Proposed Changes to the Norwegian Data Center Regulation

24 Feb 2025

New rules for data center operations 

On January 1, 2025, the first set of rules specifically aimed at the data center industry in Norwegian law entered into force. The obligations are implemented in the new Electronic Communications Act, in the new section 3-7, as well as in a separate Data Center Regulation, which entered into force at the same time. 

The new rules include, inter alia, a registration requirement for data center operators with the Norwegian Communications Authority (Nkom), as well as a number of requirements related to security and emergency preparedness.

The newfound willingness and intent to regulate this sector does not, however, appear to stop there. Only 30 days after the new rules entered into force, the government presented a new consultation paper, proposing further amendments and additions to the Data Center Regulation. The proposals are put forward in accordance with the new section 3-7 (5) of the Electronic Communications Act.

In this legal update, we provide a brief presentation of the latest proposed changes; but first, we will provide a short introduction to the context of the changes, and why this has become a new legislative focus area in Norway.   

What's a data center and a data center operator? 

Section 1-5 nr. 36 of the Electronic Communications Act defines "data center" as "a facility, part of a facility, or group of facilities, used for the placement, connection and operation of IT and network equipment for data storage, data processing or data transmission, and related activities" (our translation). In other words, a data center is a physical infrastructure where IT and network equipment is placed and operated, to store, process and transfer data. The infrastructure can also be said to be a "carrier" for a number of digital services. 

Furthermore, a "data center operator" is defined in nr. 38 as a "natural or legal person" that either 1) "offers others access to data center services for a fee", or 2) "operates a data center with a subscribed electrical power above a given threshold value" (our translation). The term thus covers both operators that make data center services available to others, and those that only operate internal data center operations. 

The need for regulation

As the world becomes increasingly data-driven, and Norway has become known as an attractive and convenient location for data centers, the scale of data center operations has grown exponentially in Norway in recent years. Today, many critical business functions are linked to these centers, and many of them have access to and store a lot of critical information for society, either through the data flows from their customers, or from the data center operator's own business. This, however, has made these infrastructures attractive targets for cyber-attacks and other types of crime.

Norwegian legislators have therefore seen an increasing need to more specifically regulate this sector, to better ensure the robustness, operation and integrity of these critical infrastructures. The new section 3-7 in the Electronic Communications Act and the Data Center Regulation therefore include requirements for data center operators to establish prudent security levels in their infrastructures, through proportionate and adequate security measures, to ensure the stability and protection of the operations.

Suggested amendments

The latest proposals presented by the government on 30 January mainly aim to further strengthen the relevant authorities, such as the police, the Norwegian Police Security Service (PST), the National Security Authority (NSM), and Nkom, in their work on fighting crime and safeguarding national security in relation to data center operations. 

Firstly, it is proposed that an obligation be imposed on data center operators to have updated information about their own customers' names and contact details readily available. Where relevant, the operator must also have an overview of where in the data center the various customers' physical equipment is located.

Secondly, new rules are proposed for the disclosure of this information to Nkom, NSM, PST and the police, and the prosecutor's office. The obligation to disclose customer information is intended to, among other things, strengthen the work on preventing, averting and stopping offenses associated with data centers, and to further ensure preventive security, robustness and incident management.

In addition to the above, it is proposed that a set response time for the operator be established in relation to inquiries from the authorities, as well as grounds to impose an infringement fee if the operator does not comply with the proposed obligations. 

Some further clarifications to the requirements for the data center operator's physical representative in Norway have also been proposed.

Implications of the proposed amendments?

The proposed changes do not appear to be very extensive or overly burdensome. For example, it is reasonable to expect that data center operators already have an overview of who their customers are and where their equipment is located in the infrastructure. This obligation will therefore probably have more organizational significance, as the information, with the proposed change, will have to be readily available in case it is requested. 

The right to disclosure for the proposed authorities and response time requirements also appear to be reasonable and natural extensions of the existing regulation, as such access and clear-cut response time expectations will contribute to more efficient and effective fulfillment of the purpose of the regulation. Response time may, however, entail some further efforts on the part of the data center operator.

The proposed changes are, however, as of now, only proposed changes, and stakeholders can provide their input, comments, or suggestions related to the proposed changes until March 28, 2025. Time will therefore tell if, and possibly how, data center operators' obligations will be expanded in the time to come. 

DLA Piper Norway has one of the country's best legal teams related to data center operations, and we have assisted, and continue to assist, a number of major players and operators in the industry. If you have any questions or would like advice on any of the new and/or proposed requirements, please contact Line Voldstad (Regulatory) or Magnus Lutnæs (Real estate).