Norway is in the process of implementing the EU's AI Act — and businesses are now being warned not to repeat the costly mistakes that characterized the introduction of the GDPR privacy regulation nearly ten years ago. This is the message in a commentary published in Dagens Næringsliv, where the tone is clear: prepare now, or pay the price later.
What is the AI Act, and What Does it Require?
The EU AI Act is the world's first comprehensive legal framework that regulates artificial intelligence based on risk level. Systems are divided into categories of unacceptable risk, high risk, limited risk, and minimal risk — with the strictest requirements for high-risk systems, which include everything from medical diagnostics to recruitment tools and critical infrastructure.
For Norwegian businesses, this specifically means that a number of AI solutions they already use — or plan to use — will need to be documented, tested, and in some cases approved before they can be put into operation.
The GDPR Mistake No One Wants to Repeat
When GDPR came into effect in 2018, many businesses were unprepared. According to research on GDPR implementation, compliance efforts resulted in very high costs: globally, Ernst & Young estimated that the world's 500 largest companies spent nearly 8 billion dollars on complying with the regulations in the year of its introduction alone.
For medium-sized businesses, ongoing costs have been somewhere between one and ten million Norwegian kroner annually, depending on the nature of the business and the volume of data. Since 2018, European supervisory authorities have imposed fines totaling over 7.1 billion euros across more than 1,560 decisions.
But just as serious as the fines was the confusion: vague guidelines, undefined terms, and under-resourced supervisory authorities created uncertainty for years after its introduction.
Supervisory Authorities — A Recurring Criticism
One of the most frequently repeated problems from GDPR experiences is that national supervisory authorities simply lacked the resources to effectively enforce the regulations. The EU Agency for Fundamental Rights (FRA) pointed out as recently as June 2024 that a lack of funding and too few staff prevented data protection authorities from fulfilling their mandates.
For the AI Act, these same authorities will likely be responsible for an even more technologically demanding regulatory framework. There is little to suggest that the resource situation has significantly improved — and that worries experts.
€7.1 billionTotal GDPR Fines Since 2018$8 billionWhat the World's 500 Largest Companies Spent on GDPR Compliance in 2018
What Should Norwegian Actors Do Now?
The warning from Dagens Næringsliv is not new, but it is timely. The implementation of the AI Act is already underway in the EU, and Norway, as an EEA member, will have to introduce the regulations — the timing is currently unclear, but companies that wait until the law is formally in place risk being caught off guard.
The most important measures highlighted in expert literature on GDPR experiences are also relevant here: map which AI systems the business uses, assess risk level, establish documentation routines, and ensure that management is involved — not just the IT department.
For Norwegian tech companies and startups developing AI products aimed at the European market, it is also crucial to understand that the requirements apply to the system, not just the user. This means that responsibility for compliance is largely placed on the developers.
An Opportunity, Not Just a Burden
It is worth noting that commentators and experts do not only see the AI Act as a cost. Clear and credible regulation can give Norwegian actors an advantage in an international market where trust in AI systems is under pressure. Companies that already have their affairs in order will be stronger when customers start asking questions about compliance.
Nevertheless, the message is clear from those who closely followed the GDPR process: it is much more expensive to clean up than to prepare. Norway has seen it once — there is no reason to see it again.
Sources: Dagens Næringsliv, EU Agency for Fundamental Rights (FRA), Ernst & Young GDPR report 2018, research on GDPR implementation challenges.