The Norwegian Government controls 53.97% of shares in Telenor directly, as well as an additional 4.72% via the Government Pension Fund of Norway. Nonetheless, Norway has established a market regulator in the Norwegian Communications Authority, which has gradually sought to reduce the country's dependence on Telenor's networks.

It is reported that Norway does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required in certain cases: in some markets susceptible to ex-ante regulation, the SMP operator (Telenor) is obliged to report accounting separation.

Norway has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Norwegian Communications Authority (nkom), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The Norwegian Bookkeeping Act (Section 13) establishes local storage requirements for accounting data. However, exemptions can be sought – and are regularly granted – if adequate storage facilities cannot be found in Norway. Under an exemption, companies may store their data offshore so long as it can still be accessed by the Norwegian Tax Administration if required.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. In addition to companies established in the European Economic Area (EEA), the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EEA and companies that monitor the behaviour of EEA citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework has acted as a self-certification system open to certain US companies for data protection compliance since July 2023.

Norway has joined an agreement with binding commitments to open transfers of data across borders. Art. 4.11 (Cross-Border Data Flows) of the Free Trade Agreement between Iceland, the Principality of Liechtenstein, the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland states that the parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the parties by a party requiring the use of computing facilities or network elements in that party for processing, including by imposing the use of computing facilities or network elements that are certified or approved in that party; requiring the localisation of data in the party for storage or processing; prohibiting the storage or processing of data in another party; or making the cross-border transfer of data contingent upon use of computing facilities or network elements in the parties or upon localisation requirements in the parties.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behaviour of EU citizens (Art. 3). Norway thus has a fully established framework for the protection of personal data.

The Act on the Processing of Personal Data (Personal Data Act) implements the General Data Protection Regulation (GDPR) of the European Union in Norway. The GDPR requires that organisations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale must appoint a Data Protection Officer (DPO).

Norway has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Norway is a signatory of the World Trade Organization (WTO) Information Technology Agreement (ITA) of 1996 and its 2015 expansion (ITA II).

The Public Procurement Act grants rights to engage in public procurement only to those public and private enterprises "as defined in international agreements to which Norway is bound". This restricts public procurement to partners in regional trade agreements and members of the WTO's Government Procurement Agreement.

Although Norway is a signatory to the WTO Government Procurement Agreement (GPA), its coverage schedules do not include "telecommunications-related services" (CPC 754), which is an important services sector for digital trade.