Back to blog

Company hijacking: Norway’s new automatic registry alert

Håkon Berntsen ·
Company hijacking: Norway’s new automatic registry alert

From 1 July 2026, the Brønnøysund Register Centre automatically notifies people and businesses when they are removed from key roles such as board member, managing director or responsible shipowner. It is a concrete defence against company hijacking – a form of fraud that hits small organisations and sole proprietorships especially hard. Here is what happens, and what you must still do yourself.

What company hijacking is

Company hijacking, or corporate identity theft, means fraudsters filing false changes to a company’s roles – for example registering themselves as chair or managing director. With control of the roles they can order goods on credit, take out loans, drain accounts or misuse the company’s identity. Victims often discover it only when the invoices arrive, or when they try to use their own role and find it gone.

How a hijacking often unfolds

The pattern is usually the same. The fraudster finds a company that looks lightly monitored – perhaps a small association or a sole proprietorship. Then a change of roles is filed, often with a forged signature or a misused login. If the change goes through without anyone reacting, the fraudster appears to the outside world as the company’s rightful representative. Goods are then ordered on credit or loans taken out in the company’s name. When the invoices fall due, the real owner is left with the bill and a clean-up job in the registers. Precisely because the first steps happen quietly, early notification is so valuable.

Why small organisations are exposed

Large companies usually have finance departments and routines that catch irregularities quickly. A small association, a voluntary organisation or a sole proprietorship rarely does. Board seats in the voluntary sector are filled by dedicated people who do not necessarily monitor the registers day to day, and role changes can happen at annual meetings without everyone noticing. That is exactly why the barrier to exploiting them is low – and the consequences large when it happens.

What the new alert catches

Amendments to the Business Enterprise Registration Act and the Central Coordinating Register Act mean the register centre now sends an automatic notification to people and businesses that are no longer registered in a key role. If you are removed as a board member or managing director, you are told – and can react before harm is done. It is a register-quality and economic-crime measure that makes it far harder to hijack a company quietly.

One clarification matters: the technical solution was rolled out back in May 2026. What happens on 1 July is that the duty becomes enshrined in law. So the alert is not entirely new as a feature, but it is now anchored in legislation – and thus something you can rely on going forward.

What you must still do yourself

An automatic alert is a safety net, not a guarantee. It only helps if it reaches you – and if you act on it. So do this regardless:

  • Check your notification addresses in Altinn. Make sure both email and mobile number are correct and belong to the right person, so alerts actually arrive.
  • Review the roles regularly. Every few months, verify that the board, managing director and signing rights are correct in the register.
  • React quickly. If you receive an alert you do not recognise, contact the register centre immediately. Minutes and hours count.
  • Limit access. Keep track of who holds authorisations and roles in Altinn, and remove access that is no longer in use.

What to do if you are hit

If you discover a role change you did not make, do not wait. Contact the Brønnøysund Register Centre to have the change stopped and corrected, and report the matter to the police – economic crime needs a report to be followed up. Notify your bank and any suppliers so that orders in the company’s name can be stopped, and review your Altinn access to lock the fraudster out. Keep documentation along the way; it is needed both in the register and in any case that follows.

Relevant for both nonprofits and founders

If you sit on the board of a voluntary organisation, you are a role holder who can be notified – and who should keep your own details up to date. If you run a sole proprietorship or a small limited company, the same applies. Good role hygiene is not only about security; it makes your organisation more visible and accountable to the outside world. If you want your business to be easy to find and verify for partners, you can register it in the business directory.

To strengthen your organisation’s digital foundation more broadly, our free founder courses take you through the practical steps – from roles and routines to the tools you need.

Make role checks a fixed routine

The simplest protection is also the cheapest: a fixed routine. Put a role review into the board’s annual cycle, ideally after each annual meeting and once mid-year. Name who is responsible – without an owner, such checks are quickly forgotten. Go through who is listed as board members, managing director and signatories, and verify that the notification addresses in Altinn belong to people who actually pay attention. Document that the check was done, for example in the board minutes.

For a small organisation this takes a few minutes twice a year, but it closes the door the fraudsters depend on: that no one notices the change until it is too late. Combined with the new automatic alert, such a routine gives protection that is hard to get past.

What to do now

Log in to Altinn today and confirm your notification addresses are correct, and check that the roles in your company or association are right in the register. Read more about the legal change from the Ministry of Trade, Industry and Fisheries, and make a role review a fixed routine a couple of times a year.

More to read

Related Articles

Stay updated

Subscribe to our newsletter for news about open source, AI, and digital innovation.