Terms of use for access to the Tax Administration's services – Suppliers of end-user systems
Suppliers of end-user systems must familiarise themselves with these terms of use before integrating with the Tax Administration’s services.
Purpose of the terms of use for suppliers of end-user systems
This page describes which external services (APIs) are made available, the requirements for quality and availability, and the routines for changes, error handling, and administration. This applies to both services for reporting data and for sharing data through end-user systems.
Any changes to the terms will be announced in line with the procedures described below. Suppliers may choose to terminate their integration with the Tax Administration’s services for end-user systems if they do not accept the updated terms.
It’s assumed that the supplier has valid agreements and data processing agreements with their customers in order to report and retrieve data through the Tax Administration’s APIs for data sharing.
Services and categories of data
All services/APIs covered by these terms are listed here:
These terms of use apply to APIs for reporting data that the supplier integrates with.
The terms of use also apply to APIs for sharing data.
Suppliers can only access APIs for sharing if they're integrated with at least one API for reporting data, and the customer has submitted data at least once through the end-user system. Suppliers must not use the data for any other purpose than making it available to the customer through the end-user system.
These terms of use apply together with the Service Description for Data Sharing. They must be read in conjunction with the service descriptions for each individual service. If data is shared via an API and both the terms of use and the service description cover the same topic, the more specific rules in the service description take precedence.
Service level
The Tax Administration aims to provide stable and reliable services. However, the service level does not include any guarantees that could trigger financial sanctions or other consequences between the parties. The service level is based on a non-commercial collaboration model, where each party covers its own costs and benefits from more efficient information sharing. APIs may be taken out of service due to events beyond the Tax Administration's control. We'll notify suppliers as far as possible.
Operational notices on the Tax Administration’s status page
The Tax Administration publishes notices about errors, fixes, service status, and other operational updates here:
Suppliers are required to subscribe to operational notices on the Tax Administration’s status page and assess their relevance for the supplier’s use of the Tax Administration's services. If the notification channel changes, suppliers will be informed.
Some issues may be caused by shared functions managed by the Norwegian Digitalisation Agency. We therefore recommend subscribing to the operational notices from the Norwegian Digitalisation Agency as well.
|
Availability |
The services are normally available around the clock on all working days, except for short interruptions due to necessary technical maintenance. |
|
Availability requirement |
99,8% (excluding planned and announced maintenance) The measurement period is monthly (per calendar month). |
|
Operating hours |
All working days:
Operational services are available on all working days. On Christmas Eve, New Year’s Eve, the days between Christmas and New Year, and the Wednesday before Maundy Thursday, opening hours are limited. |
|
Response time for feedback |
Reporting function: Feedback on submitted data is provided continuously. Response time may vary between services and between synchronous and asynchronous solutions. More information about service-specific response time. Sharing function: Maximum 4 seconds for 99.8% of service calls, measured on the Tax Administration’s side of the API interface. The following load assumptions apply:
Response time also assumes that the supplier uses the event list to avoid unnecessary load. If necessary or appropriate, the Tax Administration may limit or regulate requests and calls per supplier. |
|
Availability |
The services are normally available around the clock on all working days, except for short interruptions due to necessary technical maintenance. |
|
Operating hours |
All working days:
Operational services are available on all working days. On Christmas Eve, New Year’s Eve, the days between Christmas and New Year, and the Wednesday before Maundy Thursday, opening hours are limited. |
|
Test data |
Synthetic test data should be available in the test environment for integration testing. It's expected that supplier-specific features are prepared for testing on the supplier’s side. |
|
Component versions |
Component versions in the test environment should normally match those in the production environment. |
|
Acceptable downtime during incidents |
The Tax Administration aims to keep the test environment available, but the production environment may be prioritised in the event of incidents. |
Incidents and notifications
If the Tax Administration identifies an error or issue, the supplier will be informed along with the measures taken to restore the service.
If the supplier experiences instability, unavailability, or service failure, the supplier must report this to the Tax Administration.
Before reporting, the supplier should, as far as possible, ensure that the issue does not originate from its own systems. The supplier is therefore required to handle the incident within its own quality processes (incident management routines).
The Tax Administration will resolve reported incidents in line with the agreed service level. If no deadlines have been agreed, errors or issues will be resolved within a reasonable time, based on severity and potential impact on the supplier. This follows the principle of a non-commercial collaboration model, which does not include absolute guarantees for resolving errors or other incidents. If needed, the Tax Administration may escalate cases according to its internal deviation management procedures. The Tax Administration will decide which cases are escalated and how incidents are followed up.
Suppliers report incidents using the following channels:
- For sharing: "Brukerstøtteverktøy"
- For reporting: use the contact information provided on the information page for end-user systems
- For shared functions: report directly to the Norwegian Digitalisation Agency
If the supplier suspects a breach, risk, or incident related to any type of security or personal data – such as breaches of confidentiality, integrity, or availability – necessary measures must be taken. The Tax Administration must be notified if the incident falls under its responsibility as a data controller. Critical security incidents must be reported by phone to: 23 62 27 60.
If the supplier has reported a personal data breach to the Norwegian Data Protection Authority (DPA), and the breach falls under the Tax Administration’s responsibility, the Data Protection Officer at the Tax Administration must be informed by email at [email protected], with a copy of the report to the DPA attached. This obligation does not apply if the report has been exempted from public disclosure by the DPA.
The Tax Administration is responsible for categorising reported incidents, including errors.
The Tax Administration does not guarantee a specific service level for incident handling, but we aim to manage incidents as described below. Notifications and corrections apply from the time the Tax Administration becomes aware of the incident or error. The scope, severity, and complexity of the issue determine the response time.
|
Priority |
Description |
Notification and response time, from when the error and severity are known |
| A-Critical |
Critical error. No temporary solution is available. The error has a critical impact on the use of the service. A service has a serious functional error during a critical period. Incidents that make the service unavailable or nearly unavailable due to slowness during a critical period, and such unavailability:
may lead to significant financial consequences. |
First notification: 15 minutes Response time: 2 working hours |
| B-Serious |
Incidents that prevent users from using the service. A service is unavailable or has a serious functional error, but during a non-critical period. |
First notification: 1 hour Response time: 8 working hours |
| C-Less serious |
Errors that do not affect the functionality or stability of the solution. Incidents where users can still perform their main tasks. Errors that reduce the usability of the solution, but where tasks can still be completed in a reasonably satisfactory manner. |
First notification: 1 working day Response time: 5 working days |
Explanation of the table
First notification: Confirmation that the incident has been received. This may be a technical receipt or a direct confirmation from the Tax Administration.
Response time: The Tax Administration has initiated relevant processes to assess appropriate measures and has established dialogue with the supplier.
Change management and notifications
Planning changes
A change refers to any type of modification that affects the services.
As a general rule, changes must be planned and announced in advance. All changes should, as far as possible and appropriate, be subject to testing.
Both the Tax Administration and the supplier may initiate a change or request for change. The Tax Administration is responsible for prioritising and deciding which changes will be implemented.
It must be ensured that changes that may affect the stability and availability of the services are carried out in a coordinated and secure manner.
Updating documentation
The Tax Administration publishes documentation for the services and is responsible for updating it without undue delay after changes have been implemented.
Updated documentation for the Tax Administration’s data sharing services
Channel for change notifications and news
The Tax Administration provides information about planned changes to the services. Suppliers are required to subscribe to the Tax Administration’s news service and assess the relevance of updates for their use of the services. If the notification channel changes, the Tax Administration will inform the suppliers.
Changes are classified into the following categories, each with its own process and notification requirements.
|
Category |
Description and examples |
Implementation/ process |
Notification |
|
Standard change |
Well-documented change with minimal risk of service disruption Examples:
|
If an existing service is changed, the old version will be replaced by the new one in production. The supplier must be able to handle this without making changes on their side. The supplier is responsible for notifying the Tax Administration if a standard change causes issues. |
The change is announced only as news in the news service after it has been implemented. For annual revisions, notification will be given as soon as the change is known, preferably via other relevant channels (skatteetaten.no, dedicated meetings).
|
|
Normal change |
Planned changes that are not standard changes, that is, changes that affect the functionality of the existing service. Such technical changes will require updates on the supplier’s side to ensure continued access to the service.
|
When a new version of the service is introduced, the old version will normally remain available for 4 months. The supplier must switch to the new version within this period. |
Normal changes are announced through the news service no later than 4 months before the old version is no longer available. |
|
Emergency change |
Changes that, due to external circumstances, cannot follow normal deadlines. Typical examples include changes resulting from the national budget, security incidents, or handling of critical production errors.
|
Assessed individually for each change.
|
Announced in the news service as soon as the Tax Administration becomes aware of the change. |
Crisis and preparedness plans
The Tax Administration must ensure that updated and accessible crisis and preparedness plans are in place for operating the services. The supplier must have the necessary crisis and preparedness plans for their own services. In a preparedness situation or other extraordinary event beyond the parties’ control, the Tax Administration and the supplier are expected to cooperate to establish alternative electronic and/or manual routines for exchanging data, if the situation allows.
Changed needs during critical periods and extraordinary situations
If the supplier has performance needs beyond the defined limits for the number of requests, this must be reported as a change request.
The supplier is required to inform the Tax Administration if the services will be used in extraordinary situations or during a critical period, as defined by the supplier. This also applies if major work is planned outside the defined availability period. In such cases, the Tax Administration will assess whether it is possible to increase preparedness, based on available capacity.
The Tax Administration must be informed as soon as the supplier becomes aware of upcoming changes or has planned activities related to the service.
Obligations of the suppliers of end-user systems
Access to the services (API) depends on approval from the Tax Administration and is granted upon application from the supplier. The supplier is responsible for managing the application process. Once the supplier has accepted the terms of use for suppliers of end-user systems and any applicable service description, completed testing, and connected to the service in production, they will have access to the service.
Access to data sharing services requires that the end-user system supports reporting of mandatory data to the Tax Administration. See the service description for data sharing for further details.
The supplier accepting these terms acts on behalf of their customers (end users) when integrated with the Tax Administration’s services. The supplier must have agreements with their customers that uphold these terms of use and service descriptions, and that comply with relevant legislation. The supplier is responsible for access control within their own system and for ensuring that both their own actions and the customer’s use comply with these terms of use.
The supplier is the data processor for the end user’s processing of personal data through the services covered by these terms. The supplier is responsible for ensuring that personal data is processed in accordance with the agreement with the end user and applicable data protection legislation. The supplier must not use access to the services for their own purposes.
The supplier must notify the Tax Administration if ownership of the end-user system is transferred to another party. Access applies to the relevant services as they exist at any given time, and the supplier is responsible for reviewing access regularly. The supplier must also report any errors in their own solutions that may affect the Tax Administration’s services.
The supplier is required to familiarise themselves with the technical and functional interfaces and follow the technical requirements and functional procedures specified in the service documentation. The supplier must comply with the specifications and requirements for each individual service.
The supplier is committed to using the Tax Administration’s services efficiently and sustainably. This includes minimising the number of API calls to ensure efficient use of system resources. For data sharing, event-driven integration must be used to reduce the number of API calls by listening for events and updates rather than frequent polling. Suppliers who do not follow these recommendations may be subject to throttling and, in extreme cases, access may be revoked.
If the user no longer meets the conditions or fails to comply with them, access may be terminated.
The supplier must carry out integration testing against the services. The applicable guidelines and requirements for integration, specification, and testing are available on GitHub.
The supplier is granted access to a shared external test environment. This environment is used for testing in connection with errors and deviations, changes, and further development of the services.
The Tax Administration uses exclusively synthetically generated test data, and testing with production data will not be offered. Les mer om Tenor testdata in Norwegian.
The supplier must have a test environment that can be connected to the Tax Administration’s test environment. Upon request from the Tax Administration, the supplier must provide documentation of how the integration has been tested.
The supplier must process personal data in accordance with the agreement with the end user and the requirements set out in the Personal Data Act and the General Data Protection Regulation (GDPR).
The supplier must ensure that the end-user system and the integration with the Tax Administration’s services meet applicable requirements for information security and data protection. This includes the obligation to ensure confidentiality, integrity, and availability when processing personal data, in accordance with applicable laws and regulations.
The supplier must implement planned and systematic measures to ensure satisfactory information security with regard to confidentiality, integrity, and availability. The supplier must also establish, document, and maintain planned and systematic internal control measures to ensure that personal data is handled lawfully, securely, and responsibly.
The supplier must provide adequate user support to their end users. Questions concerning the end user’s personal data must not be reported as errors in the technical solution.
Personal data that is believed to be incorrect or incorrectly registered must not be reported as an incident. If end users have questions related to their own personal data or wish to correct personal data registered by the Tax Administration, they must be referred to the Tax Administration.
Tips about possible violations that may be relevant to the Tax Administration’s operations must be submitted via a dedicated form.
Funding and costs
The Tax Administration offers the services via an interface free of charge. The supplier is responsible for covering their own costs related to adapting and facilitating their own systems, as well as operating and further developing them.
Breach of terms and sanctions
Material breach
A breach is understood as any deviation from the obligations set out in these terms of use and the service description.
Material breach includes, but is not limited to:
- Misuse of the Tax Administration’s services, including the supplier’s obligation to use the services efficiently and sustainably
- Screen scraping
- Misuse of data made available through the Tax Administration’s services
- Facilitation or execution of security breaches
- Inadequate follow-up of security breaches
- Insufficient compliance with requirements for data protection and information security
Sanctions
The Tax Administration may take necessary action if the supplier breaches the applicable terms of use or otherwise violates the technical, security-related, or statutory requirements for integration with the Tax Administration’s services.
Before such action is taken, the Tax Administration will, if possible, notify the supplier and provide an opportunity to rectify the situation. If the breach is serious or cannot be rectified within a reasonable timeframe, the Tax Administration reserves the right to disable the integration and revoke the supplier’s access to the Tax Administration’s services without further notice.
In the event of a material breach, the Tax Administration reserves the right to disable the integration and revoke the supplier’s access to the Tax Administration’s services. In such cases, the Tax Administration will provide a written notification to the supplier without undue delay.
Risks and liability
The Tax Administration cannot be held liable for consequences arising from any errors, delays, or other circumstances related to the data or services covered by these terms. This also applies to subsequent use and consequences for third parties. The Tax Administration cannot be held liable for loss or indirect loss related to the service. Indirect loss includes, but is not limited to, lost profits of any kind, lost savings, and claims from third parties.
The data made available through the Tax Administration’s data sharing services may contain errors originating from either the Tax Administration or third parties. The Tax Administration cannot guarantee the accuracy of the data, and the supplier’s customer must assess whether further verification is needed before using the data.
Changes to the terms
The Tax Administration may amend these terms of use. Requirements for changes resulting from amendments to laws and regulations must be implemented within the deadlines set out in the relevant legislation. The same applies to requirements resulting from orders or instructions from the government or ministries, as well as changes to security requirements.
Notice of changes to the terms will be provided in writing via the information page for end-user systems.