Companies are required to conduct supply chain due diligence, publish an annual report by June 30, and respond to public information requests within three weeks.
The Norwegian Transparency Act — Åpenhetsloven — has been in force since July 2022. Most companies subject to it know it exists. Fewer are meeting all three of its core obligations in a way that would hold up under scrutiny from Forbrukertilsynet or a public information request.
Here is what mid-market companies need to understand and act on.
Who the Transparency Act Applies To
The Act applies to larger Norwegian companies and foreign companies doing business in Norway that meet at least two of these three criteria:
If your company meets two of these three thresholds — and most mid-market Norwegian companies do — the Act applies to you in full.
The supply chain dimension is where most companies underestimate their exposure. The Act does not just cover your direct operations. It requires due diligence across your entire supply chain and business relationships — suppliers, subcontractors, and business partners where your relationship creates risk of adverse impacts on human rights or decent working conditions.
What the Act Actually Requires
The Transparency Act creates three distinct obligations. All three map directly onto governance workflows that sit with finance and compliance leadership.
1. Conduct due diligence on human rights and decent working conditions
You must conduct ongoing risk-based due diligence across your supply chain — identifying, preventing, and mitigating adverse impacts on human rights and working conditions. This follows the OECD Guidelines for Responsible Business Conduct and requires a documented methodology, risk prioritisation, supplier assessments, and evidence of follow-up actions.
This is not a one-time exercise. It is a continuous process that must be updated when circumstances change — new suppliers, new markets, changed risk assessments.
2. Publish an annual due diligence account by June 30
Every year by June 30, you must publish a publicly accessible account of your due diligence on your website. It must cover your methodology, the most significant risks identified, what actions you have taken, and the outcomes of those actions.
This is a formal public disclosure. Forbrukertilsynet reviews these. Journalists and NGOs reference them. Customers and investors read them. A vague, generic account published the day before the deadline is not what the Act requires — and it is not what protects your company's reputation.
3. Respond to information requests within three weeks
Any member of the public, journalist, NGO, or customer can submit a written information request about your due diligence work. You must respond within three weeks with substantive information about your processes, findings, and actions.
This is the obligation most companies are least prepared for. A request can arrive at any time, addressed to your company publicly. If your due diligence records are scattered across spreadsheets, email threads, and shared drives, producing a coherent, accurate response in three weeks will be extremely difficult — and a poor response is itself a public event.
What the Act Requires From Leadership
Like NIS2 and the EU AI Act, the Transparency Act places accountability at the top. The due diligence account must reflect decisions made at board and management level. The methodology must be approved. The annual report must be signed off.
The governance layer comes down to the same three workflows:
1. Sign-offs. Due diligence methodology approved at board or senior management level. Risk prioritisation decisions documented with named owners. Annual due diligence account approved before publication. Corrective action plans signed off when significant risks are identified.
2. Disclosures. The annual due diligence account published by June 30. Responses to information requests within three weeks. Internal reporting to the board on due diligence findings and progress. These must be current, accurate, and retrievable — not assembled from scratch each June.
3. Information requests. Public information requests require a substantive response within three weeks. Supplier due diligence questionnaires sent and tracked. Evidence collected from the supply chain to support your risk assessments. The ability to respond quickly and accurately is the difference between a managed process and a reputational incident.
What the Penalties Look Like
Forbrukertilsynet enforces the Act and has issued guidance and enforcement notices. Penalties for non-compliance include:
Infringement notices — formal findings of non-compliance published publicly. The reputational impact of a published finding is often more significant than any financial penalty.
Fines — periodic penalty payments for continued non-compliance following an infringement notice.
Public enforcement decisions — Forbrukertilsynet's decisions are published. A finding against your company is searchable and visible to customers, investors, and journalists.
The most immediate penalty for most mid-market companies is not a fine — it is a public information request you cannot answer credibly, followed by reputational damage at the worst possible moment in a sales cycle or investor process.
How Long Compliance Takes — Done Properly
The June 30 deadline is annual and fixed. Companies that treat it as a project scramble every May and produce something mediocre. Companies that treat it as a continuous workflow produce something credible and are ready for information requests year-round.
What It Costs
With governance automation tooling: €5,000–12,000 first year.
Traditional consultant route: €15,000–40,000 depending on supply chain complexity and the number of suppliers requiring assessment.
Annual ongoing with tooling: €4,000–8,000. The Transparency Act creates a continuous obligation — due diligence must be updated when circumstances change and information requests can arrive at any time.
For companies already managing ISO 27001, NIS2, ESG, or CSRD obligations, the supply chain assessment workflows and disclosure management processes overlap significantly. The governance infrastructure is shared and each additional framework costs less than the first.