eID verification of Ultimate Beneficial Owners — how we keep Norwegian company formation trustworthy

Foundations of trust Why a national eID is the right way to verify an Ultimate Beneficial Owner

Registering a Norwegian company — whether a NUF (Norwegian-registered foreign branch, our core product), an AS (Aksjeselskap) — is a legally binding act. The directors we appoint, the share register we maintain and, for an AS, the share capital of NOK 30 000 we transfer in your name all rely on the Brønnøysund Register Centre trusting that you really are the person we say you are. The Norwegian Money Laundering Act of 2018 (Hvitvaskingsloven) § 12, the EU Anti-Money Laundering directives (AMLD 5 and AMLD 6) and the upcoming EU AML Regulation (AMLR) all require us as a professional intermediary to perform enhanced due diligence on every Ultimate Beneficial Owner.

A scanned passport is no longer enough. National eIDs solve that with a chain of trust that goes all the way to a public authority:

• eIDAS assurance level — every eID we accept is at level Substantial or High, meaning the issuing scheme is notified to the European Commission and recognised across the EU/EEA.
• Non-repudiation — the authentication produces a signed token. You cannot later claim someone else logged in.
• Tamper-resistant — name, date of birth and national identifier come straight from the eID issuer (banks, public registries), not from a document we have to inspect by eye.
• Cross-border by design — the eIDAS framework makes a Danish MitID, a Swedish BankID and an Estonian Smart-ID legally equivalent for our KYC purposes.

Our identity provider Idura Verify — the Nordic eID broker we trust

We do not build national eID integrations from scratch. We rely on Idura Verify, a Copenhagen-based trust-service broker formerly known as Criipto. Idura ApS (CVR 35142207, Gammel Kongevej 3E, 1610 København V) is a certified MitID broker, an approved BankID partner in Norway and Sweden, a Finnish Trust Network broker and a connected AusweisApp service provider.

Choosing Idura Verify means:

• One legal framework, five eIDs. A single data-processing agreement covers MitID, BankID NO, BankID SE, FTN and AusweisApp.
• Verified production setups. Idura’s production environment for each eID has been activated by the issuing scheme (Nets, BankID AB, BankID NO, Suomi.fi, Bundesdruckerei) — Intermediary AS is therefore a properly accredited downstream service.
• eIDAS-aligned tokens. Every authentication returns a JWT signed by Idura that we validate server-side before we open a session.
• GDPR-compliant data flow. All data is processed inside the EU/EEA; no transfer of personal data outside the EU is needed for the eID step.
• Operational resilience. Idura publishes a public status page at status.idura.app and runs redundant infrastructure across two EU regions.

We use only the Verify product line — that is, the eID-authentication API. We do not use Idura’s signing or video-identification add-ons today; for electronic signatures of articles of association we rely on Brønnøysund’s own Altinn flow.

eID #1 Danish MitID — for founders resident in Denmark

Why this matters for your Norwegian filing. When you log in with MitID, we receive a token that the Norwegian Register Centre would itself accept under the eIDAS regulation. This means we can sign declarations on your behalf without having you travel to Norway. Danish founders also unlock our Establishing a Danish-owned company in Norway guided flow with the right tax and VAT defaults already populated.

eID #2 Norwegian BankID — used by our state-authorised Norwegian partners

eID #3 Swedish BankID — for Swedish residents expanding into Norway

Sweden is the largest source of foreign companies registered in Norway. Of all foreign-registered branches (NUFs) in Norway, Swedish parents make up the biggest cohort. We optimise the Swedish onboarding flow to mirror the structure used in bolagsverket.se — same field order, same labelling — so you finish in a few minutes.

eID #4 German Personalausweis — verified through AusweisApp

Why we accept AusweisApp. Germany is the fourth-largest source of NUFs in Norway today, and the trend is accelerating with the EU Digital Identity Wallet initiative. By accepting the German eID at level High, Intermediary AS is positioned for the EUDI Wallet rollout coming in 2026–2027 — your AusweisApp credential will keep working without any changes from your side.

eID #5 Finnish Trust Network — the umbrella for Finnish bank eIDs and Mobiilivarmenne

Bonus: Åland Islands and bilingual support. The Ålandsbanken FTN credential includes Swedish-language fields, so Åland founders register in Norwegian or English without translation friction.

Regulatory backbone eIDAS & Norway’s EEA obligations

Every national eID we accept is part of an eIDAS-notified scheme. eIDAS is the EU’s Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, modernised by Regulation (EU) 2024/1183 (commonly called eIDAS 2.0). It defines a common legal framework for cross-border identification, electronic signatures, seals, time stamps, registered delivery and website authentication across the EU and EEA.

Norway is not an EU member, but as a contracting party to the EEA Agreement the country has implemented eIDAS through the Norwegian lov om elektroniske tillitstjenester (the Trust Services Act, LOV-2018-06-15-44) and its accompanying regulations. In practice this means that a Danish, Swedish, German or Finnish eID notified to the European Commission must be recognised by Norwegian public bodies — including the Brønnøysund Register Centre, the Norwegian Tax Administration and Altinn — on the same terms as a Norwegian eID at the same assurance level.

The three eIDAS assurance levels

• Low — limited confidence; not accepted by us for company formation.
• Substantial — high confidence; sufficient for most company-registration acts.
• High — very high confidence; required for share-capital transfers, beneficial-owner declarations and any AS/NUF act with material legal effect.

All five eIDs we onboard — MitID (DK), BankID (NO), BankID (SE), Personalausweis via AusweisApp (DE) and the Finnish Trust Network (FI) — are notified to the European Commission at level Substantial or High. Because they are notified, we do not need to run our own identity-proofing on top: the issuing Member State has already done it under audited eIDAS rules, and the EEA framework binds Norway to accept that proof.

Why this matters for foreign founders

For a Danish, Swedish, German or Finnish founder establishing a Norwegian NUF or AS, the eIDAS-EEA chain is what makes remote, fully digital company formation legally defensible. The same chain lets us discharge our duties under the Money Laundering Act of 2018 (Hvitvaskingsloven), the EU AML directives (AMLD 5 and AMLD 6) and the upcoming EU AML Regulation (AMLR) without ever asking you to fly to Norway or visit a notary. Identity verification is performed in your home country, by your national scheme, at an assurance level the law in Norway is obliged to honour.

What happens behind the scenes The four-step verification process at registercompany.no

After step 4 your identity is verified. What happens next — first your choice of Norwegian organisation form (our core offering is the NUF Norwegian-registered foreign branch, with AS also available), then pre-filling the founder section, drafting articles, share-capital transfer where relevant and the Brønnøysund filing — is the registration journey itself and is covered on the home page, not here.

Data, retention and your rights What we keep — and what we delete

We minimise data by design. After a successful eID login, the only personal data we store is what we are legally required to keep under the Norwegian Money Laundering Act § 30 (record-keeping) and the Bookkeeping Act § 13:

• Your verified full legal name
• Date of birth
• National identifier where the eID releases it (Swedish personnummer, Finnish henkilötunnus, German Personalausweis number)
• The eIDAS Level of Assurance reported by the eID
• A timestamp and the name of the eID broker (Idura)

We do not store: your PIN, your biometric data, your bank credentials, your MitID/BankID code generator state, or any session cookies issued by the eID issuer.

Retention: 10 years after the customer relationship ends (Money Laundering Act § 30 second paragraph). After that we delete or anonymise. You have the right to access, rectify and (subject to AML constraints) request erasure of your data — write to contact@intermediary.no.

Our cookie and data-handling overview is at registercompany.no/Cookie and our data-processing agreement with Idura is available on request.

Edge cases If you do not have a Danish, Norwegian, Swedish, German or Finnish eID

The five eIDs above cover roughly 95 % of cross-border founders coming into Norway today. If you live elsewhere in the EU/EEA or outside the EU, you have three options:

• Use an EEA eID that we will add next. We are planning to enable Estonian Smart-ID/Mobiil-ID, Latvian eParaksts, Lithuanian m.parašas, Belgian eID and Dutch iDIN — all via Idura. Subscribe to our Insights to be notified.
• Manual KYC with a certified passport copy. We perform a video identification call, you provide a notarised copy of your passport plus proof of address (utility bill, bank statement, or government letter no older than three months).
• Power of attorney to an EU/EEA representative. If you appoint a Norwegian or EU representative as your contact person, we verify the representative with eID and you sign a notarised power of attorney.

Contact contact@intermediary.no and we will set up a manual KYC slot within one working day.

Sovereign by design Data sovereignty and Norway’s critical-infrastructure regime

For a foreign founder establishing a Norwegian company, where your identity data is processed and who has legal jurisdiction over it is just as important as how it is verified. The entire identity-verification flow at registercompany.no runs on Norwegian and Nordic sovereign infrastructure — not on US or Asian hyperscalers, and never on a SaaS layer that could be compelled to disclose your data under foreign extraterritorial law.

Our identity broker Idura Verify is a Norwegian-owned, Norwegian-headquartered company, fully subject to Norwegian law and supervised by Datatilsynet (the Norwegian Data Protection Authority) and operating within the perimeter of NSM (Nasjonal sikkerhetsmyndighet, the Norwegian National Security Authority). National eID brokering of this kind is treated as critical national digital infrastructure in Norway and across the Nordics, and is regulated accordingly under the EU NIS2 Directive, the Critical Entities Resilience (CER) Directive and the upcoming EU Digital Identity Wallet framework (Regulation (EU) 2024/1183).

Why this matters when you choose who registers your Norwegian company. Many cross-border KYC and company-formation services run on US-based SaaS stacks (AWS US regions, Azure US regions, Google Cloud US, Salesforce, US-routed Stripe Identity / Persona / Onfido flows). That is a legal grey zone for personal data of EU/EEA founders ever since Schrems II, and it puts your identity record one subpoena away from a foreign authority. The architecture we operate on is the opposite: a Norwegian eID broker, Nordic-domiciled processing, EU/EEA-only storage, and an audit trail that a Norwegian court is the only one with jurisdiction to read.

• Jurisdiction: Norwegian law, EU law and the EEA Agreement — exclusively.
• Supervisors: Datatilsynet (GDPR), NSM (digital security), Finanstilsynet (AML/CFT through our regulated partners) and the national eIDAS supervisory bodies in each Nordic scheme we connect to.
• Regulatory frame: GDPR, eIDAS (Regulation (EU) 910/2014 as amended by 2024/1183), NIS2, CER and DORA where applicable to our supervised partners.
• Data residency: identity data and audit logs stored within Norway / the EEA, with documented sub-processors and no onward transfer to third countries without an Article 46 GDPR safeguard.
• Resilience: the same class of broker and infrastructure that Norwegian state-facing eID services rely on — designed for national-level uptime and incident response.

This is what we mean when we say compliance is built in, not bolted on. Data sovereignty is not a checkbox on a procurement form — it is a property of the infrastructure your data actually lives on. For a foreign founder who is about to put their passport, their tax residency and their beneficial-ownership declaration into a Norwegian registration flow, that choice of infrastructure is the choice that matters most.