Data protection

1. Local data protection laws and scope

The processing of personal data is regulated by:

  • Act relating to the processing of personal data (Personal Data Act):
    • The Personal Data Act implements the General Data Protection Regulation (GDPR) into Norwegian law and also contains national rules with Norwegian adaptations.
    • The Act applies to the processing of personal data pertaining to natural persons.
  • Sector-specific data protection legislation, including:
    • Act relating to the processing of data by the police and the prosecuting authority (the Police Databases Act)
    • Act relating to the processing of health information in provision of health care (the Patient Record Act)
    • Act on health registries and the processing of information regarding health (the Health Registry Act)

2. Data protection authority

The Norwegian Data Protection Authority (NDPA) is the supervisory authority pursuant to Article 51 of the GDPR. 

3. Anticipated changes to local laws

When preparing the Personal Data Act, the Ministry of Justice and Public Security announced that the Act would be subject to review after having been in force for some years. This review, launched in 2024, focused on the national provisions of the 2018 Act, assessing whether they were suitably designed, functioned as intended, and whether amendments were needed.

Following the review, the Ministry proposed raising the age at which children may consent to the processing of personal data in relation to information society services (e.g., games, social media, search engines, music services) from 13 to 15 years. As of 24 September 2025, the proposal remains under public consultation. Additional proposals for amendments may also emerge as a result of the review.

4. Sanctions & non-compliance

In case of violations of data protection legislation, the NDPA can issue warnings and reprimands, order compliance, order that the processing of personal data be stopped, or impose administrative fines. If the decisions of the NDPA are not complied with, the authority can also impose coercive fines.

Depending on the circumstances of the case and which rules have been broken, the NDPA can impose administrative fines of up to 20 million euros or 4% of the total global annual turnover in the preceding financial year, whichever is higher.

5. Registration / notification / authorisation

Generally, no registration, notification, or authorisation is required for the processing of personal data in Norway. Certain exceptions apply:

  • Data Protection Impact Assessment (DPIA): If a data protection impact assessment (DPIA) indicates a high risk to the rights and freedoms of the data subjects that the controller cannot sufficiently mitigate, the controller must consult the NDPA prior to processing.
  • Personal data breaches: In the case of a personal data breach, the controller must notify the NDPA. Furthermore, the processor must notify the controller without undue delay after becoming aware of such a breach. If the breach is likely to result in high risk to the rights and freedoms of natural persons, the controller must also notify the affected data subjects without undue delay.
  • Processor’s duty to object: The processor must inform the controller if, in its opinion, an instruction from the controller infringes data protection legislation.
  • Data Protection Officer (DPO): Certain organisations are required to appoint a DPO and notify the NDPA of the DPO’s contact details. 

6. Main obligations and processing requirements

Main controller obligations:

  • Define a purpose and identify a legal basis for the processing of personal data.
  • Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.
  • Ensure the protection of the rights of the data subjects, including providing information about the processing.
  • Enter into a data processing agreement (DPA) when using a processor.
  • In certain situations, perform a data protection impact assessment (DPIA) and, if required, consult the NDPA.
  • Implement appropriate technical and organisational measures to ensure the security of personal data.
  • Keep a record of the data processing activities.
  • Report data breaches to the Data Protection Authority.

Main processor obligations:

  • Only process personal data on instructions from a controller.
  • Refrain from engaging another processor (sub-processor) without the controller’s authorisation.
  • Implement appropriate technical and organisational measures to ensure the security of personal data.
  • Notify the controller without undue delay after becoming aware of a personal data breach (the controller, not the processor, notifies the NDPA).
  • Keep a record of the data processing activities.
  • Notify the controller in case any given instructions infringe data protection legislation.

Processing requirements:

  • Personal data should be processed in accordance with these principles:
    • Processed in a manner that is lawful, fair, and transparent,
    • Used only for clearly defined purposes,
    • Restricted strictly to the necessary extent in relation to its intended purpose,
    • Maintained accurately and up to date,
    • Managed securely to prevent unauthorised access or breaches,
    • Retained only for the duration necessary for its specified purpose.

7. Data subject rights

Data subjects have the following rights:

  • The right to be informed about the collection and the use of their personal data,
  • The right of access, including the right to obtain a copy of their personal data,
  • The right to have inaccurate personal data rectified, or completed if incomplete,
  • The right to erasure,
  • The right to restrict processing,
  • The right to data portability,
  • The right to object to processing,
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Norwegian law contains two specific derogations from data subject rights:

  • First, Section 16 of the Personal Data Act restricts information, access, and breach notification rights where disclosure could compromise national security, crime prevention, secrecy obligations, health, or private interests.
  • Second, Section 17 of the Personal Data Act limits access, rectification, and restriction rights in cases of archiving, research, or statistical processing where exercising such rights would be disproportionate or seriously hinder the purposes of the processing.

8. Processing by third parties

Under GDPR, a “third party” is defined as a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. In other words, a third party does not process personal data on behalf of the controller.  

The controller needs a valid legal basis and a defined purpose to transfer personal data to third parties. When personal data is shared with a third party, that party becomes a recipient of the data.

9. Transfers out of country

Transfers to member states of the EU/EEA may take place in accordance with regular requirements in the GDPR.

Personal data can be transferred to third countries if one of the following conditions is met:

  • The European Commission has declared the country to have an adequate level of data protection (adequacy decision).
  • Appropriate safeguards are in place, such as binding corporate rules or standard data protection clauses.
  • Specific conditions are met, like explicit consent from the data subject, necessity for contract performance, important public interest, legal claims, vital interests of the data subject, or public register access.
  • In certain cases, for compelling legitimate interests of the controller, provided the transfer is non-repetitive and involves limited data subjects, with adequate protection measures.

10. Data Protection Officer

A controller or processor must appoint a Data Protection Officer (DPO) in the following situations:

  • The entity is a public authority or body,
  • The core activities require regular and systematic monitoring of data subjects on a large scale,
  • The entity processes special categories of data or criminal convictions/offences on a large scale.

Key tasks include advising on obligations, monitoring compliance, providing guidance on DPIAs, and serving as the contact point for the supervisory authority.

11. Security

Personal data must be adequately protected. Therefore, both controller and the processor have an obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

12. Breach notification

In case of a personal data breach, the controller must notify the NDPA without undue delay and, where feasible, no later than 72 hours after having become aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also notify the affected individuals without undue delay.

The processor must notify the controller without undue delay after becoming aware of a personal data breach.

13. Direct marketing

Under the Marketing Control Act, direct marketing to individuals through electronic communication methods such as e-mail, fax or automated calling systems (voice machines) is prohibited without the recipient's prior consent. This prohibition does not apply where the individual is contacted orally by telephone. An exception also applies where a business has obtained the recipient's e-mail address in connection with a sale of goods or services and uses it for marketing of its own similar products or services, provided that the recipient is clearly offered an easy and free opt-out at the time of collection and with each subsequent communication.

14. Cookies and adtech

Cookies

The conditions for the use of cookies are set out in the Act relating to electronic communications (the Electronic Communications Act) Section 3-15. This provision stipulates that storing and processing cookies is prohibited unless the user is informed about the details of the processing and consents to it. The consent must align with GDPR standards, meaning that it needs to be freely given, specific, informed and unambiguous. This implies that an opt-out solution is not a valid form of consent.

Exceptions to the consent and information requirements are allowed if:

  • The sole purpose of using the cookies is to facilitate communication in an electronic network, or
  • It is necessary to supply an information society service at the user's explicit request.

Adtech

Previously, it was unclear whether the use of Google Analytics and similar services complied with Norway's data protection legislation. The primary issue was the transfer of personal data to third countries, including the US. In 2023, the NDPA concluded that such use was unlawful.

However, since July 2023, the EU–US Data Privacy Framework has been recognised by the European Commission as providing adequate protection, thereby allowing transfers to certified US entities, including Google. As of May 2025, Norwegian authorities continue to advise controllers to assess compliance thoroughly, particularly around onward transfers and supplemental measures to ensure GDPR-level protection. While this framework eases certain restrictions, compliance with the GDPR's principles, documentation of transfer impact assessments, and strict adherence to transparency obligations remain paramount. If there is any concern that personal data may be subject to undue surveillance, additional safeguards should still be implemented. Moreover, other regulatory concerns regarding adtech, such as profiling, consent, and user tracking, persist under Norwegian and EU law.

15. Risk scale

There is no universal method or process in Norwegian law with regard to risk scales or risk assessments. The organisation under the relevant security obligation must carry out a conscientious assessment and use a reasonable risk scale.

Cybersecurity

1. Local cybersecurity laws and scope

There is no generally applicable law dedicated specifically to cybersecurity in Norway. The relevant laws that regulate cybersecurity are fragmented and often sector specific.

We have listed some of the essential cybersecurity laws below:

  1. All processing of personal data is subject to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Personal Data Act of 15 June 2018.
  2. The National Security Act of 1 June 2018 aims, inter alia, to prevent, detect and counteract activities threatening national sovereignty, including regulations on information security.
  3. The Electronic Communications Act of 4 July 2003 and the Electronic Communications Regulation of 16 February 2004 aim to give secure and modern communication services to the public.
  4. The Digital Operational Resilience in the Financial Sector Act (DORA Act) of 27 May 2025, implementing the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) into Norwegian law.
  5. The Digital Security Act of 20 December 2023, implementing the EU Directive 2016/1148 on Network and Information Security (the NIS1 Directive) into Norwegian law.

2. Anticipated changes to local laws

The NIS2 Directive (Directive (EU) 2022/2555) will most likely be transposed into Norwegian law, as it is considered relevant for EEA countries such as Norway. Within a relatively short time, a new public consultation document on the new Act is expected to be presented.

3. Application 

Please see our answers above.

4. Authority

The following regulators are responsible for enforcing the requirements according to the applicable laws described above:

  1. The Norwegian Data Protection Authority (NDPA) is responsible for enforcing provisions in the GDPR.
  2. The Norwegian National Security Authority is responsible for enforcing the provisions in the National Security Act.
  3. The Norwegian Communications Authority (NKOM) is responsible for enforcing the Electronic Communications Act and the Electronic Communications Regulations.
  4. The Norwegian Financial Supervisory Authority is responsible for enforcing the provisions in the DORA Act and the financial-sector ICT Regulation.
  5. Sectoral authorities supervise entities within their sectors, while the Norwegian National Security Authority is the supervisory authority for entities without one under the Digital Security Act.

5. Key obligations 

Key obligations under:

The GDPR:

  • Lawful basis and principles: All processing must have a valid legal basis and comply with GDPR principles (lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity/confidentiality, accountability).
  • Transparency and rights: Inform data subjects clearly about processing and enable their rights (access, rectification, erasure, restriction, portability, objection).
  • Data Processing Agreements: Controllers must have data processing agreements with processors; processors may only act on documented instructions and need approval to use sub-processors.
  • Security: Controllers and processors must implement appropriate technical and organisational measures to manage risk and ensure security.
  • Impact assessments: Conduct Data Protection Impact Assessments (DPIAs) where high risk is likely, and consult the authority if needed.
  • Breach notification: Notify the supervisory authority within 72 hours of a personal data breach; inform affected data subjects if high risk. Processors must notify controllers without undue delay.
  • International transfers: Only transfer personal data outside the EEA where adequate safeguards (e.g. adequacy decision, SCCs, BCRs) are in place.

The National Security Act

  • Organisations that fall within the scope of the National Security Act are required to carry out risk assessments and implement proportionate security measures.
  • In cases where they have been affected by security-threatening activities or if there is a well-founded suspicion of security-threatening activities, organisations must immediately notify the authorities.
  • Ensure personnel security, including clearance and authorisation where required.

The Electronic Communications Act

  • Organisations must implement necessary security measures for the protection of communications and data.
  • Organisations must notify authorities and subscribers/users if there are security breaches or risks of such.

The DORA Act

  • Financial entities must establish robust ICT risk management frameworks.
  • Continuous monitoring, vulnerability assessments, and proactive risk mitigation are required.
  • Entities must report major ICT-related incidents to regulators using standardized procedures.
  • Regular testing of digital resilience through threat-led penetration testing and other exercises.
  • Entities must assess and monitor risks from ICT third-party service providers. Critical providers must be identified and contractual information submitted to regulators.
  • Encourages voluntary sharing of cyber threat intelligence among financial entities.

The Digital Security Act

  • The Act applies to providers of essential services (e.g., energy, transport, health) and certain digital services.
  • Conduct risk assessments of networks and information systems used to deliver the service.
  • Implement appropriate and proportionate technical and organisational measures to achieve a security level adapted to the risk, taking technological developments into account.
  • Take measures to prevent, detect, and minimise the impact of incidents, ensuring service continuity.
  • Notify the designated authority without undue delay of incidents that significantly affect service delivery.

6. Sanctions & non-compliance 

Regulators mentioned above can sanction organisations in the following manner:

  1. The NDPA can impose administrative fines of up to EUR 20 million or, in the case of an undertaking, 4% of the total worldwide annual turnover, whichever is higher. Fines for infringements of certain obligations under the GDPR, including the controller's and processor's own obligations such as breach reporting, are limited to EUR 10 million or, in the case of an undertaking, 2% of the total worldwide annual turnover, whichever is higher.
  2. The Norwegian National Security Authority can order corrective measures and impose coercive fines and administrative fines for violations of the National Security Act.
  3. NKOM can impose coercive fines and administrative fines for violations of the Electronic Communications Act and the Electronic Communications Regulations.
  4. The Norwegian Financial Supervisory Authority can impose coercive fines.


7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The Norwegian National Cyber Security Centre (NCSC) is Norway's national cyber security centre and part of the Norwegian National Security Authority (NSM). NCSC is also home to the national Computer Emergency Response Team (CERT), NorCERT.

8. National cybersecurity incident management structure

Organisations subject to the National Security Act must immediately notify the National Security Authority and other supervisory authorities if they are, or have reason to suspect that they are, exposed to an action whose purpose is to damage information, information systems, infrastructure or objects.

Under the Digital Security Act, providers of essential services and digital services have clearly stated incident reporting obligations to the National Security Authority (NSM) and the relevant sectoral authority. If a significant incident occurs that affects critical infrastructure, these organisations must report within defined timelines and may be subject to additional follow-up investigations or audits.

9. Other cybersecurity initiatives 

Norway will most likely conform to the requirements that will follow from EU/EEA law.