The clock is ticking for Norwegian businesses. In barely two months — specifically on 2 August 2026 — the first fully operative requirements of the EU's Artificial Intelligence Act (EU AI Act) come into force, and Norwegian companies are not exempt. Through the EEA Agreement, Norway is obliged to implement the regulation, and the window for preparation is rapidly closing.

What the Law Actually Requires

The EU AI Act is built on a risk-based model in which AI systems are divided into four categories: unacceptable, high, limited, and minimal risk. The higher the risk, the stricter the requirements. For systems in the high-risk category — used in sectors including healthcare, finance, and transport — extensive technical documentation, risk assessments, internal controls, and traceability are required.

Norwegian businesses must also obtain a complete overview of all AI solutions they use, the vendors behind them, and the data those systems depend on. It is no longer sufficient to purchase a service and deploy it without further scrutiny.

Seven Weeks Until the AI Act Hits: Norwegian Businesses Risk €35 Million in Fines - Bilde 1

Costs Are a Particular Concern for SMEs

For large corporations the burden is significant but manageable. For small and medium-sized enterprises it could be crushing. According to available research, annual compliance costs for SMEs may range between €50,000 and €500,000. Start-ups developing high-risk AI systems may need to dedicate one to two full-time employees solely to regulatory compliance.

The initial legal assessments for a start-up with a single high-risk system can alone cost between €15,000 and €50,000 — and total first-year costs can reach €250,000. For larger organisations, programmes that quickly exceed one million dollars annually are being discussed.

€35 million
Maximum fine per violation
7%
Maximum share of global turnover

Norwegian Supervisory Authorities Are in Place

The Norwegian Data Protection Authority (Datatilsynet) and the Norwegian Communications Authority (Nkom) have been designated as Norway's primary supervisory bodies under the new regulation. Nkom holds the role of national coordinating authority for the AI Act, while Datatilsynet handles the interface with data protection legislation — an interface that is substantial, given that the vast majority of AI systems process personal data.

Norwegian Accreditation (Norsk Akkreditering) will serve as the national accreditation body for AI systems requiring external auditing. Such audits can themselves cost between €20,000 and €80,000 per system, according to available estimates.

Many Norwegian businesses do not have a full overview of which AI systems they actually use — and that is precisely where the law begins.

KI-Norge and Digdir Offer Guidance

On the government side, support structures have been established. KI-Norge, organised under the Norwegian Digitalisation Agency (Digdir), functions as a national hub for responsible AI development and offers, among other things, an AI sandbox where businesses can test and develop systems in a controlled environment without risking immediate sanctions.

Industry associations such as Abelia and Tek Norge support the introduction of the regulation and emphasise the importance of aligning Norwegian legislation with EU rules — not least to ensure market access. Both organisations have, however, been clear that supervisory authorities should prioritise guidance over penalties in the early phase.

Overlap with GDPR Complicates the Picture

An additional complicating factor for Norwegian businesses is that the AI Act does not operate in a vacuum. The Personal Data Act, which implements the GDPR in Norwegian law, already places strict constraints on the processing of personal data. When AI systems — as most do — use personal data, a dual regulatory framework emerges that both sets of supervisory authorities can enforce.

For companies using cloud infrastructure outside the EEA, data transfer rules also come into play, which can entail significant architectural and compliance costs.

With seven weeks remaining, there is no longer time to "wait and see" — it is time to map, prioritise, and act.

What Should Norwegian Businesses Do Now?

Experts recommend that Norwegian businesses begin with a systematic mapping of all AI systems in use — including systems purchased from third-party vendors. Those systems must then be risk-classified according to the AI Act model, with measures prioritised according to risk profile.

For those who have already started, the remaining time is about completing documentation and establishing internal control procedures. For those who have not yet begun, the advice is to seek external legal and technical assistance immediately — and to contact Datatilsynet or Nkom for guidance.