The Nordic countries share a cultural commitment to transparency and individual rights, but their approaches to data protection enforcement have diverged significantly since GDPR came into effect. Understanding these differences is essential for businesses operating across the region.
Sweden's IMY has evolved from one of Europe's quieter DPAs to a technically focused enforcement body. Its 2025 priorities center on automated tracking technologies, cookie compliance, and cross-border transfers. IMY's enforcement style is methodical — it conducts sector-wide audits, publishes detailed guidance, and escalates penalties for repeat offenders. Fines have increased year-over-year, with the largest 2025 penalty reaching SEK 12 million.
Norway's Datatilsynet takes a broader approach, focusing on systemic issues rather than individual complaints. The authority has been particularly active on children's data protection, facial recognition technology, and surveillance. Norway's position outside the EU but inside the EEA creates unique dynamics — it implements GDPR through the EEA Agreement but maintains independent enforcement discretion. Datatilsynet has issued some of the Nordic region's largest fines, including a NOK 65 million penalty against Grindr.
Denmark's Datatilsynet operates differently again. It has historically preferred guidance and dialogue over punitive enforcement, issuing relatively few fines compared to its Nordic neighbors. However, this approach has shifted in recent years, with the Danish authority increasingly issuing formal reprimands and referring cases for prosecution under the Danish Data Protection Act. Denmark's unique approach to criminal prosecution for data protection violations sets it apart from most EU member states.
For businesses operating across all three jurisdictions, the practical takeaway is that a single compliance strategy may not suffice. Cookie consent requirements are enforced differently — Sweden's technical scanning approach, Norway's complaint-driven investigations, and Denmark's prosecutorial model each demand different levels of documentation and evidence.
Vakteye's scanning platform addresses this by evaluating compliance against the strictest interpretation across all relevant jurisdictions. If your website passes a Vakteye audit, it will meet the requirements of all three Nordic DPAs — and most other European authorities as well.