Market · Norway

Norway, covered as a first market

Norway is inside the EEA, so the GDPR applies — but through Norwegian implementing law, its own regulator, and local rules on cookies and supply-chain transparency. It also carries the GDPR representative duty, one most European compliance advisors quietly skip. Privello treats Norway as a first-class part of the advisory triangle.

The regime

EEA GDPR, through Norwegian law

The GDPR was incorporated into the EEA Agreement and applies in Norway through the Personal Data Act (personopplysningsloven), supervised by Datatilsynet. In substance you meet the same GDPR standard as in the EU, but the implementing law and the regulator are Norwegian, and local guidance can differ in detail from what an EU-only program assumes.

Two local instruments sit alongside it: the Electronic Communications Act (ekomlov) governs cookies and trackers, and the Transparency Act (åpenhetsloven) imposes human-rights and decent-work due diligence on larger enterprises operating in Norway.

See Representation Advisory
  • EEA, not EU. GDPR applies through the Personal Data Act; the regulator is Datatilsynet.
  • Cookies. Governed via the ekomlov, moving toward the ePrivacy consent standard.
  • Transparency Act. Supply-chain due-diligence duties for larger enterprises (åpenhetsloven).
  • Representation. The GDPR Article 27 duty applies here too — and few advisors even flag it.

Why it is a land-grab

The market almost everyone skips

Search the European compliance market and almost every advisor covers the EU, some add the UK, and a handful add Switzerland. Norway is routinely left off the list, even though its EEA membership makes the GDPR — and the Article 27 representative duty — apply there too. For a company entering the Nordics, that gap is an unnecessary exposure. Privello closes it by scoping the Norwegian obligations in the same analysis as the EU and Swiss ones, and arranging an EEA-established representative where the duty applies.

See the EU · Switzerland · Norway triangle

Common questions

Questions about the Norwegian market

Does the GDPR apply in Norway?

Yes. Norway is not an EU member but is part of the European Economic Area, and the GDPR was incorporated into the EEA Agreement and applies through the Norwegian Personal Data Act (personopplysningsloven). The regulator is Datatilsynet. In practice you meet the GDPR standard, but through Norwegian implementing law.

Do we need a separate cookie approach for Norway?

Norway has historically applied cookie rules through its Electronic Communications Act (ekomlov), and the standard is moving toward the consent model familiar from the ePrivacy Directive. If you rely on trackers and analytics for Norwegian users, the cookie setup should be checked against the current ekomlov position rather than assumed identical to an EU banner.

What is the Transparency Act?

The Transparency Act (åpenhetsloven) requires larger enterprises operating in Norway to carry out and report on human-rights and decent-work due diligence across their supply chains. It is not a data law, but it lands on the same companies entering the Norwegian market and is worth mapping alongside the privacy obligations.

Do you actually cover Norway, or just the EU?

Norway is a first-class market for Privello, not an afterthought. As an EEA state, Norway carries the GDPR representative duty too, yet most European compliance advisors quietly cover only the EU. Privello advises across the EU, Switzerland, and Norway as one triangle — including scoping the Norwegian Article 27 duty and arranging an EEA-established representative where one is needed.

Scope. Privello LLC is a data-regulation consultancy and is not a law firm; it does not practice Norwegian law. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Where a matter requires formal legal advice under Norwegian law, Privello coordinates qualified local counsel.

Begin

Add Norway to your European file

Tell us whether you are entering the Nordics and what data you collect from Norwegian users. We will fold the EEA GDPR, ekomlov, and Transparency Act obligations into one program.