Norway and the AI Act: how the EU rulebook reaches beyond the Union through the EEA

The AI Act is an instrument of the European Union, but its map does not stop at the Union's external border. Three European states sit inside the single market without sitting inside the EU — Norway, Iceland and Liechtenstein, the EEA EFTA states — and they are legally committed to taking EEA-relevant EU law into their own legal orders. Norway, much the largest of the three, is now doing exactly that with the AI Act, and the way it is doing it shows how far the Brussels rulebook travels.

The mechanism: not EU, but bound through the EEA

Norway is not an EU member and did not vote on the AI Act. Yet under the Agreement on the European Economic Area it participates in the single market and is obliged to incorporate acts that are "EEA-relevant" into Norwegian law. The AI Act is such an act. As Nkom, the Norwegian Communications Authority, puts it plainly: in Norway the Regulation is taken in through the EEA Agreement and adapted to Norwegian law and administration. The substance is the EU's; the legal vehicle is national. This is a different route from the United Kingdom's — which, outside both the EU and the EEA, is free to design its own model — and a different route again from third countries that merely take inspiration from the Act.

KI-loven: the Norwegian bill

On 30 June 2025 the Ministry of Digitalisation and Public Governance sent a proposal for a new Norwegian AI law — the KI-loven — out for public consultation, with a deadline of 30 September 2025. The bill implements the EU AI Regulation and adds national provisions where the Regulation leaves member states discretion. On the institutional design, the government has proposed Nkom as the national coordinating market-surveillance authority and EU contact point, with existing sector regulators supervising AI within their own domains; a regulatory sandbox is being developed jointly by Datatilsynet (the data protection authority), the Digitalisation Agency and Nkom.

Timing — and why it slipped

Norway aims for the law to take effect in late summer 2026, roughly when the bulk of the AI Act becomes applicable across the EU. The alignment is intentional: the point of EEA incorporation is that the same rules apply at broadly the same time, so that a provider faces one regime across the single market rather than a Norwegian island within it.

Getting there has proved slower than planned. The original ambition was to put the bill before the Storting around Easter 2026; that timetable has slipped because the EEA adaptations — the technical adjustments that let an EU regulation operate within the EEA's two-pillar structure — have taken longer to negotiate than expected. The EU's own Digital Omnibus simplification, which reopens parts of the AI Act, adds a moving target Norway must track before locking in its national text. Alongside the bill, the consultation also covers Norway's ratification of the Council of Europe Framework Convention on AI, which Norway signed on 5 September 2024 among the first group of signatories.

Why this matters beyond Norway

For organisations mapping where the AI Act actually applies, the EEA is the quiet enlargement of its footprint. Once Norway, Iceland and Liechtenstein complete incorporation, the Act's risk-based obligations and its general-purpose AI duties govern a market noticeably larger than the 27 — with the same prohibitions, the same conformity assessment and the same systemic-risk threshold, applied a little later and through national statutes rather than directly. As our overview of international AI governance argues, the real story of 2026 is convergence; Norway is the clearest case of a country that converges not by copying the AI Act but by being bound to it.