Over 9000 companies operating in Norway are subject to the Norwegian Transparency Act (Åpenhetsloven) that will enter into force on 1 July 2022.

The law aims to increase corporate respect for human rights and ensure stakeholders access to information on how companies address adverse impacts on human rights.


Why was the Norwegian Transparency Act needed?

In the past decade, regulators across Europe realized that voluntary measures and self-regulation were not sufficient to live up to the standards set by the OECD Guidelines for Multinational Enterprises. Therefore, some governments started to require companies to be accountable for their business partners’ social and environmental conduct.

France, the Netherlands, and Germany have already established supply chain due diligence regimes. And the European Commission is expected to publish a proposal for an EU regulation soon.

With the Transparency Act, Norway follows the European trend. However, the new Norwegian law is much stricter.


Which companies are subject to the Transparency Act?

The companies required to comply with the Transparency Act are:

  • larger companies that are based in Norway and offer goods and services in or outside Norway
  • larger foreign companies that offer goods and services in Norway and are taxable in Norway under internal Norwegian legislation

The Transparency Act defines larger companies as:

  • enterprises that fall into the definition provided by the Accounting Act (Regnskapsloven) §1-5, such as public limited companies, listed companies, and other entities liable for accounting
  • enterprises that, on the date of financial statements, exceed the threshold for two of the following three conditions:
    • an annual turnover of at least NOK 70 million (€ 6.92M / US $7.4M)
    • a balance sheet total of at least NOK 35 million (€ 3.46M / US $3.7M)
    • an average number of at least 50 full-time employees in the financial year (or equivalent annual man-hours)

When assessing whether a business exceeds these thresholds, a group of parent and subsidiary companies must be considered as one unit, provided that the parent company is located in Norway and regardless of whether the subsidiaries are registered in or outside Norway.


What are the requirements set out in the Transparency Act?

Companies subject to the Norwegian Transparency Act are required to:

  • perform regular due diligence assessments following the OECD Guidelines for Multinational Enterprises
  • publish an annual report on the due diligence assessment and update it yearly
  • process information requests within a reasonable time

1. Regular due diligence assessments

The Norwegian Transparency act requires companies to perform due diligence assessments following the OECD Guidelines for Multinational Enterprises. These assessments must cover their business activities, supply chain, and business partners.

To meet this requirement, organizations must:

  • embed responsible business conduct into their policies
  • identify and assess adverse impacts on human rights and decent working conditions that they have caused or contributed to
  • identify and assess adverse impacts on human rights and decent working conditions that are directly linked with their operations, products, or services via the supply chain or business partners
  • implement adequate measures to cease, prevent or reduce the negative impacts
  • monitor the implementation and results of such measures
  • communicate to affected stakeholders about how they address and handle adverse impacts
  • provide for or co-operate in remediation and compensation where this is required

Companies must carry out due diligence assessments regularly using a risk-based approach. Their frequency is not specified by the law and may vary depending on the business’s specifics – as long as companies ensure that their knowledge of their suppliers and partners is up to date when publishing the yearly report.

The due diligence assessments should be proportionate to the size and nature of the company, its operations, and the severity and likelihood of negative impacts on fundamental human rights and decent working conditions.

2. Annual reports on the due diligence assessments

Companies subject to the Norwegian Transparency Act must publish an annual report on the due diligence assessment performed. This report may be part of the report on social responsibility referred to in Section 3-3 (c) of the Accounting Act and should include:

  • a general description of the company’s structure, area of operations, guidelines, and procedures for handling potential and actual adverse impacts on fundamental human rights and decent working conditions
  • information regarding the potential and actual adverse impacts that the enterprise has identified via the due diligence assessment
  • information regarding measures to cease or reduce the risks of adverse impacts and the actual or expected results of these measures
  • information on where the report can be accessed

Additionally, companies must meet the following requirements:

  • they must publish the report yearly, no later than 30 June
  • they must update the report whenever there are significant changes in the risk assessment
  • they must make the report easily accessible on their website
  • the report should be signed following the rules set in Section 3-5 of the Accounting Act by all board members (and by a general manager, if applicable).

3. Give access to information

Companies must grant the general public access to information on how they address the adverse impacts on human rights and decent working conditions.

Anyone can submit a request to get access to the information. However, the request must be submitted in writing.
After a request has been submitted, the company must provide the information to the person who requested it:

  • in writing and in comprehensible form
  • within a reasonable time and no later than three weeks after receiving the request for information.

If the amount or type of information requested makes it difficult to respond to within three weeks, the company must inform the requester that the information will be provided within two months.

An information request can be denied if:

  • the request does not provide a sufficient basis for identifying what the request concerns
  • the request is clearly unreasonable
  • the requested information concerns data relating to an individual’s personal affairs
  • the requested information has to be kept confidential for competitive reasons, classified under the Security Act, or protected under the Intellectual Property Rights Act

If the company denies a request, the requester should be informed about the denial’s legal basis and their right to demand a more detailed justification for the denial within three weeks (and receive it within the following three weeks).


What is the deadline to comply with the Transparency Act?

The Transparency Act comes into effect on 1 July 2022 – and, from that date, the public can request information from companies covered by the Act, and such companies have to provide information after request. Moreover, from 1 July 2022 companies should have published details on how to submit requests.

Regarding the duty to carry out due diligence assessments and publish a report on them, the first report must be published no later than 30 June 2023 – one year after the entry into force of the Transparency Act.

Afterwards, the law states that such reports should be updated and published annually, no later than 30 June of each year (or in any case of significant changes to the company’s risk assessments).


What happens in case of violation of the Transparency Act?

The Norwegian Consumer Agency is tasked with providing guidance on the rules of the Transparency Act, as well as overseeing and enforcing them. Along with the Market Council, the Consumer Agency acts as supervisory authority to ensure that companies comply with the provisions of the law.

Therefore, both public bodies can, on their own initiative or at the request of others, investigate a company’s compliance and, where necessary, intervene with decisions consisting of:

  • prohibitions or injunctions to ensure that the company fulfils its duties
  • enforcement penalties – i.e., fines in case of non-compliance with the prohibitions or injunctions previously imposed
  • breach penalties – i.e., fines issued in case of repeated breaches

Decisions issued by the Norwegian Consumer Agency can be appealed to the Market Council. Both the decisions issued by the Norwegian Consumer Agency and the Market Council can be challenged within six months from the notification of the decision.


How companies can prepare to ensure compliance

The first thing to do right now is to get familiar with the requirements of the Act. Here are a few initial steps you should take:

When the law comes into effect on 1 July, the duty to provide information will already be in place. Therefore, you should set up internal processes, including people and systems, to collect and answer information requests within the 3-week deadline. If your customers include businesses that fall into the scope of the Transparency Act, you can expect to receive information requests from them.

Next, review existing policies and risk assessment procedures, which will form the basis for the first due diligence assessment. Since the due diligence process required by the Transparency Act covers not only the business but also its supply chain and partners, you need to involve employees and departments responsible for purchasing, procurement, logistics, product/service development, as well as risk management and compliance.

Start mapping out all of your direct suppliers and business partners to create a detailed list that includes their locations, the nature of their businesses, and the type of their workers. Conduct an initial risk assessment based on your suppliers’ location and the types of people they employ. Certain countries and employees, such as migrant workers, are more vulnerable to risks.

When creating new policies and internal guidelines, you should consider that the Transparency Act is based on the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. Besides human rights and decent working conditions, these recommendations include guidance on health, safety, environment, and Anti-Money Laundering. Therefore, if your company has the resources to do so, it’s recommended that you also include other controls in your due diligence assessments to ensure full compliance with the OECD Guidelines.


How Penneo can help

Penneo can help you meet the Transparency Act’s requirements efficiently by enabling you to collect information securely, keep track of your operations, and document them with audit trails.

With Penneo, you can:

  • create digital forms to allow the general public to submit information requests and embed it on your website to
  • receive the request safely, be immediately notified, and act promptly on it
  • request information from your supplier and business partners via encrypted digital forms
  • assess the risk level of your stakeholders by including information and documentation on fundamental human rights and decent working conditions in automated risk assessments
  • sign the final report digitally via BankID (or other electronic ID available to your signers)
  • creating secure digital signatures that comply with eIDAS requirements



If you're looking to learn more, we have a few suggestions for you

9 expert tips for picking the perfect KYC solution

9 expert tips for picking the perfect KYC solution

eIDAS 2.0

eIDAS 2.0 and its impact on digital transactions and identity verification

EU unveils ambitious AML package

EU unveils ambitious AML package