As of March 2026, Norway’s financial regulator, Finanstilsynet, has implemented a stringent Virtual Asset Service Provider (VASP) registration framework under the amended Act on Measures to Combat Money Laundering and Terrorist Financing (AML Act), aligning with EU-wide digital asset regulations. All crypto exchanges, wallet providers, and trading platforms operating in or targeting Norwegian consumers must now register with Finanstilsynet, undergo rigorous AML/CFT due diligence, and maintain continuous compliance monitoring. This shift reflects Norway’s broader strategy to integrate digital assets into the regulated financial system while mitigating illicit finance risks. Failure to register or comply results in immediate operational bans and potential criminal liability.
Key Findings
Mandatory VASP registration: All entities offering virtual asset services in Norway must register with Finanstilsynet, regardless of domicile.
Enhanced AML/CFT obligations: VASPs must implement risk-based customer due diligence, transaction monitoring, and suspicious activity reporting.
EU MiCA alignment: Norway’s regime incorporates EU Regulation 2023/1114 (MiCA), requiring licensing for stablecoin issuers and custody providers.
Strict enforcement: Unregistered VASPs face immediate delisting, fines up to NOK 10 million, and director disqualification.
Corporate transparency requirements: Ultimate beneficial ownership (UBO) must be disclosed for all VASP applicants.
---
Regulatory Landscape: From AML Act to VASP Oversight
Norway, as part of the EEA, has progressively aligned its financial regulations with EU standards. The Act on Measures to Combat Money Laundering and Terrorist Financing (AML Act) was amended in 2025 to transpose the EU’s Sixth Anti-Money Laundering Directive (6AMLD) and the Markets in Crypto-Assets Regulation (MiCA), which became applicable in Norway via EEA incorporation.
Finanstilsynet, in collaboration with the Norwegian Tax Administration and Økokrim (National Authority for Investigation and Prosecution of Economic and Environmental Crime), now operates a centralized VASP registry modeled on the EBA’s Register of VASPs. This registry is publicly accessible and includes real-time compliance status updates.
Who Must Register as a VASP in Norway?
Under Section 4 of the AML Act, a VASP is defined as any natural or legal person providing one or more of the following services on a professional basis:
Exchange between virtual assets and fiat currency;
Exchange between one or more forms of virtual assets;
Transfer of virtual assets;
Safekeeping or administration of virtual assets or instruments enabling control over such assets;
Participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset.
Notably, decentralized finance (DeFi) platforms are not automatically exempt. Finanstilsynet assesses each case based on whether a natural or legal person controls the service. Peer-to-peer (P2P) platforms without custody or facilitation of payments may escape registration, but those offering fiat on-ramps or custodial wallets are required to register.
Registration Process and Compliance Requirements
The registration process is rigorous and digital, conducted via the Finanstilsynet Portal with identity verification through BankID or equivalent eID. Applicants must submit:
A completed VASP application form;
Business plan and risk assessment;
Organizational structure and governance documentation;
Proof of registered office in Norway or EEA (or a local representative);
AML/CFT policies, including customer due diligence (CDD), enhanced due diligence (EDD), and transaction monitoring rules;
Internal audit and compliance officer details;
Proof of professional indemnity insurance (≥ NOK 2 million);
Disclosure of ultimate beneficial owners (UBOs) and controllers.
Processing time averages 60 days, with extensions possible for complex cases. Upon approval, VASPs receive a unique registration number and must display it on all digital interfaces and marketing materials.
AML/CFT and Financial Crime Prevention
Finanstilsynet enforces a risk-based AML framework, requiring VASPs to:
Apply customer due diligence (CDD) at onboarding and for transactions exceeding NOK 10,000;
File Suspicious Activity Reports (SARs) via the Norwegian Financial Intelligence Unit (Økokrim-FIU) within 24 hours of detection;
Conduct enhanced due diligence (EDD) for high-risk jurisdictions or politically exposed persons (PEPs);
Maintain a 5-year audit trail of all transactions and customer records.
VASPs are also required to report large cash transactions (> NOK 50,000) and cross-border transfers of crypto-assets exceeding €10,000.
Stablecoins and Asset-Backed Tokens Under MiCA
Norway’s adoption of MiCA in 2025 brings stablecoins under regulatory oversight. Issuers of asset-referenced tokens (ARTs) or e-money tokens (EMTs) must obtain a license from Finanstilsynet if they target Norwegian users. Key obligations include:
Minimum capital requirements (≥ €350,000 for ARTs);
Reserve asset segregation and audits;
Daily redemption rights for holders;
Public disclosure of token backing and reserve management.
Non-compliant stablecoin issuers face delisting and potential injunctions.
Enforcement and Penalties
Finanstilsynet has demonstrated a zero-tolerance approach:
Unregistered activity: Immediate administrative order to cease operations; fines up to 10% of annual turnover (capped at NOK 10 million for individuals).
AML violations: Directors may face disqualification for up to 10 years and criminal charges under Sections 27 and 28 of the AML Act.
Data breaches: Failure to protect customer data results in GDPR-level fines (up to 4% of global revenue).
In 2025, two foreign exchanges were forced to withdraw from the Norwegian market after failing to register, setting a precedent for future enforcement.
---
Recommendations for VASPs and Market Participants
Register Early: Given the 60-day processing window and high application volumes, submit applications at least 90 days before planned launch.
Establish Local Compliance Hub: Even non-Nordic VASPs should appoint a Norwegian compliance officer and maintain a registered office or authorized representative.
Adopt EU-Compliant AML Tools: Integrate AI-driven transaction monitoring systems (e.g., Chainalysis, TRM Labs) with regional IP and identity verification checks.
Prepare for Stablecoin Licensing: If issuing or facilitating stablecoins, budget for capital reserves and audit preparation; engage with Finanstilsynet’s sandbox for guidance.
Conduct Regular Regulatory Audits: Engage third-party AML auditors annually to assess compliance with evolving rules.
Educate Users: Clearly disclose registration status, fees, and risk disclosures to Norwegian users to avoid misleading marketing claims.
Monitor EU/EEA Rule Changes: Stay updated on delegated acts under MiCA and Finanstilsynet guidance notes, especially regarding DeFi and NFTs.
---
FAQs: Common Compliance Questions
Q1: Do foreign VASPs need a physical presence in Norway to register?
No, but they must appoint a local authorized representative or establish a branch registered with the Norwegian Register of Business Enterprises (Brønnøysundregistrene).