Detailed overview
Norway, Iceland and Liechtenstein are not EU Member States, but they participate in the European Economic Area. The EU AI Act has been marked by EFTA as a proposed act with possible EEA relevance and is under scrutiny by EEA EFTA, with a draft Joint Committee Decision under consideration. This means that the EU AI Act is the expected benchmark for the EEA, but its exact EEA incorporation status must be checked before treating it as fully incorporated into the EEA Agreement.
Expected effect after incorporation
Once incorporated, the AI Act framework would be expected to affect EEA businesses in the same general structure as EU businesses: prohibited AI, high-risk AI, transparency obligations, general-purpose AI duties, national competent authorities and penalties. Until incorporation is completed, AI compliance in Norway, Iceland and Liechtenstein depends on existing national laws, data-protection law, sectoral rules and any local supervisory guidance.
Norwegian sandbox
Norway is particularly active in AI and privacy. The Norwegian Data Protection Authority operates a regulatory privacy sandbox. The sandbox provides free guidance to selected public and private organisations developing or using AI and other new technologies, with a focus on privacy-enhancing innovation and compliance with data-protection rules. It helps organisations assess transparency, explainability, discrimination, bias, data sharing and other AI privacy issues.
Read together with the EU AI Act entry
The EEA article should be read together with the EU AI Act article. The core AI Act concepts are the same: an AI provider develops or markets the system, a deployer professionally uses it, high-risk AI is allowed only under strict controls, and general-purpose AI models have their own documentation and transparency duties. The timing, competent authorities and penalties in the EEA depend on EEA incorporation and local implementation.