Cross-Border E-Commerce
Nordic consumers have achieved an above average level of maturity when it comes to e-commerce, and foreign players enjoy good prospects for success in the Nordic region. End users in the region, including in Norway, are technology-savvy and qualified spenders and are at the very top of e-commerce usage in Europe and globally. Manufacturers, vendors, and retailers considering selling through the Internet can get in contact with customers more easily, but still need to consider challenges related to fulfillment, shipping, taxes, value added tax (VAT), and EU regulations. Norway is among the countries in Europe with most cross-border shopping, and Norwegians are generally very receptive to international websites.
The EU’s Electronic Commerce Directive (2000/31/EC) provides rules for online services in the EU. It requires providers to abide by rules in the country where they are established (country of origin). Online providers must respect consumer protection regulations such as indicating contact details on their website, clearly identifying advertising, and protecting against spam. The Directive also grants exemptions to liability for intermediaries that transmit illegal content by third parties and for unknowingly hosting content. For more details, see:
Current Market Trends
Mobile shopping is becoming the norm, and omni channel is still a powerful strategy in many segments. On the payment side, the local payment option VIPPS has a major market share. Other payment options like Apple Pay are also popular. Data-driven customer focus and partnerships with strong synergies seem to be the fortification strategy.
VAT requirement
Value Added Tax (VAT) is payable on sales of most goods and services in Norway. The VAT rate is currently 25% on most goods and services but is 15% on the sale of food items and non-alcoholic beverages, and 12% on services like passenger transport, sporting events, movie tickets, hotel rooms and other accommodation.
As of April 1, 2020, web shops selling products to consumers in Norway are required to collect and pay VAT. Businesses do not need to have a presence in Norway, and can register through the “VAT on e-commerce” program, called VOEC. The U.S. company will be assigned a VOEC number, to be attached to the parcel. When compliant, goods will be exempt from customs clearance and will arrive to the customer without delay and unpredictable handling costs, at par with European competing vendors. This arrangement will contribute to levelling the playing field. Norway was the first European country to implement a system for collecting VAT from foreign online sellers on low-cost products, and EU has now followed. More information on VOEC here.
E-Commerce Services
A wide range of service providers are present in Norway and throughout Europe and are set up to help vendors and marketplaces with all aspect of their e-commerce business in Norway.
From a logistical point of view, e-commerce often becomes a question of volume and scale. Depending on the product, individual parcels sent from the United States may experience prohibitive shipping costs and shipping time. This is true especially for low value parcels. Several service providers in Europe specialize in hosting shipping, handling-, and fulfillment services for small, non-EU companies.
Online Payment
Payment by debit card and credit card is a preferred option for consumers in Norway, but other electronic and wireless payment options are growing rapidly. Less than 30% of consumers think it is important to have the option to pay via invoice. VIPPS, owned by most major banks in the region, is considered the market leading payment method. Apple Pay, PayPal, PayEx, Nets, Google Pay, Klarna, and other payment methods in the market. Vendors that have a system for value-added tax collection (e.g. VOEC) and provide a seamless experience for the consumers, will have a major advantage over those who ship from abroad and let the customer handle all the paperwork and risks.
Major Buying Holidays
The pre-Christmas holidays and post-holiday sales, as well as Black Friday, are the peak buying holidays. In some market segments, sales around Constitution Day, Valentine’s Day, Halloween, and Easter and Winter Breaks, could be opportunities. In general, understanding the seasons is very important in this part of the world, as needs change dramatically from summer to winter.
Data Transfer
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union, or European Economic Area - EEA (which Norway is a member of) may be processed, went into effect on May 25, 2018. The GDPR, which replaces the Data Protection Directive 1995/46, is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. Personal data is defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier. Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.
A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, EEA residents, and Switzerland, if the company offers goods or services to data subjects in the European Union/EEA; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope. For example, the mere accessibility of a company’s website in the European Union/EEA is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union/EEA might mean that the Regulation is applicable.
Generally, companies that are not established in the European Union/EEA but that are subject to the GDPR must designate in writing an EU/EEA representative for purposes of GDPR compliance. There is an exception to this requirement for small scale and occasional processing of non-sensitive data. Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or twenty million euros – whichever is higher.
The European Data Protection Board released official guidelines to help companies with their compliance process.
Transferring Personal Data Outside of the European Union/EEA
The GDPR not only provides for the free flow of personal data within the European Union/EEA but also for its protection when it leaves the region’s borders. The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed) and on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, and whether it is transferred to controllers, processors, or third parties (e.g., subcontractors). In addition, restrictions on transfers of personal data outside of the European Union specify that such data can only be exported if “adequate protection” is provided.
The European Commission is responsible for assessing, in the form of an adequacy decision, whether a country outside the European Union has a legal framework that provides enough protection when transferring personal data from the EU to that country. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield. That decision invalidated the EU-U.S. Privacy Shield Framework as a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. After extensive consultation with stakeholders and negotiation between the European Union and the United States, in March 2023 the European Union and the United States announced the establishment of a new EU-U.S. Data Privacy Framework. On July 10, 2023, the European Commission adopted an adequacy decision recognizing the United States as having sufficient protection for EU personal data under the Framework, thereby enacting the Framework and reestablishing a legal mechanism for transfers of personal data from the European Union to the United States. See the
Data Privacy Framework website for more information.
Cybersecurity
Revision of the Network and Information Systems (NIS) Directive
The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union. The NIS Directive set basic principles for Member States for common minimum capacity building and strategic cooperation. It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements. Obligations for operators of both groups include taking technical and organizational measures for risk management; to prevent and minimize the impact of security incidents; and to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide. Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (so-called the NIS 2 Directive) in December 2020. NIS 2 Directive obligates more entities and sectors to strengthen security requirements, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements. A political agreement was adopted in November 2022 and the directive entered into force in January 2023. EU member states have until October 2024 to bring the rules into their national law. The Norwegian Parliament has not yet ratified NIS 1 or NIS 2 but is expected to do so.
Cybersecurity Act
The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services. The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups to help it create certification schemes, which includes industry participation in accordance with the Act. The Act is under consideration with the EEA EFTA States and is likely to be implemented.
The EU Data Act
The EU Data Act proposal is now being evaluated by co-legislators and is expected to be formally endorsed by the end of 2023. Once passed and implemented it would set standards for data sharing and the use-reuse of data at an EU-wide level. It covers aspects of the use of various business-to-business and government-to-business data across all sectors in relation to the use of various data.
The proposal includes measures to allow users of connected devices to gain access to data generated by them and to share such data with third parties to provide aftermarket or other data-driven innovative services. It also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. The Act includes mechanisms for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if data are not otherwise available. The Act also includes rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer. The EU Data Act is relevant also for the EEA EFTA States.
Digital Markets Act
The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union. The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services. It prohibits gatekeepers from engaging in self-preferencing activities and restricting access to services connected to their platforms, such as online marketplaces like an app store, and be barred from preventing users from removing pre-installed software or apps. Under the Act, EU regulators can levy fines of up to ten percent of global annual turnover of these firms, and, limitedly, break up certain parts of their corporate operations. The companies designated as gatekeepers will have to comply with the respective obligations and prohibitions by March 2024, and is relevant also for the EEA EFTA States.
Digital Services Act
The Digital Services Act will harmonize mechanisms throughout the European Union for the removal of illegal content for online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms. The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online. It regulates “very large online platforms” – those online platforms that would reach at least ten percent of the population in the European Union. The Commission would be able to charge them a supervisory fee of up to one percent of their annual turnover. Sanctions would be gradual and unprecedented in their scope. Fines will amount to up to six percent of the global turnover of the conglomerate for violations of the Act. In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory. The text will apply across the European Union from February 2024, and is relevant also for EEA EFTA States.
AI Act
On April 21, 2021, the European Commission published its proposal for the Artificial Intelligence Act. The proposed law defines artificial intelligence systems, employs a risk-based approach to regulating AI systems, and applies differentiated obligations to various actors, to include the AI systems’ manufacturers, importers, and users. The Act is currently in trilogue negotiations between the European Parliament, Council and Commission. A finalized version is expected at the end of 2023 or early 2024, also relevant for EEA EFTA States.