The AI Act is coming to Norway: what to do before it enters into force
18 May 2026 · Skarpix
The EU AI Act is the world's first comprehensive regulation of artificial intelligence. In Norway, it is transposed into law as KI-loven, a Norwegian act that incorporates the AI Act via the EEA Agreement. Nasjonal kommunikasjonsmyndighet (Nkom) is the designated coordinating supervisory authority. The consultation on the draft law closed 30 September 2025.
The original ambition was for KI-loven to enter into force in late summer 2026, around the same time the main body of the AI Act becomes applicable in the EU on 2 August 2026. EEA negotiations have been delayed, however, and a short delay relative to the EU date is now likely. That gives Norwegian businesses a slightly longer window than EU businesses, but not much longer.
Nkom's recommendation is straightforward: start preparing as soon as possible.
Who is in scope
The AI Act applies to providers and users of AI systems placed on the market or put into service in the EU/EEA, or whose output is used there. In practice that includes most Norwegian businesses that develop, import, distribute or use AI systems. The scope is broader than many assume.
The regulation classifies AI systems by risk. The classification determines what obligations apply:
Prohibited practices (Article 5). Social scoring, manipulation, unlawful real-time biometric identification in public spaces, and a handful of others. These are fully prohibited in the EU and have been enforceable at EU level since 2 February 2025.
High-risk systems (Annex III). AI in recruitment, credit assessment, education, law enforcement, critical infrastructure, and several other areas. These carry the strictest obligations: risk management system, data governance, technical documentation, logging, human oversight, and conformity assessment. The requirements apply from 2 August 2026 at EU level.
Limited risk. Mainly transparency obligations. Chatbots must disclose they are AI. Generated content must be labelled.
Minimal risk. No specific obligations. Spam filters, AI in games, and similar.
There are also separate rules for general-purpose AI models (GPAI), including so-called "models with systemic risk". Those rules have applied at EU level since 2 August 2025.
What you need to do, by role
The first thing to determine is whether you are a provider, a user, or both. The obligations differ.
As a provider (you develop or import AI systems for use under your own name): risk management system, data governance and data lineage, technical documentation, logging, transparency towards users, human oversight at system level, conformity assessment, CE marking for high-risk systems, and continuous post-market monitoring.
As a user (you put an AI system into operation in your own organisation): use the system in accordance with the provider's instructions, conduct a fundamental rights impact assessment (FRIA) where required, ensure human oversight in operations, keep logs, and inform affected individuals where necessary.
As both: both sets apply. Many organisations are both: you buy an AI tool and fine-tune it on your own data, or build your own interface on top of a third-party model.
Fines
Fines under the AI Act are among the steepest in EU law. For prohibited practices the cap is EUR 35 million or 7% of global turnover, whichever is higher. For breaches of most other obligations the cap is EUR 15 million or 3%. For incorrect information to supervisory authorities, EUR 7.5 million or 1%.
For comparison, the GDPR cap is EUR 20 million or 4% of global turnover. The AI Act goes higher for the most serious breaches.
AI literacy for staff (Article 4)
A requirement that often gets overlooked: Article 4 requires organisations to ensure that staff using AI systems have sufficient AI literacy to use them safely. This is a baseline obligation that applies regardless of risk level. It does not mean everyone has to become a data scientist. It means the people using an AI system should understand what the system does, what it doesn't do, how it can fail, and how to handle its outputs critically.
In practice this means documented training for staff who use AI tools at work. Datatilsynet has signalled that it expects Norwegian organisations to have a plan for this, and has flagged AI as a priority area for supervision.
What to do now
Inventory your AI systems. First step. List every AI system you develop, import, distribute or use. Include shadow AI: department-level ChatGPT usage, AI features that have appeared inside existing SaaS tools, and so on. You can't comply with what you don't know about.
Classify each system. Prohibited, high-risk, limited risk, or minimal risk? For each one: are you the provider, the user, or both?
Start where the obligation is heaviest. Have a high-risk system as provider? That's where most of the work lives, and that's where you start. Risk management systems and technical documentation take time to build properly.
Plan for Article 4 training. Who needs what AI literacy? How do you document it? This is the easiest obligation to start on, and one of the first things supervision will look for.
Update supplier contracts. If you use a third-party AI system, the contract needs to allocate responsibility clearly between provider and user. There is no reason to wait on this.
Skarpix offers a free AI Act assessment that takes 5-10 minutes and produces a concrete report on where you stand, both as a provider and as a user. It's built around the Norwegian picture, including Nkom's coordinating role and KI-loven as currently proposed.