04/06/2026

The EU AI Act is coming to Norway in 2026. Here's what actually matters for an SMB.

The EU AI Act is on its way into Norwegian law — most likely during 2026, possibly slightly later due to EEA negotiations. Consultants are selling panic packages. Most of it doesn't apply to your 40-person SMB — but three things do. Here's what actually matters.

The EU AI Act is on its way into Norwegian law. The original target was summer 2026, but EEA negotiations may delay it — most likely the law takes effect in Norway sometime in 2026, possibly slightly later. The consulting industry is already in motion — you've probably received at least one email about "AI Act compliance packages" in the past month.

Most of what they're selling doesn't apply to you.

The AI Act is designed primarily for two groups: providers of AI systems (OpenAI, Anthropic, Microsoft) and businesses that use AI for high-risk decisions — biometric identification, hiring, credit assessment, critical infrastructure, law enforcement. If you run a 40-person SMB that uses Microsoft 365 Copilot for emails and ChatGPT for drafting proposals, you most likely fall into the "minimal risk" category. Your obligations are minimal.

One important nuance if you sell into the EU market: the ban on certain AI practices (social scoring, manipulation of vulnerable groups) has been in force in the EU since February 2025. Rules for general-purpose AI models have applied since August 2025. If your business delivers services directly to EU customers, you may already be covered by these parts — regardless of when Norway formally implements.

But there are three concrete realities you do need to deal with. Let's take them in order.

First: are you actually in the high-risk category?

Yes, if you use AI for any of these: automated screening of job applications, automated credit assessment of customers, biometric identification (face recognition at the door), AI-assisted HR decisions affecting salary or position, AI that controls critical infrastructure (power, water, transport). The list comes from Annex III of the regulation. If you do any of these, the AI Act has a lot to say about what you must document, how you must monitor it, and the risk management you need in place.

If you do NOT do any of that — as most Norwegian SMBs don't — you can breathe more easily.

Second: if you use someone else's high-risk AI, you still have obligations.

This is where the consultants have a point. The AI Act distinguishes between those who BUILD the AI system (providers) and those who USE it (deployers). Both have obligations. If you buy an HR screening tool from a vendor and use it on your job applications, you are a deployer of a high-risk system — and that triggers your own set of requirements.

You must be able to document that there is human oversight, not just automated decision-making. You must be able to explain to the applicant how the system was used. You must be able to show that you've done a basic risk assessment.

It isn't rocket science, but it isn't free either. Audit your tools before August.

Third: the fines are real, but proportional.

The worst fine — 35 million euros or 7% of turnover — applies to prohibited AI practices (social scoring, manipulating vulnerable groups, and the like). The vast majority of Norwegian SMBs will never come anywhere near those prohibitions.

The fine for high-risk breaches is 15 million euros or 3% of turnover. For an SMB with 50 million in revenue, that's 1.5 million — still serious, but not company-breaking. And it requires an actual breach, not just a grey-area judgment call.

The realistic risk for a Norwegian SMB isn't a financial catastrophe. It's a GDPR-style sliding-scale situation: a customer complains, an auditor asks, a partner requests an AI statement you can't provide. That's what you're preparing for.

The boring work that actually helps you:

You don't need a compliance package from a consultant. You need to do three things, and you can do them yourself in an afternoon.

First: make a list of every AI tool in use across your company. Copilot. ChatGPT. Invoice scanning in Tripletex. Any agents or automations running in the background. Don't estimate — actually ask employees what they're using.

Second: per tool, classify the risk. Most will land in "minimal" or "limited." If something is used for hiring, credit assessment, or anything else on the list above — flag it as high-risk and document it further.

Third: write down who is responsible for what. The "human oversight" requirement in the AI Act isn't about a lawyer sitting next to Copilot. It's about someone in the organisation having the authority to override the AI — and knowing they have it.

Nkom will be the coordinating supervisory authority in Norway. Datatilsynet will continue to enforce GDPR for the data-protection side. Both have signalled a pragmatic enforcement period to begin with — they aren't going to be hunting down 30-person accounting firms in January 2027.

You're going to be fine. But you should make the list.

Roger Agerup

Founder and AI advisor