Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.

Laws/Regulations directly regulating AI (the “AI Regulations”)

Currently, there are no specific laws, statutory rules, or regulations in Norway that directly regulate AI. Norway is not expected to enact its own comprehensive AI legislation, with the exception of the EU AI Act, which is expected to become Norwegian law in the same manner as for all European Economic Area (EEA) Member States.

In addition, the Norwegian government continues to consider whether any other existing legal framework should also be amended (as necessary) to meet any technological developments.¹

Norwegian laws are largely technology-neutral and flexible, thereby indirectly encompassing AI within a significant portion of its legal framework

Status of the AI Regulations

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI.

However, as Norway is an EEA country, the EU AI Act is expected to eventually be implemented as Norwegian law, even though no formal decision or approval has been made. With respect to the implementation of the EU AI Act in Norway, the current status can be followed on the Norwegian government website (only in Norwegian). During the period after the EU AI Act has entered into force in the EU, but before the EU AI Act is implemented into Norwegian law, the EU AI Act may still apply to Norwegian companies due to its extraterritorial provisions.²

In 2021, the Norwegian government published the Norwegian Position Paper on the European Commission’s Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on AI (the “Position Paper”), which sets out the government’s approach on AI. The paper also establishes their support for the EU AI Act (including its definition of AI, risk-based approaches, classification of high-risk AI systems, etc.), their concerns regarding the relationship between the EU AI Act and other legal frameworks, consequences for SMEs, their establishment of the Regulatory Sandbox (the “Sandbox”) by the Norwegian Data Protection Authority (Datatilsynet) and foreseen governance structures.³

Other laws affecting AI

There are various laws that do not directly seek to regulate AI but may affect the development or use of AI in Norway. Norwegian regulations are largely technology-neutral, implying their applicability irrespective of the technology in use (also encompassing AI).

A non-exhaustive list of key examples includes:

• The Norwegian constitution, especially Chapter E (human rights)
• The Equality and Discrimination Act
• The Working Environment Act
• The Transparency Act (which is, among other things, intended to promote businesses’ respect for fundamental human rights in connection with the production of goods and provision of services)
• The Personal Data Act (which includes the GDPR)
• Product liability and product safety rules
• The Marketing Control Act, Consumer Purchase Act and Digital Services Act. For instance, advertising or marketing should not be misleading or appear as something other than what it is, which includes situations where AI has been employed in the marketing process. Consumer laws also include requirements for providers of products or services that include AI
• Intellectual property laws may affect several aspects of AI development and use. For instance, the Norwegian Copyright Act can be invoked in cases involving generative AI training or use, and text and data mining
• The Law Enforcement Directive and other sector-specific regulations such as the Health Register Act, the Police Register Act and the Police Register Regulatio
• During the COVID-19 crisis, a temporary regulation that authorized fully automatic processing was added to the National Insurance Act. The statute was later added to the Labor and Welfare administration Act on December 4, 2020
• The Law Commission made recommendations to the Archival Act and Public Administration Act, which aim to provide transparency and accountability in public administration systems where AI is used

Definition of “AI”

As noted above, there are currently no specific laws or policies in Norway that directly regulate AI. Accordingly, no definition of AI is currently recognized through Norwegian national legislation.

However, in January 2020, the Norwegian government presented its National AI Strategy, which adopts the definition set out by the European Commission’s High Level Expert Group on AI, which is “AI systems act in the physical or digital dimension by perceiving their environment, processing and interpreting information, and deciding the best action(s) to take to achieve the given goal. Some AI systems can adapt their behavior by analyzing how the environment is affected by their previous action.”⁴

The Norwegian government also supports the definition of AI proposed by the EU Commission under the EU AI Act.⁵

Territorial scope

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. Accordingly, there is no specific territorial scope at this stage.

Sectoral scope

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. Accordingly, there is no specific sectoral scope at this stage. However:

• Health sector: A proposal to enable the Health Data Program and the Health Analysis Data platform to utilize AI took effect in January 2021. In June 2021, the Norwegian parliament also amended the Health Personnel Act and the Health Records Act to allow data access to clinical decision support based on AI⁶
• As explained in the "Other laws affecting AI" section above, the Law Commission made recommendations to the Archival Act and Public Administration Act that relate to public sector administrative proceedings and the use of AI in public administration. No formal proposal from the government has yet been proposed⁷

Compliance roles

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. Accordingly, there are currently no specific or unique obligations imposed on developers, users, operators and/or deployers of AI systems.

The 2020 National AI Strategy focuses on all actors along the AI value chain, as well as on society as a whole. The strategy papers emphasize the responsibilities of AI users and operators (which are not defined), but also address the interests of affected persons (and affected sectors).⁸

Core issues that the AI Regulations seek to address

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. Nevertheless, the National AI Strategy highlights a number of policy initiatives:⁹

• Expanding the offer of education programs and workplace trainings in the field of AI in order to create a solid basis of digital skills and capabilities
• Strengthening Norwegian research in AI
• Enhancing the innovation capacity in AI in both the private and public sectors
• Outlining ethical principles for AI in order to allow fair, reliable and trustworthy AI-related developments
• Establishing digitalization-friendly regulations to define the legislative framework in which AI developments take place
• Constructing a strong data infrastructure ensuring open data and data sharing across sectors and business areas. Dedicated opportunities for language data resources are established through the Norwegian language bank at the National Library
• Deploying a telecommunication infrastructure that provides high-capacity connectivity and computing power, and that ensures security in AI-based systems

In 2020, the Datatilsynet also established the Sandbox, to allow for testing, developing and monitoring AI concepts in a protected environment, and to promote the development of ethical and responsible AI solutions, especially with respect to privacy. As of January 2024, the Datatilsynet is in the fifth round of the Sandbox, with the most recent round selecting four new projects in Generative AI.¹⁰

Risk categorization

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. However, the Position Paper supports the risk-based approach of the EU AI Act.¹¹

Key compliance requirements

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. However, there are certain compliance requirements for the use of automated systems (which may include AI) with regards to the health sector and the Labor and Welfare Administration act (as explained in sections "Other laws affecting AI" and "Sectoral scope" above).

Regulators

The Norwegian government foresees designating a national supervisory authority, in accordance with the EU AI Act proposal. Norway, as an EEA Member State, should be represented in the European Artificial Intelligence Board (EAIB) to be established in accordance with Title VI, Chapter I of the proposal, equivalent to their participation in the European Data Protection Board.¹²

It has not yet been decided which regulatory body will remain the main regulator of AI, and several bodies have expressed interest. A potential candidate may be Datatilsynet, which: (i) is already running the Sandbox as explained in the "Core issues" section above;¹³ (ii) has published a strategy for its internal and external work with AI; and (iii) aims to contribute to having a coordinated and unified approach to AI both internally to its own operations and externally toward society as a whole.¹⁴

However, Datatilsynet’s competence is currently related to processing of personal data and not specifically focused on AI or technology in general.

Enforcement powers and penalties

As noted above, there are currently no specific laws or regulations in Norway that directly regulate AI. Accordingly, it is currently unclear what enforcement powers or penalties the Datatilsynet may impose upon breaches.

1 See the National AI Strategy here, page 21.
2 See the AI Act article 2 (b) and (c). For example, if a provider in Norway is "putting into service" AI systems, or AI models, in the EU, or if a provider or deployer in Norway, where the output from the AI system, is used in the EU, the regulation will apply.
3 See the Position Paper here.
4 See the National AI Strategy here, page 9.
5 See the Position Paper here.
6 See here.
7 See the National AI Strategy here, page 26.
8 See the National AI Strategy here.
9 See the National AI Strategy here
10 See here.
11 See the Position Paper here.
12 See the Position Paper here.
13 See here
14 See here.

Jeffrey Shin (Trainee Solicitor, White & Case, London) contributed to this publication.

Wiersholm contributors - Rune Opdahl, Fredrik Wiker, and Ines Tafjord.

[View source.]