TMT 2025 Comparisons

Norwegian legislation is, to a large extent, technology-neutral, but Norway does not have specific laws or regulations applicable to the digital economy in general. Norway is a member of the European Economic Area (EEA), and EU regulations such as the Digital Services Act, the Digital Markets Act and the Platform Work Directive will apply when implemented into Norwegian law.

A general challenge of the digital economy is how to apply traditional legal concepts from the “analogue world” to digital activity. Specifically, employment protection, tax regulations and criminal regulations have proved challenging to apply in the normal context of jurisdiction, due to the geographically borderless nature of the digital economy, which needs to be reconciled with strict requirements for laws to be clear and predictable in order to be enforceable within the areas of employment, tax and criminal law in Norway.

Cryptocurrency has proved to be another legal challenge. Norwegian banks have long been wary of accepting deposits made in cryptocurrency, as the normal “Know Your Customer” requirements and anti-money laundering procedures can be difficult to enforce and apply in relation to customers using cryptocurrency. Documenting the absence of money laundering or similar crimes in past crypto transactions can be almost impossible, and no common code or practice has yet been applied across banks in Norway.

The Norwegian Act on Digital Content and Services entered into force in October 2023 and implements EU Directive 2019/770. The Act applies to agreements concerning the supply of digital services or content against payment in consumer relations. It imposes objective and subjective requirements for conformity and equips the consumer with remedies in case of contract breach. In short, the Act can be understood as a consumer sales law in the digital world.

New EU acts covering the digital economy that are deemed relevant for the EEA, such as the proposal for a Cyber Resilience Act, are also likely to be implemented in Norway.

Tax (CIT)

Norway has not yet introduced a digital services tax. Revenue derived from the provisions of digital goods and services to Norwegian customers/users is thus not subject to taxation in Norway.

Digital corporations have to conduct business in Norway (personnel or servers in Norway) in order to be subject to corporate income tax on profit allocated to the business activity in Norway. Norwegian tax law prescribes that a non-resident corporation is taxable in Norway on income from business activity that it has performed or participated in, and that is carried on in or managed from Norway.

VAT

VAT is payable on digital services and goods sold within the VAT area (the Norwegian mainland and the entire area within Norway's territorial limits, but not Svalbard, Jan Mayen or the Norwegian dependencies), at a rate of 25%.

Imports

VAT is also payable on services capable of delivery from a remote location that are purchased outside the VAT area when the recipient is domiciled in the VAT area and the service is taxable when supplied in the VAT area. This is, however, unless the service is already included in a basis of calculation.

If a service is to be used in the VAT area by businesses or public enterprises domiciled in the VAT area, VAT is payable, even if the service is supplied to a recipient domiciled outside the VAT area. This does not apply, however, if it can be documented that VAT was charged on the service outside the VAT area.

If the supply of electronic communication services is effected via a fixed terminal in the VAT area, VAT is payable, even if the recipient is not domiciled in the VAT area. If supply is effected via a fixed terminal outside the VAT area, VAT shall not be payable, even if the recipient is domiciled in the VAT area.

Exports

The supply of services that are entirely for use outside the VAT area is exempt from VAT.

The supply of services capable of delivery from a remote location is exempt from VAT if the recipient is domiciled outside the VAT area. This does not apply, however, if electronic communication services are supplied via a fixed terminal inside the VAT area. If such services are supplied via a fixed terminal outside the VAT area, the supply shall be exempt from VAT.

The main challenge companies face in managing the Norwegian VAT and tax rules is the duty for the buyer of services capable of delivery from a remote location to calculate and pay VAT themselves. This is an exemption to the normal procedure, whereby the seller (not the buyer) is liable to calculate and invoice the VAT.

Tax (CIT)

Norway has not yet introduced a digital advertising tax. Revenue derived from digital advertising is thus currently not subject to taxation in Norway.

Digital corporations have to conduct business in Norway (personnel or servers in Norway) in order to be subject to corporate income tax on profit allocated to the business activity in Norway. Norwegian tax law prescribes that a non-resident corporation is taxable in Norway on income from business activity that it has performed or participated in, and that is carried on in or managed from Norway.

VAT

Digital advertising is liable for VAT in Norway. As this is a service that is not considered to be an ongoing subscription, the seller of the service is not allowed to invoice the VAT in advance. This means that the main rule on invoicing VAT applies; the sales document must be issued after the delivery.

In order to ensure compliance with tax laws in Norway, companies should always consult tax and VAT advisers before they start doing business in Norway.

Consumer Protection Regulation

Norway has implemented EU consumer protection regulation in the TMT sector, including through the Norwegian Act on Digital Content and Services. The Norwegian Marketing Control Act and the Norwegian Cancellation Act also include extensive regulations on, for example, marketing activities, unfair contract terms, pricing obligations and the right of withdrawal.

Dispute Resolution Bodies

The Consumer Authority can mediate in disputes between consumers and traders. In some cases, the Consumer Disputes Commission may also accept complaints for further adjudication. In addition, there are several specialised boards designated to handle cases within particular sectors. Consumer disputes may also be resolved through the ordinary court system.

Best Practices to Uphold Consumer Rights and Handle Consumer Disputes

Companies should ensure that their terms and conditions are clearly communicated and easily accessible to consumers when purchasing goods and services online. They should also make sure that service teams are equipped to handle disputes effectively at an early stage and in accordance with the system provided in mandatory consumer legislation.

Impact of Cryptocurrencies on the Legal Landscape in the TMT Sector in Norway

Cryptocurrency has gradually and significantly influenced the TMT sector in Norway. The rise of digital currencies and digital payment methods has introduced new business models and investment opportunities, prompting legal considerations regarding data protection, consumer rights and financial regulations.

The decentralised nature of cryptocurrencies challenges traditional regulatory frameworks, necessitating adaptations to accommodate these innovations. Norwegian authorities have been proactive in monitoring developments, seeking to balance innovation with consumer protection and financial stability.

Legal Challenges and Opportunities Presented by These Technologies

One of the main challenges presented by the new technology is the regulatory uncertainty. Due to its rapid evolution, cryptocurrency technology often outpaces legislative processes, leading to uncertainties in both compliance and enforcement. Another significant legal challenge is the risk of cyber-attacks and security breaches, requiring robust cybersecurity measures and legal remedies. Furthermore, determining the tax implications of cryptocurrency transactions can be a complex matter to deal with, as it has proven to be difficult to accurately determine and classify losses and profits.

On the upside, cryptocurrencies offer new and exciting opportunities for innovation within the TMT sector, fostering new business models and services. Blockchain technology enhances transparency and efficiency in transactions, potentially reducing costs for the parties involved and increasing trust. Cryptocurrencies make cross-border transactions more feasible, which, for example, gives Norwegian businesses easier access to international markets without traditional financial barriers.

Regulation of Blockchain and Cryptocurrency in Norway

While there is no specific legislation in Norwegian law exclusively regulating cryptocurrencies and blockchain technology, its applications are subject to existing laws, such as those concerning data protection (GDPR), consumer protection, marketing control, etc. The Norwegian Financial Supervisory Authority (FSA) (Finanstilsynet) oversees the financial aspects of cryptocurrency activities, ensuring compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. Cryptocurrency exchanges and wallet providers must register with the FSA and adhere to strict reporting regimes.

The Norwegian government continues to assess the need for further regulation to address emerging challenges and opportunities presented by these technologies. Ongoing developments in technology and international regulatory trends will likely influence future legal frameworks within this field in Norway.

The Regulation on Markets in Crypto Assets (MiCA) contains common European rules on crypto-assets. MiCA is expected to be implemented in Norwegian law without significant delays in relation to the EU.

Norway does not have any general legislation governing cloud and edge computing, but the following new legislation relevant to cloud computing has recently been adopted.

• As of 1 January 2025, data centre operators are now regulated by the Electronic Communications Act with regulations.
• The Digital Security Act was adopted on 12 December 2023 and implements the EU Directive on the security of network and information systems (NIS1). The Act has not yet entered into force, but this is expected in 2025. The Act also facilitates the implementation of the Cybersecurity Regulation.

The Digital Security Act applies to providers of essential digital services, which must fulfil minimum cybersecurity requirements, such as regularly conducting IT risk assessments and notifying public authorities of events that could have a significant impact on service delivery. As of January 2025, EU Directive 2022/2555 (NIS2) has not yet been incorporated in Norway.

Specific regulations regarding the processing of personal data, bookkeeping data and archive data in the public sector will influence cloud and edge computing requirements. In addition, sector-specific legislation (relating to the financial, petroleum, energy and health sectors, for example) imposes requirements and some restrictions on cloud and edge computing. The Norwegian Security Act may also impose further requirements or restrictions based on national security considerations.

Data Centre Regulations

Data centre operators in Norway have a duty to register their business, which is done with the Norwegian Communications Authority (Nkom); see 6. Telecommunications for more information. Data centres in Norway are now subject to a number of security and emergency preparedness obligations. The overarching requirement is proper security and emergency preparedness in the delivery of data centre services in peace, crisis and war. The more detailed requirements include:

• security management and auditing;
• risk and vulnerability assessment;
• basic security;
• security plans; and
• emergency planning and exercises.

In addition, the data centre operator has a duty to notify the Norwegian Communications Authority of incidents that have resulted in significant breaches of the availability, authenticity, integrity or confidentiality of the data centre or data centre services. Notification must be sent without undue delay.

Processing of Personal Data

All processing of personal data is subject to the Norwegian Personal Data Act and the GDPR, which requires the data controller to have a legal basis for the processing of personal data, including the transfer of the data to the service provider, and for any transfer of data to countries outside the EU/EEA. If the service provider processes personal data on behalf of the customer, a data processing agreement will be mandatory, pursuant to Article 28 of the GDPR.

Article 32 of the GDPR requires the controller and the data processor to ensure the safety and integrity of the data processed through technical and organisational security measures. Appropriate measures may be encryption and the ability to restore the availability and access to personal data, as well as internal processes for regularly testing, assessing and evaluating the effectiveness of the measures.

The requirements under Chapter 5 of the GDPR govern the transfer of personal data to third countries and are therefore relevant for cloud computing. The transfer of personal data to third countries requires a transfer mechanism, and the level of protection of the data must meet EU standards.

Bookkeeping Act

As a main rule, accounting documents shall be stored in Norway. However, since 27 January 2025, accounting documents can be stored in EEA countries, the UK and Switzerland if the organisation informs the Norwegian Tax Administration in writing. This includes information regarding what accounting material is stored abroad, where the accounting material is stored, and how the control authorities can gain access to the accounting material at any time.

The accounting material must be available in readable form and must be able to be printed on paper from a terminal or similar in Norway throughout the storage period.

The Financial Sector

The Norwegian Regulation regarding the use of information communication technology (ICT) in the finance sector will also affect the use of cloud computing services in this business segment. It sets out the requirements for ICT systems used in the financial sector, and businesses will have to carry out risk assessments, ensure the Financial Supervisory Authority's right of inspection also applies to the provider, and assess whether outsourcing in general, or cloud computing services, meets the Regulation's requirements related to the systems’ quality and business continuity. The Norwegian Regulation was last updated in 2022, largely implementing guidelines from European authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority). Furthermore, the Digital Operational Resilience Act (DORA), which specifically aims to enhance cybersecurity within the financial sector, will also most likely be implemented in Norway.

National Security

The Security Act applies to all public bodies, and to companies involved in classified procurements or companies that for other reasons are subject to the Act’s requirements following a decision by the relevant ministry. The Act generally allows for the use of cloud services for businesses that are subject to the Act, but the use of cloud and edge services for information that could relate to national security interests needs to comply with strict requirements in the Act. The business must carry out risk assessments and assess whether the use of cloud and edge computing services is safe, considering the specific information that is to be safeguarded. A proactive dialogue with the security authorities should also be considered.

It should further be noted that the application of the restrictions may change based on the geopolitical climate. The outbreak of war in Ukraine and the related energy crisis, with attacks on the energy infrastructure in Europe, illustrate the risk and are particularly relevant as Europe’s reliance on the Norwegian energy sector has increased.

Archiving in the Public Sector

The Archive Act applies to the public sector in Norway. It does not explicitly govern the use of cloud or edge computing but prohibits public entities from transferring or transporting archive material out of Norway. However, it must be noted that EU Regulation 2018/1807 on the free flow of non-personal data (the FFD Regulation) is incorporated into the EEA Agreement, so Norwegian authorities may have to revoke the prohibition. A new Archive Act is also in process and is expected to be proposed to the Norwegian Parliament in 2025.

For software suppliers to the Norwegian public administration, it is worth noting that the current Archive Act also mandates the use of open formats and requires public entities to carry out risk assessments of the storage systems to be used and examine whether these fulfil their archiving obligations.

The Health Sector

Entities providing, managing or assuring quality healthcare services are subject to the Norwegian Patient Journal Act and other sector-specific legislation, which impose strict requirements governing information security, including the use of cloud service providers. The Act also imposes functional requirements regarding the documentation of healthcare, right of access, access control and the deletion of data. In addition, most healthcare providers in Norway are bound by the sector-specific standard “Normen” (The Code of Conduct for information security and data protection in the health sector), which is a compilation of information security requirements that in some cases are stricter than requirements in law. The documents are available at www.helsedirektoratet.no.

New EU Acts

New EU acts covering cloud and edge computing that are deemed relevant for the EEA are likely to also be implemented in Norway.

Norway does not yet have any general legislation governing artificial intelligence, but the EU AI Act is expected to be implemented in Norway more or less “as is” when included in the EEA Agreement.

Specific regulations governing the processing of personal data, IPR and discrimination in relation to fundamental rights are examples of relevant regulations that will apply to the use of artificial intelligence.

EU positions on civil liability – adapting liability rules to the digital age and artificial intelligence – are also likely to have an impact on Norway via the EEA Agreement.

Data Protection

Big data, machine learning and artificial intelligence projects will involve the processing of large data sets. More often than not, data sets targeted for machine learning and artificial intelligence use and contain unstructured rather than structured data. The data sets may contain non-personal data or personal data, or a mix. The GDPR will apply where such data sets contain personal data. This includes the requirement for a legal basis for the processing and a number of safeguards. The key challenges with machine learning and artificial intelligence technologies in Norway will be:

• complying with the prohibition against processing data for a purpose that is incompatible with the purpose for which it was collected; and
• biased algorithms.

Artificial intelligence, machine learning and big data are also likely to be viewed as high-risk processing activities, meaning the controller could be required to conduct data protection impact assessments (DPIAs).

Intellectual Property

Ownership of non-personal data has yet to be broadly discussed in Norway, but the general view is that data that merely represents factual observations may not be “owned” by the collecting company or person in the traditional concept of ownership. However, databases and computer programs used for processing big data, machine learning and artificial intelligence are, to some extent, safeguarded by the sui generis database property right in Norwegian copyright law. The Norwegian Protection of Trade Secrets Act may also provide dovetailing protection for data if reasonable measures to avoid disclosure are implemented. As the protection offered by national rules is limited, it is important that intellectual property questions are clearly regulated by contract.

The question of ownership and IPR as regards the results generated by intelligent machines has been resolved by the European Patent Office, which also impacts Norway, so an artificial intelligence system cannot be named as an inventor in Norway. Contractual regulation of IPR between parties using technology for innovation purposes will remain essential for the foreseeable future.

Furthermore, it is worth noting that the implementation of the Data Act may affect the current regulation of IPR (see 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection).

Discrimination

The use of artificial intelligence may affect the rights and freedoms of individuals – eg, when examination reviews or job applications are processed by automatic means. While problematic from a GDPR perspective, such automatisation may also be problematic under the recently adapted Norwegian Act on Discrimination, governing individuals' rights to equal treatment and not to be discriminated against based on, for example, race, sex, religion, age or sexual orientation. There have already been examples of such discrimination by algorithms internationally. As discrimination is already governed by law in Norway, developers must implement safeguards to prevent discrimination when developing artificial intelligence. Further regulation by the EU with indirect application in Norway may be expected.

Transport

When it comes to AI in transport, Norway has adopted specific regulations on the testing of autonomous vehicles. The Norwegian Public Roads Administration is authorised to grant permits for testing of autonomous vehicles in restricted areas. Aviation regulations regulate the use of drones. An entity must register and acquire a licence to operate drones on both a personal and commercial level.

There is not yet any specific Norwegian legislation regarding the internet of things (IoT), although there has been a manifest proliferation of sensor technology across industries and for personal use in Norway in the last decade.

EU Data Act

In November 2023, the EU Data Act (Regulation (EU) 2023/2854)) (Data Act) was adopted by the EU, with the stated purpose of enhancing innovation within the EU by providing increased access to, as well as greater opportunities for the re-use of, data originating from connected products and related services. As Norway is not part of the EU (but part of the EEA) the Act will not apply directly in Norway until implemented. The process of evaluating whether the text should be included in the EEA Agreement, and subsequently implemented into Norwegian law, often takes significantly longer than the time it takes for the legal act to take effect in EU countries. At the time of writing, no date for implementation of the Data Act in Norway has been announced. Nevertheless, the Data Act will also have implications for Norwegian businesses operating in the EU before any implementation in Norway.

Data-Dependent Requirements

Legal regulation applicable to the processing of data within IoT devices will apply, depending on the type of data processed in the devices.

All processing of personal data (in IoT devices or otherwise) must comply with data protection regulation, including the general principles of the GDPR, such as not collecting more data than is necessary for the purpose of processing (data minimisation) and not processing data in a manner that is incompatible with the initial purposes of processing (purpose limitation). Accordingly, legal requirements for data protection will limit the scope of IoT projects when it comes to personal data, as these devices usually collect a large amount of data.

If IoT devices are used in a workplace environment, specific attention should be given to Norwegian employee monitoring regulation, which limits allowed processing purposes and sets out procedural requirements.

In addition, some entities may be subject to Norwegian mandatory security requirements due to the sector in which they operate – eg, entities in the health, utilities and financial sectors. Such security requirements may apply to the use of IoT devices.

General Requirements for Products

General product safety requirements applicable to electronic products and requirements applicable to products communicating through publicly available communication networks may apply to IoT devices. The European Telecommunications Standards Institute has issued a consumer IoT security standard (ETSI EN 303 645), setting a baseline for cybersecurity requirements for IoT consumer products and providing a basis for future IoT certification schemes. The standard has received public support from the Norwegian Communications Authority, which is the executive supervisory and administrative authority for services within the postal and electronic communication sector in Norway.

Connectivity Services

Providers of connectivity services for IoT devices will have to comply with Norwegian requirements for the provision of connectivity services, including the Electronic Communications Act (see 6. Telecommunications for further guidance).

Contracts

When IoT technology is applied for non-personal data, contract regulation will remain key. However, the area is severely under-regulated in a large volume of legacy contracts in Norway, which may fuel renegotiation or disputes in the future.

Companies deploying IoT solutions may face different compliance challenges depending on the type of data to be processed in the IoT solutions and the sector in which the companies operate. Typically, compliance challenges may relate to:

• mandatory security requirements in the digital sphere which also apply to (use of) IoT devices; and
• limitations or procedural requirements to allowed use of data which also apply to (use of) IoT devices – eg, under data protection legislation.

For more information on both topics, see 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection.

Even if not directly subject to security requirements applicable to (the processing of data in and use of) IoT devices themselves, companies deploying IoT devices are advised to ensure the implementation of appropriate security measures to protect against incidents.

Once/if implemented in Norway, the Data Act will include data sharing obligations targeted at IoT companies and providers of services related to connected products. Data sharing requirements in regulation not specifically targeted at IoT companies may also apply.

EU Data Act

Under the Data Act, data holders, which may be IoT companies, will be under an obligation to share data with users of connected products or such third parties that the users request. In addition, connected products and related services shall be designed in such a manner that data is available by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user. Data holders will also, under certain circumstances, be obliged to share data with public authorities upon request – eg, when necessary to respond to a public emergency.

Micro and small enterprises will be exempted from many of the requirements.

GDPR

In relation to personal data, IoT companies should note the rights of data subjects under the GDPR, which include the right to receive access to personal data concerning the subject from data controllers and information on the purposes of processing. All controllers are subject to the requirements. Depending on the circumstances, IoT companies may not themselves be controllers, but may instead be processors or even third parties who do not process personal data themselves but provide the IoT device that other parties use to process personal data. When acting as a processor, IoT companies may expect to be obliged to assist the controllers with fulfilment of the rights mentioned above under mandatory data processing agreements required under Article 28 of the GDPR. When acting as a third party only providing the IoT devices, IoT companies may expect that their customers will demand products that enable them to comply with their obligations under the GDPR.

Other Data Sharing Requirements

Data sharing obligations not aimed specifically at IoT companies are present in a range of Norwegian legislation, including:

• civil and penal litigation procedural rules, which include certain mechanisms under which a party to a case may be put under an obligation to share certain data;
• freedom of information regulation, under which public authorities may be under an obligation to share information; and
• a range of Norwegian acts and statutory instruments allow relevant public enforcement bodies to order the disclosure of data related to their case handling and enforcement activities.

The Norwegian Broadcasting Act sets different requirements for set categories of audiovisual media services.

The first category corresponds to companies wishing to engage in broadcasting via ground-based transmitting facilities, and these must obtain a licence. The term “broadcasting” shall be understood to encompass “the transmission of speech, music, images and the like by electronic communications networks intended or suitable for direct and simultaneous reception by the public”. Beyond the requirement that the communication must be made via an electronic communication network, the term “broadcasting” is technology-neutral.

Companies wishing to engage in other broadcasting services (ie, broadcasting services not subject to the licensing requirement) must register with the Norwegian Media Authority. This requirement is typically applicable for companies wishing to broadcast via the internet, satellite or cable. The broadcasting terms' criterion of “direct and simultaneous reception by the public” entails that the registration requirement is only applicable for companies wishing to transmit live content to the public – eg, streaming live news online. On-demand audiovisual services are not obliged to register.

Another category covers on-demand audiovisual services, which are defined as services “where the primary purpose is providing audiovisual programmes that can be viewed at the moment chosen by the user and at their individual request on the basis of a catalogue of programmes and that is distributed to the general public via electronic communication networks”. This typically includes non-live online streaming and online television.

The criterion of editorial control will generally exclude media services that distribute user-generated content without interference from the service provider. However, Norwegian authorities are currently considering a proposed amendment to the Norwegian Broadcasting Act, suggesting implementing the rules from Directive 2018/1808, which amends Directive 2010/13/EU (Audiovisual Media Services Directive) concerning user-generated video platform services (such as YouTube) over which the provider of the service has no editorial control.

Licensing and Registration Processes

Application for a broadcasting licence is done by sending a completed form to the National Media Authority. Licensed parties will be subject to fees, regulated by the Ministry of Culture. The fees may vary from time to time and for different providers.

Registration of a broadcasting service is done on the website of the Media Authority after creating a user account.

Other Main Requirements

The legal framework sets specific requirements for the different categories of audiovisual media services. This includes requirements for labelling age limits and advertisements, and rules on reporting to the authorities and protection measures for younger viewers.

The new Electronic Communications Act came into force in January 2025 and applies to:

• all activities related to electronic communications and associated equipment;
• data centres;
• the management and use of the electromagnetic frequency spectrum and numbers, names, domain names and addresses;
• all emissions of electromagnetic waves from electronic communications and all unintentional emissions of electromagnetic waves that may interfere with electronic communications; and
• content services that are invoiced together with the electronic communication service.

The act is neutral regarding variations in technology and therefore encompasses all forms of electronic communication. Further obligations for providers derive from the Act’s corresponding regulations.

Registration Requirements for Electronic Communications Providers

There is no general requirement for regulators’ approval to offer electronic communication services in Norway. However, providers of public electronic communications networks and public electronic communications services must register with the Norwegian Communications Authority (Nkom) before starting up operations. The business can start when the registration has been sent. The registration obligation does not apply to providers of number-independent person-to-person communication services, such as Messenger and WhatsApp.

To register, the provider must complete Nkom’s form. Registered companies appear on Nkom’s public list of registered providers.

Registration and Security Requirements for Data Centres

Data centre operators are subject to a registration obligation and the security provisions of the Electronic Communications Act and Regulations. The regulations will cover commercial data centres and some internal data centres.

The registration obligation applies to:

• data centre operators that offer others access to data centre services for a fee; and
• data centre operators that operate data centres with a subscribed electrical power above a given threshold value (0.5 MW), including enterprise data centres, with the exception of the defence sector, the police and the Police Security Service.

Registration is done with the Nkom. To register, the data centre operator must complete Nkom's form. The registration shall contain the following information:

• the data centre operator's name;
• the Norwegian organisation number or the data centre operator's legal status, form and registration number if the data centre operator is registered in a trade register or similar public register in the EEA;
• the Norwegian address or the address of the data centre operator's main company in the EEA and any secondary branch;
• the data centre operator's web address;
• the physical location of the data centres;
• the contact details of a representative of the data centre operator who is physically present and has the authority and knowledge to follow up requests from the authorities;
• a description of the services offered;
• information about Norwegian state, county and municipal authorities, bodies and businesses that are customers of the data centre operator;
• an estimate of the percentage of power consumption that will be used for the extraction of cryptocurrency;
• information about the size of the subscribed electrical power; and
• the expected start-up date of the business.

The purpose of the registration requirement is to provide the authorities with an overview of the data centre industry in the same way as the telecom industry. It is emphasised that the registration requirement does not entail a permit or approval scheme on the part of the authorities: it is only a registration obligation, and the data centre operator can start up the business as soon as the registration has been completed.

Approval Requirements for Use of Frequencies in Norway

In many cases, the use of frequencies requires permits form the authorities in Norway. Norwegian frequency resources are managed by Nkom. Frequencies cannot be used in Norway without permission from Nkom or the Ministry of Digitisation and Public Administration (DFD).

General licences for frequencies may be granted for specific purposes, such as purposes that benefit society and the general public and that do not exclusively benefit an individual or a commercial enterprise.

Satellites

The reception of radio signals from satellites does not require a licence from Nkom or other authorities on the Norwegian mainland and on Jan Mayen. This applies regardless of which frequency bands are used. For the transmission of radio signals to satellites, some frequency bands are available without the need for a licence. Larger satellite earth stations with high uplink effects, or in other frequency bands, require frequency licences.

Other rules apply to Svalbard and Antarctica, including for reception.

The use of radio equipment for satellite communication, for ordinary commercial services in Norway, is harmonised with the rest of Europe. Permission for such use is granted through a general licence for the use of frequencies (the Free Use Regulations), and the use of such equipment therefore requires no further frequency licence from Nkom.

The right to an open internet connection is enshrined in law in Norway. The Electronic Communications Act states that providers of electronic communications networks or services may not impose requirements or general contractual terms and conditions for access to or use of networks or services that discriminate against end users on the basis of citizenship, place of residence or place of establishment, unless such discrimination is objectively justified.

Section 1-11 of the Electronic Communications Regulation states that Regulation (EU) 2015/2120 of the European Parliament and of the Council on net neutrality applies as a Norwegian regulation.

In principle, providers are not allowed to block or throttle traffic from specific applications, such as streaming or file sharing. There are some exceptions to this, which mean that the provider can, for example, intervene due to security considerations or measures imposed by law or the courts. Examples include the blocking of domain names for copyright infringement or domain names that are on the police's list of sexual abuse material.

Norway is among the most digitalised countries in the world, with extensive use of technology across industries and everyday life. Norway’s 5G deployment is rapidly expanding, with major cities and rural areas increasingly covered by high-speed networks, supporting enhanced connectivity across the country.

The regulatory framework for the integration of these emerging technologies consists of Norwegian implementations of EU initiatives within the TMT field, as well as some country-specific legislation (see 6.1 Scope of Regulation and Pre-Marketing Requirements and 6.2 Net Neutrality Regulations).

IT Agreements

Norway does not have general legislation for IT service agreements, although the country boasts no fewer than three families of IT standard contract templates: Statens Standardavtaler (SSA), IKT Norge (IT industry organisation) and Dataforeningen (Computer Association). SSA is the most widely used template, even though it was originally intended for government entities. Even two private parties often use the templates. Standard terms and conditions heavily influenced by big international IT companies are also often applied by Norwegian IT suppliers.

The relevant legislation to consider is the Norwegian Contracts Act and the non-statutory principles applicable to all contracts. Compared to other jurisdictions, Norway may be considered a “hybrid” between the common law and the civil law tradition. The Contracts Act contains provisions regarding all forms of agreements, including rules on how a binding contract is concluded and rules on certain circumstances that can lead to the invalidation of a contract. Commercial contracts will, however, very rarely be censored or invalidated by a Norwegian court of law following the provisions of the Contracts Act. It is therefore important that the agreement, or the choice of standard template, is considered well in advance, and that the agreement regulates the placement of risk between the parties.

One of the major discussion and negotiation topics over recent years in Norway has been the relationship between contract templates and standard terms and conditions from cloud service providers. Different templates have different takes on the question, from full applicability of the standard terms and conditions to very limited possibility to deviate from the contract template even though standard services are offered as part of the deliverables.

The Norwegian Act relating to the Sale of Goods applies directly to the sale of goods, but is to some degree seen as an expression of applicable non-statutory principles governing contracts law and may therefore apply analogously to IT service agreements, especially for matters not regulated in the contract. The Act governs the parties’ obligations and remedies in the event of a breach of contract, and will consequently need considering when entering into an IT service agreement. Consumers enjoy mandatory protection that cannot be varied in contract, so B2C contracts require more scrutiny than B2B contracts.

Data Protection

GDPR compliance is a typical challenge in many IT service contracts, as these will often involve the processing of personal data to some extent. If the service provider will be processing data on behalf of the customer, a data processing agreement will be mandatory, pursuant to Article 28 of the GDPR. Common GDPR challenges include complex supply chains, access rights, the supplier's use of personal data for its own purposes, audit of suppliers and data transfers to third countries.

Regulated Industries

Regulated industries obviously have some more sector-specific regulations to be complied with. However, regulated industries frequently use the ordinary templates, with some additions to secure compliance with sector-specific regulations. Security regulations in the energy, finance and health sectors, for example, are often part of the contracts with entities within these domains. There are regular discussions with IT service providers regarding how much responsibility they should take for compliance with sector-specific regulations in the agreements.

Key elements include a detailed scope of services with clear definitions of the services being provided. This should encompass all technical specifications and functional requirements. Service Level Agreements (SLAs) are furthermore very important, with performance metrics such as uptime, latency and response times, and the inclusion of penalties or remedies for failure to meet these standards. Pricing and payment terms and data protection and information security are naturally also important elements. Any infrastructure investments should be specified, with clear responsibilities for both parties.

Favourable terms are achieved when the market standards are understood through conducting research on industry benchmarks for service levels and pricing to ensure competitive terms. Leverage of volume and commitment is advisable, where long-term business or large volumes will give more favourable terms. In more complex projects, it should be possible to negotiate cost-sharing arrangements for infrastructure and maintenance to optimise expenses.

Companies should ensure that systems and networks are compatible in order to facilitate seamless interconnection, and should understand the integration possibilities and challenges. Companies must adhere to national and EU regulations governing interconnection, including any obligations for non-discriminatory access. Companies should also establish clear quality of service standards and KPIs to maintain network performance and customer satisfaction.

As part of the EEA, Norway has implemented Regulation (EU) 910/2014 (eIDAS) through the Norwegian Electronic Trust Services Act.

Electronic signatures and electronic ID confirmation and signatures are commonly used in Norway, in both the public and private sectors. Most governmental online platforms require logins with an electronic ID, including accessing tax statements, any social aid, communication with the courts and student loans. Private corporations like banks, insurance companies, real estate agencies, unions and the Norwegian postal and freight services also prefer and rely on electronic ID confirmation and signatures. Payment confirmation through electronic signatures is also frequently used in online retail.

The largest provider of electronic signatures and identification in Norway is BankID, which is jointly owned and developed by Norwegian banks and is the leading identity service provider across the market in Norway. Other examples of providers with a foothold in the Norwegian market include Buypass and Signicat.

In the last few years, liability and responsibility for loss after fraud using electronic identification and signatures has been litigated in Norwegian courts. Recent principal judgments have concluded that the electronic identification and signature providers carry a larger part of the liability than previously assumed. Consequently, the new Norwegian Financial Contracts Act was adopted in 2020, with effect from 1 January 2023. The purpose of the new act is to strengthen consumer protection, with more responsibility being placed on the banks and financial institutions in cases of BankID fraud. The deductible has also been significantly reduced in favour of the consumer.

Amendments to the eIDAS Regulation will most likely be incorporated into the EEA Agreement, which would prompt an amendment to the existing Norwegian legislation.

Main Relevant Legislation

The computer gaming industry is not subject to any sector-specific legislation in Norway, with the industry and its offering to consumers being mainly regulated by non-sector-specific regulation. However, the gaming industry is not unregulated, as there are several aspects of computer gaming that are regulated by law.

The most relevant legislation for the computer gaming industry is as follows.

• The Digital Services Act (digitalytelsesloven) of 2022 implements the Digital Services Directive and provides consumers with rights when purchasing digital services such as games and in-game purchases.
• The Marketing Control Act (markedsføringsloven) of 2009 is the framework law for marketing control and implementation of European directives regarding unfair market practices towards consumers. As in other European jurisdictions, this kind of legislation is regarded as regulating certain aspects of market practices in computer gaming, especially rules regarding marketing towards minors and manipulative methods for in-game purchases.
• The Gambling Act (pengespillloven) of 2022 in essence bans all gambling in Norway, with the exception of government-approved gambling operators. Gambling in Norway is tightly regulated and affects all gambling elements in computer gaming.

Age Ratings

Age ratings are not specifically regulated in Norway, but most games are marketed with the PEGI rating. The use of the PEGI rating is just a recommendation in Norway, but the widespread acceptance of this recommendation has meant that there has been no need to legislate on the issue.

In-Game Purchases, Loot Boxes, etc

There is considerable debate on whether issues such as in-game purchases, loot boxes and gambling elements in computer gaming should be regulated more specifically or more tightly. In 2024, the Parliament instructed the government to address some of these issues and propose new legislation, particularly in regard to loot boxes. At present, in-game purchases are generally regulated by non-gaming-specific regulation, such as the Digital Services Act and the Marketing Control Act. New regulations are expected to be proposed in the coming years.

Loot boxes are similarly a much-discussed topic. Some regulators and practicians have argued that loot boxes might be considered illegal gambling in Norway, but there is no consensus on this topic, and the government is expected to follow up on the instruction from the Parliament to look closer into the need for more detailed regulation.

Gambling elements are strictly regulated, and gambling is generally prohibited. This extends to a complete ban on the marketing of illegal gambling (also gambling allowed in the home jurisdiction) in Norway, a ban on gambling marketing on TV channels carried by operators in Norway, and a ban on Norwegian banks transferring money to and from gambling services. Businesses offering gambling elements in computer games should thus be aware that all payments to and from the game could be banned if the game includes elements that are considered gambling under Norwegian law.

The primary regulatory bodies overseeing the gaming industry are:

• the Media Authority, which has limited regulatory powers regarding gaming specifically, but has “soft power” through the issuing of recommendations, such as for participation in PEGI;
• the Consumer Authority, which has enforcement powers in relation to marketing and unfair consumer practices in the gaming industry, and may instruct businesses to change practices and issue fines; and
• the Gaming Authority, which has enforcement powers in matters relating to the Gambling Act, and has powers to issue bans and fines.

The regulatory bodies have initiated very few enforcement actions directly towards the computer gaming industry. This is partly because the Norwegian gaming industry is a minor player in the games played by Norwegian consumers, and partly because of the lack of sector-specific regulations. However, the Consumer Authority participates in international co-operations and often addresses issues relating to games through EU co-operation bodies for co-ordinated actions. The Gaming Authority is very active in enforcing rules regarding gambling.

Intellectual property in game development is subject to the general IP legislation and is not specifically regulated.

One of the most common IP challenges faced by game developers is the lack of clear chain of title to developed games. The Norwegian copyright legislation has strict rules on agreements relating to the total transfer of copyright from the original authors to an employer, and unclear or insufficient contracts in early phases of development are often an issue.

The use of foreign law-based contracts with creators might create further uncertainty in the chain of title, as US-style contracts may contain rights regulations that are at odds with local law. The most important thing computer game developers can do to secure their rights is to be diligent in their contract and chain of title work.

Norway does not require the registration of copyright, and copyright thus exists from the time of creation. This also means that developers need to be diligent in securing rights to early phase developments of a game, to avoid chain of title issues in later phases.

Regulation of the use of copyrighted material from others in games is generally in line with harmonised European legislation, where commonly used exceptions are the panorama exception, the caricature/parody/pastiche exception, quotations for inclusion in other works and incidental or minor inclusion of copyrighted material in other works.

Trade mark law is also harmonised with European law; however, Norway is not part of the EU trade mark system, which means that registration must be done locally to obtain protection in Norway. Trade marks can protect the unique branding elements associated with a video game, such as names, logos, symbols, catchphrases and in-game elements. As for the use of third-party trade marks in games, the grey areas that exist in most European jurisdictions also exist in Norway.

User-generated content will normally be the copyright of the user, and not the game developer or distributor. This means that having clear and concise terms and conditions for user-generated content is key if the distributor wishes to have control over or licensed rights to user-generated content. In general, Norwegian copyright law offers extensive protection to original creators (and users will often be original creators), so local guidance on terms and conditions relating to user-generated content is advised.

Freedom of expression in Norway is enshrined in Section 100 of the Norwegian Constitution, Article 10 of the European Convention on Human Rights (ECHR) and Article 19 of the UN Covenant on Civil and Political Rights (ICCPR). The conventions apply as Norwegian law (cf the Human Rights Act). Freedom of expression may only be restricted where there are “particularly weighty considerations”, and only if such considerations make it justifiable in relation to the grounds for freedom of expression (cf Section 100, third paragraph of the Norwegian Constitution).

In Norway, the following acts are most relevant to social media:

• the Marketing Control Act came into effect in 2009 and governs advertising and marketing practices on social media, ensuring they are not misleading or aggressive;
• the Personal Data Act was implemented in 2018 and incorporates the GDPR into Norwegian law, providing a comprehensive framework for data protection and privacy on social media platforms; and
• the Electronic Communications Act came into effect in 2025 and regulates electronic communications in Norway, including aspects relevant to the use of cookies and person-to-person communication services by social media platforms.

In Norway, the age limit for consent is 13 under Article 6(1)(a) of the GDPR in connection with information society services (Article 8).

Making discriminatory or hateful statements in public is a criminal offence. Hateful statements include threatening or insulting someone because of their skin colour, ethnicity, religion, beliefs, sexual orientation or identity. Hate speech that is published publicly – eg, via posts published on social media – is punishable by a fine or imprisonment for up to three years under Section 285 of the Norwegian Penal Code.

The key challenges of social media in Norway include:

• the spread of misinformation, disinformation, influence and propaganda;
• sexual abuse of children under the age of 14, with a 2024 report from the police showing that such abuse increasingly starts on social media; and
• cyberbullying of children.

In Norway the regulatory bodies are the Data Protection Authority (Datatilsynet), the Consumer Authority (Forbrukertilsynet) and the Police. Enforcement actions include the issuing of warnings, reprimands, orders, administrative fines, coercive fines and damages for non-economic loss.

In 2022, the Norwegian Data Protection Authority imposed a record-breaking fine of NOK65 million on the dating app Grindr. Grindr took legal action, but Oslo District Court upheld the decision in 2024. The verdict has been appealed to the Court of Appeal and is not yet closed.