In 2025 Norway shifted from strategy to implementation on artificial intelligence. The government designated Nkom as the national artificial intelligence supervisor, named Norsk akkreditering as the accreditation body and launched KI-Norge inside Digdir with a national sandbox. Datatilsynet continues to operate privacy sandboxes for pilots at agencies such as UDI, Lånekassen and NAV. The state also sustained a NOK 1 billion ‘AI Research Billion’ to keep research and talent local and to support experimentation under controlled conditions.
The legal and operational picture aligns Norway with the EU Artificial Intelligence Act while continuing to apply the Personal Data Act (GDPR). Public bodies must plan for data protection impact assessments (DPIAs), records of processing, risk management, human oversight and logging. The article highlights explicit duties including 72-hour breach reporting and potential fines up to EUR 35 million or 7 percent of global turnover for violations. Teams are advised to bake compliance costs into budgets up front for DPIAs, documentation and procurement clauses.
Practical data scale and reuse issues are emphasised. Norway is planning for very large data volumes, cited at about 72 gigabytes per person per day, which creates storage, governance and privacy trade-offs. Repurposing citizen data requires documented lawful bases and assessment under Article 6(4). Cross-border transfers need adequacy, standard contractual clauses or supplementary safeguards. Datatilsynet remains the privacy gatekeeper and agencies are urged to involve data protection officers early and keep records audit-ready.
Public-sector adoption is moving from pilots to production, with use cases including Lånekassen’s residence verification, DFØ’s automatic invoice posting and NAV’s expanded automated case processing. The potential eGovernment upside is estimated at roughly NOK 26 billion, with a workforce profile that the article describes as largely ready for digital adoption: about 96.5 percent basic digital skills and roughly 85 percent of roles complementable by artificial intelligence. Sandboxes and KI-Norge are presented as ways to reduce risk while scaling.
Risk management, procurement and generative model concerns are central. National security guidance calls for secure-by-design practices, supply chain mapping, vendor verification and an incident playbook tied to the 72-hour clock. Procurement thresholds and remedies are noted: contracts under NOK 100,000 are generally exempt, many authorities face stricter rules around NOK 1.3 million, KOFA complaints carry an approximate fee of NOK 8,000 and remedies can reach 15 percent of contract value. The article’s recommended next steps are to establish clear governance first, run DPIAs and fundamental-rights assessments where relevant, require vendor documentation, build a 72-hour incident playbook, plan procurement early and upskill teams in prompts, tooling and governance.