situation is typically escalated to the board of directors.

The steering committee often has the overall responsibility of the prevention and management of crises, reporting to the board of directors. Such committees may have a subordinated crisis management team or task force responsible for the effective implementation of crisis management plans established by the crisis committee. Small and medium-sized companies may not have the same formal governance structures in place, and therefore tend to handle crisis situations on more of an ad hoc basis (thus relying heavily on external support), while larger corporations can generally handle more of the key functions internally with external support on project management and regulatory matters.

Personal Liability

Under Norwegian law, representatives of the company, including board members, the CEO, as well as shareholders, may be held personally liable for damage caused by their actions or omissions on behalf of the company. Personal liability is particularly relevant if the company is in financial distress, if the damage is caused to the company, or if a claim against the company would otherwise be futile or not compensate for the loss incurred.

Section 17-1 of the Companies Act provides that board members, including the chairperson of the board, as well as the CEO or shareholders, may be held personally liable for financial damage which they, in their role as representatives of the company, intentionally or negligently have caused to others.

When a company enters financial distress, the legal and practical areas of responsibility imposed on both the board and management become significantly stricter.

Mechanisms to Mitigate Individual Liability

It is quite common for companies to take out insurance to cover potential civil liability. Such insurance may cover, inter alia, liability for the company as a legal entity or for the board of directors, or other types of professional liability. Some insurance policies also cover legal and litigation costs. However, insurance companies are prohibited from offering insurance that covers criminal liability sanctions imposed on the insured, such as fines, as this would undermine the deterrent purpose of the law. This is distinct from crime insurance, which covers the company’s own losses suffered as a victim of a crime, and which remains entirely permissible.

Companies may form permanent or ad hoc crisis committees (or both), depending on the size of the company and risks inherent in the business. Such committees typically include senior executives or heads of departments, but may in some cases also include less-senior employees with more hands-on experience from different parts of the corporation. Some companies may also appoint independent members (for instance, external legal counsel), while other companies choose to appoint external members to the crisis management team. Crisis committees usually report directly to the board of directors and/or senior management, but tend to have significant autonomy with regards to crisis prevention and response actions.

Composition of Teams

Crisis management teams may consist of heads of departments and members of senior management, as well as less-senior employees within various areas of the corporation, so that immediate response actions may be more easily implemented across the entire corporation in the event of a crisis. In some cases, the company may also choose to appoint an external member – for instance, legal counsel. The relevant crisis situation often influences the composition of the committee.

Roles and Positions

Within the committee and team, there is generally always at least one member with project management responsibility, and with a direct reporting line to the steering committee. This can be the chief compliance officer, general counsel or external counsel. The relevant functions and resources as part of the task force may vary. As mentioned at 3.2 Internal Governance, a regulatory breach commonly involves significant resources from the legal team, while a security breach typically involves significant contributions from the security team. The communications team is also usually involved in the preparedness of any crisis situation.

Frequency

The frequency of meetings may be daily or weekly, with a report to the steering committee weekly or bi-weekly. The type and urgency of the relevant crisis naturally determines the frequency of the meetings.

Communication and Stakeholder Management

It is important to control access to communications during a crisis. This is important both to control the narrative, and to prevent undue media attention. Typically, only the crisis management team and those they report to have access to all information, while other details will be restricted to prevent unnecessary access.

Larger corporations may have experienced internal crisis management teams, but it is common to seek external assistance. This is often because a company will typically not encounter as many crisis situations as an external crisis management specialist advising many different corporations on various types of crises around the world. External counsel can often be helpful in both setting up and managing a crisis situation, depending on the need for resources and the expertise the relevant company has. The more urgent and complex the crisis situation is, the greater the need for external expertise.

In addition, engaging external experts may be particularly relevant to investigations and evaluations in the aftermath of a crisis – for instance, by appointing an independent commission. When selecting such external experts, the criteria typically include expertise and experience with the type of crisis in question, ie, expertise in data privacy in the event of a cyber-attack. A notable example is the appointment of an independent commission after a fire on the vessel Scandinavian Star, which culminated in a report to the Norwegian Parliament regarding the cause of the crisis, responsibilities, etc.

Digital Operational Resilience Act (DORA), effective in Norway from 1 July 2025, establishes mandatory requirements for ICT service agreements, including pre-contractual assessments, ongoing monitoring obligations, and specific contractual provisions. Supplier risk management must be integrated into the overall risk management framework under DORA.

The European supervisory framework for critical ICT service providers grants authorities the power to obtain information and conduct inspections of systematically important suppliers in the financial sector.

Under the Transparency Act, companies may request documentation from suppliers regarding human rights and working conditions, even in the absence of explicit contractual audit rights. Supplier assessment follows risk-based criteria and take into account high-risk sectors, goods, countries, and the company’s own experience.

Metrics used by companies to assess the success of crisis management efforts typically include:

• response and recovery time;
• effectiveness of communication;
• financial impacts;
• operational continuity;
• employee and customer safety;
• supply chain stability; and
• feedback from stakeholders.

Continuous improvements to crisis management strategies are typically made by conducting post-crisis reviews and receiving feedback from key stakeholders. A “lessons learned” workshop would often be part of a post-crisis review.

The board holds primary responsibility for ESG matters and their integration into corporate strategy, forming part of its general oversight function.

The Transparency Act requires due diligence assessments aligned with the OECD Guidelines for Multinational Enterprises. Companies must identify and assess actual and potential adverse impacts on fundamental human rights and decent working conditions throughout their value chains.

Evaluations demonstrate that the Transparency Act has increased awareness and led to concrete improvements in human rights and working conditions. ESG metrics are increasingly incorporated into KPIs and variable remuneration structures for management.

The Transparency Act requires companies to implement appropriate measures to cease, prevent, or mitigate adverse consequences to human rights and decent working conditions. Where a company causes or contributes to actual harm, it must take steps to remediate the damage.

Companies must ensure or co-operate in restoration and compensation where required, though civil society organisations have noted that the precise scope of remediation duties requires further clarification.

General obligations under the Working Environment Act apply, though the specific scope of remediation and welfare obligations during emergencies remains an evolving area of Norwegian law.

Robust monitoring systems and employee training are examples of key elements for identifying a crisis – and its legal implications – faster.

Some crises are identified immediately due to the nature of the breach, such as a cyber-incident blocking access. Other types of crisis situations develop over time – for instance, where the initial indication is an unclear and unsubstantiated whistle-blowing report alleging potential corrupt practices, this may turn out to be part of a larger-scale corruption matter during the course of the investigation. The pace and urgency will therefore depend on the nature of the crisis.

In certain areas (for instance, data breaches, incidents affecting critical digital services under the Digital Security Act or suspicions of money laundering for obliged entities), clear tools and reporting lines will be set up to deal with the identification and reports of such incidents, and such tools will also be subject to authority-led inspections to check compliance.

The types of frameworks and models used for crisis management would very much depend on the company and exposure to crises; see also 3.1 Crisis Management Plans and 3.2 Internal Governance on the contents of a crisis management plan.

Some companies use NS-EN ISO 22361, which is an international standard for strategic crisis management. Certain guidelines have also been published by public authorities in Norway, which may be used as benchmarks for crisis management practices. For example, the DSB published guidelines for crisis management following the COVID-19 pandemic, as well as a more general guideline for crisis communication. Additionally, some authorities have established guidelines or benchmarks for certain specific crises – for instance, the Data Protection Authority regarding data privacy breaches. The NSM also provides guidance on ICT security through its Basic Principles for ICT Security, which companies may use as a “toolbox” for preventive technical and organisational measures.

Many companies also engage external expertise (eg, legal counsel) to stay updated on best practices within the relevant industry, from those with experience in managing cross-border investigations and crisis management teams. In practice, many Norwegian companies combine elements from the systematic health, safety and environment framework required under the Internal Control Regulation with crisis management and business continuity planning.

Companies typically identify and assess potential risks that could lead to a crisis through analysing the risks related to the sector and jurisdiction(s) in which the company operates, as well as other factors relevant to the company’s risk profile (for more on the type of risk assessment often conducted, see 3.1 Crisis Management Plans). This analysis may include data analysis of past crises, identifying relevant regulatory exposure as well as key risks and vulnerabilities. In some instances, this may also involve engaging with industry organisations, public authorities and other stakeholders. Relevant risk factors in preparing for a crisis may consist of:

• legal and regulatory risks;
• operational risks; and
• financial and reputational risks.

All of these must be taken into account in the risk identification and assessment process.

Preventative measures commonly implemented to mitigate risks may include:

• robust compliance programmes tailored to the relevant risks and exposure; and
• incident response plans to ensure preparedness for various types of crisis situations.

Simulation exercises are used in employee training, and may include practical scenarios where there is a risk of corruption that may lead to a crisis for the company, or simulated phishing emails in order to prevent cybersecurity attacks. There may also be sector-specific simulation exercises within certain sectors – for instance, exercises in the oil and gas sector or pandemic response exercises in the health sector. In the financial sector, the Financial Supervisory Authority expects firms to regularly conduct exercises to test how recovery plans can be applied in a real crisis.

Most companies (typically larger companies) promote and organise crisis prevention and response training for employees. Such training may consist of information sharing about crisis prevention, as well as response plans and protocols, discussions and simulation exercises (see 4.4 Crisis Simulation). Training sessions should be tailored so that high-risk functions receive more bespoke training than general employees. Training is usually conducted by the chief compliance and risk management officers (or similar), and in some cases by external advisers. Under the Internal Control Regulation, companies must ensure that employees have sufficient knowledge and skills in systematic health, safety and environment work, which in practice includes crisis and incident response competence.

Companies usually adopt crisis management plans and procedures (see 3.1 Crisis Management Plans). Some companies also have risk management policies outlining the company’s approach to risk identification, assessment and mitigation, and such policies are sometimes made publicly available. Such policies and procedures are effectively implemented by, inter alia, communication, training and raising of awareness, and integration with daily operations and tools. Common policies and procedures in Norwegian companies include crisis leadership policies, crisis communication plans, incident response procedures, personal data breach procedures, whistle-blowing procedures (mandatory written procedures under the Working Environment Act), and health, safety and environment incident/accident procedures.

The most critical challenge for a company faced with a crisis is that a lot of important actions must be taken immediately, and a company with no prior experience of a crisis would not know how to effectively prioritise each step. Therefore, having a decent contingency plan or incident response plan would significantly streamline the process in a crisis situation, and would also reduce the risk of actions being taken that adversely affect the company.

Relevant enforcement authorities that companies and management must deal with in relation to potential legal liability include:

• the Police Force (Politiet), responsible for criminal investigations and enforcement;
• the National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim), responsible for criminal investigations and enforcement related to economic and environmental crime;
• the Labour Inspection Authority (Arbeidstilsynet), responsible for labour rights, health and safety;
• the Data Protection Authority (Datatilsynet), responsible for data protection and privacy;
• the Directorate for Civil Protection (DSB), responsible for civil protection and emergency preparedness;
• the Competition Authority (Konkurransetilsynet), responsible for competition law enforcement;
• the Environment Agency (Miljødirektoratet), responsible for environmental laws and regulations;
• the Financial Supervisory Authority (Finanstilsynet), responsible for banking, insurance and other areas of financial market regulations;
• the Tax Administration (Skatteetaten), responsible for tax matters; and
• the Norwegian Ocean Industry Authority (Havindustritilsynet), responsible for health, safety and environment in the maritime and petroleum industries.

Additionally, for entities within the scope of the Digital Security Act, which entered into force on 1 October 2025, the NSM and designated sector supervisory authorities play a central role in overseeing compliance with digital security requirements.

The frequency and nature of co-operation with enforcement authorities and regulators vary based on the purpose of the contact and applicable laws. In some cases, companies are obliged by law to immediately report certain types of crises to responsible authorities – for instance, in the case of a data privacy breach or a suspicious activities report. In other cases, an internal investigation would often be conducted before informing the authorities. In competition law matters, companies may benefit from the leniency programme by self-reporting cartel participation and fully co-operating with the Competition Authority, potentially obtaining immunity or reduction of fines.

A litigation risk assessment would normally be conducted by external legal counsel – for example, a thorough evaluation of legal risks and liabilities may be needed in order to assess potential settlement options. Key factors in assessing exposure include the company’s preventive compliance measures, which are expressly considered when imposing corporate criminal liability under the Penal Code.

It is common to engage external legal counsel with experience in managing crisis situations. Some companies do have in-house crisis management teams (mainly larger companies).

The criteria used to select external legal counsel usually include relevant expertise and experience within the legal field the crisis relates to, as well as experience with crisis management in general.

The Norwegian Bar Association has issued guidelines on private investigations – while they do not directly apply to all types of fact-finding exercises, they do provide a good overview of best practices in investigations.

Further, there are procedural requirements for civil disputes or criminal investigations. In civil litigation procedures, companies also have a general duty of truth and disclosure under Section 21-4 of the Dispute Act, as well as more specific disclosure obligations under Sections 21-5 and 26-5 of the Dispute Act (although they are significantly less far-reaching than discovery obligations in the USA, for example). The Dispute Act also provides for pre-trial evidence preservation measures under Chapter 28, enabling parties to secure evidence that is at risk of being lost or compromised before formal proceedings commence. Thus, a company’s failure to gather and preserve relevant documentation and evidence may, in some cases, violate such procedural obligations, despite the absence of any general statutory obligation to preserve evidence. 

Naturally, internal practical procedures for gathering and preserving documentation and evidence vary based on the company and documentation in question. Many entities have comprehensive documentation and reporting systems with detailed logs and records, while others rely to a greater extent on manual information gathering from employees. 

It is possible to enter into settlement arrangements for litigation proceedings which are derived from a crisis situation.

It is fairly common for insurance policies to be adopted by companies to cover potential civil liability. Such insurance policies may cover, inter alia, the liabilities of the company as a legal entity or of the board of directors, or other types of professional liability. Some insurance policies may also be related to specific sectors or risks – for example, insurance related to environmental damage or insurance for cases where the company has been exposed to financial crime. Some insurance covers legal and litigation costs, while some companies also take out a separate insurance covering legal assistance. Cyber-insurance has become increasingly common, typically covering incident response costs, business interruption, regulatory fines and third-party liability arising from data breaches and cyber-attacks. Insurance companies are, however, prohibited from providing insurance covering criminal liability (Section 7-1 of the Insurance Business Act and Section 2-6 of the Financial Institutions Act).

The impact of a crisis on a company’s reputation may be measured through:

• media analysis;
• stakeholder surveys and feedback;
• market surveys and analysing stock-market drops; and
• revenue and sales impacts.

Common steps taken to rebuild a company’s reputation post-crisis may include:

• transparent communication (eg, public statements);
• promptly implementing crisis response plans;
• policy revisions and auditing;
• rebranding and marketing; and
• corporate social responsibility initiatives.

However, the most important form of reputational management is to ensure that:

• communication is part of the task force in the crisis management team;
• a communications plan is drafted early on to cater to all possible scenarios; and
• there is clear communications management throughout the crisis situation.

Several sector-specific laws and regulations include mandatory reporting requirements related to incidents. One example is data security breaches, as outlined in 5.3 Co-Operating With Enforcement Authorities. Other examples include a duty to report serious workplace incidents to the Labour Inspection Authority under Section 5-2 of the Labour Act, and a duty to report environmental incidents under the Regulation on Notification of Acute Pollution or Risk of Acute Pollution.

Additionally sector-specific reporting obligations include:

• financial sector ICT incidents under the Digital Operational Resilience Act (DORA), with initial notification to the Financial Supervisory Authority required within 24 hours of detection for major incidents, reportable via Altinn;
• significant incidents affecting electronic communications networks and services, which must be reported to the Norwegian Communications Authority as soon as possible;
• security-threatening incidents under the Security Act, which must be reported to the NSM; and
• significant incidents under the Digital Security Act affecting essential and important services, which must be notified to the competent authority without undue delay.

The way in which companies ensure timely and accurate reporting to regulatory bodies varies based on:

• effective implementation of crisis management plans;
• adequate training of employees;
• following internal reporting procedures;
• involving external legal counsel; or
• a combination of such measures.

Communication with stakeholders is an important workstream, and is often handled in-house by the communications team or investor relations team. There are also external communications advisers who assist in advising on communications workstreams in crisis situations. Communication triggers may arise from legal obligations (see 5.3 Co-Operating With Enforcement Authorities), and, outside of such obligations, from specific assessments of factors such as the role of the stakeholder and reputational risks. Many companies have a communications director who is responsible for co-ordinating stakeholder interactions, while communications regarding larger crises tend to be dealt with by the crisis management task force, as further detailed in 5.9 Reputation Management.

The DSB has recently published an updated crisis communication guideline, which emphasises the importance of having a pre-established crisis communication plan, unified messaging, and specific strategies for countering disinformation and influence operations in social media and digital channels.

It is very important to control access to communication during a crisis. This means that those who require all the information (normally the board of directors and senior management, as well as key functions) should be given access, while other information is restricted to prevent unnecessary access. If it is a public matter (for instance, due to a dawn raid by authorities), it is often advisable to send a brief holding statement to let the employees know that the company is aware of the situation.

Which person(s) to contact and in which order would normally be included in a dawn raid manual or incident response plan.

Effective strategies for communicating with the public and media may include:

• a clear communication plan;
• having statements issued by the relevant members of the crisis management team and/or senior management;
• identifying a single point of contact; and
• media training.

The content of the communication is also crucial for the public’s perception of the situation and the company, and providing an immediate, transparent and facts-based response is often beneficial in that regard. Collaborating with different departments of the company (especially those with expertise within the field that the crisis related to), as well as co-ordinating the communication through the head of communication and/or a centralised communication team, are key factors for ensuring consistency and accuracy of the communication.

Relevant challenges faced by companies in their communication work include:

• balancing accuracy and the need for an immediate response;
• co-ordinating between different departments of the company;
• managing misinformation from individuals or other stakeholders; and
• handling intense media pressure.

A clear communication plan, as well as obtaining external expertise when necessary, are possible key factors for handling such challenges. The DSB’s updated crisis communication guideline specifically addresses the challenges of disinformation and co-ordinated influence campaigns, recommending that companies establish monitoring capabilities for social media and prepare response strategies to counter false narratives.

Communication with investors should typically follow the same principles as effective external communication (see 6.3 External Communication). Additional workstreams are also often handled by the investor relations team to maintain investor confidence. In some cases, providing a stock exchange announcement may be required under the Securities Trading Act.

As of 1 April 2025, the Norwegian Financial Supervisory Authority has taken over the responsibility for supervising ongoing disclosure obligations and delayed disclosure of inside information under the Market Abuse Regulation. Listed issuers must now submit notifications regarding delayed disclosure directly to the Financial Supervisory Authority via Altinn, rather than to the stock exchange.

Addressing customer concerns and maintaining trust during a crisis may be done through effective external communication and co-ordination (see 6.1 Co-Ordination of Communications and 6.3 External Communication). Channels used to communicate with customers may include the media, the company’s website and emails. 

See 6.2 Internal Communication regarding communication to employees. Common steps taken to ensure employee morale and productivity may include effective communication as well as offering various types of assistance, specifically if individuals are affected.

Although companies may be subject to notification requirements (see 5.3 Co-Operating With Enforcement Authorities) for certain crises, there are generally no statutory obligations as to which channels should be used for communication with people affected by the crisis. One exception is stock exchange announcements, which must be made through specific channels (see 6.4 Investor Relations). Some public authorities also have established dedicated notification channels in the event of a crisis – for example, the Norwegian Environment Agency.

However, there are generally no obligations to use specific channels to inform the general public about immediate crises for companies not subject to specialised legislation. Nevertheless, previous crises and risks of future crises may be an integral part of more general reporting obligations, and such reports may be required to be published on the company’s website – an example of this is reports under the Norwegian Transparency Act.

Regarding which communication channels are typically used outside statutory reporting and notification obligations, see 6.1 Co-Ordination of Communications.

Social media platforms form an important part of crisis communication and can be used to disseminate information rapidly, correct rumours, answer questions and monitor what is circulating amongst the public, whilst at the same time these channels demand pace, resources and structure. For social media platforms to function effectively as a communication channel during a crisis, organisations must already have an established presence, which means having built a following, knowing the channel’s functions and limitations, understanding which target audiences are active on which channels, and having defined the appropriate tone and style of communication.

Before a crisis occurs, organisations should have established clear routines for operating accounts, systems for logging and archiving activity, response routines for questions and comments, plans for interaction between social platforms and other channels (website, press, intranet, etc), and clarified contingency roles for who has access to accounts, including outside working hours. In terms of rapid response, the need for information arises immediately. An initial message should be issued promptly; at the stage the company does not have all the information, it is sufficient to confirm that there is an incident and that work is underway to assess the situation.

AI is playing an increasingly important role in developing, streamlining and implementing crisis communication, and can be used as support in all phases of planning work – from risk analysis and content production to simulation and monitoring. Concrete applications include risk analysis and scenario planning, support for message development and stakeholder analysis, simulation and training exercises, efficient document production and revision, media monitoring and reputation analysis, and translation to other languages and formats. Media monitoring and situational analysis are particularly important during crises, as AI can help organisations quickly detect trends, misinformation and rumours in social media platforms.

The primary legal risks stem from the following three areas highlighted in Norwegian crisis communication guidance and legislation.

• Ethics, protection of company data and privacy: organisations must ensure that use of AI complies with privacy laws and other regulations.
• Human judgement: AI can provide suggestions and support but should not replace human judgement, particularly in crisis communication.
• Source criticism: AI tools can generate plausible but incorrect assertions, and content must always be quality-assured. This risk is critical in crisis contexts where errors in reporting to regulators, misinformation to affected persons, or failures in transparency can trigger enforcement action, reputational damage, and liability claims. Products wholly or partially produced by AI should in many cases be labelled.

As part of a post-crisis review, it is generally advisable to identify lessons learned after a crisis. The participants in such a process are often members of the crisis management team; some learned lessons may be confidential, and are typically only available to this team. Other learned lessons may be more generic and therefore used more widely in compliance training. In any event, it is advisable to do a “root cause analysis” in order to establish exactly what went wrong and why, as well as how to ensure it does not happen again.

To ensure that relevant learned lessons are integrated into future crisis management strategies, companies may choose to:

• amend crisis management plans and policies;
• revise internal governance structures; or
• enhance training of employees.

If a crisis arises due to a lack of policies, such a gap would normally be filled following a crisis. Often, however, a compliance issue and a resulting crisis may be due to the bypassing of internal routines, and therefore updates of policies and procedures may not always be necessary.

See 3.8 Assessing Crisis Management Success and 4.2 Planning.