Norway
Nine Eyes partner with Arctic SIGINT capabilities, EEA member bound by GDPR without EU membership
EEA Member State (Non-EU): Norway is not a member of the European Union, but it is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA Agreement by Joint Committee Decision on July 6, 2018, making it directly applicable in Norway from July 20, 2018.[1] Norway is therefore bound by the GDPR in substantially the same manner as EU Member States, though enforcement operates through the EFTA Surveillance Authority and EFTA Court rather than through EU institutions. For a detailed treatment of the EU/EEA framework, see the EU Framework page. This page covers Norway’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Nine Eyes intelligence alliance.
Overview
Norway has a dual character in the privacy landscape. On the civilian side, the country operates one of Europe’s more assertive data protection regimes, with a supervisory authority (Datatilsynet) that can directly impose administrative fines and has demonstrated a willingness to pursue landmark enforcement actions against multinational technology companies. On the intelligence side, Norway’s strategic position on Russia’s Arctic border has made it a significant signals intelligence partner of the United States and United Kingdom, a relationship that dates back to the earliest days of the Cold War and was formalized in a SIGINT agreement with the NSA in 1954.[2]
Norway is a member of the Nine Eyes intelligence alliance, which consists of the Five Eyes nations (the United States, United Kingdom, Canada, Australia, and New Zealand) plus Denmark, France, the Netherlands, and Norway.[3] Its foreign intelligence service, the Etterretningstjenesten (E-tjenesten), operates a substantial SIGINT apparatus, focused primarily on monitoring Russian military and naval communications from listening stations along Norway’s 196-kilometer land border with Russia and from satellite ground stations in the Arctic.[4]
The passage of the Intelligence Service Act 2020, with bulk collection provisions that came fully into effect on October 1, 2023, represents a significant expansion of Norway’s surveillance infrastructure. The law authorizes the E-tjenesten to conduct bulk collection of cross-border electronic communications (mirroring data streams for metadata and content analysis) with metadata storable for up to 18 months and raw data for up to 15 years.[5] This places Norway alongside Sweden, Denmark, and France as one of the European countries operating bulk interception programs comparable in scope to those disclosed in the Snowden revelations.
This tension characterizes Norway's privacy framework: a country with active data protection enforcement and established governance transparency norms, operating simultaneously as a key node in the Western signals intelligence network with legal authority for mass surveillance of cross-border communications.
Data Protection Authority: Datatilsynet
The Datatilsynet (Norwegian Data Protection Authority) is an independent administrative body responsible for supervising compliance with the Personal Data Act and the GDPR in Norway. Unlike Denmark’s Datatilsynet, which must refer cases to the courts for imposition of fines, Norway’s Datatilsynet has the power to impose administrative fines directly, giving it direct enforcement capability.[6]
Structure and Resources
The Datatilsynet is headquartered in Oslo and operates with a relatively modest staff compared to the data protection authorities of larger EU countries:
- Staff: Approximately 72 employees (56 full-time, 6 temporary, and 10 students) as of 2021[7]
- 2022 budget: NOK 69.83 million (approximately EUR 7.2 million)[7]
Despite its relatively small size, the Datatilsynet has pursued enforcement actions that have been cited in GDPR enforcement across the EEA, most notably the Grindr case that established precedent on the treatment of dating app data as special category personal data under the GDPR.
Enforcement Record
Significant enforcement actions by the Datatilsynet include:
| Date | Entity | Amount | Violation |
|---|---|---|---|
| December 2021 | Grindr LLC | NOK 65 million (~EUR 6.5M) | Disclosure of sexual orientation data to advertising partners without valid consent; use of dating app constitutes special category data[8] |
| March 2024 | NAV (Labour and Welfare Admin) | NOK 20 million | Serious neglect in information security across welfare administration systems[9] |
| 2023 | SATS (fitness chain) | Administrative fine | Violated data subject rights, lacked legal basis for retaining training history[10] |
| March 2019 | Bergen Municipality | NOK 1.6 million (~EUR 170K) | Poor login security exposing municipal data systems[11] |
| 2024 | Six websites (tracking pixels) | ~NOK 250K each | Meta and Snapchat tracking pixels sharing visitor data, including children’s crisis helpline[12] |
| November 2024 | Grue Municipality | NOK 250,000 | Breach of confidentiality in public records[13] |
| 2024 | University of Agder | NOK 150,000 | Inadequate security measures in use of Microsoft Teams[13] |
The Grindr Case: Landmark Precedent
The Datatilsynet’s enforcement action against Grindr LLC is a significant GDPR enforcement case with broad implications for the treatment of dating app data under Article 9. In December 2021, the Datatilsynet imposed a fine of NOK 65 million (approximately EUR 6.5 million) for Grindr’s disclosure of personal data (including the fact of being a Grindr user) to several third-party advertising partners without obtaining valid consent.[8]
The case established two critical legal principles. First, it held that the mere fact of being a user of a dating app oriented toward men who have sex with men constitutes data revealing a person’s sexual orientation or sex life, and is therefore special category data under Article 9 of the GDPR, warranting the highest level of protection. Second, it found that Grindr’s consent mechanism, which bundled consent for data sharing with advertising partners into the general terms of service, did not meet the GDPR’s requirements for freely given, specific, informed, and unambiguous consent.
Grindr challenged the decision through every available avenue. The Privacy Appeals Board upheld the Datatilsynet’s findings in September 2023. Oslo District Court upheld the fine in 2024. And on October 21, 2025, the Borgarting Court of Appeal handed down its verdict, rejecting Grindr’s appeal on all points and maintaining the full NOK 65 million fine.[14] The noyb European Center for Digital Rights, which supported the case, characterized it as establishing that “selling the sexual orientation of users is simply not acceptable.”[15]
National Framework
Personal Data Act 2018 (Personopplysningsloven)
The Personal Data Act (LOV-2018-06-15-38) is Norway’s primary data protection legislation. It serves as the national vehicle for implementing the GDPR in Norway and entered into force on July 20, 2018, following the incorporation of the GDPR into the EEA Agreement by Joint Committee Decision on July 6, 2018.[1]
The Act makes the GDPR directly applicable in Norwegian law and supplements it with national provisions where the GDPR permits Member State (or, in Norway’s case, EEA state) derogations. Key national provisions include:
- Age of consent for information society services: Norway has set the age at 13 years, exercising a derogation from the GDPR’s default threshold of 16 years. This is one of the lowest thresholds in the EEA, matched only by a few other countries[16]
- National security and defense exemptions: Processing of personal data for national security and defense purposes may be exempt from certain GDPR provisions
- Research exemptions: The Act provides for specific derogations facilitating scientific research, historical research, and statistical purposes
- Journalism and academic expression: Exemptions for processing carried out solely for journalistic purposes or for the purpose of academic, artistic, or literary expression
- Video surveillance: Chapter 8 of the Act addresses video surveillance specifically, including a prohibition on the use of false (dummy) surveillance cameras when actual surveillance would violate the GDPR, a provision unique to Norwegian law[17]
EEA/GDPR Implementation: Key Differences from EU Members
While Norway is bound by the GDPR in substantially the same way as EU Member States, its non-EU status creates several structural differences worth noting:
- Enforcement architecture: Disputes involving the Datatilsynet’s interpretation of the GDPR may be referred to the EFTA Court rather than the Court of Justice of the European Union (CJEU). The EFTA Court generally follows CJEU case law but is technically a separate judicial body
- EDPB participation: The Datatilsynet participates in the European Data Protection Board (EDPB) as an observer rather than a full member, though it is bound by EDPB guidelines and consistency mechanisms[18]
- Legislative lag: New EU regulations must be incorporated into the EEA Agreement before they become applicable in Norway, which can create a brief delay between EU adoption and Norwegian applicability
Electronic Communications Act (Ekomloven)
The revised Electronic Communications Act (Ekomloven) was adopted by the Storting (Norwegian Parliament) in November 2024 and entered into force on January 1, 2025. The new Act aligns Norway’s regulation of cookies and tracking technologies more closely with the GDPR and the ePrivacy Directive, introducing stricter requirements for obtaining valid, informed, and voluntary consent from users before placing cookies or other tracking mechanisms on their devices.[19]
Surveillance and Intelligence
PST (Politiets sikkerhetstjeneste) – Police Security Service
The Politiets sikkerhetstjeneste (PST) is Norway’s domestic intelligence and security service, operating under the Ministry of Justice and Public Security. PST is responsible for counterterrorism, counterintelligence, counterextremism, non-proliferation, dignitary protection, and security vetting of personnel requiring clearances.[20]
PST possesses significant surveillance powers under the Police Act (Politiloven):
- Section 17d (Targeted surveillance): District courts may authorize PST to conduct wiretapping, room tapping, and data interception for up to six months in cases involving threats to national security. These coercive measures are deployed for preventive purposes, meaning PST can intercept communications outside the scope of any criminal investigation, purely on the basis of an assessed security threat[21]
- Section 6 (“Illegal methods”): PST may employ listening devices and clandestine human intelligence sources (HUMINT) without a court order when operating in public settings or conducting certain preventive activities. The statutory language explicitly acknowledges that these are “illegal methods” that the service is nonetheless authorized to use[21]
- Prosecutorial function: Unlike most intelligence services, PST has a prosecutorial role, meaning it can both investigate and initiate prosecution of cases relating to national security offenses[20]
E-tjenesten (Etterretningstjenesten) – Norwegian Intelligence Service
The Etterretningstjenesten (E-tjenesten), commonly referred to in English as the Norwegian Intelligence Service (NIS), is Norway’s foreign and military intelligence service. It operates under the Chief of Defence and the Ministry of Defence, with its primary mission focused on collecting, processing, and analyzing information about foreign states, organizations, and individuals that may pose a threat to Norwegian and allied security.[4]
The E-tjenesten’s primary strength lies in signals intelligence (SIGINT), a capability that derives from Norway’s unique geographic position. Norway shares a 196-kilometer land border with Russia in the Arctic north and faces the Russian Northern Fleet’s primary bases across the Barents Sea. This geography has made Norway one of the most strategically valuable SIGINT partners of the United States and United Kingdom since the early Cold War.[2]
The E-tjenesten conducts all-source intelligence collection, including SIGINT (signals intelligence), IMINT (imagery intelligence), HUMINT (human intelligence), ACINT (acoustic intelligence), RADINT (radar intelligence), and TELINT (telemetry intelligence). It operates listening stations along the Norwegian-Russian border and manages satellite ground stations in the Arctic, including facilities connected to the Svalbard Satellite Station on the archipelago of Svalbard, which provides a uniquely advantageous position for communicating with polar-orbiting satellites.[22]
Intelligence Service Act 2020 (Etterretningstjenesteloven)
The Intelligence Service Act 2020 represents a substantial expansion of Norway’s surveillance authority. The Act took effect in January 2022, with the remaining provisions governing bulk collection of electronic communications data entering into force on October 1, 2023.[5]
The bulk collection regime authorizes the E-tjenesten to:
- Mirror cross-border data streams: Telecommunications service providers must facilitate the transfer of cross-border electronic communications to the intelligence service for collection and analysis
- Retain metadata: Up to 18 months
- Retain raw data: Up to 15 years, with the possibility of extension under specific conditions
- Analyze both content and metadata: The regime encompasses not merely metadata but also the content of communications traversing Norway’s international fiber-optic cables[23]
Judicial oversight is provided through a prior authorization model: the Oslo District Court, or the Court of Appeal, must approve collection actions before they commence. This represents a stronger safeguard than some comparable European systems (such as France’s advisory-only CNCTR model), though critics note that courts reviewing classified intelligence applications may face structural limitations in exercising independent scrutiny.[5]
EOS Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste)
The EOS Committee is Norway’s parliamentary intelligence oversight body, established to provide civilian control over the country’s intelligence and security services. It consists of seven members elected by the Storting (Norwegian Parliament), all of whom hold top-level security clearances covering both national and NATO classified information.[24]
The Committee oversees four agencies, collectively known as the EOS services:
- NIS (E-tjenesten): Norwegian Intelligence Service (foreign/military intelligence)
- PST: Police Security Service (domestic intelligence)
- NSM: Norwegian National Security Authority (protective security)
- FSA: Norwegian Armed Forces Security Department (military security)[25]
The EOS Committee’s oversight is primarily legally oriented, focusing on the protection of privacy and due process, proportionality, and human rights compliance. It publishes annual unclassified reports to the Storting, providing a measure of public transparency. In March 2024, the EOS Committee publicly criticized the E-tjenesten for unlawfully acquiring intelligence on a Norwegian resident through bulk metadata analysis, finding that the service had exceeded the legal boundaries established by the Intelligence Service Act.[5] This finding highlights both the value of active oversight and the reality that unlawful collection does occur even within systems designed to prevent it.
Nine Eyes: Third-Party Status
Norway’s signals intelligence relationship with the United States predates NATO itself. SIGINT cooperation began in 1952, and a formal NORUSA SIGINT agreement was signed with the NSA in 1954.[2] This makes Norway one of the earliest “third party” SIGINT partners of the Five Eyes alliance.
Norwegian journalist Baard Wormdal, who received the Norwegian Press Association prize for openness in 2023, has documented over 70 years of secret collaboration between the E-tjenesten, the NSA, and the CIA in two books: The Satellite War (2011) and Stalking the Bear (2022). Wormdal’s research demonstrates that Norwegian intelligence cooperation with U.S. agencies has extended well beyond the formal NATO framework, encompassing bilateral operations directed primarily at Russian military targets.[22]
As a “third party” partner under the UKUSA framework, Norway has access to shared intelligence tools and can exchange raw SIGINT data with the Five Eyes members. However, unlike the “second party” Five Eyes members, third-party partners like Norway are not automatically exempt from being targeted by NSA intelligence collection. An internal NSA document disclosed by Edward Snowden states that “the NSA can, and often do, target the signals of most 3rd party foreign partners.”[26] The Snowden archive also contains a dedicated document on NSA intelligence relations with Norway, confirming the depth and scope of the bilateral relationship.[27]
Data Retention
Norway’s approach to mandatory telecommunications data retention has been marked by prolonged legislative uncertainty. The Data Retention Regulation (FOR-2013-05-14-484), which would require telecommunications providers to retain traffic and location data, was adopted in 2013 but has never entered into force. As of early 2026, the regulation remains dormant, with its entry into force repeatedly deferred amid the broader European legal uncertainty surrounding mandatory data retention.[28]
As an EEA member, Norway is influenced by rulings from the Court of Justice of the European Union (CJEU), which has progressively constrained general and indiscriminate data retention across EU/EEA states. The CJEU’s landmark decisions in Digital Rights Ireland (2014), Tele2/Watson (2016), and La Quadrature du Net (2020) have established that blanket data retention is incompatible with fundamental rights unless limited to situations of serious national security threats with appropriate safeguards. However, Norway is not directly bound by CJEU judgments in the same way as EU Member States; the EFTA Court applies CJEU case law as a matter of practice but retains formal judicial independence.[28]
The revised Electronic Communications Act (Ekomloven), which entered into force on January 1, 2025, addresses certain aspects of data handling by telecommunications providers but does not resolve the broader question of mandatory data retention. Whether the Data Retention Regulation will eventually be brought into force in a form compatible with CJEU case law, or whether it will be permanently shelved, remains an open question in Norwegian privacy law.[19]
Meanwhile, the Intelligence Service Act 2020 has created a parallel regime for the retention of data collected through bulk interception: metadata retained for up to 18 months and raw intelligence data for up to 15 years. This intelligence retention regime operates independently of any civilian data retention mandate, meaning that cross-border communications data is already being retained at scale regardless of the status of the dormant Data Retention Regulation.[5]
Commercial Surveillance Procurement
Norwegian law enforcement and intelligence agencies have procured commercial surveillance technologies from US and Israeli vendors, creating capabilities that supplement the bulk collection powers authorized under the Intelligence Service Act 2020. These procurements have attracted scrutiny from civil society organizations and, in one notable case, led to divestment by Norway's largest pension fund.
Palantir Technologies
The Norwegian Police Service (Politiet) has deployed Palantir analytics platforms for intelligence fusion and investigative support. The system provides pattern-matching and link-analysis capabilities across criminal investigations, drawing data from multiple law enforcement databases and external sources.[33]
The use of Palantir raises questions about data sovereignty. As a US company, Palantir is subject to the US CLOUD Act, which allows American law enforcement and intelligence agencies to compel production of data held on Palantir systems regardless of where that data is stored. Norwegian criminal investigation data processed through Palantir could become subject to US legal process—creating a pathway for American access that operates outside the mutual legal assistance treaty framework Norway negotiated with the United States.
Cellebrite: Digital Forensics
Norwegian police have procured Cellebrite systems for digital forensics and mobile device exploitation. These tools extract data from smartphones, bypass device encryption, recover deleted messages, and access encrypted messaging applications.[34]
Storebrand Divestment from Palantir (2024)
In a rare example of ethical pushback against surveillance technology investment, Storebrand—Norway's largest private pension fund—announced in 2024 that it was divesting from Palantir Technologies due to concerns about the company's role in enabling human rights violations. Storebrand concluded that Palantir’s sales of products and services to Israel for use in the occupied Palestinian territories (including AI-based predictive policing systems used for surveillance of Palestinians) violated international humanitarian law and human rights norms, making the investment incompatible with the fund’s responsible investment criteria.[35]
The divestment is significant because it represents institutional recognition that commercial surveillance vendors operate in a global market where the same tools sold to democracies for legitimate law enforcement purposes are also deployed by authoritarian regimes and in contexts that violate human rights. By continuing to procure Palantir systems while Norway's largest pension fund divests on ethical grounds, Norwegian police create a contradiction: the technology deemed too ethically problematic for investment is considered acceptable for law enforcement deployment.
The Oversight Gap
When E-tjenesten conducts bulk collection under the Intelligence Service Act 2020, those operations require ministerial authorization and are subject to EOS Committee oversight. When PST conducts domestic surveillance, it must obtain court warrants and faces accountability through the SIRIUS Commission and the EOS Committee.
But when Norwegian police purchase analytics platforms or device exploitation tools from commercial vendors, those procurements are treated as standard equipment purchases subject to normal administrative rules. There is no equivalent requirement for EOS Committee review of commercial surveillance technology acquisition, and no independent assessment of whether these capabilities comply with the same necessity and proportionality standards that apply to intelligence agencies operating under the Intelligence Service Act.
International Data Sharing Agreements
Despite Norway’s robust privacy framework (including Datatilsynet enforcement, EOS Committee oversight of intelligence services, and non-EU status preserving some sovereignty), Norway participates in extensive international data sharing frameworks through its Schengen Association and bilateral agreements that provide foreign agencies with pathways to access Norwegian person data.
Mutual Legal Assistance Treaty with the United States
Despite not being an EU member, Norway maintains an MLAT with the United States via EU-Norway-Iceland agreements. The MLAT allows Norwegian law enforcement to request data on US persons, and US law enforcement to request data on Norwegian persons, through diplomatic channels with average processing times of 10 months.[29]
Nine Eyes Intelligence Sharing
Norway is a member of the Nine Eyes intelligence alliance, an expansion of the Five Eyes that includes Denmark, France, the Netherlands, and Norway. The Norwegian Intelligence Service (NIS) and Norwegian Military Intelligence Service share signals intelligence with Five Eyes partners, though with less privileged access than core Five Eyes members.[30]
The Nine Eyes framework creates a reciprocal surveillance mechanism: Norwegian intelligence services can collect data on US, UK, or other partner nations’ persons and share it with those countries’ agencies, while NSA, GCHQ, and other Five Eyes agencies can collect on Norwegian persons and share with Norwegian intelligence. According to Privacy International, data collected via intelligence sharing programs can be shared with law enforcement, potentially bypassing the Intelligence Service Act’s oversight by the EOS Committee.
Schengen Association: Full Participation Despite Non-EU Status
Norway fully participates in Schengen cooperation despite not being an EU member. Norway joined Schengen on March 25, 2001, and has the right and obligation to apply all Schengen rules. This includes:[31]
- Schengen Information System (SIS II): Norwegian police have full access to the EU’s largest law enforcement database, processing hundreds of thousands of queries daily. Norwegian police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries (27 EU members plus Norway, Iceland, Switzerland, Liechtenstein).
- Dublin Acquis: A 2001 association agreement gives Norway participation in the Dublin system for asylum requests, enabling data sharing on asylum seekers across Schengen countries.
- Directive (EU) 2016/680: As part of its Schengen Association Agreement, Norway is required to apply data protection safeguards equivalent to the EU Law Enforcement Directive, transposed through Norwegian law.
EU-Norway Cooperation Agreements
Europol Association Agreement (2001): Norway has maintained a cooperation agreement with Europol since 2001, enabling Norwegian police to participate in Europol data sharing and joint operations. Europol’s cooperation agreements with the US FBI (intelligence sharing increased 30% recently) create a pathway for Norwegian person data to flow to US authorities.
EU-Norway-Iceland MLAT and Extradition Agreements: Norway participates in EU-Norway-Iceland mutual legal assistance and extradition frameworks, enabling cross-border evidence gathering and criminal cooperation with EU member states.
Passenger Name Record Agreement
The EU-Norway-Iceland PNR agreement enables transfer of passenger data for counterterrorism and serious organized crime. Comprehensive personal data (name, itinerary, payment, contacts) on every passenger on Norway-EU flights is shared with authorities. The agreement was negotiated alongside similar EU agreements with the US, Canada, and Australia.[32]
Multilateral Frameworks
Interpol I-24/7: Norway participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.
Egmont Group: The Norwegian FIU (Økokrim) participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.
Storebrand Divestment: An Ethical Counterpoint
The Storebrand divestment from Palantir described above provides a notable counterpoint in the context of international data sharing. While Norwegian police continue to procure Palantir analytics platforms that may expose data to US legal process via the CLOUD Act, Norway’s largest pension fund has deemed the same company too ethically problematic for investment, illustrating the tension between Norway’s ethical investment principles and its law enforcement technology choices.
The Privacy Backdoor Effect
Despite Datatilsynet enforcement, EOS Committee oversight, and Norway’s non-EU status, international data sharing agreements create alternative pathways for accessing Norwegian person data:
- Nine Eyes Laundering: NSA/GCHQ can collect on Norwegian persons and share with NIS, potentially bypassing Intelligence Service Act oversight; Norwegian intelligence can collect on US/UK persons and share with partner agencies
- Schengen/EU Framework Sharing: Norwegian person data entered into SIS II becomes accessible to 31 Schengen countries; Europol association creates pathway to US FBI
- MLAT Bypass: US authorities can request data via EU-Norway MLAT, potentially with lower evidentiary standards than Norwegian judicial warrants
- PNR Dragnet: All EU-Norway travel subject to passenger data sharing
For Norwegian persons, this means data nominally protected by Norway’s Personal Data Act, Datatilsynet oversight, and EOS Committee intelligence review can be accessed through Nine Eyes intelligence sharing (default exchange with no notification), Schengen frameworks (SIS II, Europol association), MLAT channels, or PNR passenger data agreements. Norway’s non-EU status provides some sovereignty, but its comprehensive Schengen Association means Norwegian person data flows through the same EU law enforcement frameworks as EU members, while Nine Eyes membership enables intelligence sharing with Five Eyes partners.
Recent Developments
Grindr: Borgarting Court of Appeal Verdict (October 2025)
The Borgarting Court of Appeal’s October 21, 2025 verdict rejecting Grindr’s final appeal represents the culmination of the four-year Grindr enforcement saga described above, confirming both legal principles established by the Datatilsynet and upholding the full fine. The ruling has cemented the case as one of the most significant GDPR enforcement actions in the EEA.[14]
Tracking Pixel Enforcement (2024)
The Datatilsynet sanctioned six Norwegian websites for sharing visitor data through Meta and Snapchat tracking pixels without valid consent. The cases included a children’s crisis helpline that was inadvertently sharing sensitive user data, from children seeking help during crises, with social media advertising platforms. Fines of approximately NOK 250,000 (roughly EUR 25,000) were imposed on the helpline, drawing attention to the privacy risks embedded in standard marketing tools when deployed on sensitive services.[12]
NAV Information Security Penalty (March 2024)
The Datatilsynet imposed a NOK 20 million fine on the Norwegian Labour and Welfare Administration (NAV), one of the largest government agencies in Norway, for “serious neglect” in information security. NAV administers welfare benefits, employment services, and pensions for the entire Norwegian population, making the security failures particularly consequential given the sensitivity and volume of personal data processed.[9]
Bulk Collection Oversight Criticism (March 2024)
The EOS Committee publicly criticized the E-tjenesten for unlawfully acquiring intelligence on a Norwegian resident through analysis of bulk-collected metadata. This finding, disclosed in the Committee’s reporting to the Storting, represents the first known public criticism of the E-tjenesten’s conduct under the newly operational bulk collection regime. The case demonstrates that the oversight mechanism is functioning (the Committee detected and publicly reported the violation) but also that the intelligence service overstepped its legal authority within the first year of the bulk collection provisions being fully operational.[5]
Datatilsynet Priority Areas (2025–2026)
The Datatilsynet has identified artificial intelligence, data sharing, and personal data processing in municipalities as its priority oversight areas for 2025 and beyond. The focus on municipal data processing reflects the reality that Norwegian municipalities administer extensive public services (health care, education, welfare, and social services) and handle correspondingly large volumes of sensitive personal data, often with information security practices that lag behind the private sector.[13]
Electronic Communications Act (January 2025)
The entry into force of the revised Ekomloven on January 1, 2025 introduced stricter cookie and tracking consent requirements aligned with the GDPR and ePrivacy Directive. The new rules require that consent for cookies and similar tracking technologies must be clear, voluntary, and informed, and that refusing consent must be as straightforward as granting it. These provisions have significant implications for the Norwegian digital advertising ecosystem, where many websites had previously relied on pre-ticked consent boxes or consent mechanisms that made refusal more difficult than acceptance.[19]
Norwegian AI Act Draft (Consultation June–September 2025; Target August 2026)
Norway is implementing the EU AI Act (Regulation 2024/1689) through a national AI Act currently under development. A public consultation ran from June 30 to September 30, 2025, with the government targeting adoption by August 2026. The Norwegian Communications Authority (Nkom) has been designated as the national AI supervisory authority, responsible for market surveillance and enforcement, while Norsk Akkreditering has been designated as the national accreditation body for conformity assessment bodies under the Act.[36][37] The legislation will impose risk-based obligations on AI system providers and deployers, including prohibitions on certain AI practices (such as social scoring and real-time remote biometric identification in public spaces), transparency requirements for general-purpose AI models, and conformity assessment procedures for high-risk AI systems.
Datatilsynet Calls for Biometric Remote Identification Ban
In its consultation response to the proposed AI Act, the Datatilsynet went beyond the EU AI Act’s baseline requirements by proposing a general prohibition on biometric remote identification, including for commercial use. The DPA’s position would prohibit not only real-time biometric identification in publicly accessible spaces (already restricted under the EU AI Act) but also post-remote biometric identification and commercial applications of facial recognition and other biometric categorization technologies. This represents one of the strongest positions taken by any EEA data protection authority on biometric surveillance.[45]
Salt Typhoon Intrusions Disclosed (February 2026)
On February 6, 2026, the Norwegian Police Security Service (PST) disclosed that Chinese state-sponsored hackers operating under the designation Salt Typhoon had compromised Norwegian network infrastructure devices. The disclosure marked the first Nordic acknowledgment of Salt Typhoon intrusions, a campaign that had previously been disclosed as affecting telecommunications providers in the United States, the United Kingdom, and other countries. The intrusions targeted network equipment to enable persistent access for intelligence collection, consistent with the broader Salt Typhoon modus operandi of embedding in telecommunications infrastructure for long-term espionage.[38][39]
2026 National Threat Assessments (February 2026)
On the same date, the PST, E-tjenesten, and NSM jointly published their 2026 threat assessments, identifying Russia as the greatest threat to Norwegian security and characterizing the threat from China as “substantial.” The assessments highlighted persistent cyber operations by both states against Norwegian critical infrastructure, government agencies, and defense-related targets, reinforcing the strategic rationale for Norway’s expanded cybersecurity and digital security legislation.[38]
Digital Security Act (October 2025)
Norway’s Digital Security Act (Lov om digital sikkerhet) entered into force on October 1, 2025, establishing the country’s first cross-sector cybersecurity legislation. The Act implements the original EU NIS Directive (NIS1) into Norwegian law and applies to operators of essential services across sectors including energy, transport, health, water supply, and digital infrastructure. Key provisions include a 24-hour incident reporting obligation for significant cybersecurity events and designation of the National Security Authority (NSM) as the primary supervisory body with enforcement powers.[40]
NIS2 Implementation via Security Act Amendment (Target July 2026)
Building on the Digital Security Act, Norway is preparing to implement the EU NIS2 Directive through amendments to its Security Act, with a target effective date of July 1, 2026. The expanded scope will bring approximately 5,000 Norwegian organizations under cybersecurity obligations, a dramatic increase from the limited number covered by NIS1. Registration for affected entities opens July 1, 2026, with the first compliance audits scheduled for October 1, 2026. Industry analyses project a 12–22% increase in IT security spending across newly in-scope organizations to meet the Directive’s requirements for risk management measures, supply chain security, and incident reporting.[41][42]
Social Media Under-15 Age Verification Proposal
The Norwegian government has approved a legislative proposal to ban children under 15 from accessing social media platforms, with age verification enforced through BankID, Norway’s national digital identity system. A public consultation on the proposal closed on October 7, 2025. The proposal would require social media platforms operating in Norway to implement age verification mechanisms that prevent minors under 15 from creating accounts or accessing age-restricted content. The choice of BankID as the verification mechanism leverages Norway’s high BankID penetration (used by virtually all Norwegian adults) but raises questions about the privacy implications of linking social media usage to national identity systems.[43]
Municipality Audit: All 357 Communes (January 2026)
In January 2026, the Datatilsynet announced a comprehensive audit covering all 357 Norwegian municipalities (kommuner) as part of the government’s designation of 2026 as the “Total Defense Year” (Året for totalberedskap). The inspection program follows a three-phase structure: a written self-assessment questionnaire sent to all municipalities, followed by analysis and risk-scoring of responses, and culminating in five specific on-site inspections targeting municipalities identified as highest risk. This is the most ambitious supervisory initiative the Datatilsynet has undertaken, reflecting the authority’s stated priority of improving personal data processing in the municipal sector.[44]
NOK 1 Billion AI Research Programme and KI-Norge Hub
The Norwegian government has committed NOK 1 billion (approximately EUR 90 million) to a national AI research and innovation programme, accompanied by the establishment of KI-Norge, a national AI hub housed within the Norwegian Digitalisation Agency (Digdir). The programme includes a national AI regulatory sandbox to allow companies to test AI systems in a controlled environment with guidance from supervisory authorities, addressing one of the AI Act’s key provisions encouraging Member States and EEA states to establish such sandboxes.[46]
Personal Data Act Amendment: Consent Age Raised to 15 (Under Consultation)
A proposed amendment to the Personal Data Act would raise the age of consent for information society services from the current threshold of 13 years to 15 years, aligning it with the social media age verification proposal. The amendment is currently under consultation. If adopted, Norway would move from one of the lowest consent age thresholds in the EEA to a more moderate position, matching countries like France and the Czech Republic.[47]
DORA Act for Financial Sector (Proposed March 2025)
Norway has proposed implementing the EU Digital Operational Resilience Act (DORA) through national legislation targeting the financial sector. The proposal, introduced in March 2025, would impose cybersecurity and ICT risk management obligations on banks, insurance companies, investment firms, and other financial entities operating in Norway, with a maximum fine of NOK 50 million for non-compliance. DORA implementation reflects the broader trend of sector-specific cybersecurity regulation supplementing the cross-sector Digital Security Act.[48]
Telenor NOK 4 Million Fine (March 2025)
The Datatilsynet imposed a fine of NOK 4 million on Telenor, Norway’s largest telecommunications provider, on March 10, 2025, for failures relating to Data Protection Officer (DPO) independence. The enforcement action found that Telenor had not ensured the organizational independence required of the DPO function under Article 38 of the GDPR, including inadequate reporting structures and conflicts of interest. The case is significant as one of the first Norwegian enforcement actions specifically targeting DPO independence requirements.[49]
Timegrip AS NOK 250,000 Fine (January 2026)
On January 16, 2026, the Datatilsynet imposed a fine of NOK 250,000 on Timegrip AS, a workforce management software provider, for blocking employee access to their own personal data. The company’s systems denied employees the ability to access, correct, or export their personal data as required under GDPR Articles 15–20, constituting a violation of fundamental data subject rights.[50]
Digital Services Act Implementation (Target Summer 2026)
Norway is preparing national legislation to implement the EU Digital Services Act (DSA), with a public consultation held from July to October 2025 and a target adoption date of summer 2026. The implementation will designate three co-supervisory authorities: Medietilsynet (Norwegian Media Authority) as the Digital Services Coordinator, alongside Datatilsynet for data protection aspects and Forbrukertilsynet (Consumer Authority) for consumer protection elements. This tripartite supervisory model reflects the DSA’s cross-cutting nature spanning media regulation, privacy, and consumer rights.[51]
Personverndagen 2026: “Digital Sovereignty and Privacy”
The Datatilsynet has announced that the theme for Personverndagen 2026 (Data Protection Day 2026) is “Digital Sovereignty and Privacy” (Digital suverenitet og personvern), signaling the authority’s increasing focus on questions of data sovereignty, cloud computing dependencies, and the relationship between national control over digital infrastructure and effective data protection.[52]
Data Retention and Electronic Communications Act Revision
The dormant Data Retention Regulation (FOR-2013-05-14-484), described above, is still not in force as of early 2026. The government has indicated that a comprehensive revision of the Electronic Communications Act addressing data retention questions is planned for the first half of 2026, though no draft legislation has been published. The revision is expected to address the compatibility of any future retention mandate with CJEU case law and the EFTA Court’s jurisprudence.[53]
