Liability for misuse of BankID

Supreme Court judgment of 17 June 2026, HR-2026-1359-A, (case no. 25-176614SIV-HRET), civil case, appeal against Eidsivating Court of Appeal's judgment of 16 September 2025.

A (advocate Arnor Zoran Scheibler) v. Entercard Norge – branch of Entercard Group AB (advocate Mathias Fridtjof Seierstad Haugan and advocate Vidar Riksfjord)

A man was held liable for losses arising from his former cohabitant’s misuse of his BankID to obtain consumer loans, and his liability was neither reduced nor limited.

The Supreme Court held that it was unnecessary to determine whether he was contractually bound by the loan agreements, as he was in any event liable. The misuse of the BankID resulted from the man having knowingly entrusted the BankID token, password and personal identification number to his former cohabitant. He had also, over an extended period, failed to monitor his financial affairs, despite being aware of her financial difficulties and gambling problems.

The Supreme Court emphasised that BankID is a strictly personal security solution and that a strict standard of care applies to its holder. On an overall assessment of the parties’ conduct and their respective contributions to the risk, the Court concluded that the man had, at least, grossly breached his duty of care. By contrast, the lender had implemented relevant control measures in accordance with prevailing practice and could not be blamed. 

There was a sufficient causal link between the man’s conduct and the loss. Section 3‑20 of the Financial Contracts Act 2020, which sets monetary limits on liability in cases of misuse of electronic identification, did not apply, as the loan agreements had been concluded before the Act entered into force. There was no basis for a reduction in liability under section 5‑1 of the Damages Act, since the lender had not contributed to the loss. Nor were there any special circumstances justifying mitigation under section 5‑2, notwithstanding that the liability was financially burdensome. Considerations of general deterrence and the need to maintain trust in eID solutions also weighed against mitigation.
 
The decision elaborates on the legal startingpoints applicable to claims for damages arising from misuse of BankID.

Read the judgment (Norwegian only) (PDF)

Area of law: Tort law

Key paragraphs: 46, 69, 82, 83, 97

Justices: Øie, Bergsjø, Thyness, Stenvik, Steen