The Regulations on Electromagnetic Compatibility (2017) implement Directive 2014/30/EU of the European Parliament and the Council in Norway. Chapter 4 establishes a self-certification mechanism, which is fully detailed in Annex II of the regulations.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behaviour of EU citizens (Art. 3). Norway thus has a fully established framework for the protection of personal data.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. The GDPR requires that organisations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale must appoint a Data Protection Officer (DPO).

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. Under the GDPR, Data Protection Impact Assessments (DPIAs) are mandatory for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons.

The Act on certain aspects of electronic commerce and other information society services (e-commerce law) implements Directive 2000/31/EC (E-Commerce Directive), establishing a conditional safe harbour for Internet Service Providers (ISPs) in Norway. The limitations on liability in the Directive apply to certain clearly delimited activities carried out by internet intermediaries rather than to categories of service providers or types of information. These are caching, conducting and hosting (Sections 16–18), while Section 19 releases ISPs from monitoring obligations.
In addition, ISPs are responsible for illegal content (including copyright infringement) if they obtain knowledge or awareness that such content is present and do not expeditiously remove or restrict access to the content. As a result, many ISPs have proactively introduced user agreements to allow them to remove any controversial content – including content that is not necessarily illegal – in order to protect themselves from liability. The Ministry of Culture is working on the implementation of Directive 2019/790 on Copyright in the Digital Single Market.

The Act on certain aspects of electronic commerce and other information society services (e-commerce law) implements Directive 2000/31/EC (E-Commerce Directive), establishing a conditional safe harbour for Internet Service Providers (ISPs) in Norway. The limitations on liability in the Directive apply to certain clearly delimited activities carried out by internet intermediaries rather than to categories of service providers or types of information. These are caching, conducting and hosting (Sections 16–18), while Section 19 releases ISPs from monitoring obligations.
In addition, ISPs are responsible for illegal content (including copyright infringement) if they obtain knowledge or awareness that such content is present and do not expeditiously remove or restrict access to the content. As a result, many ISPs have proactively introduced user agreements to allow them to remove any controversial content – including content that is not necessarily illegal – in order to protect themselves from liability. Finally, Norway is obliged to implement Directive 2019/790 on Copyright in the Digital Single Market. However, it has not yet done so as of May 2022.

It is reported that Norway imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

The "Regulations relating to the Export of Defence-Related Products, Dual-Use Items, Technology, and Services" harmonise Norway's export controls with those of the European Union by subscribing to the European Dual-Use Export Control Annex. The Annex identifies a range of dual-use items that face either authorisation requirements or outright bans for exportation outside of the EU.

The Norwegian Government controls 53.97% of shares in Telenor directly, as well as an additional 4.72% via the Government Pension Fund of Norway. Nonetheless, Norway has established a market regulator in the Norwegian Communications Authority, which has gradually sought to reduce the country's dependence on Telenor's networks.

It is reported that Norway does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required in certain cases: in some markets susceptible to ex-ante regulation, the SMP operator (Telenor) is obliged to report accounting separation.

Norway has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Norwegian Communications Authority (Nkom), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The Norwegian Bookkeeping Act (Section 13) establishes local storage requirements for accounting data. However, exemptions can be sought – and are regularly granted – if adequate storage facilities cannot be found in Norway. Under an exemption, companies may store their data offshore so long as it can still be accessed by the Norwegian Tax Administration if required.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. In addition to companies established in the European Economic Area (EEA), the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EEA and companies that monitor the behaviour of EEA citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework has acted as a self-certification system open to certain US companies for data protection compliance since July 2023.

Norway has joined two agreement with binding commitments to open transfers of data across borders. These include: Free Trade Agreement between Iceland, the Principality of Liechtenstein and the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland (Art. 4.11.1), and the Free Trade Agreement Between The EFTA States And The Republic of Moldova (Art. 5.11)