Composition: the NordBastion polar-bear mascot in tactical armour standing on a wharf overlooking the Oslo opera-house silhouette with fjord cliffs behind, under aurora light, the Norwegian flag flying above a cyan-lit data-fortress on the horizon — evoking a Norwegian constitutional-jurisdiction VPS
Country · Norway · Bastion OSL.001

A Norway VPS, KYC-free.
EU-grade GDPR. Without EU-level cross-border production orders.

A VPS pinned inside Norway, under Section 100 of the Grunnloven and EEA-incorporated GDPR — without direct ECJ jurisdiction. No identity collection, paid in crypto, booted in 90 seconds.

Why Norway Go to Oslo bastion
TL;DR
  • 01

    Oslo bastion OSL.001 inside a tier-III carrier-neutral facility, 100 Gbps private backbone to Stockholm, Helsinki and Reykjavík.

  • 02

    Section 100 of the Grunnloven + EEA-incorporated GDPR enforced by Datatilsynet, without direct ECJ jurisdiction or EU e-Evidence reach.

  • 03

    Pay in Bitcoin or Monero, no identity check — provisioned in 90 seconds, billed against a prepaid balance.

Why a Norwegian VPS

Norway is the rarest combination in European hosting. GDPR inside, ECJ outside.

Norway's constitutional anchor for free expression is Section 100 of the Grunnloven, comprehensively rewritten in 2004 to become one of the most explicit speech clauses in Europe. It entrenches freedom of expression as a fundamental right, forbids prior censorship by name, and protects the right to receive and impart information. The Norwegian Supreme Court reads it alongside ECHR Article 10 jurisprudence, which gives journalists and publishers a robust right to refuse to disclose the identity of an anonymous source — read across to an infrastructure operator, that doctrine reinforces the same model NordBastion ships under by choice.

The structural advantage of Norway, however, is not the Constitution — it is the EEA-without-EU posture. GDPR applies in Norway through EEA incorporation, so customers get the same Article 5 minimisation and Article 17 erasure rights as in any EU country, enforced by the Datatilsynet, one of the most active DPAs on the continent. But Norway is outside the direct jurisdiction of the European Court of Justice. Schrems-style cross-border data-sharing rulings, the EU e-Evidence regulation, EU-level production-order frameworks — none of those automatically apply. EU-grade standards, regulatory distance from EU-level enforcement instruments. That combination is rare.

Add to that the climate. Norway has spent two decades near the top of every press-freedom and rule-of-law index published. The courts are independent, the executive is bound by statute, and the digital-rights ecosystem (EFN, the Norwegian Bar Association's Surveillance Committee) is active and well-respected. For an infrastructure operator that climate matters: the legal protections only matter if they are reliably enforced, and in Norway they are.

The Norwegian bastion

Oslo — OSL.001.

City landing

Oslo VPS — pinned cores, Norwegian jurisdiction.

The full city page. Five-tier strip pinned to the bastion, four-card "Why Oslo" grid (Section 100, EEA-without-EU, Datatilsynet enforcement, NIX peering), and the city-specific FAQ. Latency to Stockholm around 11 ms, to Helsinki 17 ms, to Reykjavík 28 ms over the private backbone.

Open the Oslo page
Bastion code
OSL.001
Latency · Stockholm / Helsinki / Reykjavík
~11 / 17 / 28 ms
Constitutional citation
Section 100 · Grunnloven
Norway vs the other three

Four Nordic legal regimes. Pick the one that fits the workload.

The four Nordic jurisdictions are close cousins but not identical. Some workloads want Norway specifically; others are better served by Sweden, Finland or Iceland.

Norway · this page

EEA outside the EU

Section 100 of the Grunnloven plus EEA-incorporated GDPR, enforced by Datatilsynet — without direct ECJ jurisdiction or EU e-Evidence reach. EU-grade standards, regulatory distance.

Oslo bastion
Sweden

Oldest constitutional press freedom

Tryckfrihetsförordningen (1766), criminal-statute source secrecy, IMY-enforced GDPR. The publishing-first jurisdiction with the longest written track record. EU member.

Stockholm bastion
Finland

Strongest source secrecy in the EU

Section 12 of the Constitution + Sananvapauslaki (2003) — an absolute statutory right to refuse to disclose sources, with one of Europe's strictest GDPR regulators on top. EU member.

Helsinki bastion
Iceland

IMMI — written for publishers

The Icelandic Modern Media Initiative (IMMI, 2010) explicitly designed source protection, intermediary immunity and prior-restraint limits for digital publishers. Outside the EU entirely; geographically isolated.

Reykjavík bastion
Pick a tier

The right tier for a Norwegian VPS. Three calls, three workloads.

  1. $5.90 / MO

    Sentinel — sidecar, personal

    2 vCPU, 4 GB RAM, 120 GB NVMe. Good for a small Mastodon, a Wireguard exit in Oslo, a personal mail bridge or a Tor relay sitting under Norwegian law.

  2. $11.90 / MO

    Garrison — production single-service

    4 vCPU, 8 GB RAM, 240 GB NVMe. The sweet spot for one production application under EEA-incorporated GDPR — a publication site, a hardened nginx + PHP-FPM, a small Postgres outside ECJ reach.

  3. $23.90 / MO

    Ravelin — multi-service stack

    8 vCPU, 16 GB RAM, 480 GB NVMe. Comfortable for a multi-service publication or SaaS infrastructure — CMS, database, search, queue and worker, all under a single Norwegian jurisdiction.

Full tier line — Sentinel · Garrison · Ravelin · Bulwark · Citadel — on /oslo-vps/.

Verdict

Choose Norway when the workload needs GDPR-grade standards without EU-level enforcement reach.

Norway is the right Nordic jurisdiction when the workload benefits from GDPR-grade data-protection standards but should sit outside the direct reach of the European Court of Justice and EU-level cross-border instruments. EEA-without-EU is the unusual combination that gives both at once — and that is the structural argument for an Oslo bastion.

If your priority is the longest written constitutional press-freedom track record, Sweden is the natural alternative. If you want the strongest source-protection statute in the EU, look at Finland. If you want geographic isolation and a digital-publisher charter, look at Iceland. For workloads that want EU-grade data protection at one regulatory step's remove, Norway is the answer.

FAQ · Norway

Norway-specific, answered.

Questions that come up specifically about hosting a VPS under Norwegian law — constitution, EEA-without-EU posture, retention, mobility.

Is Oslo the only Norwegian location?

For now, yes. NordBastion operates one bastion in Norway — OSL.001 — inside a tier-III carrier-neutral facility in the Oslo metropolitan area. Oslo is also the densest peering point in Norway (NIX1, NIX2), which is why we put the Norwegian bastion there rather than in Bergen or Stavanger. A second Norwegian site is not on the published 18-month roadmap.

What does Section 100 of the Grunnloven protect?

Section 100 of the Norwegian Constitution (Grunnloven) entrenches freedom of expression as a fundamental right. After the 2004 amendment it is one of the most comprehensive constitutional speech clauses in Europe, explicitly forbidding prior censorship and protecting access to information and the right to receive and impart ideas. The Norwegian Supreme Court reads Section 100 alongside the ECHR Article 10 jurisprudence to give journalists and publishers a robust right to refuse to disclose the identity of an anonymous source — which translates cleanly into the crypto-paid, no-identity hosting model NordBastion runs.

Norway is in the EEA but not the EU — what does that change?

This is the key Norwegian privacy advantage. GDPR applies in Norway through EEA incorporation, so customers get the same Article 5 minimisation and Article 17 erasure rights as in any EU country. But Norway is outside the direct jurisdiction of the European Court of Justice, which means schrems-style cross-border data-sharing rulings, the EU e-Evidence regulation, and EU-level production-order frameworks do not automatically apply. The combination — EU-grade data-protection standards plus regulatory distance from EU-level enforcement instruments — is unusual and useful for operators who want both.

How strict is the Datatilsynet?

The Datatilsynet (Norwegian DPA) is one of the most active GDPR regulators in Europe, with a documented record of fining municipalities, ministries and large private actors for over-collection and breach mishandling. It also publishes detailed guidance and is unusually willing to push back on government surveillance proposals. For a privacy-first hosting operator that posture is welcome: it is a third-party regulator reinforcing the same doctrine NordBastion ships under by choice.

Can Norway compel logs from NordBastion?

Only through a Norwegian court order, on a named subject, for data we actually hold — and that intersection is narrow by design. Norwegian criminal procedure additionally recognises a press-freedom-grounded right of refusal for material that would identify an anonymous source of a publication. By doctrine, NordBastion does not collect identity at signup, does not retain payment-card data, does not log application-level activity, and rotates infrastructure logs aggressively. What does not exist cannot be compelled.

What about Norway's data-retention laws?

Norway's previous data-retention regime (DLD) was never fully implemented and the 2014 Digital Rights Ireland CJEU ruling — and Norway's own Supreme Court — closed off the bulk-retention path. What remains is a much narrower targeted regime for electronic communications service providers. As a hosting provider — not a telecom — NordBastion is not subject to bulk retention obligations under that statute. We retain only what is operationally necessary, on the schedules published in the transparency report.

How does the SLA work in Norway specifically?

The NordBastion SLA is 99.99 percent per-bastion, computed independently for each of the four locations. The Oslo OSL.001 uptime is broken out on /status/ alongside the other three bastions. SLA credits are applied to your prepaid balance automatically — no ticket required.

Can I move my VPS from Norway to Sweden or Iceland later?

Yes. Every VPS can be snapshot-redeployed to any other Nordic bastion through the panel — Oslo to Stockholm, Stockholm to Reykjavík, anywhere. The snapshot transfer runs over the 100 Gbps private backbone, so even a Ravelin migration completes in a few minutes. You re-point DNS at the new IP; nothing else changes.