Q1 2025 Technology and IP Quarterly
In this Q1 2025 edition of the Technology and IP Quarterly, we offer a comprehensive overview of the latest developments in intellectual property rights, life sciences, and regulatory and data protection. We highlight the most significant advancements in Norway and the EU during the first quarter of 2025, covering regulatory updates, case law and other important news.
Intellectual Property Rights
BAHR’s intellectual property practice covers all areas of contentious and noncontentious intellectual property law. The team has litigated numerous cases and has extensive experience providing legal advice to both domestic and international clients within the fields of patents, trademarks, copyright, design and trade secrets. For more information regarding patent litigation in Norway, BAHR has authored the Norwegian chapter in Lexology In-Depth: Patent Litigation, accessible here
This section will present recent regulatory developments and case law in the field of intellectual property from Norway, the European Union, and other European jurisdictions, offering insights into the latest legal trends and decisions during the first quarter of 2025.
Norway
Regulatory updates
Two amendments to the Norwegian Copyright Act have been made this quarter that are worth mentioning. According to Section 33 of the Copyright Act, the Act does not prevent copyrighted works from being used in connection with police crime prevention, or as evidence or in proceedings under the Patents Act, the Designs Act, or the Trade Marks Act. Following the amendment, the Copyright Act also does not hinder the use and availability of works when fulfilling the obligation to report data and findings on ground investigations and natural hazard assessments pursuant to Section 2-4 of the Planning and Building Act.
The second amendment is found in Section 87 of the Copyright Act. This provision governs when providers of electronic communication services may disclose information about the owners of subscriptions to copyright holders. The amendment involves an updated reference to the new Electronic Communications Act, which also came into effect on 1 January 2025.
Norway is also working with the implementation of the Directive on Copyright in the Digital Single Market (DSM Directive) (EU 2019/790). The preliminary legislative proposal has been circulated, and the consultation period has ended. However, the Ministry of Culture and Equality has announced that the legislative proposal will not be presented within the first quarter of 2025.
Case law
Trademark – Oslo District Court case 24-129026TVI-TOSL/04
The Norwegian Board of Appeal for Industrial Property Rights denied registration of the trademark CANPACK. The Board found that the mark was descriptive and lacked distinctiveness for the specified goods and services, such as tins and preserving boxes. The Oslo District Court upheld the Board’s decision, noting that the Norwegian public is proficient in English, and the average consumer would view the text element CANPACK as descriptive for the goods or services for which trademark protection was sought. The court stressed the importance of keeping the expression CANPACK available for use by all businesses in the canning industry for marketing and product or service descriptions. The decision is accessible here.
Trademark - Oslo District Court case TOSL-2024-153647
This case concerned the exhaustion of the rights conferred by a trademark. Maramarbirlik, a Turkish food producer, distributes its products across Europe. In Norway, Elite holds the rights to utilise the Maramarbirlik trademark under a licence agreement, allowing them to import and redistribute these goods on the Norwegian market. Conversely, Exotic, a Norwegian company, acquired products directly from a German distributor and subsequently marketed them within
Norway. Elite sought a preliminary injunction to cease Exotic’s sales activities. The Oslo District Court found that Maramarbirlik’s trademark rights were not exhausted by prior transfers, and that Exotic had infringed Maramarbirlik’s trademark rights. The court found that the criteria for granting a preliminary injunction were satisfied.
EU Case law
C-575/23 - Copyright,Orchestre national de Belgique v. the Belgian Government
This quarter the EU Court of Justice delivered a ruling concerning copyright law. The musicians of the Belgian National Orchestra were in dispute with the orchestra over the remuneration due for their performance rights. Despite efforts to resolve the matter amicably, no agreement was reached. Subsequently, a Royal Decree was issued, transferring the musicians’ performance rights to the orchestra. The performers contested the decree, arguing that such a transfer could not occur without their consent. The Belgian Supreme Administrative Court referred the matter to the EU Court of Justice, questioning whether the Royal Decree’s transfer of rights complied with EU copyright directives.
The EU Court of Justice underscored the importance of robust copyright protection within the EU. The Court further stressed that EU legislation must ensure a high level of protection for performing artists, guaranteeing their right to fair remuneration. The Court concluded that involuntary transfer of rights through a Royal Decree contradicts the principles of strong copyright protection. Consequently, the Court determined that such a transfer was inconsistent with EU copyright legislation. This judgment reinforces the prominence of performance rights in EU law and interprets directives applicable to Norway as well. The decision is accessible here
3.2.1.2 The Unified Patent Court the Düsseldorf Local Division UPC_
CFI_355/2023 - FUJIFILM Corporation v. Kodak GmbH
FUJIFILM claimed that Kodak had infringed its European patent and sued Kodak. Kodak denied infringing the patent rights and additionally argued that Fujifilm’s patent was invalid and should be revoked. The European patent was effective in Germany and the UK. As is well known, the UK is no longer part of the EU and is not a member of the UPC. Nevertheless, the UPC concluded that the UPC could assess whether Kodak had infringed the patent in the UK. The decisive factor for the UPC was that the defendant — Kodak — was based in Germany, which is party to the UPC agreement. However, the UPC also determined that it did not have jurisdiction to rule on the validity of the UK part of the patent in suit. The decision is accessible here
3.2.1.3 C-339/22 - Patent and jurisdiction - BSH Hausgeräte GmbH v. Electrolux AB
Also the EU Court of Justice has dealt with a case concerning patents and jurisdiction this quarter. While the UPC considered patent infringement in jurisdictions not party to the UPC agreement, the EU Court of Justice examined whether asserting invalidity as a defense in an infringement case prevents the court where the alleged infringer is domiciled from hearing the case.
In BSH vs Electrolux (CJEU judgement of 25 February 2025) BHS Hausgeräte GmbH (BHS), the owner of brands such as Bosch and Siemens, had brought an infringement action against the Swedish home appliance manufacturer Electrolux AB (Electrolux). BHS claimed that Electrolux had infringed BHS European patent, which had been granted in several EU Member States, including Sweden. BHS filed the infringement action in Sweden, where Electrolux had the proper venue, in accordance with Article 4 of the Brussels Regulation.
Electrolux argued, as a defence, that BHS’s patent rights were invalid. Referring to Article 24 of the Brussels Regulation, Electrolux contended that the Swedish court did not have jurisdiction to decide the dispute. According to Article 24 of the Brussels Convention, only the court where the patent right is registered can rule on disputes regarding the validity of the registration.
The Svea Court of Appeal in Sweden asked the Court of Justice of the European Union whether a defence of invalidity against patents that were not effective in Sweden meant that a Swedish court was no longer the proper venue. The CJEU concluded that when an invalidity defence is raised in an infringement case, this defence does not mean that the court ceases to be the proper venue for the infringement case. If the court were to find the patent invalid, such a decision would only be binding inter partes and would not affect third parties. The decision is accessible here
The Enlarged Board of Appeal of the European Patent Organisation: G1/24:
In February, the Enlarged Board of Appeal (EBA) issued a preliminary opinion on admissibility of the questions raised in the highly anticipated case G1/24. The case concerns fundamental questions on claim interpretation and the role of the patent description. The patent at issue faces a novelty challenge, where a central term used in the claims (“gathered” tobacco) is interpreted quite broadly in the description. If the broad interpretation of the description is applied to the interpretation of the term in the patent claim, the patent is at risk of being anticipated by the prior art and thus invalid. However, if the term in the patent claim is interpreted in isolation, the term would not be understood as broadly by the person skilled in the art.
The general question to be answered is whether the EPC’s rules on claim interpretation requires the description (and drawings) of the patent to be consulted at all times, or whether it is only relevant if the patent claims are unclear. In addition, the EBA will rule on whether art. 69 EPC (1) second sentence and Article 1 of the Protocol on the Interpretation of Article 69 EPC- which regards patent infringement- is relevant during pre-grant examination and opposition.
The EBA deemed these two questions admissible but rejected a third question, which asked if a definition of a term used in the claims which is explicitly given in the description can be disregarded when interpreting the claims to assess patentability. The court considered the question redundant to reach a decision on the case. Oral proceedings were held on 28 March 2025, and the communication from the EBA can be found here
The general role of the patent description in infringement proceedings has also been addressed in the UPC. In a separate case, The United Patent Court Paris Local Division in Dexcom v. Abbott (UPC_CFO_230/2023) ruled that the description should always be taken into account when interpreting patent claims in validity proceedings. It also deviated from the above-mentioned protocol on interpreting article 69 EPC, which states that the description shall only be consulted when “resolving an ambiguity found in the claims.” Although the protocol applies to infringement assessments, the Local Division ruled that principles of claim interpretation must be applied uniformly to assessments of infringement and validity. Thus, the UPC provides one approach to be considered by the Enlarged Board of Appeal.
Other Jurisdictions
Case law
Sweden: Patent and Commercial Court (Sw. Patent och Marknadsdomstolen) in OMC 166666-23:
The Swedish Patent and Commercial Court (PMC) recently delivered a judgment regarding the interpretation of ‘product’ under Article 1(b) of the Supplementary Protection Certificate (SPC) Regulation, focusing on the case involving STADA and Takeda. STADA challenged the validity of Takeda’s SPC for the prodrug lisdexamfetamine, marketed as Elvanse® for treating attention deficit/ hyperactivity disorder, arguing that the ‘product’ should be dexamfetamine, the active metabolite, rather than the prodrug itself. The PMC examined the Explanatory Memorandum related to SPCs, which aligns the concept of ‘product’ with both patent and pharmaceutical regulatory systems. The court ruled that the definition of ‘active ingredient’ should be consistent with the pharmaceutical regulatory system’s definition of ‘active substance’ under the Medicinal Products
Directive. Consequently, the PMC concluded that lisdexamfetamine is the active substance in the marketing authorisation process for Elvanse®. The PMC further evaluated relevant CJEU case law, including Forsgren, Santen, MIT, GSK, and Abraxis, but found these cases not directly applicable as they did not involve prodrugs. The court affirmed that lisdexamfetamine is the active ingredient of Elvanse® and thus the ‘product’ under the SPC Regulation, supported by both the regulatory framework and the EU legislature’s intentions. This Swedish judgment contrasts with a previous ruling by the German Federal Patent Court, which declared the German SPC invalid, identifying dexamfetamine as the active ingredient. The German court’s decision did not consider the marketing authorisation process where lisdexamfetamine was recognised as the active substance, and this decision is currently under appeal.
Germany: Supreme Court (De. Bundesgerichtshof) in I ZR 16/24:
The German Supreme Court dismissed the appeal concerning the copyright protection of Birkenstock’s sandal models ‘Madrid’ and ‘Arizona’, confirming the decision of the Higher Regional Court. According to the German Copyright Act, artistic works, including architecture and applied art, are protected by copyright if they are the author’s own intellectual creation. The Court referred to the consistent case law of the Court of Justice of the EU (CJEU) to define ‘work’, which requires originality as the author’s own intellectual creation and expression of their free and creative choices. The subject matter must reflect the author’s personality and not be dictated by technical constraints, with sufficient precision and objectivity to qualify as original. The Court emphasised that designs do not necessarily qualify for copyright protection, as design and copyright pursue different objectives and are subject to distinct rules, although they are not mutually exclusive. Aesthetic effect alone is insufficient for copyright protection unless it reflects an artistic achievement and expresses the author’s creative freedom and personality.
The Court further clarified that for copyright protection, a personal intellectual creation must exhibit individual character and aesthetic content to be considered an artistic achievement by those familiar with artistic views. The aesthetic effect must be based on artistic achievement, and mere exploitation of creative freedom or technical feature exchange is insufficient. The threshold for copyright protection should not be set too low, and purely technical creations using formal design elements cannot enjoy copyright protection. The term ‘artistic’ in the Court’s jurisprudence aligns with CJEU case law, focusing on the creative decision-making process rather than establishing a qualitative threshold. The Court noted that Birkenstock bore the burden of proof to demonstrate that the models “Madrid” and “Arizona” were personal intellectual creations, which they failed to do. The decision is accessible here
Life Sciences
BAHR is a trusted advisor to business professionals across the dynamic life sciences sector, encompassing pharmaceuticals, biotechnology, health services, and medical devices. Our team is renowned for representing leading pharmaceutical originators in cutting-edge patent disputes. Beyond litigation, BAHR offers comprehensive support in regulatory compliance and strategic counsel on unfair competition. We also provide expert guidance on marketing law, distribution, and agency matters, ensuring our clients have everything they need to thrive in the competitive life sciences landscape.
This section will present updates on the life sciences sector within Norway and the EU, offering insights into recent developments and trends during the first quarter of 2025.
Norway
Norwegian regulatory bodies have conducted a joint operation against cosmetic treatment clinics
In a recent joint regulatory action “Operation Injection”, the Norwegian Medical Products Agency (“NOMA”), the Consumer Authority, and the Norwegian Board of Health Supervision uncovered widespread illegal marketing practices among cosmetic treatment clinics.1 These regulatory bodies have overlapping areas of supervision concerning the marketing of cosmetic treatments. The operation highlights violations in pharmaceutical and medical device marketing, stressing the need for industry compliance with regulations to avoid legal repercussions. Nearly 50 clinics were affected: 40 received warnings and guidance, while four faced financial penalties and three additional warnings are being processed that could also lead to financial penalties. Violations included marketing pharmaceuticals for “off-label” use, misleading medical device claims, and advertising fillers to minors. Cosmetic treatment providers must follow strict marketing rules, with fines for violations. Advertising of prescription-only medicines to the public is prohibited in Norway. Medical device marketing must accurately reflect intended use, safety, and performance, prohibiting misleading claims like promoting surgical threads for cosmetic purposes such as “foxy eyes”.
All feedback on the proposed amendments to the Health Research Act and related regulations is now published
In the last quarter of 2024, the Norwegian Ministry of Health and Care Services launched a public consultation on proposed amendments to the Health Research Act, Health Register Act, and Health Personnel Act, with feedback due by 6 January 2025. These amendments aim to enhance research quality, strengthen participant protection, and streamline research processes. 2
In their response, the Regional Committees for Medical and Health Research Ethics (REK) support many proposals, such as clarifying definitions, adjusting consent requirements, establishing a five-year data retention period, and specifying rules for research involving minors. However, they have concerns about removing the legal assessments under the Health Research Act, excluding registry studies from its scope, allowing research on humans without consent, and changing consent rules for minors. REK strongly opposes the removal of legal assessments, arguing it contradicts the Helsinki Declaration and undermines ethical oversight. They emphasise that legal assessments are integral to ethical evaluations and that removing them would impair REK’s mission to promote ethical research. The Norwegian Data Protection Authority (DPA) shares concerns about removing the legal assessments in their response, emphasising
1 https://www.dmp.no/nyheter/begrenser-leges-autorisasjon-etter-storaksjon
2 https://www.regjeringen.no/no/dokumenter/forslag-til-endringer-i-helseforskningsloven-ogtilhorende-regelverk/id3059028/
REK’s unique expertise in providing independent assessments of research projects.3 They argue that REK’s preliminary reviews are crucial for ensuring the legality and integrity of research, offering assurances that retrospective oversight by the DPA cannot match.
Consultation on proposed amendments to the Medical Devices Act launched
The Norwegian regulatory framework for medicinal products and medical devices is based on EU regulations and directives that are implemented in Norway through the EEA Agreement, with certain national adaptions and requirements. In February 2025, the Norwegian Ministry of Health and Care Services launched a public consultation on proposed amendments to the Norwegian Medical Devices Act, with feedback due by 11 April 2025.4 The proposal aims to incorporate Regulation (EU) 2024/1860 into Norwegian law. This regulation modifies the existing MDR and IVDR. The regulation extends transitional provisions for certain types of equipment, introduces phased implementation rules for the European database on medical devices (EUDAMED), and mandates reporting obligations in the event of medical device supply shortages.
EU
EMA has launched the European Shortages Monitoring Platform
Supply issues with pharmaceuticals are on the rise across Europe, typically stemming from production challenges, raw material shortages, or higher-thanexpected demand. Additionally, the supply chain is influenced by the commercial priorities of major international companies.5 In a significant move to enhance the stability of the pharmaceutical supply chain, the European Medicines Agency (EMA) launched the European Shortages Monitoring Platform (ESMP) at the end of January 2025.6 This innovative platform is designed to monitor medicine supply and demand, with the goal of preventing, detecting, and managing shortages across the EU and EEA. As of 2 February 2025, marketing authorisation holders are obligated to exclusively use this platform to report any shortages and availability issues. EMA has published guidance and training materials to support ESMP stakeholders in the adoption and use of the platform here
3 https://www.regjeringen.no/no/dokumenter/forslag-til-endringer-i-helseforskningsloven-ogtilhorende-regelverk/id3059028/
4 https://www.regjeringen.no/no/dokumenter/horing-forslag-til-endring-i-lov-om-medisinskutstyr-gjennomforing-av-europaparlaments-og-radsforordning-eu-20241860-i-norsk-rett/ id3089674/?expand=horingsbrev
5 https://www.dmp.no/forsyningssikkerhet/legemiddelmangel/legemiddelmangel-arsaker-ogtiltak#Europeisk-samarbeid-5
6 https://www.ema.europa.eu/en/news/european-shortages-monitoring-platform-fullyoperational-monitoring-shortages-eu
The Regulation on Health Technology Assessment has come into effect
On 12 January 2025, Regulation (EU) 2021/2282 on Health Technology Assessment (HTAR) came into effect, initiating an interim period until 2030.7 During this time, agencies will transition to fully comply with the new regulation, which aims to enhance the quality of healthcare technologies, medicines, and medical devices through coordinated assessments based on scientific evidence. HTAR seeks to improve patient access to innovative healthcare solutions across the EU, ensuring efficient resource use and strengthening HTA quality. It fosters a transparent framework for joint clinical assessments and evaluations of scientific evidence supporting reimbursement applications, reducing duplication for national HTA authorities and companies. In 2025, approximately 25 Joint Clinical Assessments (JCAs) are expected to begin, with the first completed JCAs anticipated by Q3 or Q4 2025.8 The Commission has published guidance on clinical study validity for JCAs here. The number of assessments will increase annually, initially focusing on cancer medicines and advanced therapies, with tight deadlines to ensure efficiency.
The Commission has launched a public consultation on the medical device regulations
The Commission has launched a public consultation to evaluate the implementation and effectiveness of the Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR).9 Initially set for evaluation in 2027, the Commission decided to launch a targeted evaluation of the Regulations in 2024. The consultation aims to assess their effectiveness, identify challenges, and explore improvements. The MDR and IVDR, effective since May 2021 and May 2022, replaced previous directives to ensure high safety and performance standards for medical devices in the EU. Despite their comprehensive scope, these regulations have posed challenges due to their complexity and impact. The Commission seeks feedback from manufacturers, notified bodies, healthcare professionals, and patient advocacy groups. Open until 21 March 2025, the Commission has already received negative feedback on systemic issues, costs, and patient safety concerns.
7 https://health.ec.europa.eu/health-technology-assessment/implementation-regulation-healthtechnology-assessment_en
8 https://www.nyemetoder.no/om-systemet/europeisk-samarbeid-htar/
9 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14155-EU-rules-onmedical-devices-and-in-vitro-diagnostics-targeted-evaluation_en
The transition to CTIS is completed
The final deadline for transferring ongoing studies approved under Directive 2001/20/EC to the European Clinical Trials Information System (CTIS) was 30 January 2025. Since 31 January 2024, all new clinical trial applications have been required to be submitted through CTIS, in compliance with Regulation (EU) No. 536/2014. The transition is now fully complete. This system not only streamlines the application process but also enhances transparency and collaboration.
Care Law -
Joined cases C-119/22 (Teva v MSD) and C-149/22 (MSD v
Clonmel)
In December 2024, the Court of Justice of the European Union (CJEU) rendered its much-awaited decision in the joined cases C-119/22 (Teva v MSD) and C-149/22 (MSD v Clonmel) concerning the conditions for obtaining a Supplementary Protection Certificate (SPC) for medicinal products under Regulation (EC) NO 469/2009 (the SPC Regulation). For key takeaways from the decision, read our newsletter here
Regulatory and Data Protection
At BAHR, we recognise the vital role of data privacy and security in today’s digital world. Our team of legal experts is committed to providing clear guidance on regulatory matters to ensure businesses remains compliant and secure. We offer customised solutions to help businesses navigate the complexities of the Norwegian and EU Digital regulations. This section will provide updates on the regulatory framework within Norway and the EU, offering insights into recent developments and trends.
Norway
Norway’s plan to implement the AI Act and establish AI Norway
In a press release on March 21, available here, the Government announced that the EU’s AI Act will be implemented into Norwegian law. It has been indicated that a preliminary legislative proposal will be circulated for consultation before the summer, and that legislation implementing the AI Act will come into effect in late summer 2026. The Government will also establish AI Norway (Nw. KI Norge), which will be under the jurisdiction of the The Norwegian Digitalisation Agency. At the same time, it is already clear that the Norwegian Communications Authority (Nkom) will ensure that the EU’s AI regulations are implemented and managed consistently in Norway. The Norwegian Communications Authority will also monitor that AI systems in the Norwegian market are safe and responsible to use.
The new Electronic Communications Act
On 1 January 2025, the new Norwegian Electronic Communications Act (ekomloven) came into effect. In addition to a complete modernisation of its traditional telecom rules, the act also strengthens the consent requirements for the use of cookies and similar technologies.10 This change aligns Norwegian law with EU regulations, providing stronger protection for internet users in Norway against online tracking. Previously, default browser settings permitting cookies were deemed sufficient as cookie consent. Under the new law, consent for using cookies must meet the stringent criteria outlined in the GDPR to be valid. This shift requires organisations to reassess and potentially modify how they obtain consent for cookies and similar technologies to ensure full compliance. The Norwegian Data Protection Authority (DPA) and the Norwegian Communications Authority (Nkom) will jointly supervise adherence to these regulations. Nkom will determine whether technical solutions fall under the provision and assess if any exceptions apply, while the DPA will evaluate if the provided information is adequate and if the consent aligns with GDPR standards. Additional guidance from the DPA and Nkom will be available in due course, but organisations should proactively review their use of cookies and consult existing resources such as the Electronic Communications Act and guidelines from the European Data Protection Board (EDPB) on valid consent under GDPR.
New rules for data centres
On 1 January 2025, the new Norwegian Data Center Regulation (datasenterforskriften) came into effect, aiming to ensure that data centers operate securely and efficiently, recognising their critical role in today’s
10 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2024/nye-cookie-regler-fra-1.-januar/
technology-driven landscape.11 Applicable to operators providing data center services for a fee or those exceeding a power threshold of 0,5 MW, the regulations emphasise security while allowing flexibility for businesses to tailor their measures. Key requirements include developing a comprehensive security management system that integrates policies, plans, and risk assessments to mitigate risks to service availability, integrity, and confidentiality. Documentation is crucial, with operators required to regularly update records to reflect evolving threats. The responsibility for compliance extends to third parties like suppliers and contractors. Nkom oversees compliance, possessing authority to issue orders, conduct audits, and impose fines up to five percent of revenue for violations. Proposed amendments announced on 30 January 2025 aim to enhance crime prevention and manage the loss of critical services by requiring operators to maintain updated customer information and promptly respond to government inquiries.
Proposal for implementation of DORA into Norwegian law
On 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) came into effect in the EU.12 DORA aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. A proposal for implementing DORA into Norwegian law was subject to consultation in spring 2024. The Norwegian Ministry of Finance presented a bill on 7 March 2025 for the implementation of DORA into Norwegian Law. According to the proposal, DORA will be incorporated into a new Norwegian law on digital operational resilience in the financial sector. Read more about the implementation of DORA and what managers of alternative investment funds need to prepare for, in our newsletter here
The DPA has begun the work on implementing the DSA into Norwegian law
On 28 February 2025, the government announced in a press release the commencement of efforts to incorporate the EU’s Digital Services Act (DSA) into national law, with a draft proposal expected to be circulated for consultation before summer 2025.13 The DSA aims to enhance internet safety and strengthen consumer rights by imposing strict requirements on tech companies providing social media, search engines, messaging services, and other online platforms. The DSA is already in effect in EU countries. Nkom will act as the national coordinator, ensuring compliance with the new digital service regulations in Norway. Nkom will manage administrative tasks, information flow, enforcement,
11 https://lovdata.no/pro/#document/SF/forskrift/2024-12-18-3313?searchResultContext=1393&ro wNumber=1&totalHits=2
12 https://www.regjeringen.no/no/sub/eos-notatbasen/notatene/2023/jan/dora-forordningen/ id3084128/
13 https://www.regjeringen.no/no/aktuelt/gjor-det-tryggere-a-bruke-internett/id3090015/
and consistent application of the rules. The Norwegian Media Authority, the Consumer Authority and the DPA are designated as competent authorities in their respective areas. 14
Norway is preparing for the implementation of NIS1 in the Digital Security Act
While NIS2 and its stringent new cybersecurity rules were scheduled for implementation in EU countries by 18 October 2024, Norway is preparing to implement rules based on NIS1 starting in 2026. During a seminar hosted by BAHR in January 2025, the Norwegian National Security Authority (NSM) informed attendees that the work on implementing NIS1 and NIS2 is proceeding in parallel. NIS1 is intended to be incorporated into the new Norwegian Cyber Security Act (the “CSA”, Nw.: Digitalsikkerhetsloven), which has not yet come into force. Meanwhile, efforts on the regulations for implementing NIS2 will continue throughout 2025 and 2026.
To understand the implications for Norwegian service providers operating in Europe and European providers conducting business in Norway read our newsletter on NIS1 and NIS2 here
The DPA advises businesses to develop an exit strategy in case data transfers to the US become restricted following the recent developments in the US
Recent developments in the US are also affecting data privacy. In July 2023, the Commission adopted a new adequacy decision for the EU-U.S. Data Privacy Framework, affirming that the US provides a level of personal data protection comparable to EU standards. This decision enables secure data transfers from the EU to US companies within the Framework without requiring additional safeguards. However, in a recent statement, the DPA anticipates that these regulations may eventually be challenged in the Court of Justice of the European Union (CJEU).15 Recent developments in the US, including the president’s dismissal of four members of the Privacy and Civil Liberties Oversight Board, have added to the uncertainty. Businesses should consider these factors when engaging with US service providers. The DPA advises businesses to develop an exit strategy in case data transfers to the US become restricted. Additionally, the use of US cloud services in Europe may be disrupted if the adequacy decision is revoked, with no transition period expected.
14 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/datatilsynet-skal-folge-opppersonvernet-i-dsa/
15 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/informasjon-om-overforinger-til-usa/
The Norwegian DPA will reconsider the NAV-case
In the spring of 2024, the Norwegian Data Protection Authority (DPA) imposed an infringement penalty of EUR 1,725,000 (MNOK 20) and issued several orders to the Norwegian Labour and Welfare Administration (NAV) due to serious non-conformities in NAV’s confidentiality safeguards, particularly in access management and log control. According to the DPA, the decentralised design of NAV’s systems complicates legal compliance verification, as local offices have significant autonomy in organising their operations. Consequently, the ‘needto-know’ access principle is inconsistently applied, undermining centralised oversight and GDPR compliance. According to the DPA, such inadequate management poses a high risk of accidental non-compliance. The penalty was set to reflect NAV’s prolonged exposure of sensitive personal data without proper security measures and its insufficient response to repeated requests for prioritising data security.
NAV challenged this decision and brought it before the Norwegian Privacy Appeals Board (Nw: Personvernnemnda). The Board found that the orders issued by the DPA had been so generally formulated that it was not possible for NAV to understand what must be done to comply with the order. They were not sufficiently specified and justified, and therefore did not meet the requirements of the Public Administration Act (Nw: forvaltningsloven). Therefore, the orders could not form the basis for coercive fines and penalties. Additionally, the Board concluded that the DPA’s evaluation of the fault requirement was inadequate and that it was unclear what the authority had meant, both factually and legally. This led to a partial overturn by the Board in December 2024.
The DPA announced in January 2025 that it will reconsider the case, taking the Board’s feedback into account.16 Although the initial decision has been overturned, it underscores the critical importance for our clients – especially those processing large amounts of personal data and with decentralised operations – to implement robust access management and centralised oversight to ensure compliance with GDPR requirements and avoid substantial penalties.
Telenor ASA sanctioned by the Norwegian DPA
On 10 March 2025, the Norwegian DPA issued a decision imposing sanctions on Telenor ASA, available here. During their inspection, the DPA uncovered inadequate follow-up of the Data Protection Officer (DPO) and deficiencies in internal control. Telenor is required to conduct a documented internal analysis to determine whether it is obliged to appoint a DPO, considering the company’s role in various processing activities. If it is found that Telenor must have a DPO, the company must implement organisational measures and establish appropriate guidelines regarding the DPO’s role and responsibilities, ensuring
16 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2024/klagen-fra-nav-er-behandlet-avpersonvernnemda/
the DPO’s independence and preventing conflicts of interest. Furthermore, the company must revise its processing records in accordance with GDPR Article 30. In addition to these orders, Telenor received a reprimand for failing to establish a reporting line for the DPO to the highest management level and was fined 4 million NOK for lack of internal control.
EU
DORA has come into effect
As noted above, DORA came into effect in the EU on 17 January 2025. In February 2025, the EU has introduced several regulatory developments under DORA to ensure a robust and harmonised approach to managing digital risks within the EU’s financial sector.17 One significant development is the release of a draft delegated regulation concerning regulatory technical standards for ThreatLed Penetration Testing (TLPT).18 The EU has specified criteria for identifying financial entities required to perform TLPT, including guidelines on the use of internal testers, the scope and methodology of testing, and cooperation mechanisms to facilitate mutual recognition of testing results across member states. Additionally, new delegated regulations outline standardised procedures and templates for financial entities to report significant ICT-related incidents.19 This seeks to improve the efficiency and consistency of incident reporting, enabling authorities to respond promptly to emerging threats and coordinate actions across the EU. Furthermore, the EU has published delegated regulations detailing the oversight framework for critical third-party ICT service providers. This includes harmonised conditions enabling supervisory activities, mechanisms for monitoring compliance, and guidelines for cooperation between lead overseers and competent authorities. 20
Commission has proposed an updated Cybersecurity Crisis Management framework
Commission has proposed EU-wide coordination in responding to large-scale cyber incidents On 24 February 2025, the Commission unveiled a proposal to enhance EU-wide coordination in responding to large-scale cyber incidents.21 The updated Cybersecurity Crisis Management framework aims to clarify the roles of relevant EU actors throughout all stages of a crisis - from preparedness
17 https://europalov.no/rettsakt/dora-forordningen-gjennomforingsbestemmelser-om-standarderprosedyrer-for-rapportering-om-ikt/id-33519, https://europalov.no/rettsakt/dora-forordningenutfyllende-bestemmelser-om-varsling-av-rapport-om-ikt-relaterte-hendelser/id-33178, and https:// europalov.no/rettsakt/dora-forordningen-utfyllende-bestemmelser-om-tilsynsvirksomhet/id-33184
18 https://ec.europa.eu/transparency/documents-register/detail?ref=C(2025)885&lang=en
19 https://eur-lex.europa.eu/eli/reg_del/2025/301/oj
20 https://eur-lex.europa.eu/eli/reg_del/2025/295/oj
21 https://europalov.no/rettsakt/eu-strategi-for-handtering-av-cybersikkerhetskriser/id-33529
and detection to response and recovery - promoting shared situational awareness and effective mitigation of cyber threats. The proposal builds on existing frameworks like the Integrated Political Crisis Response and aligns with recent initiatives such as the Critical Infrastructure Blueprint. It seeks to strengthen collaboration between civilian and military entities, including NATO, and promotes secure communication while countering disinformation. More information is found here
Commission has published a draft regulation concerning the Cyber Resilience Act
On 13 March 2025, the Commission released a draft regulation concerning the Cyber Resilience Act, with a feedback deadline set for 10 April 2025.22 This regulation mandates the Commission to define the technical specifications for categories of important and critical products with digital elements, as outlined in Annexes III and IV. These products may be subject to more rigorous conformity assessment procedures, as detailed in Article 32. Stakeholders are invited to provide feedback during the specified period.
The Cyber Resilience Act came into force on 10 December 2024, and lays down rules for horizontal cybersecurity requirements for products with digital components and software. The act has a broad scope, covering digital products that have either a direct or indirect data connection to a device or network, meaning it will apply to everything from smartwatches and smart devices to firewall programs. The act will however not apply to product areas covered by the MDR or IVDR. The purpose of the act is to reduce and mitigate vulnerabilities in products placed on the market, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products, thereby affecting the entire supply chain. The act sets forth rules governing the marketing, design, development and production of products, as well as requirements for vulnerability handling. These requirements which vary depending on the risk category of the product and whether the operator is an importer, distributor or manufacturer. Most of the act’s requirements will become applicable starting 11 December 2027.
The Cyber Solidarity Act and the Cybersecurity Act has become applicable
The Cyber Solidarity Act became applicable on 4 February 2025, and targeted amendment of the Cybersecurity Act (CSA) was adopted on 15 January 2025. The Cyber Solidarity Act introduces measures to enhance solidarity and capacities within the Union to detect, prepare for and respond to cyber threats and incidents. The act establishes a European Cybersecurity Alert System, and
22 https://europalov.no/rettsakt/rammeverk-for-digitale-produkters-tjenesters-robusthet-tekniskbeskrivelse-av-kategoriene-viktig/id-33579
where member states choose to participate in the European system, they shall establish national cyber hubs. These hubs will cooperate and coordinate with other member states and Union level institutions. The Cybersecurity Act amends the previous act, with a particular focus on establishing certification schemes for “managed security services”. These services involve performing or assisting with activities related to cybersecurity risk management. The certification schemes will include a comprehensive set of rules, technical requirements, standards and procedures to ensure that the quality of the cybersecurity risk management services provided.
Furthermore, the Common Criteria-based Cybersecurity Certification Scheme (EUCC) became applicable on 27 February 2025. The EUCC is a voluntary certification scheme established under the CSA, designed to enable ICT suppliers to undergo a EU commonly understood assessment process for certifying their ICT products.23 As of 27 February, Member States are authorised to issue EUCC certificates for ICT products, such as chips, smart cards, software, and hardware. EUCC aims to harmonise the recognition of the level of cybersecurity of ICT products across the EU. 24
Commission has published its work programme for 2025
The Commission recently published its work programme for 2025, available here The programme informs that the Commission will start a simplification process for the Digital package, work on the Digital Networks Act, a non-legislative AI Continent Action Plan, an action plan for the cybersecurity of hospitals and healthcare providers. Notably, the Commission has withdrawn the Proposal for the AI Liability Act, stating that there is no foreseeable agreement, and that the Commission “will assess whether another proposal should be tabled or another type of approach should be chosen”. The Commission has also withdrawn the proposal for Regulation on Privacy and Electronic Communications, stating that there is no foreseeable agreement and that “the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape”.
Third Draft of the General-Purpose AI Code of Practice published
The European Commission has published the third draft of the General-Purpose AI Code of Practice on 11 March 2025. This draft, developed by independent experts, marks the final stage of development of the Code, incorporating stakeholder feedback to refine the structure and commitments. The Code includes high-level commitments and detailed measures for implementation, focusing on transparency, copyright, safety and security for providers of general-purpose AI models. The draft aims to help these providers demonstrate
23 https://certification.enisa.europa.eu/news/eucc-application-2025-02-27_en
24 https://certification.enisa.europa.eu/index_en
compliance with the AI Act by May 2025.
Stakeholders, including member state representatives and international observers are invited to provide feedback by 30 March 2025.
Guidelines and Caselaw Guidelines on pseudonymisation
The EDPB published its draft Guidelines on Pseudonymisation on 16 January 2025. The Guideline review themes such as the legal definition of pseudonymisation, the objectives and advantages of pseudonymisation and technical measures and safeguards for pseudonymisation. The draft was published for public consultation, which ended 14 March 2025. Among the recommendations, the EDPB advises that data controllers should clearly identify and define the risks they aim to mitigate through pseudonymisation. The effectiveness of pseudonymisation in reducing these risks should be the primary goal in the specific processing activity, ensuring that the measures are tailored to achieve this objective.
Case C-203/22 - CK v. Dun & Bradstreet Austria GmbH and Magistrat der Stadt Wien
The case was a request for a preliminary ruling concerning the enforcement of a court order requiring Dun & Bradstreet, which specialises in the provision of credit assessments, to provide CK with meaningful information about the logic involved in profiling relating to her personal data. The court held that the right to get “meaningful information about the logic involved” must be understood as “a right to an explanation of the procedure and principles actually applied” in order to use the data with a view to obtaining a specific result. In this particular instance, the court held that it may be sufficient to provide the data subject with information of the extent to which a variation in the personal data would have led to a different result.
The second issue was whether the controller is obligated to provide supervisory authorities and courts with information when the question before them concerns the scope of the data subject’s right of access, and the controller has taken the view that the information is protected by trade secrets. The court held that the controller is required to provide the allegedly protected information to the supervisory authority or the court, for them to be able to balance the rights and interests at issue to determine the extent of the data subject’s right of access.
C-394/23 – Association Mousse v. Commission nationale de l’informatique et des libertés (CNIL) and SNCF Connect
This case concerned whether it was necessary to process data relating to customer’s gender prefix in connection with the online sale of train tickets, thereby collecting data on the customer’s gender. The court concluded that the processing of a customer’s gender prefix by a transport undertaking, when the
purpose is to personalise commercial communication based on their gender, is not essential for the performance of a contract nor is it necessary for the purposes of a legitimate interest pursued by the controller. Consequently, for such processing to be legal, gender prefix should only be collected through the means of an explicit, freely given informed consent.
C-416/23 - Österreichische Datenschutzbehörde v. F R and Bundesministerin für Justiz
The request concerned the Austrian DPA’s refusal to act on a complaint related to an alleged infringement of the data subject’s right to access to his personal data. The DPA had refused to act on the complaint, on account of its excessive nature. The data subject had, within a period of 20 months, filed 77 similar complaints. The court ruled that the requests cannot be classified as excessive solely on account of their number during a specific period - the DPA must demonstrate that the requests have an abusive intention. The decision likely did not receive a warm welcome by European DPA’s as it raises the bar even further for their ability to dismiss complaints and thereby prioritise their resources.
C-638/23 - Amt der Tiroler Landesregierung v. Datenschutzbehörde and Others
The case concerned the interpretation of the term “controller”. The court ruled that national legislation can designate an entity without its own legal personality as a controller. This is permissible even if the legislation does not precisely specify the particular data processing operations for which the entity is responsible or the purposes of those operations, as long as two conditions are met. Firstly, the entity must be capable of fulfilling the obligations of a controller towards data subjects concerning the protection of personal data, in accordance with national legislation. Secondly, the national legislation must either explicitly or implicitly define the scope of the data processing for which the entity is responsible.
BAHR Technology
BAHR’s multi-disciplinary Technology group is tailored to meet the diverse needs of technology companies, covering all areas from litigation and M&A to contracts and regulatory matters. We are dedicated to maintaining in-depth knowledge and active engagement with industries at the cutting edge of technological advancement, delivering market-leading expertise to tackle the legal challenges these sectors face. Our clients benefit from lawyers who not only understand their business but also grasp the commercial opportunities and challenges inherent within their industry.
Editorial Team
Anja Stensrud Elverum anelv@bahr.no
Hilde-Marie Pettersen hipet@bahr.no
Morten Smedal Nadheim monad@bahr.no
Ylva Høsøien ylhos@bahr.no
Anna Medbøe Tamuly antam@bahr.no
Jacob A. Møller jam@bahr.no
Sander Bøe Bertelsen saber@bahr.no
Eirik Basmo Ellingsen eiell@bahr.no
Kjetil Wick Sætre kjesa@bahr.no
Tuva Fretheim Walle tufwa@bahr.no
“ – Legal 500
BAHR’s Intellectual Property and TMT practice is outstanding and the best in Norway due to its deep expertise and innovative approach to complex legal matters. The team is uniquely adept at providing strategic advice that aligns with our business objectives, specially in the rapidly evolving IP and TMT sectors.
“
The lawyers at BAHR are excellent. They are experts on patent litigation and are resultsoriented and super responsive.
– Chambers Contact us
PARTNER
+47 928 80 017
+47 920 88 112 eiell@bahr.no
Jacob A. Møller