The European Commission's recently published transparency guidelines under the EU AI Act set the standard for how artificial intelligence must be documented, labelled, and monitored across Europe. For Norwegian companies and researchers — closely tied to EU regulation through the EEA Agreement — this is no distant Brussels affair: it is practical, day-to-day reality right now.
The guidelines are currently in draft form and have been reviewed by Inside Global Tech, which has highlighted ten key points from the document.
High costs for high-risk systems
Perhaps the sharpest blow for smaller players is the estimated compliance cost. According to available research data, a single high-risk AI system may cost between €200,000 and €500,000 just to set up in accordance with the regulation's requirements. Annual operating and monitoring costs then run between €80,000 and €150,000.
The robustness and accuracy requirement is the single line item that consumes the largest share of the annual budget. For Norwegian start-ups and research institutions working with AI, this could represent a genuine barrier to entry.

Vague rules create uncertainty
A recurring concern among developers is the lack of concrete guidance. The guidelines are discretionary on many points: How detailed must the documentation of training data be? Which performance metrics are sufficient? And what exactly should a user manual for an AI system contain?
Experts cited in research reviews warn that vague and unspecific rules risk stifling innovation, and that the discretionary approach — where each system is assessed individually — creates unpredictability for market participants.
Vague and unspecific rules risk hampering innovation rather than promoting the responsible development of artificial intelligence.
A particularly problematic point is the definition of what actually constitutes an "AI system" under the law. Many AI solutions are embedded in existing analytical platforms and decision-support tools, making it difficult to determine whether they fall within the regulation's scope. The European Commission envisages a holistic, case-by-case assessment — an approach that offers little predictability.
Documentation and traceability are demanding
For high-risk AI systems, the law requires detailed technical documentation covering design, training data, evaluation methods, and risk-mitigation measures. The problem is that many AI development environments are characterised by rapid experimentation and iterative development — something that is difficult to reconcile with thorough, ongoing documentation.
In addition, the law requires that risk management be integrated throughout the entire lifecycle of an AI system — from design to decommissioning. In practice, much of today's AI governance takes place primarily during the development phase, and visibility into a system's behaviour after deployment is often limited.
Labelling may cause "alert fatigue"
Another central theme in the guidelines is the labelling of AI-generated content. Here, experts warn of what is termed "labelling fatigue" — a situation in which users are inundated with AI warnings for everything from spell-checkers to image filters, and consequently stop paying attention to the labels altogether.
To avoid this, experts argue that labelling should be reserved for cases where it makes a genuine difference to the user, and should be proportionate to the level of risk involved.
A technically unresolved problem is the watermarking of AI-generated content. To date, no single solution exists that is both robust enough to withstand manipulation and simple enough to detect across different systems. The guidelines therefore advise against locking in specific technical requirements, as these may quickly become outdated.
What does this mean for Norwegian actors?
Through the EEA Agreement, Norway is obliged to implement the EU AI Act into national law. This means that Norwegian companies that develop or deploy AI systems classified as high-risk — for example in healthcare, finance, or critical infrastructure — must comply with the same requirements as their European counterparts.
Norwegian actors should already begin mapping which of their systems potentially fall within the scope of the regulation, and consider whether existing frameworks for data governance and privacy can be extended to cover AI governance needs as well. It is cheaper to build compliance in from the outset than to retrofit it later.
The guidelines are still in draft form, and the final version may differ from what is currently known. Norwegian companies and research communities should follow the process closely.
