The EU Council of Ministers recently gave its final approval to the Digital Omnibus package, which includes amendments to the EU AI Act — the world's first comprehensive legally binding framework for artificial intelligence. The news comes via a client alert from law firm JD Supra. For Norwegian technology companies, startups, and research institutions operating in or toward the European market, this legislation is anything but a distant EU affair.

What Is the EU AI Act?

The EU AI Act entered into force on 1 August 2024 and classifies AI systems into four risk levels: unacceptable, high, limited, and minimal risk. The higher the risk, the stricter the requirements for documentation, human oversight, and safety.

What makes the law particularly relevant for Norwegian operators is its territorial scope: the regulation applies not only to companies established in the EU, but also to providers and users outside the EU if the AI system's output is used within the European market. Norway, as an EEA member, is closely integrated into that market.

The EU Law That Could Fine Norwegian AI Companies €35 Million - Bilde 1

Timeline for Entry Into Force

1 August 2024
The EU AI Act enters into force
2 February 2025
Prohibitions on unacceptable AI practices and AI literacy requirements apply from this date
2 August 2025
Rules for general-purpose AI models (GPAI) and governance structures are activated
2 August 2026
The main body of obligations for high-risk systems (Annex III) takes effect
2 August 2028
Extended transition period for high-risk AI embedded in regulated products expires

Heavy Fines and a New EU AI Office

Enforcement is handled through a newly established EU AI Office under the European Commission, working in tandem with national market surveillance authorities in member states — a hybrid model that, according to JD Supra's client alert, is designed to ensure consistent application across borders.

€35m / 7%
Maximum fine for breaches of AI prohibitions
€15m / 3%
Maximum fine for high-risk breaches

For Norwegian companies with operations targeting the EU market, this means compliance is not optional. A Norwegian health-tech company supplying an AI-driven diagnostic tool to German hospitals, for example, will be required to meet the high-risk obligations covering robust risk management, technical documentation, and mandatory human oversight.

Norwegian Innovation Under Pressure — or Opportunity?

The law also includes provisions for regulatory sandboxes, where companies — particularly SMEs and startups — can test AI systems in controlled environments before a full commercial launch. This could open opportunities for Norwegian operators to develop and validate products within the regulatory framework without risking immediate sanctions.

Norwegian companies selling AI services to EU customers cannot afford to ignore a law that is already in force.

US authorities have taken a different path: where the EU has opted for binding legislation with strict fines, the United States relies on voluntary frameworks, industry-led initiatives, and executive orders. This divergence creates a challenging landscape for international operators that must navigate both regimes.

What Should Norwegian Operators Do Now?

With the most important obligations for high-risk systems taking effect as soon as 2 August 2026 — just weeks away — the window for preparation is extremely narrow. Norwegian businesses should map which AI systems they offer in the EU market, classify them under the law, and begin work on the required documentation and governance structures.

The Digital Omnibus approval confirms that the EU is not retreating from the ambitions of the AI Act — quite the contrary.