Norway - Country Commercial Guide
eCommerce

Describes what a company needs to know to take advantage of e-commerce in the local market and covers prominent B2B websites.

Last published date: 2022-09-12

Cross-Border E-Commerce 

Nordic consumers have achieved an above average level of maturity when it comes to e-commerce, and foreign players enjoy good prospects for success in the Nordic region.  End users in the region, including in Norway, are technology-savvy and qualified spenders and are at the very top of e-commerce usage in Europe and globally.  Manufacturers, vendors, and retailers considering selling through the Internet can get in contact with customers more easily, but still need to consider challenges related to fulfillment, shipping, taxes, value added tax (VAT), and EU regulations.  Norway is among the countries in Europe with most cross-border shopping, and Norwegians are generally very receptive to international websites. 

The EU’s Electronic Commerce Directive (2000/31/EC) provides rules for online services in the EU.  It requires providers to abide by rules in the country where they are established (country of origin).  Online providers must respect consumer protection regulations such as indicating contact details on their website, clearly identifying advertising, and protecting against spam.  The Directive also grants exemptions to liability for intermediaries that transmit illegal content by third parties and for unknowingly hosting content.

In 2015, the European Union, launched the Digital Single Market Strategy, of which e-commerce was a priority area.  Since then, the Electronic Commerce Directive has provided rules for online services in the European Union, including requiring providers to abide by regulations in the country where they are established (the country of origin); to meet certain consumer protection rules, such as indicating contact details on their website, clearly identifying advertising, and protecting against spam.  The Directive also grants exemptions to liability for intermediates that transmit illegal contact by third parties and for unknowingly hosting content.

For more information: 

eCommerce

e-Commerce Directive

Current Market Trends 

Mobile shopping is becoming the norm, and omni channel is still a powerful strategy in many segments.  On the payment side, the local payment option VIPPS has a major market share.  Other payment options like Apple Pay are also popular.  Data-driven customer focus and partnerships with strong synergies seem to be the fortification strategy.

VAT requirement

Value Added Tax (VAT) is payable on sales of most goods and services in Norway.  The VAT rate is currently 25% on most goods and services but is 15% on the sale of food items and non-alcoholic beverages, and 12% on services like passenger transport, sporting events, movie tickets, hotel rooms and other accommodation.

As of April 1, 2020, web shops selling products to consumers in Norway are required to collect and pay VAT.  Businesses do not need to have a presence in Norway, and can register through the “VAT on e-commerce” program, called VOEC.  The U.S. company will be assigned a VOEC number, to be attached to the parcel.  When compliant, goods will be exempt from customs clearance and will arrive to the customer without delay and unpredictable handling costs, at par with European competing vendors.  This arrangement will contribute to levelling the playing field.  Norway was the first European country to implement a system for collecting VAT from foreign online sellers on low-cost products, and EU has now followed.  More information on VOEC here.

E-Commerce Services 

A wide range of service providers are present in Norway and throughout Europe and are set up to help vendors and marketplaces with all aspect of their e-commerce business in Norway.  

From a logistical point of view, e-commerce often becomes a question of volume and scale.  Depending on the product, individual parcels sent from the United States may not be able to compete in Europe because of prohibitive shipping costs and shipping time.  This is true especially for low value parcels. Several service providers in Europe, most notably in The Netherlands, specialize in hosting shipping-, handling-, and fulfillment services for small, non-EU companies.  However, there is typically a fixed cost associated with this type of service, and U.S. vendors should not expect to be profitable from the first parcel. 

GDPR

U.S. companies with an online presence offering/selling goods and services to Norway, must comply with the European General Data Protection Regulation (GDPR).  This EU data privacy law went into effect May 25, 2018. The GDPR, which replaced the Data Protection Directive 1995/46, is a comprehensive privacy legislation that applies across sectors and to companies of all sizes.  Personal data as defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier.  Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.

A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, European Economic Area residents (i.e., Norway, Lichtenstein, and Iceland), and Switzerland, if the company offers goods or services to data subjects in the European Union; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope.  For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.

Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance.  There is an exception to this requirement for small scale and occasional processing of non-sensitive data.  Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or twenty million euros – whichever is higher. 

The European Data Protection Board released official guidelines to help companies with their compliance process.

For more information:

Full GDPR text

Official Press Release

Who does the data protection law apply to?

Transferring Customer Data to Countries outside the EU/EEA

The GDPR not only provides for the free flow of personal data within the EU/EEA but also for its protection when it leaves the region’s borders.  The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates).  These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, and whether it is transferred to controllers, processors, or to third parties (e.g., subcontractors).  In addition, restrictions on transfers of personal data outside of the European Union specify that such data could only be exported if “adequate protection” is provided.

The European Commission is responsible for assessing whether a country outside the EU has a legal framework that provides enough protection for it to issue an “adequacy finding” to that country.  There has not been an adequacy finding with respect to the United States, such that U.S. companies can only receive personal data from the EU if they provide appropriate safeguards (e.g., standard contractual clauses or binding corporate rules), or refer to one of the GDPR’s derogations.

Important note:  The legal environment for data transfers to the United States continues to evolve.  Companies that transfer EU/EEA citizen data to the United States as part of a commercial transaction should consult with an attorney, who specializes in EU data privacy law, to determine what options may be available for a transaction.

The EU-U.S. Privacy Shield / Trans-Atlantic Data Privacy Framework

The EU-U.S. Privacy Shield Framework was established by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.  On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield.  As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.  This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the Privacy Shield Framework.  For more information, consult the website of the U.S. Department of Commerce, Privacy Shield Framework.  

In March 2022, the United States and the European Commission reached a deal in principle on the Trans-Atlantic Data Privacy Framework, which will enhance the existing Privacy Shield Framework. The U.S. government and the European Commission are continuing their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new framework.  For that purpose, these U.S. commitments will be included in an Executive Order that will form the basis of the Commission’s assessment in its future adequacy decision.

Cybersecurity

Revision of the Network and Information Systems (NIS) Directive

The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union.  The NIS Directive sets basic principles for Member States for common minimum capacity building and strategic cooperation.  It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements.  Obligations for operators of both groups include taking technical and organizational measures for risk management; to prevent and minimize the impact of security incidents; and to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.  Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (the NIS 2 Directive) in December 2020.  If adopted into law, the NIS 2 Directive would obligate more entities and sectors to strengthen security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisor measures and stricter enforcement requirements.   The proposed expansion of the scope of the NIS 2 Directive, by effectively obliging more entities and sectors to take measures, would strengthen cybersecurity in the European Union in the long term.  The European Parliament is expected to vote on a draft of the NIS 2 Directive, which had been agreed to by the Council of the European Union, in the second half of 2022.

Cybersecurity Act

The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services.  The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups to help it create certification schemes, which includes industry participation in accordance with the Act.

European Strategy for Data

On November 25, 2020, the European Commission introduced the Data Governance Act, the Digital Services Act, and the Digital Markets Act under the rubric of the European Strategy for Data, the Commission’s vision for a single market that supports global competitiveness and data sovereignty, among other goals.

Data Governance Act

The Data Governance Act focuses on providing a legal framework, processes, and structures to promote data sharing.  While the General Data Protection Regulation regulates international transfers of personal data, the Data Governance Act regulates international transfers of non-personal data by a user who was granted access to such data by the public sector.  The Data Governance Act focuses on the transfer of non-personal data, rules around the reuse of public sector data, and introduces a regime for data intermediaries, It also facilitates the collection and processing of data made available through a voluntary registration system for “data altruism organizations” and creates a European Data Innovation Board to enable the sharing of best practices by Member States as well as advise the Commission on cross-sector interoperability standards.  The Data Governance Act will be applicable across 27 Member States starting from September 2023.

The EU Data Act

The EU Data Act makes data sharing and the use/reuse of data easier for all by setting standards at an EU-wide level.  It covers aspects of the use of various business-to-business and government-to-business data across all sectors in relation to the use of various data.

It includes measures to allow users of connected devices to gain access to data generated by them and to share such data with third parties to provide aftermarket or other data-driven innovative services.  It also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.  The Act includes mechanisms for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if data are not otherwise available.  The Act also includes rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.

The proposal is now being evaluated by the co-legislators, expected to be ongoing until late 2023.  

Digital Markets Act

The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union.  The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services.  It prohibits gatekeepers from engaging in self-preferencing activities and restricting access to services connected to their platforms, such as online marketplaces like an app store, and be barred from preventing users from removing pre-installed software or apps.  Under the Act, EU regulators can levy fines of up to ten percent of global annual turnover of these firms, and, limitedly, break up certain parts of their corporate operations.  The companies designated as gatekeepers will have to comply with the respective obligations and prohibitions by February 2024.

Digital Services Act

The Digital Services Act will harmonize mechanisms throughout the European Union for the removal of illegal content for online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms.  The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online.  It regulates “very large online platforms” – those online platforms that would reach at least ten percent of the population in the European Union.  The Commission would be able to charge them a supervisory fee of up to one percent of their annual turnover.  Sanctions would be gradual and unprecedented in their scope.  Fines will amount to up to six percent of the global turnover of the conglomerate for violations of the Act.  In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory.  The text will be in force across the European Union from January 2024.

Some popular e-Commerce Sites (marketplaces and vendors) 

    • Komplett (Norway)
    • Zalando (Germany)
    • Power (Norway)
    • Elkjøp (UK/Norway)
    • eBay (USA)  
    • Ikea (Sweden)
    • NetOnNet (Sweden)
    • Netthandelen.no (Norway)
    • Ellos (Sweden)   
    • CDON (Sweden)
    • XXL (Norway)
    • BliVakker.no (Norway)
    • Boozt (Sweden)
    • H&M (Sweden)

Amazon has not yet entered the Norwegian market but is active in the Nordic region through its regional office in Sweden.  

Online Payment 

Payment by debit card and credit card is a preferred option for consumers in Norway, but other electronic and wireless payment options are growing rapidly.  Less than 30% of consumers think it is important to have the option to pay via invoice.  VIPPS, owned by most major banks in the region, is considered the market leading payment method.  Apple Pay, PayPal, PayEx, Nets, Klarna, are other payment methods in the market.  Vendors that have a system for value-added tax collection (e.g. VOEC) and provide a seamless experience for the consumers, will have a major advantage over those who ship from abroad and let the customer handle all the paperwork and risks. 

Major Buying Holidays 

The pre-Christmas holidays and post-holiday sales, as well as Black Friday, are the peak buying holidays.  In some market segments, sales around the Constitution Day, Valentine’s Day, Halloween, and Easter and Winter Breaks, could be opportunities.  In general, understanding the seasons is very important in this part of the world, as needs change dramatically from summer to winter.