Technology companies with users or commercial operations in Norway are now subject to tightened digital services obligations. Norway has fully incorporated the EU's digital services legislative regime into the EØS-avtalen (European Economic Area Agreement), bringing domestic enforcement into full alignment with EU standards. For international companies that have treated Norway as a lower-priority jurisdiction, the window for adjustment is closing.
Norway's digital services regulatory regime. operating through EEA incorporation of EU digital services legislation. imposes transparency, algorithmic accountability, and content moderation obligations on online platforms, intermediaries, and technology service providers active in the Norwegian market. Compliance deadlines have already passed for larger providers, with smaller and mid-sized operators now subject to active scrutiny by Medietilsynet (the Norwegian Media Authority), Norway's designated Digital Services Coordinator. Companies failing to meet documentation and reporting requirements face administrative enforcement action.
This alert sets out what has changed, which business categories are affected, and what international companies must do immediately.
What changed – the regulatory development and effective date
Norway transposed the EU's digital services legislative package into national law through EEA Committee decisions effective from early 2024. Full domestic enforcement began in the second half of 2024. Medietilsynet assumed the role of Digital Services Coordinator with powers to investigate, impose interim measures, and levy financial penalties.
Three structural changes affect technology companies directly.
First, algorithmic accountability obligations now require providers to document how recommender systems and content-ranking mechanisms operate. This applies to any operator that deploys algorithmic systems to determine what content Norwegian users see. General descriptions are insufficient – operators must be able to produce technical documentation on request.
Second, software liability under Norway's digital services legislative regime has been clarified. Intermediary liability protections remain available, but they now depend on demonstrable compliance with notice-and-action procedures. A provider that cannot show it acted promptly on unlawful content notices loses the benefit of the liability shield.
Third, technology licensing arrangements for digital services must now account for Norwegian data localisation and audit rights where those services are provided to regulated sectors. This is a frequently overlooked dimension of technology licensing for SaaS and platform providers.
AI Act compliance is a parallel and reinforcing pressure. Norway has signalled that AI Act requirements – particularly for high-risk AI systems – will be enforced concurrently with digital services obligations where the same product or service is implicated. Companies should treat these as a combined compliance burden, not separate tracks.
For detailed guidance on the AI and technology legislative regime as it applies in Norway, see our AI and technology law services for Norway.
Who is affected – threshold criteria and business categories
The Norwegian digital services legislative regime applies across a broad range of business categories. The following operators face the most immediate compliance exposure.
- Online marketplaces and platform operators with Norwegian users, regardless of where the operator is established
- Social media services, content aggregators, and recommendation-engine-based platforms accessible in Norway
- Cloud and SaaS providers supplying services to Norwegian businesses in regulated sectors – including finance, health, and media
- App stores and software distribution platforms with Norwegian-resident end users
- Providers of AI-driven tools used in hiring, credit assessment, or content moderation that reach Norwegian users
Threshold criteria matter. Very large online platforms – those exceeding the user thresholds set out in EU digital services legislation as incorporated into the EEA – face the most demanding obligations. This includes mandatory algorithmic audits and independent risk assessments. Mid-sized operators face a lighter but still enforceable set of transparency and reporting requirements. Small operators below the relevant thresholds retain baseline obligations: clear terms of service, accessible complaint mechanisms, and a designated contact point within the EEA.
A company established outside the EEA that provides digital services to Norwegian users must designate a legal representative within the EEA. Failure to do so is itself a violation subject to enforcement, entirely separate from any substantive compliance failures. This requirement catches a significant share of non-European technology companies that overlook Norway when scoping their EEA representative arrangements.
Intellectual property dimensions also arise here. Technology companies that rely on licensed content. music, video, software. Data sets. to power their services in Norway must verify that existing technology licensing arrangements cover Norwegian distribution and comply with any territorial audit obligations now in force. For further analysis of intellectual property considerations for technology operators in Norway, see our guidance on intellectual property law in Norway.
To receive an expert assessment of your digital services compliance position in Norway, contact us at info@ferrazwhitmore.com.
What to do now – immediate actions and compliance timeline
International technology companies should treat the following as a priority checklist for the next 60 days.
- Audit your Norwegian user base and service footprint. Determine whether your service reaches Norwegian users and at what scale. This establishes which tier of obligation applies and whether the very-large-platform rules are engaged.
- Verify or establish an EEA legal representative. If your entity is incorporated outside the EEA, appoint a representative now. Document the appointment formally and ensure Medietilsynet can contact them directly.
- Document algorithmic systems used in Norwegian-facing services. Prepare technical summaries of any recommender, ranking, or content-moderation algorithms. This documentation should be ready for regulatory inspection without further preparation time.
- Review notice-and-action procedures. Confirm that your internal processes for handling unlawful content reports meet the response-time and documentation standards required to preserve intermediary liability protection under Norwegian digital services law.
- Cross-check AI Act compliance obligations. Where your product includes AI components that may qualify as high-risk under EU AI regulation as applied through the EEA, treat Norwegian enforcement as a live risk alongside DSA obligations.
Companies that identify gaps during this review should prioritise remediation in the order listed above. The EEA representative gap carries the highest immediate enforcement risk because it is verifiable by Medietilsynet without any investigation into substantive operations. Algorithmic documentation gaps are the most common source of follow-on enforcement action once an operator is under scrutiny.
A comparison with the parallel regulatory development in Portugal – where digital services obligations are also being actively enforced – is available in our alert on digital services regulation in Portugal.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, institutional investors, and in-house legal teams on AI Act compliance, algorithmic accountability, software liability, and digital services regulation across 46 jurisdictions. As a law firm in Norway and across the EEA, we combine Portuguese civil law expertise with English common law tradition to provide cross-border technology law counsel that is both technically precise and commercially practical. Our technology law team includes practitioners with experience advising on regulatory compliance before EEA and EU supervisory authorities. For a tailored strategy on digital services compliance in Norway, reach out to info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.