Navigating Norway’s 2025 Electronic Communications Act

Introduction

The Norwegian Electronic Communications Act is a cornerstone of Norway’s digital regulatory framework, governing electronic communications networks, services, and related equipment nationwide. Its 2025 revision implements the European Electronic Communications Code (EECC), aiming to secure “good, reasonably priced and future-oriented” communication services while safeguarding personal data and user privacy. By broadening the scope to include number-independent interpersonal communication services (NI-ICS), such as TikTok, Instagram, Messenger, and WhatsApp, the Act now covers a wider range of digital service providers, ensuring consistent data protection across emerging platforms.

At its core, the Act seeks to enhance user trust by embedding data protection and security measures directly into electronic communications services. It aligns Norway’s rules with the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive, thereby harmonizing consent requirements, data processing obligations, and user rights across European markets. The Norwegian Data Protection Authority (Datatilsynet) plays a pivotal role in interpreting the new provisions, issuing guidance on best practices for obtaining and managing consent, and enforcing compliance through audits and fines.

Understanding the Norwegian Electronic Communications Act

The 2025 E-Com Act introduces stricter requirements for obtaining user consent before deploying cookies or other online tracking technologies. Under the new regime, consent must be explicit, informed, specific, and unambiguous; mere continued browsing or pre-ticked boxes no longer qualify as valid active consent. Websites and apps must clearly explain their data collection practices, including the types of personal data collected (e.g., device identifiers, location data, user behavior metrics), the purposes of processing, data storage duration, and any data transfers to third parties.

Implied consent mechanisms have been abolished: businesses can no longer rely on browser settings or assumed acceptance to legitimize tracking of user behavior. Instead, they must implement consent management platforms (CMPs) that record each user’s explicit choices, support granular consent options for different processing purposes, and allow data subjects to withdraw consent as easily as they grant it. Businesses must also respect user consent preferences, limiting data processing before consent is obtained and clearly communicating any exceptions in privacy notices. These measures ensure that consent is freely given and that users retain control over their personal data throughout their digital interactions, in keeping with the new requirement of consent for non-essential cookies.

Key Components

The E-Com Act comprises several key components that collectively strengthen data protection and user privacy in electronic communications:

  • Classification of cookies: Analytics and marketing cookies are considered non-essential and require explicit consent. Only strictly necessary cookies (e.g., for load balancing, security tokens) are exempt from consent requirements, and users must be provided with detailed information about these cookies.
  • Expanded scope: Inclusion of NI-ICS platforms and data centers under the Act’s remit, obliging them to register with Nkom and adhere to confidentiality and reporting duties.
  • Data processing agreements: Controllers must establish written agreements with processors (including CMP vendors and analytics providers) to ensure compliance with GDPR Articles 28–29 and the Act’s security management provisions.
  • Security measures: Providers must implement robust security management systems, covering risk assessments, incident response plans, and encryption, to protect personal and sensitive data from unauthorized access or breaches, in line with the Cyber Resilience Act.
  • Regulatory alignment: The Act dovetails with other Norwegian and EU data protection laws, including the Personal Data Act (Norwegian implementation of GDPR), the Marketing Control Act, the Norwegian Security Act, the Digital Services Act, the Digital Markets Act, and the Digital Operational Resilience Act (DORA), forming a comprehensive legal framework for data protection and electronic communications.

Compliance with these components not only reduces legal risk but also positions service providers to adapt swiftly to future regulatory changes, fostering consumer trust and operational resilience.

Effective consent management is central to the E-Com Act’s requirements, and a robust consent management platform (CMP) is essential for compliance. CMPs must be designed to:

  1. Obtain valid consent: Ensure that consent is explicit, informed, and freely given, without default selections or dark patterns.
  2. Offer granular options: Allow users to consent separately to different categories of processing (e.g., analytics, marketing, personalization) in line with EDPB guidelines on consent specificity.
  3. Enable easy withdrawal: Provide a one-click mechanism to withdraw consent at any time, with no adverse consequences for users who opt out.
  4. Maintain records: Log timestamped proof of consent for each user, including the details of the information provided and the specific options selected.
  5. Protect sensitive data: Implement extra safeguards when processing special categories of personal data (e.g., health, biometrics), ensuring such data is encrypted and access-restricted under both GDPR and the Norwegian Personal Data Act.

By adopting robust CMPs, organizations can demonstrate compliance with consent requirements, streamline data subject rights requests, and maintain user trust through transparent data practices, thereby maintaining compliance with the E-Com Act.

Under the new Act, cookie consent must satisfy four criteria: freely given, specific, informed, and unambiguous, reflecting the stricter rules introduced in 2025. Key obligations include:

  • No pre-ticked boxes: All non-essential cookies require affirmative user action (e.g., clicking “Accept”). Pre-ticked boxes and implied consent are not allowed.
  • Equal prominence: “Accept” and “Reject” options must be presented with equal visual weight, avoiding manipulative design that nudges users toward consent.
  • Detailed disclosures: Cookie banners and privacy policies must describe each cookie’s purpose, data collected, retention period, and third-party recipients, in clear, plain language easily accessible from every page, to enhance user privacy.
  • Reject non-essential cookies: Users who decline cookies must still be able to access core services. Non-essential cookies may only be set after consent is recorded.
  • Ongoing audits: Regularly scan websites and apps for new tracking technologies (e.g., pixel tags, local storage) and update consent mechanisms accordingly to maintain compliance and measure site performance.

These measures ensure that users retain real control over their online tracking preferences and that businesses adhere to transparent data collection practices.

Electronic Communications

Beyond cookies, the Act regulates the broader domain of electronic communications networks and services:

  • Registration and reporting: Providers of electronic communications services (including ISPs, VoIP, messaging apps, and data centers) must register with the Norwegian Communications Authority (Nkom), report traffic data, security incidents, and network outages, and comply with the Norwegian Tax Administration’s regulations.
  • Confidentiality obligations: Traffic and location data may only be processed for specified purposes (e.g., billing, fraud prevention, customer support), and must be deleted or anonymized once no longer needed, with special care taken to protect sensitive personal data.
  • Security management: Operators must implement technical and organizational measures, such as encryption, intrusion detection, and resilience testing under DORA, to safeguard network integrity and protect data subjects from unauthorized access, ensuring that each service provider complies with these standards.
  • End-user rights: Consumers have the right to transparent information about the terms of service, data storage locations, data transfers outside Norway or the EEA, and mechanisms to lodge complaints with Datatilsynet or seek remedies under the Norwegian Personal Data Act, including how cookies and other tracking technologies are used on their device.

By codifying these obligations, the Act enhances Norway’s cyber resilience, ensures the secure flow of electronic communications, and upholds the privacy rights of Norwegian users, while also clarifying the legal implications under Norwegian law.

Data Privacy

Data privacy is a critical aspect of the Norwegian E-Com Act. The Act requires businesses to ensure that user data is collected and processed in a way that respects user rights and maintains the confidentiality, integrity, and availability of personal data. This includes implementing measures to prevent unauthorized access, disclosure, or destruction of user data. Businesses must also ensure that user data is not transferred to third parties without obtaining explicit consent, unless such transfer is necessary for providing a service or is required by law. The General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act provide additional guidance on data protection and privacy requirements.

Benefits of Compliance

Compliance with the Norwegian E-Com Act has several benefits for businesses. By ensuring compliance, companies can maintain user trust and demonstrate their commitment to data protection and privacy. This can lead to increased customer loyalty and retention, as well as improved brand reputation. Compliance also helps businesses to avoid the risks associated with non-compliance, such as fines and reputational damage. Furthermore, compliance with the Act can help businesses to stay ahead of the competition and demonstrate their commitment to responsible and transparent data practices. By prioritizing data protection and privacy, companies can build trust with their users and establish a strong foundation for long-term success.

Conclusion

Norway’s 2025 Electronic Communications Act represents a paradigm shift in how electronic communications and online tracking are regulated, embedding GDPR-level consent standards, robust security measures, and transparent data practices into national data protection laws. Organizations operating in Norway must reassess their consent workflows, data processing agreements, and security management systems to ensure full compliance and avoid enforcement actions by Datatilsynet or Nkom while navigating the evolving legal frameworks.

Looking ahead, businesses should integrate E-Com Act requirements into their broader compliance strategies, alongside the Personal Data Act, the Marketing Control Act, the Digital Services Act, the Digital Markets Act, and the Digital Operational Resilience Act, to build comprehensive, future-proof data governance frameworks. By doing so, they will not only meet legal obligations but also foster user trust, enhance digital resilience, and maintain a competitive edge in Norway’s rapidly evolving digital landscape.
