When messaging becomes critical: why compliance and SLAs matter more than ever
- espenstoraas


Messaging is no longer just a support channel - it has become critical infrastructure. As SMS and RCS are used for notifications, authentication and payments, the demands for compliance, delivery security and clear accountability also increase.
In this article, we take a closer look at how regulations, SLAs, and responsibility sharing actually affect messaging solutions in practice – and why this has become a more important decision criterion than ever.
Automation changes the risk picture
The development in messaging communication is going in one clear direction:
- More messages are sent automatically
- Fewer people are involved in each step
- Systems depend on messages actually getting through

For businesses that use SMS and RCS for notifications, authentication or payments, a delay or outage can have real consequences. This could mean missing information for the end user, lost revenue or, in the worst case, a breach of legal obligations. When messaging becomes an integral part of core processes, a "best effort" mindset is no longer enough.
The regulations affecting message communication today
Message communication is not regulated by a single set of regulations, but by several that together set the framework for how solutions should be designed and operated in practice.
GDPR and the Electronic Communications Act – a strict double regulation
GDPR regulates the processing of personal data, but in the messaging sector this is supplemented by the Electronic Communications Act. This entails:
- Metadata and traffic data: Information about who sends to whom, when and where has a particularly strong protection. The Electronic Communications Act often imposes stricter deletion obligations for traffic data than the general principles of the GDPR.
- Confidentiality: The requirement to ensure the security of communications is absolute.
- Role allocation: Clear data processing agreements are required that specify how data is handled at all levels, from business to operator.
New Electronic Communications Act (from 1 January 2025)
The new Electronic Communications Act has tightened the requirements for security and robustness in Norwegian networks. For businesses, this means that providers now have a greater responsibility to prevent abuse (such as SMS spoofing) and ensure that critical traffic is correctly prioritized in the infrastructure.
Marketing Act – when SMS is used for marketing
When SMS is used for marketing, separate rules apply. The main rule is that prior consent is required, and the line between service messages and marketing can in practice be thin. This places demands on both how businesses use the channel and how messaging solutions support consent, control and easy opt-out for the end user.
Public sector: stricter framework
Public sector businesses often encounter:
- stricter documentation requirements
- clearer expectations for delivery reliability
- more formalized responsibilities
There is rarely room for unclear roles or unresolved dependencies in the supply chain.
Digital Security Act (NIS1) – and NIS2 in Norway
In Norway, the Digital Security Act came into force on October 1, 2025. The act implements the original NIS Directive (NIS1) and sets requirements for digital security for businesses of particular importance to society.
NIS2 has not yet been implemented in Norwegian law, but Norwegian authorities are investigating how the directive will be implemented through the EEA Agreement. At the same time, we are already seeing expectations from customers and public actors moving towards the NIS2 principles, especially when it comes to risk management and supply chains.
When message dialogue is also payment
When messaging is used for payment, a separate regulatory framework comes into play. SMS payment is not just communication – it is finance.
This includes, among other things:
- supervision by the Financial Supervisory Authority
- requirement for e-money or payment license in accordance with PSD2/PSD3
- compliance with financial regulations, including upcoming requirements through DORA (Digital Operational Resilience Act), which requires financial systems to be robust against digital threats

In Norway, this is handled through Strex, which has the necessary licenses and regulatory responsibility in the payment area, and is the only one with this framework in the Norwegian market. For businesses, this means that messaging and payment dialogue must be considered together, but with a clear division of responsibility between communication and finance.
Who is really responsible?
Message communication is an interaction between several parties:
- The customer: Owns the use of the solution and the purpose of the communication. Is responsible for content, consent, possible universal design (UD) and correct use.
- The platform provider: Provides technology, integrations and message flow management. Responsible for how the solution is built, monitored and operated.
- The operators: Provide transport in mobile networks within their technical limits.
- Subcontractors: May be involved in routing, international delivery, or payment in messaging dialogue.
- Payment agent (e.g. Strex): Has regulatory responsibility if the message involves a financial transaction.

Good compliance is not about one actor "taking all responsibility", but about the division of responsibility being clear, documented and understood.

What is a realistic SLA for SMS and RCS?
A Service Level Agreement (SLA) should describe what can actually be guaranteed in a complex chain.
- What can be guaranteed: Platform uptime, response time in the event of errors, 24/7 monitoring and notification of deviations.
- What cannot be fully guaranteed: 100% delivery to all recipients at all times (due to circumstances such as lack of coverage at the recipient, full inboxes or errors on the recipient's device).
A modern SLA is therefore about transparency and predictability – that you as a customer know exactly what happens if something goes wrong.
Checklist: 7 questions to ask before choosing an SMS and RCS provider
- Who is actually responsible if messages do not get through?
- What does the SLA cover, and what does it not cover?
- How are personal data and metadata handled in the message flow?
- Does the solution support universal design (UD) requirements, for example, using rich media in RCS?
- How is compliance with regulations documented over time?
- How are incidents and deviations handled?
- How is the supplier preparing for increased regulatory requirements, including the Digital Security Act, NIS2 and DORA?
What happens next?
The development points in one clear direction:
- more documentation
- greater requirements for control in the supply chain
- less room for "best effort" communication

Messaging is increasingly being treated as critical infrastructure. For businesses, this means that choosing a messaging provider is not just about price or functionality, but about maturity, regulatory understanding, and the ability to take responsibility in practice.
Explanations of terms:
- GDPR – The EU's data protection regulations for the processing of personal data, including message content and metadata.
- The Electronic Communications Act – Norwegian telecom legislation that regulates electronic communications, security and accessibility.
- UD (Universal Design) – Statutory requirement that digital solutions should be usable by everyone, regardless of functional ability.
- SLA – Agreed service level for availability, response time and follow-up.
- Digital Security Act (NIS1) – Norwegian law in force from October 1, 2025 that sets requirements for digital security.
- NIS2 – Upcoming EU directive with stricter requirements for cybersecurity and supply chains.
- DORA – EU regulations for operational resilience in financial services.


