Last review date: 27 December 2024

☒ omnibus – all personal data

☒ sector-specific

E.g., telecoms, public healthcare sector

☒ constitutional

Last review date: 27 December 2024

• EU General Data Protection Regulation
• Norwegian Personal Data Act (in Norwegian only)

Although not a member of the EU, Norway is a member of the European Economic Area ("EEA"). The EEA Agreement ensures that Norway is part of the "Internal market" based on the EU's four freedoms – free movement of goods, services, persons and capital.

The GDPR was incorporated into the EEA agreement and became applicable in Norway on 20 July 2018. Norway is thus bound by the GDPR in the same manner as EU Member States.

Last review date: 27 December 2024

Provisions regarding cybersecurity in Norway are highly fragmented and regulated in a vast number (approx. 150) of different laws and regulations. However, many of these provisions apply to information security in general, whereas cybersecurity requirements are considered within the scope of the provisions but not explicitly touched upon. Still, there are key laws and regulations which directly regulate cybersecurity requirements:

• Act relating to national security of 2018 ("Security Act")
• Act relating to Electronic Communications of 2003 ("E-Com Act") 
• Regulation relating to Electronic Communications of 2004 ("E-com Regulation")
• Regulation on the Use of Information and Communications Technology of 2003 ("ICT-Regulation")
• Regulation on CCTV Surveillance in Businesses
• Regulation relating to power preparedness of 2012
• The Act relating to Medical Patient Journals of 2014
• The Act on Health Registers and the Processing of Health Information (Health Registers Act)
• Regulation on the Processing of Information in the Police and Prosecution Authority (Police Records Regulation)
• The Act on Debt Information for Credit Assessments of Individuals (Debt Information Act)
• EU General Data Protection Regulation

Last review date: 27 December 2024

• The Norwegian Archiving Act (LOV-2022-12-20-115)
• Regulation on the collection, quality assurance, and dissemination of data related to public roads, traffic, etc. (the Road Data Regulation) (FOR-2010-12-03-1525)
• Regulation on the mandatory storage of certain data and the facilitation of these data (the Data Retention Regulation) (FOR-2013-05-14-484) - Not yet in force. May come into force during 2025
• The new Electronic Communications Act (Ekomloven) of 2024 - Not yet in force. May come into force during 2025
• The Act on the Processing of Information in Credit Information Business (Credit Information Act) (LOV-2019-12-20-109)Act relating to the processing of data by the police and the prosecuting authority (the Police Databases Act

Last review date: 27 December 2024Yes.

On 2 July 2021, the Ministry of Local Government and Regional Development published a proposal for a new act on electronic communications (in Nw.: ekomlov), a new regulation on electronic communications and changes to the regulation on number resources for electronic communications networks and services. The new act on electronic communications has been passed by the Parliament, and sanctioned by the Council of State. It will enter into force in 2025.The purpose of the proposal is to implement the EU Electronic Communications Directive (2018/1972), which has replaced the EU regulatory package for electronic communications from 2002, the regulation on BEREC (2018/1971) and parts of the Accessibility Directive (2019/882) applying to the electronic communications area. In addition, the legislative package continues the implementation and incorporation of a number of other EU legal acts that have been incorporated into the EEA Agreement.

A proposal for changes to the Police Act and the Police Register Act were submitted by the Ministry of Justice and Public Security for consultation on 7 October 2021, with a consultation deadline of 7 January 2022. The proposal concern changes to the Police Act which regulates the Police Security Service's (PST) task as a domestic intelligence service, and which clarify what this task entails. In addition, amendments are proposed to the Police Registers Act which allow for the PST to store, systematize and analyze large amounts of openly available information for the preparation of analyses and intelligence assessments, even if the individual information in isolation is not necessary for this purpose.

The Directive on security of network and information systems ((EU) 2016/1148), frequently referred to as the “NIS 1” will be implemented through the Norwegian Digital Security Act. The Act was initially planned to come into force during 2024. However, as of 27 December 2024, no specific date has yet been set.. The draft act is proposed to be applicable to both suppliers of critical infrastructure (e.g., power suppliers, transport, health services and financial services), and suppliers of digital services. NIS 1 was repealed in the EU when NIS 2 ((EU) 2022/2555) came into force in October 2024.

NIS 2 has already been assessed by the department as relevant to the EEA, but it has not yet been included in the EEA Agreement through a formal EEA Committee decision. The Justice and Emergency Preparedness Committee have stated that Norway is free to adopt national legislation in line with EU legislation, and that the Digital Security Act will be adapted to also meet the requirements of the NIS 2 Directive, regardless of the process of incorporating the NIS 2 Directive into the EEA Agreement.

The Artificial Intelligence Act (“AI Act”) entered into force in the EU on 1 August 2024, making it legally binding for EU member states. The AI Act establishes comprehensive regulations, including prohibition on AI applications deemed to pose an unacceptably high risk to health, safety, and fundamental rights. It also introduces rules for other high-risk AI systems, requiring compliance with strict regulatory standards. Additionally, the Act mandates labeling of AI products and AI-generated content.

The legal act is relevant to the EEA, and the regulation will take effect in Norway during the first half of 2026. Although the AI Act is an EU regulation, Norway is expected to align its legal framework with these provisions, ensuring compliance through the EEA Agreement. As part of the EU's digital strategy, the Act aims to promote data sharing while safeguarding privacy and fundamental rights, and it will affect private-sector AI applications in Norway, particularly those operating in or targeting the EU market.

Furthermore, Norway signed the Council of Europe Convention on Artificial Intelligence in September 2024, which aligns with the principles of the AI Act. The Convention focuses on ensuring that AI development respects human rights, democracy, and the rule of law. Initially, it applies only to state use of AI, but Norway has expressed an intention to extend its application to private entities as well. Consequently, Norway is likely to coordinate the implementation of both the AI Act and the Convention to ensure a consistent regulatory approach across both public and private sectors.