Nordia News

Foreign suppliers and Norway’s new procurement law

By Kjell Steffner
Published: 18.06.2026 | Posted in Insights

Last updated 18 June 2026

In short

  • From 1 July 2026, security and preparedness become a cross-cutting consideration in Norwegian public procurement through a new section 5d of the Public Procurement Act.
  • The reform does not create any lawful basis for favouring Norwegian suppliers: the EEA non-discrimination principle still applies, so EEA suppliers cannot be excluded on grounds of nationality.
  • In practice, contracting authorities will set security, preparedness and supply-chain requirements in far more competitions, and will expect transparency about ownership.
  • For sensitive contracts and for suppliers owned outside the EEA, the Security Act regime and the defence-and-security carve-out are the decisive frameworks.

If your business supplies, or wants to supply, the Norwegian public sector, a reform of the Public Procurement Act takes effect on 1 July 2026 that you and your advisers should understand. The headline reassurance is that the reform does not allow Norwegian authorities to shut foreign suppliers out. The practical reality is that security, preparedness and supply-chain requirements will appear far more often, and that ownership and data will receive closer scrutiny.

What is changing in Norwegian public procurement from 1 July 2026?

The Norwegian Parliament adopted the amendments at first and second reading on 29 January and 5 February 2026 respectively, and they were enacted as the Act of 6 March 2026 No 8 amending the Public Procurement Act. Most provisions take effect on 1 July 2026. Four elements matter. Security and preparedness are written into the purpose clause (section 1). A new section 5d gives contracting authorities an express legal basis to impose security and preparedness requirements at every stage of a procurement. Section 5a introduces a duty to maintain a publicly available procurement strategy and suitable routines. And the threshold at which the Act applies is raised from NOK 100,000 to NOK 500,000 excluding VAT. The change is described by the Government as a clarification and an exercise in awareness rather than a new power, as set out in its account of the reform and on anskaffelser.no.

Can Norwegian authorities now favour domestic suppliers?

The answer is no, and this is the most important point for foreign suppliers. Section 5d does not extend the substantive room for action that contracting authorities already had, and that room is bounded by EEA law. A contracting authority cannot rely on section 5d, or on a general appeal to national supply security, to systematically exclude foreign suppliers in ordinary procurements. Unless the procurement engages an essential security interest covered by the carve-outs discussed below, all security and preparedness requirements must be framed in line with the principle of equal treatment. The reform reinforces that security is a legitimate consideration; it does not create a licence to discriminate on nationality.

What does section 5d actually change for a supplier?

The real shift is procedural rather than substantive. Contracting authorities are now expected to take an active, documented position on whether security and preparedness are relevant in each procurement, and the purpose clause will weigh in favour of treating those considerations as legitimate and weighty when requirements are challenged. For a supplier, the consequence is that security, preparedness and supply-chain requirements will appear in many more competitions, and across the whole life cycle: as qualification requirements, in the specification, as award criteria, and as contract terms. Where an authority chooses to impose such contract terms, the new section 5p requires it to build in suitable sanctions for breach. Suppliers should therefore expect security clauses to come with teeth, and should price and plan accordingly.

The indirect mechanisms to watch

Because outright national preference is unlawful, the practical pressure on foreign suppliers tends to come through neutral but demanding requirements. Three are common and entirely lawful. Authorities may divide a large national framework into smaller geographic lots, which lowers the barrier for local participation. They may set neutral response-time requirements justified by preparedness — for example, personnel on site within a set number of hours — which are legitimate quality requirements even if they effectively require a local presence or local sub-suppliers. And they may calibrate qualification requirements to the specific risk. None of these is discriminatory in form, but each can disadvantage a distant supplier in practice. The realistic response is to anticipate them. Consider local presence, partnerships or sub-supplier arrangements, and be ready to evidence supply-chain resilience.

Mechanism | Lawful? | Practical effect on a foreign supplier
Excluding suppliers by nationality | No (EEA non-discrimination) | Cannot be used in ordinary procurements
Division into geographic lots | Yes | Favours local participation indirectly
Preparedness-based response-time requirements | Yes | May require local presence or partners
Proportionate security qualification requirements | Yes | Manageable with documentation and certification

Ownership, security clearance and the Security Act

For contracts that touch classified information or assets worthy of protection, the decisive regime is not the Procurement Act but the Security Act. It requires a security agreement with the supplier, supplier clearance and a duty to notify the authorities, and these obligations apply independently of section 5d. Of particular relevance to foreign-owned suppliers, ownership control has been extended so that it also captures acquisitions in suppliers that hold a supplier clearance. The primary instrument on a change of ownership is a fresh assessment, and where necessary withdrawal, of the clearance; intervention against the acquisition itself is secondary. Section 5d allows the authority to address this in the procurement — for instance by requiring transparency about ownership structure and beneficial owners, notification of ownership changes during the contract, and exit or change-of-control clauses. For a software, cloud or AI vendor with a complex or non-EEA ownership structure, these clauses are often the most precise instrument the authority controls.

Can a supplier be excluded because of its country of ownership?

This is the open question most directly relevant to suppliers owned outside Norway’s circle of security partners. The Government accepts that the rules leave room to reject suppliers that may pose a threat to national security, but has said expressly that whether an authority may exclude suppliers whose owners are from countries with which Norway has no security cooperation should be assessed further. Until that is settled in practice and in the updated guidance, any such exclusion should rest on a concrete, documented security assessment tied to the specific procurement, not on a general reference to country of ownership. Foreign suppliers from outside the EEA should expect this area to develop.

When the procurement rules give way: defence, security and EEA Article 123

Two carve-outs matter. First, the societal-consideration provisions in sections 5a to 5p — including section 5d — do not apply to defence and security procurement under the dedicated regulation (FOSA) unless otherwise provided. For suppliers in the defence and security space, that specialist regime, together with the Security Act, governs. Second, Article 123 of the EEA Agreement permits measures derogating from the Agreement on grounds of essential security interests, the production of or trade in arms and war material, and serious internal disturbance, war or the threat of war. These are genuine exceptions, but they are not a general “defence opt-out”: reliance on them requires a concrete justification in essential security interests. A foreign supplier facing an unusually restrictive process should establish which regime the authority is actually invoking.

The digital layer: data, cloud and network-security rules

Technology procurements carry an additional layer. Norway’s Digital Security Act entered into force on 1 October 2025, implementing the original NIS Directive and requiring providers of essential and digital services to operate a management system for digital security, carry out documented risk assessments and report incidents, with responsibility placed at senior-management level. The NIS2 Directive (EU) 2022/2555 has not yet been incorporated into the EEA Agreement and is therefore not yet part of Norwegian law; transposition is expected during 2026, probably in a new act that also implements the CER Directive and replaces the Digital Security Act, though the timeline is not settled. Section 5d already allows authorities to require supply-chain security contractually before NIS2 applies. For a foreign supplier of cloud or AI services, expect requirements on encryption, access control, data localisation within the EEA, and handling of sub-processors. Where personal data is transferred outside the EEA, data-protection law applies in addition — a point we develop in our note on using AI tools lawfully.

What foreign suppliers and their advisers should do

Expect security and preparedness requirements as a normal feature of Norwegian public competitions, and be ready to satisfy them with documentation and recognised certification such as ISO/IEC 27001. Be prepared to evidence ownership structure and supply-chain resilience, and to accept transparency, notification and change-of-control clauses. Where contracts turn on response time or local presence, consider a Norwegian or Nordic footprint or partnerships. Clarify early which regime applies — ordinary procurement, defence and security procurement, or an Article 123 measure — because it determines the rules of engagement. And for digital services, address data localisation and any third-country transfer at the outset. Nordia Law advises across Norway, Sweden, Finland and Denmark, and can help international suppliers and their counsel position for the Norwegian public market.

Two developments at EU level are worth monitoring, although their direct relevance in Norway is limited and, in part, unsettled: the Foreign Subsidies Regulation and the International Procurement Instrument. These primarily bite when bidding into EU tenders; their EEA status should be checked before any argument is built on them in a Norwegian context.

Sources: Act of 6 March 2026 No 8 (Lovdata, in Norwegian) · Parliamentary decision (Lovvedtak 26, 2025–2026) · Government on the reform · Government on the regulatory changes · anskaffelser.no · NSM on the Digital Security Act

About the author

Kjell Steffner  ·  Advocate (member of the Norwegian Bar Association)

Partner, Nordia Law (Oslo)

Kjell Steffner is a partner at Nordia Law in Oslo, advising on IT law, technology contracts, public procurement and data protection. He helps Norwegian and international businesses with the legal aspects of technology procurement, supplier agreements and digital security.

Kjell Steffner
Partner, Oslo  ·  kjs@nordialaw.com  ·  +47 905 11 901