Complete guide

Legal requirements, GDPR and the path to a modern digital solution

This guide gives Norwegian businesses a complete picture of what visitor registration is, what rules actually apply, what the Norwegian Data Protection Authority says — and how digital visitor registration meets all the requirements without manual work.

Written by Adaptive AS — part of the Visma family · Updated May 2026 · Reading time ~10 min

What is visitor registration?

Visitor registration is the process of documenting who arrives and leaves a business’s premises. It sounds trivial — and it was, as long as a receptionist stood at the front desk with a book and a pen. In 2026, the picture is different: regulations are stricter, security requirements are higher, and expectations from guests and employees are more professional.

In practice, visitor registration covers a series of events:

  • Advance invitation with practical information for the guest
  • Arrival and check-in — manually, via kiosk or with QR code
  • Notification to host (typically via SMS or email)
  • Any confirmation of HSE instructions, confidentiality agreement or ID verification
  • Access through gates, doors and locks
  • Check-out upon departure
  • Automatic deletion in line with privacy regulations

In addition, a professional setup generates two important by-products: an evacuation list in real time, and an audit log for security and compliance work.

Why visitor registration is becoming increasingly important

Three parallel trends have made visitor registration a topic that management teams, IT managers and HSE managers are actively discussing:

1. The regulations have tightened. The 2018 GDPR set clear boundaries for how personal data about guests can be processed. The NIS2 Directive from 2024 expands the requirements for critical infrastructure businesses to include traceability and access control. The Norwegian Data Protection Authority has repeatedly stated that paper-based solutions rarely satisfy the data minimization principle.

2. The reception has changed. Hybrid work models, shared commercial buildings and pressure to streamline have made the full-time reception a costly setup that many no longer see the value of. At the same time, guests expect a recognizable, professional arrival experience — which cannot be delivered with a forgotten guest book and a locked door.

3. The security picture is more complex. Norwegian businesses — from municipalities to industry — are experiencing increased risk of both physical and cyber threats. An up-to-date overview of who is in the building is no longer a "nice to have", but part of basic security.

📌 Did you know?

30,000 guests are registered every day in the onVisit system. This is spread across 3,000+ Norwegian and international businesses — from Oslo Municipality and DNB to SINTEF and industrial companies along the entire coast.

Legal requirements for visitor registration in Norway

Many people ask us whether visitor registration is legally required in Norway. The answer is nuanced: no single law says "all businesses must register visitors". But several regulations create indirect and direct requirements that in practice make digital visitor registration necessary:

Working Environment Act §3-1

The law requires that the employer “ensure that systematic health, environmental and safety work is carried out.” In practice, this means documented procedures for evacuation — which requires knowing who is in the building.

Internal control regulations

The regulations provide specific requirements for documented routines, including for the allocation of responsibilities, risk assessment, and follow-up of measures. Visitor registration is part of this documentation for most businesses.

The Security Act and security-approved businesses

Businesses with security approval — offshore, defense, critical infrastructure — are required to have documented access control. Here, visitor registration is not optional; it is a prerequisite for maintaining approval.

NIS2 Directive (expected to be introduced in Norway in 2026)

For businesses in the “critical and important sectors” — energy, transport, health, finance, water supply and digital infrastructure — NIS2 requires both physical and logical access control. Access logs and traceability are part of this.

The Personal Data Act and GDPR

Once you register visitors, you are subject to the Personal Data Act and GDPR. This is where most businesses go wrong — often with paper-based solutions.

How onVisit is built to comply with NIS2 and GDPR

onVisit runs in Microsoft Azure, with an ISMS based on ISO 27001, encryption in transit and at rest, and 24/7 monitoring from Visma Security Center. We offer a data processing agreement and documentation for procurement and auditing upon request.

GDPR and visitor registration — what the Norwegian Data Protection Authority actually says

When you register a visitor, you are processing personal data. GDPR applies in full. The Norwegian Data Protection Authority has published specific statements about visitor registration — here are the most important ones:

Legal basis — not consent

The most common legal basis for visitor registration is legitimate interest (GDPR art. 6 no. 1 letter f), not consent. The Norwegian Data Protection Authority has pointed out that consent can hardly be "freely given" when registration is a condition for access.

Obligation to provide information

The visitor has the right to information about data processing before it takes place. A good visitor system displays this information directly in the registration flow — not in a long privacy statement that no one reads.

Data minimization

You should not collect more than the purpose requires. Do you really need a national ID number? A license plate number? A photo? Each field must be justified.

Storage limitation

Data should not be stored longer than necessary. Recommended practice is 10–90 days with automatic deletion. Configurable retention time is a minimum requirement for a serious visitor system.

Data Processor Agreement

If you use an external provider (such as onVisit), the provider is the data processor and you are the data controller. GDPR requires a signed data processor agreement.

⚠️ Common mistake: paper-based guestbook

The Norwegian Data Protection Authority has concluded that a paper-based guest book where guests can read each other's names and companies normally violates the GDPR principle of data minimization and confidentiality. Many Norwegian businesses still have such books — without knowing that they are breaking the law every day.

The NIS2 Directive and visitor registration

The NIS2 directive (Network and Information Security Directive 2) is expected to be implemented in Norwegian law in 2026 and sets stricter requirements for cybersecurity for businesses in critical and important sectors. Many people think of NIS2 as “something the IT department handles” — but the directive actually sets requirements that directly affect visitor registration:

  • Physical and logical access control must be documented and traceable
  • Access logs shall be maintained and available to the supervisory authority
  • Supplier risk must be assessed and documented — also for the visitor system provider
  • Incident handling requires knowing who was in the building during an incident

A digital visitor system contributes to NIS2 compliance on all these points. As part of the Visma Group, onVisit delivers the subcontractor transparency required by NIS2 — something smaller, independent suppliers often cannot offer.

HSE, evacuation and the requirements of the Working Environment Act

The most important practical argument for visitor registration is simple: during an evacuation, the fire chief needs to know who is in the building. Without that, it is impossible to verify that everyone has made it out.

What does the law say about evacuation?

The Working Environment Act's requirement for systematic HSE work, combined with the Fire Prevention Regulations, requires that the business has documented evacuation procedures. In practice, this means an up-to-date overview of everyone in the building — including guests, suppliers and electricians who "just happened to be dropping by."

The digital evacuation list

In a digital visitor system, the evacuation list is automatically generated and updated in real time. The fire manager can retrieve it on their mobile phone at the meeting point — not from a computer at a reception that may not be available. Guests receive automatic SMS notification of the evacuation, with instructions on where to meet.

Traceable documentation for supervision

After an incident — fire, accident, or other critical situation — regulatory authorities often require documentation of who was present. A digital visitor log provides this documentation immediately, while a paper book is often incomplete or damaged.

Paper-based vs. digital visitor registration

Many Norwegian businesses still have paper-based visitor registration — often a book at the reception or a spreadsheet that the receptionist updates manually. Here's an honest comparison:

Requirements / function | Paper book | Digital visitor registration
GDPR — other guests cannot see data | ❌ Violation |
Automatic deletion after X days | ❌ Manually |
Notification to host upon arrival | ❌ Phone call | ✅ Automatic SMS
Evacuation list available on mobile | |
Audit traceability | ⚠️ Limited | ✅ Full audit log
Scales to multiple locations | |
Pre-registration from Outlook | |
HSE instructions at check-in | ⚠️ Rarely in practice | ✅ Configurable
Requires receptionist | ❌ Yes | ✅ Optional
Cost per month | ✅ Almost zero | ⚠️ From approx. 1700 kr

The only real argument for paper is the price — and even that quickly fades when you factor in the cost of a receptionist or the risk of a privacy breach.

How digital visitor registration works

A modern visitor system like onVisit handles the entire visitor flow through several connected components:

1. Pre-registration via Outlook

The host sends a standard meeting invitation in Outlook or Google Calendar. The system captures the invitation and automatically sends a professional confirmation to the guest — with meeting time, address, map, parking information, public transportation, and any HSE instructions. The guest also receives a unique QR code.

2. Arrival and check-in

Three options, depending on setup:

  • QR code on mobile: The guest scans their own QR code on the front door — completely contactless, no queues.
  • Kiosk screen at the reception: self-service registration on iPad or Surface.
  • Receptionist registration: If you still have a staffed reception, the receptionist registers the guest on the computer.

3. Notification and access

The host is immediately notified via SMS or email. If you have integration with access control, the guest's QR code automatically opens relevant gates and doors. If necessary, identity is verified with BankID.

4. During the visit

The guest is now on the evacuation list. Fire managers have real-time visibility. If the visit lasts longer than planned, the system can send reminders or extend access.

5. Check-out and deletion

Upon departure, the guest simply checks out — with a QR code or kiosk. After a configured storage period (typically 10–90 days), all personal data is automatically deleted.
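The check-in, evacuation list and automatic deletion steps above, modelled in Python as an added example (not onVisit code). The class and field names, the 30-day retention value and the sample guests are assumptions; the retention clock runs from check-out, or from check-in when a guest never checked out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Visit:
    # Data minimisation: only fields the evacuation/security purpose needs.
    name: str
    company: str
    host: str
    checked_in: datetime
    checked_out: Optional[datetime] = None

class VisitorLog:
    def __init__(self, retention_days: int):
        if retention_days < 1:
            raise ValueError("retention_days must be at least 1")
        self.retention = timedelta(days=retention_days)
        self.visits = {}   # visit_id -> Visit (personal data lives only here)
        self.audit = []    # (event, visit_id, time): no personal data
        self._next_id = 1

    def check_in(self, name, company, host, now):
        visit_id = self._next_id
        self._next_id += 1
        self.visits[visit_id] = Visit(name, company, host, now)
        self.audit.append(("check_in", visit_id, now))
        return visit_id

    def check_out(self, visit_id, now):
        self.visits[visit_id].checked_out = now
        self.audit.append(("check_out", visit_id, now))

    def evacuation_list(self):
        # Everyone who has checked in and not yet checked out.
        return sorted((v.name, v.company, v.host)
                      for v in self.visits.values() if v.checked_out is None)

    def purge(self, now):
        # A forgotten check-out must not keep a record alive forever,
        # so fall back to the check-in time when there is no check-out.
        expired = [vid for vid, v in self.visits.items()
                   if now - (v.checked_out or v.checked_in) >= self.retention]
        for vid in expired:
            del self.visits[vid]
            self.audit.append(("deleted", vid, now))
        return expired

def demo():
    t0 = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)  # constructed data
    log = VisitorLog(retention_days=30)
    a = log.check_in("Kari Hansen", "Example AS", "Ola", t0)
    log.check_in("Per Olsen", "Sample Electric", "Ola", t0)  # never checks out
    log.check_out(a, t0 + timedelta(hours=2))
    during = log.evacuation_list()
    return during, log.purge(t0 + timedelta(days=31)), log.evacuation_list()
```

After the purge the audit trail still records that a deletion happened and when, but holds only visit ids, so the proof of deletion does not itself retain personal data.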

Want to see onVisit in practice?

30-minute demo with our product team. We show you exactly what the flow looks like for your situation.

How to choose the right visitor system

The visitor registration market in Norway has grown rapidly. Here's what we recommend Norwegian buyers look for — regardless of whether you end up with us or a competitor:

1. Data storage within the EU/EEA

Data should be stored within jurisdictions that satisfy Norwegian data protection legislation. Ask specifically where data is stored, and demand a written response.

2. Data processing agreement as standard

It should be included as standard, not something you have to negotiate. If the vendor only offers a data processing agreement upon request, that's a red flag.

3. Configurable storage time with automatic deletion

This follows from GDPR requirements. If the retention period is fixed or deletion is manual, the solution is not mature enough.

4. Norwegian technical support

When something doesn't work on a Monday morning, you want to talk to someone who understands Norwegian requirements, the Norwegian language, and Norwegian working hours.

5. Scalability

Even if you start with one location, check if the system can handle multiple locations without a costly upgrade.

6. Integration with existing tools

Outlook, Microsoft 365, Google Workspace, Entra ID, access control, BankID. If the system is an isolated island, it will be forgotten.

7. Supplier stability

Check the vendor's credit rating, ownership, and history. A visitor system is not something you want to replace every year. AAA ratings, long-term owners, and 10+ years of operation are good signals.

8. Clear pricing

Per location? Per user? Per guest? Commitment periods of 3 to 5 years? Ask for a binding offer that includes all price elements.

Frequently asked questions about visitor registration

What is visitor registration?

Visitor registration is the process of documenting who arrives and leaves a business’s premises. It can be done paper-based with a visitor book or digitally with a cloud-based visitor management system. The registration typically includes the guest’s name, company, contact person, arrival time, and departure time — and serves as documentation for security, evacuation, GDPR compliance, and HSE.

Is visitor registration required by law in Norway?

There is no single law that requires all companies to register visitors. However, several regulations create indirect requirements: the Working Environment Act §3-1 requires an overview of who is in the building during evacuation, the Internal Control Regulations require documented HSE routines, security-approved companies are obliged to have access control, and the NIS2 Directive requires access logs for critical infrastructure.

What rules apply to visitor registration under GDPR?

Visitor registration involves the processing of personal data, and the GDPR fully applies. This means that the business must: have a legal basis (typically legitimate interest or consent), inform visitors about the data processing, collect minimum data (data minimization), have automatic deletion after a defined time, and enter into a data processing agreement if you use an external provider. According to the Norwegian Data Protection Authority, paper-based visitor books where all guests can see each other's data are rarely GDPR-compliant.

How does visitor registration comply with the NIS2 directive?

NIS2 requires critical infrastructure businesses to have documented access control and traceability measures in place. A digital visitor system contributes to NIS2 compliance by providing: encrypted access logs, documented deletion in line with retention policy, integration with access control, and supplier transparency via data processing agreement.

What is the difference between paper-based and digital visitor registration?

Paper-based guestbooks are easy to set up, but have significant weaknesses: all guests can read each other's data (GDPR violation), deletion is not automatic, there are no automatic notifications to hosts, and the evacuation list must be handled manually — often physically at the reception desk. Digital visitor registration solves all of these problems through encrypted storage, automatic deletion, SMS notification, and evacuation list on mobile accessible from anywhere in the building.

How long can we store visitor data?

There is no set deadline in the law, but the GDPR principle of storage limitation applies: you should not store longer than necessary for the purpose. For typical visitor registration, 30–90 days is recommended, longer only if you have specific security or audit needs. onVisit supports configurable storage time with automatic deletion.

What does the Norwegian Data Protection Authority say about visitor registration?

The Norwegian Data Protection Authority has stated that the business receiving visitors is the controller of the visitor registration, while the provider of a visitor system is the data processor. The Norwegian Data Protection Authority has also concluded that paper visitor books where guests can see each other's data are normally in breach of the GDPR. The legal basis is typically legitimate interest (security, evacuation), not consent.

How is visitor registration used in evacuation situations?

In the event of a fire or other evacuation situation, the fire manager must know who is in the building — both employees and guests. A digital visitor system generates an evacuation list in real time, available on mobile for fire managers and guards. The list is automatically updated when guests check out.

Can visitors register from their own mobile?

Yes. Modern visitor registration supports QR code-based check-in: a QR code at the reception or on the front door is scanned with the guest's own phone, the registration form opens in the browser, and no app is required.

Is consent from the visitor required?

Usually not in the GDPR sense. The legal basis for visitor registration is typically legitimate interest, not consent. This is recommended by the Norwegian Data Protection Authority, because consent can hardly be voluntary when registration is a condition for access.

Ready for digital visitor registration?

We show you how onVisit solves GDPR, NIS2 and HSE in one flow. 30 minutes, no obligations, tailored offer within 24 hours.
