Tech Insight

Status

• EU: Date of application is 12 September 2025
• EEA: Considering relevance
• Norway: Pending.
  Implementation expected to be done through amendments to the Norwegian Contracts Act and Copyright Act.

Scope 

The Data Act targets connected products within the Internet-of-things ecosystem, namely products capable of gathering, generating or collecting data communicated via various means. The key subjects of the acts are “data holders”, including natural or legal persons with the right or obligation to use and make available data (typically manufacturers of connected products and providers of related services).

Relevance

The Data Act seeks fostering a competitive and fair data market, stimulating data-driven innovation, and ensuring data accessibility. The Act will most likely lead to increased data transfers across national borders. Norwegian businesses should therefore ensure that they have the right to use the data they hold, for example, through explicit agreements. Furthermore, businesses should secure that their data can be effectively shared, by making it available in real-time, is continuously in a machine-readable format, and that sharing is done free of charge. Businesses should also implement procedures on how to initiate access to and deliver data to third parties.

Read more about the Data Act in this Article (Norwegian only).

Key Obligations

The Data Act empowers users of IoT-products to access data from data holders under fair, reasonable and non-discriminatory terms (i.e. through a right to access data generated by the products, and a right to portability allowing users to migrate to third party services. The Act further limits an encompassed entity’s possibility to discriminate against data recipients, and introduces a “policing of reasonableness” with respect to standard terms used towards micro-, small-, and medium enterprises. Finally, data holders are under an obligation to share data with governmental bodies upon further defined conditions.

Status

• EU: Adopted on 29 February 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending.

Scope 

This Regulation focuses on online platforms that connect hosts and guests for short-term accommodation rentals (such as Airbnb). It seeks to create a harmonized and streamlined framework for the registration of hosts and their properties, aiming to reduce inconsistencies in how data is shared across the EU.

Relevance

The Regulation is intended to address the challenges and impacts of short-term accommodation rentals on local communities, such as excessive tourism flows and the scarcity of affordable housing.

Key Obligations

Providers of online platforms will be required to enable hosts to display registration numbers and share specific data about hosts’ activities and listings with public authorities. This includes information on rented nights and guests, facilitating compliance with registration requirements and supporting policy and enforcement efforts.

Public authorities will be required to maintain appropriately designed registration schemes for hosts, which are obligatory if public authorities wish to collect data for policymaking and enforcement purposes.

Status

• EU: Date of application was 24 September 2023
• EEA: Considering relevance
• Norway: Pending

Scope 

The DGA primarily applies to public sector bodies, but also providers of data intermediation services, which are platforms or entities that facilitate the sharing of data between data holders and data users. The DGA aims to increase the availability of data for use and re-use, particularly focusing on data held by public sector bodies. It addresses the need for trustworthy data intermediation services and promotes data altruism by encouraging individuals and businesses to make their data available for the common good, such as for research, healthcare, and education.

Relevance

The DGA aims to address technological and trust barriers that have previously limited data sharing in the EEA, thereby enhancing the EEA’s competitiveness and data sovereignty on a global scale. Implementation in Norway changes would not only enhance Norway’s data governance landscape but also facilitate cross-border data flows with EU countries, thereby supporting Norway’s participation in the European digital single market.

Key Obligations

The DGA introduces a legal framework to ensure sharing and accessibility of data, including by prohibiting exclusivity agreements related to data in the public sector, imposing an obligation to share data based on non-discriminatory, transparent and proportionate terms.

Data intermediation services must operate under strict conditions to ensure trustworthiness, transparency, and non-discrimination, and providers will be under an obligation to notify the competent authority of their intention to provide such services.

The act encourages data altruism, where individuals and organizations voluntarily share data for purposes deemed to be for the common good, under regulated and protected conditions.

The DGA further provides a framework for the re-use of public sector data, allowing for the sharing of data that cannot be made openly available due to existing protections, under certain conditions to ensure data privacy and security are maintained. Public sector bodies ability to charge fees for allowing re-use will also be limited.

Status

• EU: Trilogue initiated on 28 March 2022. Currently stalled
• EEA: Pending
• Norway: Pending

Scope 

The proposed Regulation applies to the processing of data in connection with the provision and use of electronic communication services. In additional to traditional telecom companies, the proposal will apply to Over-The-Top (OTT) service providers offering messaging, voice calls, and email services over the internet (e.g., WhatsApp, Skype, and Gmail).

Companies using electronic communication data (e-com data) for advertising and marketing purposes (including by employing cookies and similar tracking technologies) are also subject to the Regulation.

Relevance

The ePrivacy Regulation, once finalized and adopted, will necessitate adjustments in the Norwegian Electronic Communications Act and Marketing Act. how Norwegian companies manage electronic communications and direct marketing. Upon implementation, Companies will need to re-assess how they provide electronic communication services and direct marketing and prepare for the operational, strategic, and financial implications of compliance. Regulatory fines are proposed set to the higher of EUR 10,000,000 or 2 % of the worldwide annual turnover for undertakings. However, political agreement and adoption of the proposal has been delayed several times from the original proposal in 2017, and the incumbent Spanish Council Presidency does not regard the e-Privacy Regulation as a priority file. Accordingly, it may still take time before we see any progress towards an adopted Regulation.

Key Obligations

The proposal imposes strict confidentiality requirements for e-com data, including a general prohibition on listening, tapping, intercepting, or processing communications without user consent. The proposal further details specific lawful grounds for the processing of e-com data, related metadata and content (voice, video, sounds exchanged through an electronic communications service).

Specific obligations with respect to the use and collection of information from terminal equipment (such as smartphones, laptops, and connected smart home devices), which includes the use of cookies and similar technology. As a general rule, an informed, specific, and freely given consent is required unless such terminal equipment use is non-privacy intrusive, or necessary to provide a service or transmit communication. The proposal opens up for providing consent “by using the appropriate technical settings of a software application enabling access to the internet” (such as a web browser).

Software that enables electronic communications, including internet browsing, must include options to block third-party information storage or processing on the user’s device. When installing such software, users must be informed about privacy settings and must consent to a specific setting before proceeding.

Finally, the proposal imposes restrictions on unsolicited marketing communications, i.e. by requiring explicit consent as a starting point.

Status

• EU: Commission proposal published on 28 June 2023
• EEA: Pending – the Commission has marked the FIDA proposal as EEA-relevant
• Norway: Pending

Scope 

The FIDA proposal intends to increase access and reuse of customer data from financial services, e.g. data on insurances, investments, loans, and pensions. The purpose is to improve the conditions for new and innovative data driven services, as well as ensuring a more transparent financial sector for customers. Moreover, the proposal seeks to facilitate for more tailored and customer oriented financial services.

Relevance

FIDA is still at the early stages of the EU legislative process and is subject to change. However, financial service providers subject to the proposal should keep a keen eye on developments in the EU, as compliance with FIDA is likely to require significant resources.  

Key Obligations

Financial service providers must grant access to customer data to other financial service providers and entities deemed as Financial Information Services Providers (FISPs), which is a newly introduced category of entities subject to the proposal. In short, FISPs collect customer data, with the customers consent, in order to reuse the data and provide financial information services. Operating as a FISP will require a license and FISPs will be subject to audit from national competent authorities. Holders and users of financial data need to join a “Financial Data Sharing Scheme”, which are frameworks intended to govern the sharing of data in compliance with FIDA and other applicable EU legislation, e.g. the GDPR.

Status

• EU: Compromise negotiated between European Parliament and the Council on 15 March 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending

Scope 

The European Health Data Space (EHDS) primarily targets manufacturers and suppliers of EHR systems and wellness applications, and other controllers and processors of health data. The proposal seeks to empower individuals with greater control over their electronic health data and facilitate its use by researchers, innovators, and policymakers.

Relevance

The Regulation will allow Norwegian patients to benefit from improved cross-border healthcare services, as the EHDS facilitates easier access and transfer of health data across the EU/EEA. Norwegian researchers and innovators in the health sector could gain access to a broader pool of health data, fostering collaboration and accelerating developments in medical research and digital health solutions.

The proposed Regulation is likely to require amendments to Norwegian health legislation, such as Pasientjournalloven and Helseregisterloven.

Key Obligations

The proposal entails a right for individuals to access their own health data and enable them to share own health data with medical personnel across the EEA. The Regulation further establishes a common European format for patient journal and other medical documentation, which healthcare providers will have to adhere to.

The EHDS sets out conditions under which health data can be used for purposes beyond direct healthcare, such as research, innovation, public health, and policy-making. Entities wishing to access health data for these secondary purposes must comply with strict governance and privacy standards, ensuring data use is ethical and secure.

The negotiated compromise between the EU bodies include a right for patients to opt out of secondary use of their health data, except for public interest purposes, policy making, statistics and research purposes in the public interest.

Status

• EU: European Parliament approved the proposal on 13 March 2024
• EEA: Pending
• Norway: Pending

Scope 

The EU AI Act aims to regulate the use of artificial intelligence across the EEA. It is designed to ensure AI systems are safe, transparent, and accountable. The Act classifies AI applications into risk categories (unacceptable risk, high risk, general-purpose AI models with systemic/non-systemic risk) and sets out specific requirements and standards for each category.

The AI Act imposes the most stringent regulatory burden on natural or legal persons developing and placing AI Systems on the market, but also targets importers, distributors and users using an AI system under their authority (deployers).

High-risk AI systems encompasses systems which may be used for various purposes in different sectors, such as safety components in critical infrastructure, HR (recruitment and decision-making) and education.

Relevance

The AI Act is the first comprehensive law on AI by a major regulator anywhere. Norwegian businesses operating in or entering the EU market will need extensive knowledge of its requirements (when finalized), particularly around high-risk applications and general-purpose AI systems, to capitalize on innovation opportunities while adhering to regulatory expectations. Needless to say, the AI Act’s provision for imposing fines up to €35 million or 7% of global turnover (depending on severity and type of breach) for non-compliance highlights the EU’s serious commitment to ensuring AI is used and manufactured responsibly.

Key Obligations

AI-systems with unacceptable risk are prohibited (such as systems deploying sublimal or manipulative techniques to affect a person’s behaviour or decisions, and systems using real-time remote biometric identification in publicly accessible spaces).

For high-risk AI systems, providers are i.e. obliged to implement a risk management system, ensure quality of training data, and provide information enabling deployers to interpret the system’s output and use it appropriately. The system design must allow for human oversight, and achieve an appropriate level of accuracy, robustness and cybersecurity.

Deployers of high-risk AI systems must implement measures to ensure and monitor that the systems are used in compliance with its instructions, ensure human oversight by competent personnel, ensure that input data is relevant and sufficiently representative and, depending on the intended use, provide information to affected users and conduct an impact assessment.

General Purpose AI Systems (systems with capability to serve a variety of purposes, such as OpenAI) will be subject to mandatory transparency requirements, technical documentation, compliance with copyright laws, and detailed summaries of training data content. High-impact general-purpose AI models will face additional obligations, including risk assessments and reporting on incidents and energy efficiency.

Status

• EU: Commission proposal of 28 September 2022
• EEA: Pending
• Norway: Pending

Scope 

The proposed Directive seeks to regulate civil law claims based on damages caused by an AI system under fault-based liability regimes (negligent acts or omissions).

It is primarily providers of AI systems that may be subject to liability under the act, but also distributors, importers, users or other third-parties who place on the market or put into service a high-risk AI system, modify the intended purpose of a high-risk AI system already placed on the market or put into service or make a substantial modification to a high-risk AI system.

Relevance

The proposal responds to challenges identified in existing liability frameworks that struggle to accommodate claims for damages caused by AI, due to the technology’s complexity, autonomy, and opacity. This situation potentially leaves victims unable to pursue compensation effectively, facing high upfront costs and prolonged legal proceedings.

Implementation in Norway will potentially require amendments of the Norwegian Dispute Act, i.e. due to the introduction of special rules on the burden of proof and presentation of evidence.

Key Obligations

The proposal will empower courts to order the disclosure of evidence related to specific high-risk AI systems suspected of causing damage, aiming to assist claimants in gathering necessary evidence for their claims.

The proposal further introduces rebuttable presumptions to assist claimants in proving their cases, especially concerning the causal link between an AI system’s output (or lack thereof) and incurred damages. For high-risk AI systems, if a defendant is shown to have breached specific obligations under the AI Act or failed to comply with evidence disclosure orders, courts may presume their fault contributed to the harm.

Obligations and presumptions vary based on whether the AI system in question is classified as high-risk. For non-high-risk AI systems, courts will apply a presumption of causality only if proving such a link would be excessively difficult for the claimant. Where AI systems are used in personal, non-professional capacities, the proposal limits the application of causality presumptions, applying them only if the non-professional user significantly interfered with the AI system’s operation.

Status

• EU: Commission Proposal published on 17 October 2023
• EEA: Marked as EEA relevant
• Norway: A public consultation was initiated by the Ministry of Children and Families 31 January 2024, with deadline set at 2 April 2024

Scope 

The European legislation on out-of-court consumer redress (the ADR Directive and the ODR Regulation) was adopted in 2013. The ADR Directive establishes a general framework for consumer redress, obliging Member States to ensure that consumers can submit their disputes to ADR entities, and can resolve disputes fairly, quickly and affordably. The ODR Regulation was adopted for the purpose of establishing the European Online Dispute Resolution Platform (the ODR Platform) where consumers and traders could refer their disputes over online purchases to ADR entities.

On 17 October 2023, the Commission adopted a proposal to review the ADR framework by means of:

1. A legislative proposal amending the current ADR Directive
2. A legislative proposal to repeal the ODR Regulation.
3. a recommendation addressed to online marketplaces and EU trade associations having a dispute resolution mechanism and to Member States.

Relevance

The proposal to amend the ADR Directive aims to make the ADR framework fit to the digital markets by covering all categories of disputes concerning EU consumer rights, improve the access to ADR in cross-border disputes and simplify ADR procedures to all actors. The purpose of the repeal of the ODR regulation is to replace it by user-friendly digital tools to assist consumers in finding a redress tool to resolve their dispute.

The proposal to repeal the ODR Regulation and amend the ADR directive will require amendments to the Norwegian Lov om godkjenning av klageorganer for forbrukersaker (godkjenningsloven) and Forskrift om klageorganer I forbrukersaker.

Key Obligations

The proposal to repeal the ODR Regulation removes the obligation on online businesses to provide a link to the ODR platform and manage and email for communication.

The proposal to amend the ADR directive includes an extension of the scope of the ADR Directive to all infringement of EU law with consumer protection dimension e.l. related to discriminatory practice, issues related to switching of service providers, emission of pre-contractual information, and remedies related to the right of repair. Third-country traders can voluntarily participate in ADR procedures. It is also voluntary for EU traders to participate in the ADR unless required through EU or national legislation. However, traders will have to reply within 20 working days as to whether they intend to participate in the ADR or not.

Member States will designate a European Consumer Centre, consumer organization or another body as ADR contact points to facilitate communication between the parties, assist with the process, provide the parties and ADR entities with general information on EU consumer rights and on the procedural rules applied by the ADR entities identified or inform of other means of redress when a dispute cannot be resolved through an ADR procedure.

Status

• EU: Date of application was 1 January 2022
• EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
• Norway: Implemented by amendments to the Norwegian Consumer Sales Act, with effect from 1 January 2024

Scope 

The Directive and Norwegian implementation imposes mandatory requirements to consumer agreements regarding the sale of goods, with some exceptions.

Services falling under the scope of the Digital Content Directive are not covered, unless where digital services are incorporated into goods (such as smartphones and other products with software).

Relevance

The implementation of the Directive is of significant relevance to both consumers and businesses in Norway. As a total harmonization Directive, it represents a shift from its predecessor from 1999, which allowed for national laws to provide stronger consumer protection than the Directive. The amended Consumer Sales Act may necessitate changes to existing business practices, particularly in terms of standard contract terms, product conformity, and consumer remedies. Businesses will need to review and potentially revise their contracts and terms of service to ensure they are in line with the new regulations.

Key Obligations

The Consumer Sales Directive, which is currently implemented in the Norwegian Consumer Sales Act, has undergone new changes to strengthen consumer protection. The changes include clarifications on subjective and objective requirements to the contract, an expansion of the seller’s burden of proof, and the seller’s right to recourse against previous parties in the supply chain.

Some key changes to the Norwegian Consumer Sales Act include i) regulations governing situations where assets are purchased together with digital services; ii) requirements that consumers must be made “specifically aware” of any exceptions from the act’s quality requirements and “expressly and specifically” accepts them; iii) removal of the possibility for “sold as is”-reservations; iv) the possibility to claim damages for non-economic loss; and v) the possibility to terminate for breach also for the part of the sold goods that is not related to a breach of contract where the consumer cannot reasonably be expected to retain such parts.

Status

• EU: Date of application was 1 January 2022
• EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
• Norway: Implemented in the Act of June 17, 2022, No. 56 on the provision of digital services to consumers (the Norwegian Act on Digital Services)

Scope 

The DCD and Norwegian implementation apply to contracts where traders supply digital content or digital services to consumers. Digital content includes data produced and supplied in digital form, such as music, videos, apps, games, and e-books. Digital services encompass services that allow the consumer to create, process, store, or access data in digital form, or services that allow the sharing of data or any other interaction with data in digital form provided by the consumer.

The Directive covers both paid-for digital content or services and those provided in exchange for personal data, except where the personal data is exclusively processed for the purpose of supplying the digital content or service or for compliance with legal requirements.

Relevance

Prior to implementing the DCD in Norway, the provision of digital services to consumers was largely determined based on unwritten contractual law principles and by analogy from statutory rules. With the DCD, consumer rights and enhanced, while the ability of economic operators to create their own standard terms is limited. By imposing transparency requirements and limiting the right to amend services, increase fee and operate with long agreement terms, the DCD protect consumers from potentially unfair practices and to ensure a higher degree of transparency and fairness in the digital market. It also seeks to harmonize digital contract law across the EEA, reducing uncertainty and creating a more predictable legal environment for both consumers and businesses.

Key Obligations

The DCD and Norwegian implementation impose mandatory requirements to consumer contract and quality standards.

With respect to quality of digital content and services, the Norwegian implementation requires suitability for purpose, regular updates, conformity with the consumer’s reasonable expectations, and compliance with legal requirements at the time the contract was entered. It is noteworthy that the act does not impose any availability requirements (such as service level commitments). For any deviations from the quality standards, the consumer must be made “specifically aware” of these and “expressly and specifically” accepts them.

Defects and delays are made subject to remedies common from Norwegian law (rectification, price reduction, termination for breach and damages for economic loss). “Sole remedy” and limitation of liability-clauses typically seen in digital services standard terms may thus be unlawful.

The Norwegian implementation further limits the right to amend fees or services. The providers’ ability to amend services beyond what is necessary to comply with the agreement and quality standards presupposes i) a legal basis in the agreement; ii) no extra charge for the consumer; and iii) informing the consumer in a clear manner. The consumer is also given the right to terminate for breach if changes affect the service in a “non-insignificant” manner. The consumer may also cancel the agreement upon price changes beyond “what the change in the consumer price index would suggest”.

Finally, the maximum agreement term is set to six months, but exceptionally up to 12 months in “special cases”. In addition, if a consumer has agreed to periodic payments for an ongoing service and fails to make a payment within a 6-month period after the payment is due, the contract is considered terminated.

Status

• EU: Adopted on 28 February 2024. Deadline for implementation is 27 September 2026
• EEA: Considering relevance
• Norway: Pending. Implementation will likely result in an amendment of the Norwegian Cancellation Act, the Marketing Control Act, the Agreements Act, and the Norwegian Regulation on unfair commercial practices

Scope 

The Directive amends Directive 2005/29/EC on unfair business-to-consumer commercial practices (Unfair Commercial Practices Directive) and Directive 2011/83/EU on other consumer rights.

Relevance

The Directive is meant to promote the green transition and sustainability, and must be considered in conjunction with the proposal for a Green Claims Directive (COM(2023) 166). Implementation in Norway will likely result in an amendment of the Norwegian Cancellation Act, the Marketing Control Act, the Agreements Act, and the Norwegian Regulation on unfair commercial practices.

Key Obligations

The obligations are intended to ensure better information about sustainability and stronger protection against commercial practices that undermine sustainable consumption, such as deceptive environmental marketing (‘greenwashing’), premature product obsolescence, and unreliable and vague sustainability labelling. Additionally, producers must inform about the product’s durability on certain conditions. Producers must also inform consumers of how easily repairable the product is.

More specifically, the amendments to the Unfair Commercial Practices Directive concern the following: amendments to Article 6 and 7 concerning misleading marketing based on a case-by-case assessment, and an amendment to Annex I concerning practices that are considered to be unfair at all times (the so-called “blacklist”).

Status

• EU: Date of application was 28 May 2022
• EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
• Norway: Implemented with effect from 1 October 2023

Scope 

The Directive amends existing rules on unfair terms in consumer contracts (Directive 93/13/EEC), consumer protection in the indication of the prices of products offered to consumers (Directive 98/6/EC), unfair business-to-consumer commercial practices (Directive 2005/29/EC), and other consumer rights (Directive 2011/83/EU).

Relevance

The changes aim to make consumer protection rules more robust and adaptable in a digital world. There are now more formal requirements when consumers “pay” with personal data. Additionally, the new rules concerning digital marketplaces will require a closer examination of how the Directive affects individual businesses and service providers. For Norway, the Directive is implemented through amendments to the Marketing Act, Right of Withdrawal Act, Contract Act, E-commerce Act, Consumer Sales Act, Digital Services Act, and more.

Key Obligations

The Directive aims to further strengthen consumer protection, and we will outline some of the changes. Firstly, the rules regarding penalties for violations of consumer rights will be enhanced. Responsible supervisory authorities will be able to impose fines, among other measures. Secondly, it will be prohibited to not clearly label promoted search results, in which a business has paid to appear at the top of a search result. This applies to search engines, digital marketplaces, and price comparison services, among others. The Directive on unfair business-to-consumer commercial practices and the Directive on other consumer rights (which includes the right of withdrawal) will include rules on information requirements for digital marketplaces. The term “digital marketplace” has a technology-neutral definition.

The rules in the Directive on other consumer rights, which include the right of withdrawal, will also apply to digital services where the consumer “pays” with personal data. Furthermore, new requirements for marketing price reductions will be introduced, requiring the lowest previous price in the last 30 days to be disclosed.

Status

• EU: Date of application is 28 June 2025
• EEA: Considering relevance
• Norway: Pending

Scope 

The Directive imposes obligations on manufacturers, importers, distributors and suppliers of general consumer hardware systems and their associated operating systems, certain self-service terminals, banking services, electronic communication services, services providing access to audiovisual media services, e-commerce services, and e-books with accompanying software.

Relevance

The Directive will impact the value chain of the aforementioned goods and services, which includes a wide range of stakeholders. These include manufacturers and providers of e-communication services, e-commerce, and audiovisual media services. We can assist in assessing how the Directive will affect your business.

The Norwegian implementation is expected to be done through the Act relating to equality and a prohibition against discrimination, or a new act or regulation.  

Key Obligations

Products and services in scope must meet the accessibility requirements outlined in an annex to the Directive, which include aspects such as packaging labelling, functionality, and support services. However, these are only overarching requirements, and it is the responsibility of member states to define the specific technical requirements.

More specifically, the Directive will impact providers of websites and applications by having to enable audio assisted interfaces for visually impaired users, and physical products must avoid modes of operation requiring extensive reach and great strength. Additional requirements apply for specific services such as consumer banking and e-commerce services, which i.e. are required to provide consumers with perceivable, operable, understandable and robust identification methods and electronic signatures.

Status

• EU: Commission Proposal published on 22 March 2023. European Parliament and Council are discussing. European Parliament has adopted its first reading position on 12 March 2024. The new Parliament will have to follow up after the European elections taking place from 6 – 9 June 2024
• EEA: Pending
• Norway: Pending. There are already signs of positive signals from Norwegian legislators in favor of the proposal

Scope 

The Proposal aims to regulate claims and labels which explicitly or implicitly gives the impression that a product or a business has a positive, less negative or no impact on the environment. It also aims to regulate claims and labels related to improvements of the product or business over time, in terms of environmental impact.

The initiative complements Directive 2024/825 which amends the Unfair Commercial Practices Directive (2005/29/EC), which is meant to empower consumers for the green transition.

Relevance

The Proposal will impose further regulations on traders offering their products and business to consumers. Traders should adopt a life-cycle perspective on the goods and services offered to consumers, and not only assess whether or not the production method is environmentally friendly. The proposal should be seen in connection with the Unfair Commercial Practices Directive.

Implementation in Norway will likely result in an amendment to the Norwegian Marketing Act or through the adoption of new national legislation.

Key Obligations

The Proposal sets out obligations on traders to properly substantiate environmental claims. Traders must be able to verify assessments behind claims and labels before the product or business is presented to the consumers. This entails a so-called “ex-ante assessment”, which is a novelty compared to the current regulations found in the Unfair Commercial Practices Directive.

As per the Unfair Commercial Practices Directive, it is up to the member states’ consumer protection authorities to prove that environmental claims are false – partially or wholly. This burden of proof will, according to the proposal, be shifted to the traders using such claims to advertise their products or business. Further, the proposal states that an independent third party will have to verify the documentation and communication of environmental claims before such claims can be directed towards the consumers.

Status

• EU: European Parliament adopts first reading position on 12 March 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending

Scope 

The proposed Directive applies to economic operators, such as manufacturers, importers and distributors, of “products”. Providers of online platforms that allow consumers to conclude contracts with traders, are also subject to the Directive.

The proposed Directive extends the scope of potentially liable entities by defining software, digital manufacturing files and certain digital services as “products” in the meaning of the Directive. Therefore, the proposal will be of relevance for technology companies offering digital products.

The scope of the proposed Directive does not extend to the source code itself and non-commercial open source-software.

Relevance

The proposal is set to replace the current Directive on product liability. Its overarching goal is to bring the EU product liability regime up to speed with the digital age, circular economy and global value chains. While the proposed Directive has many similarities with the current Directive, it introduces important changes for the technology sector by introducing new provisions that clarifies the scope of product liability for digital products (software etc.).

Key Obligations

Entities covered by the proposed Directive are subject to a strict liability (liability regardless of fault) for damages caused by defective products, including defective software and digital manufacturing files. Liability arises when an injured person proves that the product was defective, he/she has suffered damages, and there is a casual link between the damage and the product’s defectiveness.

According to the proposal, product defectiveness may extend to the lack of software updates under the manufacturer’s control as well as the failure to address cybersecurity vulnerabilities.

The proposed Directive extends the nature of damages to loss and corruption of data that is not used exclusively for professional purposes. Hence, its implementation may affect limitations of liability for the customers loss of data in B2C-contracts.

Furthermore, the proposed Directive introduces new rules on evidence, which alleviate the burden of proof for example when the claimant meets excessive difficulty in proving defectiveness or a casual link because of the scientific or technical complexity of the product (e.g. AI-systems). 

Status

• EU: Date of application was 25 June 2023
• EEA: Considering relevance
• Norway: Pending

Scope 

The Directive providers remedies for national administrative authorities and courts to address harmful practices against consumers.

Relevance

The Directive should be considered in conjunction with the Norwegian Digital Services Act. If the directive is incorporated into the EEA Agreement, the Consumer Authority will gain the authority to make decisions regarding remedies for consumers. Courts in Norway already have the authority to make the aforementioned decisions.

Implementation in Norway will likely result in an amendment of the Norwegian Regulation on Consumer’s Collective Interests

Key Obligations

The Directive modernizes and replaces Directive 2009/22/EC. Courts and administrative authorities should be able to adopt decisions declaring the actions of a business to be unlawful, and thus must be stopped. Additionally, they should have the authority to adopt decisions regarding remedies for the consumer, including rectification, price reduction, termination, and compensation.

Status

• EU: European Parliament approved the proposal on 23 April 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending.

Scope 

The Proposal applies to the repair of goods purchased by consumers in the event of a defect of the goods that occurs or becomes apparent outside the liability of the seller pursuant to Article 10 of Directive (EU) 2019/771. The Directive imposes obligations on producers, and by extension importers and distributors.

Relevance

The proposal will impose further obligations on producers to repair goods and will encourage sustainable choices for consumers.

Implementation in Norway is expected to be done through amendment of the Consumer Sales Act.

Key Obligations

The Proposal is meant to promote a circular economy by making it more attractive for consumers to repair products instead of buying new products. The proposal includes certain safeguards for consumers when engaging with repair service providers. Furthermore, producers will have an obligation to repair products to the extent reparability requirements are provided for by certain Union legal acts . Producers will be required to inform consumers about their obligation to repair and provide information on the repair services in an easily accessible, clear and comprehensible manner. Lastly, the proposal also addresses the necessity of online platforms that allows consumers to find repairers.

Status

• EU: Date of application is 18 October 2024
• EEA: Pending
• Norway: Pending

Scope 

The Resilience of Critical Entities Directive (CER) applies to critical entities identified by member states within the sectors energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and production, processing and distribution of food.

The Directive aims to harmonize cyber resilience requirements in the EEA by ensuring that risks are more comprehensively accounted for. This includes addressing the dynamic threat landscape, such as hybrid and terrorist threats, and the physical risks from natural disasters and climate change.

While the CER-directive to some extent overlaps with the NIS2 Directive, the former focuses on the broader concept of resilience across critical entities, including physical security, risk management, and recovery from a wide range of threats.

Relevance

The CER-Directive is expected to strengthen the risk awareness and contingency planning of critical entities in the EEA, i.e. by shifting attention from infrastructure and individual objects to services and deliveries as opposed to its predecessor, the EPCIC directive (2008/114/EC). The EPCIC directive is currently implemented in the Norwegian Civil Protection Act chapter VI A, but, the CER Directive will likely be implemented in another act, and relationship to the Norwegian Security Act (with a partially overlapping scope) must be further examined. 

Key Obligations

Member States must identify critical entities by 17 July 2026, based on their provision of essential services and the significant impact that any disruption could have. These entities must be notified of their status and obligations.

Critical entities are required to conduct risk assessments and implement appropriate and proportionate measures to ensure their resilience. This includes measures to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from incidents. Entities in scope will be required to demonstrate adequate employee security management, access rights, procedures for background checks and ensure adequate awareness training of its personnel.

Member states must define a regime for conducting background checks for personnel with sensitive roles or access to critical premises and systems, including criminal records. For Norway, this will likely require a supplementary legal basis for obtaining a police certificate of conduct.

Entities must notify competent authorities of incidents that significantly disrupt the provision of essential services within 24 hours, followed by a detailed report no later than one month thereafter.

Status

• EU: European Parliament approved proposal on 12 March 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending

Scope 

The proposal aims to enhance the functioning of the internal market by introducing EU-wide cybersecurity requirements for design, development, production and making available on the market of hardware and software products.

The Regulation will apply to all products that are connected, indirectly or directly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing rules, such as medical devices, aeronautical products and cars.

In addition to crucial cybersecurity requirements, the Regulation will impose obligations on economic operators and introduce provisions for conformity assessment, notification to conformity assessment bodies, and market surveillance.

Relevance

The objective of the proposal is to address deficiencies, clarify connections, and enhance the overall coherence of existing cybersecurity legislation. This includes ensuring the security of products with digital components, such as ‘Internet of Things’ (IoT) products, across the entire supply chain and throughout their lifespan which will affect the businesses of both manufacturers, importers and distributors.

Key Obligations

The main obligations from the Commission proposal are:

• Rules to rebalance responsibility for compliance towards manufacturers, imposing obligations such as providing cybersecurity risk assessments, issuing declarations of conformity and cooperation with authorities.
• Vulnerability handling processes for manufacturers to manage vulnerabilities and ensure cybersecurity in digital products, along with responsibilities for economic operators such as importers or distributors in relation to those processes.
• Steps to enhance transparency regarding the security of hardware and software products for both consumers and business users.
• Establishment of a market surveillance framework to enforce compliance with the Regulations.

Status

• EU: European Parliament adopts first reading position on 24 April 2024
• EEA: Pending
• Norway: Pending

Scope 

The EU Cyber Solidarity Act aims to enhance cooperation at the Union level for better detection, preparation, and response to significant or large-scale cybersecurity incidents. This involves establishing a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.

Relevance

The initiative will likely not be incorporated into the EEA agreement once adopted. However, there is a chance that Norway might participate the European Cybersecurity Shield and Cyber Emergency Mechanism through a bi-lateral agreement with the EU.

Key Obligations

To swiftly and effectively identify major cyber threats, the Commission proposes setting up a European Cyber Shield. This will be a pan-European infrastructure comprising national and cross-border Security Operations Centres (SOCs) across the EU. These SOCs will use cutting-edge technologies like artificial intelligence (AI) and advanced data analytics to detect and share timely warnings on cyber threats and incidents across borders. This approach allows authorities and relevant entities to respond more efficiently and effectively to major incidents.

The goal is to have these centres operational by early 2024. In preparation for the European Cyber Shield, the Commission, under the Digital Europe Programme, selected three consortia of cross-border Security Operations Centres (SOC) in April 2023. These consortia bring together public bodies from 17 Member States and Iceland.

Additionally, the EU Cyber Solidarity Act introduces a Cyber Emergency Mechanism to boost preparedness and enhance incident response capabilities in the EU.

Status

• EU:  Date of application is 17 January 2025
• EEA: Considering relevance
• Norway: Public consultation initiated on 23 January 2024

Scope 

The Digital Operational Resilience Act (DORA) specifically targets enhancing cybersecurity within the financial sector. It encompasses a wide range of financial entities in the EU, including banks, investment firms, and payment service providers. The proposal also introduces a supervisory framework for ICT providers, such as cloud service providers.

Relevance

DORA is highly relevant in addressing the increasing cybersecurity threats faced by the financial sector, given its critical role in the economy and society at large. By imposing stringent cybersecurity measures and promoting proactive risk management practices, DORA aims to enhance the resilience of financial institutions, safeguard customer data, and maintain trust in the stability of the financial system.

Based on the public consultation initiated on 23 January 2024 in Norway, the Regulation is to be implemented by a new act on digital operational resilience for the financial sector, and amendments to several acts and Regulations in the finance sector.

Key Obligations

DORA mandates financial institutions to establish robust cybersecurity frameworks to protect their operations and sensitive data from cyber threats. This includes implementing measures such as risk assessments, ICT policies, adequate security controls and a operational resilience testing program as an integral part of the ICT-risk management framework.

Financial entities are required to establish an incident management process to detect, manage and notify ICT-related incident. In addition, record all ICT-related incidents and significant cyber threats. Furthermore, the entities must report cybersecurity incidents to relevant authorities, enabling swift response and mitigation efforts. Timely reporting helps to minimize the impact of cyberattacks and enhances overall sector resilience.

The Regulation provides comprehensive rules on third party risk management. Except for micro-enterprises, all enterprises are required to have a vendor risk strategy that meets specific criteria, maintain a registry of ICT services used, and annually report new contracts and planned ICT service agreements for critical functions to the supervisory authority. Before entering into an agreement with an ICT provider, an enterprise must conduct evaluations and ensure the provider adheres to appropriate information security standards.

Status

• EU: Date of application is 18 October 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending.

Scope 

Operators of essential and important services within several sectors such as energy, transport, wastewater, food, research, IT (managed service providers and managed security service providers), public administration and postal and courier services. The margin of maneuver for member states in identifying entities subject to the directive is reduced compared with the NIS 1 Directive.

Micro- and small enterprises (less than 50 employees and annual turnover below 10MEUR) are as a starting point not subject to the Directive. Such enterprises may still be encompassed, e.g. if they are considered to have a key role in society, the economy or a certain sector (e.g., sole supplier to an EU country, or entities operating a particularly vulnerable business).

The distinction between essential and important services is only relevant for the supervisory regime (ex-ante supervision for essential services, and ex-post supervision for important services).

Relevance

NIS 2 not only addresses the challenges and limitations of NIS 1 but also introduces enhanced measures to ensure a unified and robust cybersecurity framework across Europe.

Implementation in Norway will likely be done through amendments to the Digital Security Act.

Key Obligations

Like under the NIS 1 Directive, entities in scope are required to conduct a risk assessment and implement security measures appropriate to the risk. However, the NIS 2 Directive imposes a broad range of minimum measures, including: i) business continuity; ii) supply chain security; iii) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; basic cyber hygiene practices and training; iv) policies and procedures regarding use of cryptography; and v) human resources security.

The Directive further enhances the notification regime for cybersecurity incidents, through a three-step model where an early warning and initial information must be provided within 24 hours, an initial assessment of the incident within 72 hours, and a detailed report with identified root cause and mitigation measures within one month.

Supervisory authorities are given broad powers to supervise and impose sanctions, e.g. trough on-site inspections, security scans, requests for evidence of implementation of policies, and binding instructions. Further, the regime for regulatory fines is harmonized, meaning the maximum fine must be at least EUR 10 million or 2% of the total global annual turnover of the business, whichever is higher for essential service providers. For important service providers, the maximum fine must be at least EUR 7 million or 1.4% of the total global annual turnover.

Status

• EU: Date of application was 10 May 2018
• EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 3 February 2023. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision.
• Norway: The Norwegian Parliament adopted the Act on Digital Security implementing the Directive on 12 December 2023

Scope 

The Act applies to operators of essential services within the sectors energy, transport, banking, health, financial market infrastructure, drinking water supply and distribution and digital infrastructure. It is expected that further criteria for identifying operators of essential services will be regulated in a Norwegian Regulation (forskrift) to the act.

Providers of digital cloud computing services, online search engines and online marketplaces, except for micro- and small enterprises (less than 50 employees and annual turnover below 10MEUR) are also in scope.

Relevance

The Digital Security Act is the first cross-sector regulation addressing cybersecurity in Norway, and is likely to have a particularly large impact on businesses that are not already subject to sector-specific digital security requirements. However, having been “tried and tested” in the EU, the Directive faced challenges including varying national implementations, insufficient scope to cover all relevant sectors, and a lack of clarity on certain obligations, leading to fragmentation and inconsistencies.

Recognizing these issues, NIS2 was introduced to provide a more comprehensive and harmonized approach. For Norway, implementing its own digital security act to implement NIS1, transitioning towards NIS2 will necessitate updates to the national act, reinforcing Norway’s commitment to enhancing cybersecurity resilience in line with evolving EU standards.

Key Obligations

Entities subject to the act will be required to conduct a risk assessment of network and information systems used in the provision of the relevant service. Based on the assessment, entities must implement technical and organizational measures to ensure an appropriate level of security. Specific security measures to be implemented are expected to be regulated in a Norwegian Regulation to the act.

The act further imposes a notification obligation to supervisory authorities where a security incident significantly impacts the service delivery.

Supervisory authorities have a right to demand information and access to encompassed entities’ premises and equipment. Breaches may be sanctioned by rectification orders and/or fines, not only directed at the entity level, but also towards individuals acting on behalf of the company.

Status

• EU: Date of application was 7 June 2021
• EEA: EEA Joint Committee has decided to incorporate the Directive into the EEA-agreement on 8 December 2023. The Committee decision will enter into force once parliaments in EEA/EFTA countries decide to adopt the decision.
• Norway: Pending

Scope 

Directive 2019/790 has three main objectives: (i) to adapt certain key exceptions to copyright to the digital and the cross-border environment, (ii) to improve licensing practices and ensure wider access to content, and (iii) to achieve a well-functioning marketplace for copyright.

Relevance

Both Directive 2019/790 and Directive 2019/789 seek to solve copyright challenges in the light of transnational consumption and new technologies. The Norwegian Government has launched a hearing for implementing the Directive in the Norwegian Copyright Act, with a deadline set at 15 March 2024.

Key Takeaways

Directive 2019/790 is meant to further harmonize copyright legislation, as well as closely related rights. The Directive makes it easier to use copyright-protected material for different purposes, mostly related to access to knowledge, by introducing mandatory exceptions to copyright to foster text- and data mining, digital uses of works for the purpose of illustration for teaching, and the preservation of cultural heritage. Furthermore, the Directive aims to enhance protection of press publications for online use, as well as strengthening the rights of license holders.

Status

• EU: Date of application was 7 June 2021
• EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 8 December 2023. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision.
• Norway: Pending

Scope 

Directive 2019/789 aims to improve the cross-border availability of television and radio programs in the internal market, by facilitating clearance of copyright and related rights for certain online services of broadcasters and for the retransmission of television and radio programs by means other than cable. The Directive also contains rules for programs transmitted via direct injection.

Relevance

Both Directive 2019/790 and Directive 2019/789 seek to solve copyright challenges in the light of transnational consumption and new technologies. The Norwegian Government has launched a hearing for implementing the Directive in the Norwegian Copyright Act, with a deadline set at 15 March 2024.

Key Takeaways

Directive 2019/789 is meant to increase access to broadcast programs from other Member States. It includes the application of the country of origin-principle for ancillary online services, rules governing the exercise of retransmission rights by rightholders other than broadcasting organisations, and provisions for mediation in cases where agreements cannot be reached. Additionally, it sets rules for the transmission of programs through “direct injection,” and amends the definition of “cable retransmission” in Directive 93/83/EEC. The Regulations in the Directive will have a positive effect on consumers, license holders and distributors.

Status

• EU: European Parliament adopts first reading position on 14 March 2024
• EEA: Pending. The Commission has marked the proposal as EEA-relevant
• Norway: Pending

Scope 

The Design Directive and the Community Design Regulation applies to the registration of design rights and community design rights, respectively.

The proposal widens the scope of the Design Directive and Community Design Regulation by broadening the definitions of “design” and “products”. The definition of “design” will now extend to the movement, transition, or any other sort of animation of design features. The definition of “product” will now also include designs not embodied in physical products, objects materializing in digital form (e.g. NFTs), spatial arrangements of items intended to form an interior environment, and graphical user interfaces.

Relevance

The proposal to revise the Design Directive and the Community Design Regulation seeks to align the design protection systems in the EU with the digital age and make it more accessible and efficient for applicants. Of particular interest for the technology sector is the expanded possibility to register digital designs, such as graphic user interfaces.

Key Takeaways

Other main changes of the proposal include:

• Expanding the scope of design protection by including means such as 3D printing technologies
• Introduction of a “repair clause”, in which design protection shall not be conferred to designs that constitute component parts of a complex product, where the appearance of the design is dependant for the sole purpose of the repair of that complex product in order to restore its original appearance
• Revising the registration process, by broadening the means of which applicants can represent their designs, for example by video or 3D printing, and allowing applicants to combine multiple designs in one application.

Status

• EU: Commission Proposal published on 27. April 2023. The European Parliament adopts first reading position, suggesting extensive changes to the proposal
• EEA: Not of EEA-relevance
• Norway: No information available

Scope 

The initiative, once adopted, will cover all patents registered in the EU – both national and Unitary patents. In addition, patent applications, utility models and supplementary protection certificates (SPCs) will also be covered. The scope is limited to EU emergencies, such as a pandemic.

Key Takeaways

The proposal seeks to combat the geographical restrictions of national patent law, by granting the Commission the power to issue EU-wide compulsory licenses during an EU emergency. This means that third parties can obtain a license to use a patented invention without consent from the patent owner, when certain conditions are fulfilled. The license will be effective in all EU member states.

Relevance

The Commission made the initiative in the aftermaths from the COVID-19 pandemic, where lack of production capacity to produce COVID-19 vaccines was a major bottleneck for governments when tackling the virus. Patent protection of the vaccine technology also contributed to a limited supply of vaccines.

Although governments can issue compulsory licenses to third parties to increase production capacity, a national compulsory license only has national effects. In the case of cross-border supply, which constitutes the norm within the EU, a third party must seek a license in every country it wishes to produce and sell the medicine, if the invention is patented in the given country. Today, there is no coordination mechanism in place between governments if a single third party has applied for a license concerning the same invention in several countries – creating an administrative and economic barrier for seeking compulsory licenses overall. Thus, the initiative, once adopted, will equip the Commission with the powers to issue compulsory licenses effective in all EU member states through a single application – and thereby removing the trade barriers to a certain extent.

Although the legal act likely will not be incorporated into the EEA agreement once adopted, the initiative is a major stepping stone for the Union when combatting epidemics and pandemics affecting EU member states and the internal market.

Status

• EU: Date of application is 1 December 2025
• EEA: Not of EEA-relevance
• Norway: No information available

Scope 

EU-wide protection of geographical indications has traditionally been reserved for wines, spirit drinks and other agricultural products and foodstuffs, i.e. Champagne and Prosciutto di Parma. Starting from 1 December 2025, craft and industrial goods will benefit fully from EU-wide protection of geographical indication (such as Murano-glass and Donegal-Tweed).

The Regulation also has implications for already existing Regulations on protection of geographical indications.

Relevance

The Regulation is deemed as non-relevant for EEA. It is, however, worth having knowledge of this Regulation when handling European trademark matters.

Key Takeaways

This Regulation addresses the need for protection of craft and industrial products. The EU has deemed it necessary to grant protection to these types of products as they are often closely linked with specific geographical areas which again often involve specific methods of productions based on local knowledge that stretches far back in time.

Protection of geographical indications for craft and industrial products will, inter alia, help producers stay competitive in niche markets, provide consumers with better information about the authenticity of products, and boost regional economies.

Status

• EU: Commission Proposal published on 27 April 2023. European Parliament adopts negotiating position
• EEA: Not of EEA-relevance
• Norway: No information available

Scope 

The legal act will affect patent holders, when the invention is considered to be a standard (SEP), such as 5G-technology or USB. Standards are developed by businesses through standard-setting organizations (SSO). Such technology is essential for many devices or activities in everyday life and are therefore inevitable.

Relevance

Although the initiative is not of EEA-relevance, it is worth having knowledge of the proposal when dealing with SEP’s and FRAND-licensing.

Key Takeaways

The proposal concerns the licensing of SEP’s. In order to use a SEP, third parties will need a license to use the patent. SSOs require SEP-owners to provide licenses on FRAND-terms (fair, reasonable, and non-discriminatory). Today, many disputes arise during negotiations of FRAND-terms, and the system of obtaining a license is non-transparent and unforeseeable.

The Commission Proposal creates a framework for SEP-licensing. SEP-owners must register their standard in a database at EUIPO and will be object to a maximum royalty rate when licensing their technology. In addition, EUIPO will facilitate dispute resolution to determine FRAND-terms. The framework will not aim to standardize the FRAND-terms in advance, as the exact contents of a license should be negotiated between the parties.

Status

• EU: Commission Proposal published on 27 April 2023
• EEA: Pending. The Commission has marked the proposals as EEA-relevant
• Norway: Pending

Scope 

On 27 April 2023, the Commission proposed a comprehensive reform of the SPC regime, including four Regulation proposals. Supplementary protection certificates (SPCs) are intellectual property rights extending the 20-year term of patent protection for medicinal or plant production products by up to five years.

Relevance

The amendments to the Regulation on SPCs for plant and medicinal products are marked as EEA-relevant, but Norwegian authorities have not yet decided on how the changes should be incorporated into Norwegian law. As the EEA states are not part of the unitary patent system, a unitary SPC will not confer rights in the EEA states.

Key Takeaways

The new Regulations from the EU on SPCs aims to simplify the EU’s SPC system as regards to national SPC’s for plant production products and medicinal products, as well improve its transparency and efficiency. This reform will replace the existing SPC Regulations with new ones, for medicinal products and plant protection products respectively. Each will establish a centralized SPC filing and examination procedure that will give rise to a bundle of national SPCs in the designated EU member states. The centralized procedure will be available where the basic patent is a European patent, and the product has market authorisation.

Further, two additional proposals also introduce unitary SPCs both for medicinal products and for plant protection products on the basis of unitary patents. It is the European Union Intellectual Property Office (EUIPO) that will handle both unitary SPC applications as well as centralized SPC applications.

Status

• EU: Effective in 17 participating EU member states
• EEA: Not relevant
• Norway: No information available

Scope 

The Unitary Patent system covers all patentable inventions.

Relevance

Although a Unitary Patent will not grant patent protection in EEA countries, Norwegian inventors can register a patent with unitary effects through EPO. A Unitary Patent can be said to be a double-edged sword: Although it limits the administrative burden for patent owners by making it possible to invoke patent infringement for a single court, the patent owner also runs the risk of having his patent revoked through a single decision. In the latter circumstance, the revocation of the patent will be effective in all participating EU member states, whereas a patent without unitary effects would have to be revoked in all individual countries where the patent is registered.

Key Takeaways

On 1 June 2023 the Unitary Patent System was successfully launched. The Unitary Patent is a legal title, granted by the EPO, that provides uniform patent protection across the EU member states that have ratified the Agreement on a Unified Patent Court. The Unified Patent Court offers a common patent jurisdiction (both Unitary Patents and European patents) for the participating member states. A Unitary Patent does not confer patent rights in the EEA/EFTA States.

Status

• EU: Date of application was 2 May 2023
• EEA: Pending. The Commission has marked the Regulation as EEA-relevant
• Norway: Pending

Scope

The Digital Markets Act (“DMA”) requires that the big tech companies, the so called “gatekeepers”, complies with the DMA in the provision of their core platform services. The classification as gatekeeper follows a set of objective criteria:

• Firstly, the service provider needs to have a significant impact on the internal market. The DMA sets a high threshold before the condition of significant impact is presumed to be met (annual turnover in the EU equal to or above EUR 7,5 billion in each of the last three years or a market value of EUR 75 billion in the last year).
• Secondly, the service provider must deliver a core platform service which is an important gateway for business users to reach end users. Again, the threshold is high before the condition is presumed to be met (45 million monthly active end users in the last year and over 10 000 yearly active business users).
• Thirdly, the service provider needs to hold a strong and durable position in the market.

Relevance

It is expected that classification as a gatekeeper will be reserved for a very limited group of companies, with the big tech companies like Apple, Meta, Amazon, Google and Microsoft as likely candidates. However, note that the EU Commission is granted the authority to classify service providers as gatekeepers on the basis of a market investigation even if the abovementioned market thresholds are not met. While we do not expect many Norwegian companies to be subject to the DMA, a proper understanding of the DMA will be important in order to protect the legal rights of Norwegian companies, either as competitors or customers of the gatekeepers. The DMA is likely to be implemented in Norway through a new act.

Key obligations

In order to ensure open and fair digital markets, the DMA introduces a set of obligations and prohibitions that gatekeepers must comply with.

Gatekeepers must allow business users access to their data and make it easy for consumers to switch platforms or services and ensure that their messaging services are interoperable with those of competitors, facilitating a broader choice for consumers.

Further, to foster a more competitive digital environment, the Regulation restricts gatekeepers from ranking their own products or services higher than those of their competitors on their platforms, and from pre-installing certain software applications and setting their own services as the default. Additionally, gatekeepers are not allowed to force users to sign up for additional services as a condition for using their platform.

The Regulation also imposes a general ban on retaliating against users who take advantage of the rights and options provided by the DMA.

Non-compliance with the DMA may result in significant fines (up to 20% of the gatekeeper’s total worldwide annual turnover) or structural obligations, such as the sale of (parts of) a business.

Status

• EU: Date of application was 17 February 2024
• EEA: Pending. The Commission has marked the Regulation as EEA-relevant
• Norway: Pending

Scope 

The DSA applies to providers of intermediary services, such as internet access providers, hosting services, domain name registrars, online marketplaces, app stores, social networks, content-sharing platforms and online travel and accommodation platforms.

The DSA classifies these intermediaries into different categories, such as intermediary services, hosting services, online platforms, and very large online platforms (VLOPs), each subject to tailored obligations based on their size, impact, and the risk they pose to society.

Relevance

An important backdrop for the DSA is a desire to regulate today’s situation where platform owners themselves may determine what content should be displayed, and what should be removed. Manipulation of content may pose risks to principles of democracy, e.g. in connection with elections. The DSA further aims to ensure equal market conditions for platform providers, a market dominated by a limited number of actors.

Implementation in Norway is expected to be made through a new act and amendments to the Norwegian E-commerce act.  

Key Obligations

Intermediary services will be required to publish transparency reports on their content moderation practices, including the handling of illegal content and the implementation of their terms of service. Platforms must establish mechanisms allowing users to easily report illegal content and take swift action to remove or disable access to such content, while at the same time mandating users’ fundamental rights to freedom of expression and information.

Online marketplaces must ensure the traceability of business users on their platforms to combat the sale of illegal goods, services, or content, and allow for effective internal and external complaints (e.g. with respect to removal of content). Further, users must receive clear information about why they are shown specific advertisements and who is sponsoring them. Manipulative design (such as “dark patterns” that could prevent users from making free and informed decisions) will be prohibited.

VLOPs face additional obligations, such as risk assessments, independent audits, and adherence to codes of conduct. They must also provide data access to researchers, e.g. to understand how online risks evolve. This would in practice entitle researchers to conduct “scraping operations” on platforms for authorized purposes.

Status

• EU: Effective 1 July 2016. Amendment proposal published 3 July 2021
• EEA: Effective 1 June 2019
• Norway: Effective 15 June 2018

Scope 

The eIDAS Regulation (electronic identification and trust services) aims to facilitate secure and seamless electronic transactions and to establish a standardized framework for electronic identification and trust services across the European Union.

Providers of eID (Electronic identification), electronic signature, electronic seal, timestamping services, electronic delivery service certificate and services or website authentications are covered by the rules of the regulation.

The proposed amendment represents a significant expansion of the scope of the regulation; member states are not only required to recognize, but also to provide means of electronic identification, and the scope is extended to cover new types of trust services as well as the implementation of a new digital wallet. This wallet, in addition to serving as a high-level eID solution, can also include certified attributes such as driver’s licenses, diplomas, vaccine passports and more.

Relevance

The regulation ensures mutual recognition of eID and trust services across member states, enabling individuals and businesses to access online services across borders. It promotes trust, security, and interoperability in electronic transactions, fostering the development of a digital single market within the EU. The member states are empowered to establish their own penalties and enforcement mechanisms for non-compliance with its provisions.

Key Obligations

Key take obligations from the regulation are:

• Mutual recognition of electronic identification in the Member states.
• Electronic signatures and seals that comply with eIDAS are legally valid and enforceable.
• Providers of qualified trust services must meet specific requirements and be listed on trusted service lists.
• Trust service providers must ensure security and integrity of their services.

Status

• EU: Date of application was 21 December 2020
• EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 24 September 2021. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision
• Norway: Proposal for new Electronic Communications Act published on 12 April 2024

Scope 

The ECD modernizes and consolidates the existing electronic communications Directives from the early 2000’s, implemented in Norway through the Electronic Communications Act. Its main purpose is to stimulate investments in and the rollout of high-speed networks across the EU, strengthen the internal market, and enhance consumer rights. The ECD also broadens the scope of application to cover services on new platforms (such as Messenger, WhatsApp) to ensure a level playing field for operators, and the Norwegian implementation also contain regulations addressed at data centre providers.

The Directive also introduces a universal service obligation for basic broadband service (so that all end-users can access basic broadband services at a reasonable price at a physical address)

The ECD primarily applies to providers of electronic communications networks (physical and virtual infrastructure used to convey signals across points), electronic communications services (services providing connectivity to the internet and services enabling direct interpersonal and interactive exchange of information between a finite number of persons) and associated facilities/services (access to physical infrastructure, databases, software, systems for billing or customer management, and other services necessary for the provision of electronic communications).

Relevance

The ECD addresses the challenges and opportunities arising from the increasing demand for mobile broadband and the need for high-speed internet as a foundation for innovative digital services. For businesses, it offers a clearer regulatory environment that encourages investment in high-speed networks and new technologies like 5G. For consumers, it promises better services, more choices, and enhanced rights.

The ECD will be implemented in Norway through a new Electronic Communications Act, replacing the existing framework which was drafted in a time where only half of the Norwegian population had internet access at home, and where smartphones were practically non-existent. The new act is modernised to support technological developments, a new digital threat landscape and users’ need for access to high-speed internet. The proposal is now formally awaiting approval by the Norwegian parliament.

Key Obligations

The ECD introduces several obligations to safeguard a variety of purposes.

The existing market regulation regime (with the possibility of asymmetrical regulations for providers with significant market power like Telenor in Norway) is maintained, with some adaptions. For instance, significant market players obligation to provide access to competitors is limited where competitors have been offered reasonable opportunities to co-invest in new high-speed networks. It further allows certain obligations to be imposed on owners of parts of the fixed network (e.g., in housing cooperatives), and grants the authority to mandate national roaming in mobile networks in areas where parallel network establishment is economically inefficient or physically impossible.

Member States must manage radio spectrum more effectively and promote efficient use, ensuring long-term investment certainty for operators. This includes coordinating spectrum assignments for wireless broadband and 5G networks, with a minimum license duration of 15 years to stimulate investments.

Consumers are expected to benefit from fully harmonized transparency requirements with respect to contract terms, service quality, prices and the possibility to switch providers with number portability. The Norwegian Electronic Communications code obliges providers to make it easy for users to switch providers without interruption of internet service, allows for more control of consumption and costs, and enhances security and privacy obligations of providers by imposing risk management and measures to protect the security of networks and services.

The consent requirement for cookies and related technologies are enhanced by harmonizing the consent requirements with those set out in the GDPR (freely given, specific and informed). Implicit consent through web browser settings will likely no longer be sufficient in Norway

The Norwegian legislative proposal include data centre regulations, and require data centre operators to register with authorities prior to commencing their operations, implement adequate security measures and emergency preparedness, and prioritize important societal actors when needed.

Providers are required to ensure that all end-users, regardless of their geographic location, have access to affordable and high-quality electronic communications services, including voice and data services. It is also worth noting that number-independent services (such as Messenger and WhatsApp) will be subject to universal service obligations such as allowing users with disabilities to call the emergency number.

Status

• EU: Date of application was 16 September 2022
• EEA: Pending
• Norway: Pending

Scope 

The European Media Freedom Act aims to safeguard and advance media freedom and pluralism throughout the European Union. It aims to create a media landscape that upholds the principles of freedom of expression, access to information, and democratic values. The act seeks to prevent undue influence, censorship, and restrictions on media outlets, journalists, and their ability to report freely and independently. It also addresses issues related to media ownership, transparency, and accountability.

Relevance

Businesses such as media organizations, advertising and PR Agencies, digital platforms and social media companies and businesses with media partnerships should pay particular attention to the act, due to the more direct impact of the act.

The specific penalties for non-compliance with the European Media Freedom Act may vary depending on the laws and regulations of individual member states.

Key Obligations

Key obligations in the European Media Freedom Act include protecting and promoting media freedom and pluralism, ensuring the independence of media organizations, preventing undue influence or censorship, promoting transparency and accountability in media ownership, and safeguarding journalists’ rights to report freely and independently.

Status

• EU: Effective from 11 October 2018
• EEA: Effective from 1 February 2021
• Norway: Incorporated 26 October 2016

Scope 

The Web Accessibility Directive ensures that websites and mobile applications of public sector bodies are accessible to all individuals, including those with disabilities.

The directive applies to public sector bodies at the national, regional, and local levels, as well as entities that provide services on their behalf.

The directive aims to remove barriers and provide equal access to information and services online, promoting inclusivity and non-discrimination. Accessibility requirements includes such as providing alternative text for images, ensuring proper color contrast, and implementing keyboard navigation options.

Relevance

Public sector bodies and entities that provide services on their behalf, should be aware of the Web Accessibility Directive, as non-compliance may lead to legal consequences for non-compliance, including fines, and reputational damage. The specific legal consequences of non-compliance with the Web Accessibility Directive may vary depending on the laws and regulations of individual member states.

Key Obligations

Key obligations in the Web Accessibility Directive include ensuring compliance with accessibility requirements, providing accessibility statements, monitoring and reporting on accessibility, addressing identified issues, and collaborating with stakeholders to promote equal access to digital services.