Learn more about how some of the EU’s most important security directives and regulations, such as NIS2, DORA, and GDPR, have been implemented differently across the various Scandinavian legal systems.
How the EU directives and regulations are implemented differently in Scandinavia


EU laws affect almost every part of everyday life in Europe, from the environment and consumer protection to digital issues and labor law. They are meant to create common rules that protect citizens and keep the internal market running smoothly. But even though the goal is the same in all countries, the implementation of EU rules varies significantly from country to country.

These national differences make it difficult for organizations operating in several EU countries to keep up. New court decisions, updates, and supervisory rulings affect how rules must be applied, and while requirements can never fall below the EU minimum standard, they often become stricter.

EU Decisions: Directives vs. Regulations

How a country chooses to incorporate EU rules into its own legislation matters greatly. It affects both legal certainty, determining how clear and predictable the rules are, and democratic legitimacy, deciding how well decisions are anchored in each country.

The EU has two main types of legal acts that member states must follow and implement: directives and regulations.

  • A directive states what countries must achieve but lets them decide how. Each country must therefore change or introduce national laws through a process called implementation.

  • A regulation works differently. It applies directly and automatically in all EU countries from day one, though countries may add some national rules to make sure they can comply with the regulation. This results in more consistent regulation across the EU.

Why different national laws despite the same EU decisions?

Even though Sweden, Denmark, and Norway often base their rules on the same EU laws, the implementation process differs because of their legal status. Sweden and Denmark are EU members, while Norway, as a non-member, participates through the EEA Agreement, which covers only parts of the EU’s internal market.

When Norway needs to follow new EU rules, the rules must first be approved by the joint EEA Committee, where Norway and the other EFTA countries (Iceland and Liechtenstein) participate. After approval, the rules are implemented through localized Norwegian law.

This means that Norway often takes longer to implement EU rules compared to Sweden and Denmark. In Sweden and Denmark, EU regulations apply immediately, and directives can be quickly implemented through national legislation.

At the same time, the EEA system gives Norway slightly more flexibility. In theory, the country can choose not to adopt certain rules, although this rarely happens because it may disrupt trade with the EU.

Differences in speed, influence, and flexibility mean that EU rules do not always look identical in the Scandinavian countries, despite their close cooperation.

Implementation of the NIS2 directive in the Nordic region

The EU’s NIS2 Directive aims to strengthen cybersecurity in critical sectors and digital services. It requires organizations to protect their systems and report major incidents. Since it’s a directive, and Sweden, Denmark, and Norway each have a different relationship with the EU, they have implemented it in different ways.

NIS2 in Danish law

Denmark implemented NIS2 through the NIS2-loven on 1 July 2025, along with regulations from the Danish Digitaliseringsstyrelsen and Styrelsen for Samfundssikkerhed og Beredskab. Three sector-specific NIS2 laws have been added for the financial (DORA), telecommunications, and energy sectors.

The country's supervision is sector-specific, with different authorities responsible for different areas. At the same time, the Danish Ministeriet for Samfundssikkerhed og Beredskab has overall responsibility and develops guidance materials.

NIS2 in Swedish law

Sweden will implement NIS2 through the new Cybersäkerhetslagen, which is expected to enter into force on 15 January 2026, with additional regulations from the Swedish Myndigheten för samhällsskydd och beredskap (MSB) and the Swedish Post- och telestyrelsen (PTS).

Like Denmark, Sweden has sector-specific supervision. MSB issues regulations for most sectors, while PTS covers digital infrastructure, digital providers, ICT service management, space, and postal/courier services.

NIS2 in Norwegian law

Norway first implemented the NIS1 Directive on 1 October 2025 through the Digitalsikkerhetsloven. However, NIS2 has not yet been adopted in EEA law, so no date has been set for its entry into force in Norway.

Implementation of the DORA Regulation in the Nordic region

DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the resilience of financial entities against IT and cybersecurity risks. It requires robust systems, risk management, incident reporting, and continuity planning. Unlike NIS2, DORA is a regulation and applies automatically in all EU countries from 17 January 2025. However, implementation through additional national laws has differed across Denmark, Sweden, and Norway.

DORA in Danish law

Denmark adopted national legal amendments to enable the practical implementation of DORA. It introduced rules on supervision and sanctions, and made the Financial Supervisory Authority (Finanstilsynet) responsible for enforcement.

The country also adopted sector-specific financial regulations to complement the broader NIS2 law. Additionally, Finanstilsynet launched thematic investigations into how insurance companies and pension funds implement DORA.

DORA in Swedish law

Sweden has also introduced national amendments to designate responsible authorities, provide the Financial Supervisory Authority (Finansinspektionen) with supervisory and sanctioning powers, and regulate fees under the regulation.

DORA in Norwegian law

Norway implemented DORA through the national DORA Act (Lov om digital operasjonell motstandsdyktighet i finanssektoren) on 1 July 2025. At the same time, the previous ICT regulation for the financial sector was repealed for entities covered by the DORA Act.

It was also decided that the Norwegian Financial Supervisory Authority (Finanstilsynet) supervises compliance and may introduce additional regulations, including for threat-based penetration testing in cooperation with Norges Bank.

Implementation of GDPR in the Nordic region

GDPR is the EU’s data protection regulation that aims to protect personal data and give individuals more control over their information. It was applied directly in all EU member states from 25 May 2018 and left some freedoms to let each country add localized national rules.

GDPR in Danish law

Denmark adopted the Data Protection Act (Databeskyttelsesloven), which entered into force alongside GDPR. It includes Danish adaptations such as rules for processing personal ID numbers, public-sector provisions, and limitations on certain rights for public-interest reasons. The country also made the Danish Data Protection Agency (Datatilsynet) responsible for supervision and guidance.

GDPR in Swedish law

Sweden introduced the Data Protection Act (Dataskyddslagen 2018:218) to regulate matters left open by the GDPR, such as the age of children's consent, rules for employment-related data, public-sector processing, and sanctions. It also made the Swedish Authority for Privacy Protection (IMY) responsible for overseeing compliance with GDPR.

GDPR in Norwegian law

Norway incorporated GDPR through the Personal Data Act (Personopplysningsloven) in July 2018. Since Norway is not an EU member, any changes to the GDPR must first be approved by the EEA Joint Committee, which means they often take effect a bit later than in EU countries. The national law includes rules on children’s consent, personal ID numbers, and processing for journalistic, artistic, academic, and public-sector purposes, where Norway’s Datatilsynet supervises compliance.

Why local adaptation in GRC is crucial for compliance

Managing laws and regulations across countries can quickly become unmanageable without the right tools. Many organizations still rely on Excel, email, and manual processes for documenting risks, controls, and policies. This may work on a small scale but easily becomes chaotic as laws change and the organization grows. Versions get lost, updates are missed, responsibilities become unclear, and traceability breaks down.

These manual processes and scattered spreadsheets are no longer sufficient as regulatory demands increase and more responsibility is placed on leadership.

Structure and scalability with a modern GRC platform

For organizations operating in several EU countries, many of these challenges can be solved by using a modern GRC platform designed to support local requirements and dynamic markets.

Centralizing compliance efforts for all national laws in a single platform provides structure and visibility. Processes, policies, and controls can be managed consistently, updated, and monitored. Building GRC by design helps organizations adapt faster to new rules, ensure consistent reporting, and reduce administrative burdens.

For companies operating across markets, this offers:

  • Faster adaptation to new rules and court decisions

  • Less administration and fewer manual errors

  • Improved traceability and consistent reporting

  • Transparency between local units and central compliance teams

A modern, localized GRC platform makes it possible to combine central governance with local compliance. Each unit can follow its national requirements while contributing to a unified, transparent structure. In turn, this helps organizations meet today’s regulatory demands and stay resilient in an increasingly complex compliance landscape.
