Developing General Guidelines for the Public Procurement of Artificial Intelligence in Digital Health Services in Norway: Addressing Legal and Practical Challenges

Abstract

Abstract

Background – Norwegian health trusts face significant challenges translating complex regulatory requirements from GDPR, the Medical Devices Regulation, the AI Act, NIS2, and public procurement law into concrete technical specifications for AI procurement. Current "one-size-fits-all" templates and prescriptive specifications often stifle innovation, overlook algorithmic risks, and expose trusts to privacy and security non-compliance.

Methods – The study employed an interdisciplinary, research design combining legal doctrinal analysis, case study examination, and literature review. Legal requirements were systematically mapped to technical AI capabilities. Three Norwegian health trust procurement processes and regulation were analyzed to identify current practices and challenges. Academic and grey literature provided broader context. The Adaptive Compliance Integration Framework (ACIF) was developed through iterative analysis and received preliminary validation through structured interviews with three procurement professionals.

Results – Analysis revealed four persistent gaps: (1) legal-framework mismatch between static laws and dynamic AI lifecycles; (2) process rigidity where over-prescriptive specifications block outcome-based innovation; (3) documentation deficits where vendors seldom supply evidence on bias-mitigation, transparency, or continuous-monitoring plans; (4) fragmented expertise where procurement, clinical, and legal teams work in silos. ACIF addresses these gaps through six cyclical stages: needs identification and justification, legal compliance and market analysis, risk management and stakeholder engagement, procurement process design, implementation and monitoring, and validation and feedback. The framework emphasizes legal-to-technical translation, risk-based accountability, and multi-stakeholder alignment. Validation interviews confirmed the framework addresses recognizable challenges and could improve current procurement practices.

Conclusions – ACIF enables Norwegian health trusts to move from checklist-driven purchasing to adaptive, outcome-oriented governance that keeps pace with evolving AI regulation, safeguards patient data, and encourages market innovation. The framework provides systematic guidelines for bridging legal requirements with technical implementation in AI procurement. Future research should pilot ACIF at scale and evaluate its impact on procurement outcomes, compliance effectiveness, and stakeholder satisfaction.

Keywords: artificial intelligence; digital health; public procurement; GDPR; AI Act; information security; Norway; adaptive compliance integration framework