The European Commission has got information on the official website (ec.europa.eu):
The Norwegian Data Protection Authority (Datatilsynet) has made public a list of processing activities that we consider likely to result in a high risk to the rights and freedoms of data subjects and that always will require a DPIA. Such an assessment must be carried out before the processing of personal data is initiated.
The Norwegian Data Protection Authority has developed guidelines to help organisations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation.
We have among others cooperated with security professionals and software developers in public and private sector to create the guidelines.