Data Centres – The new act relating to Electronic Communications

On 12 April 2024, the Norwegian Ministry of Digitalisation and Public Governance (the "Ministry") submitted a proposal for a new act relating to Electronic Communications ("Proposal"). The Proposal will provide a framework for the electronic communication sector, including the data center industry, for years to come. In this article, we will take a closer look at the effect of the Proposal on data centers.

• Definitions: The Proposal includes a clarification of key terms such as "data center", "data center service" and "data center operator". 
• Registration and security requirements: The Proposal introduces mandatory registration for data center operators as well as security requirements to safeguard against threats to national security and ensure the resilience of essential digital infrastructure. 
• Police certificate: Data center operators may require extended police certificates for individuals in sensitive positions such as employees or job candidates, or for a supplier's employees.
• Restriction on Use: The Ministry may mandate data center operators to implement "use restrictions" during emergencies or against certain threats.

There are currently few specific legal requirements for data centers and none in the act relating to Electronic Communications (the "Act"). The data center industry is a fast-growing industry and is the basis of Norway's national digital infrastructure. A solid legal framework is therefore important to ensure safety and stability. At the same time, it is important to avoid regulatory burdens which may be less attractive for foreign investors.

Definitions

A company will have to consider whether it is subject to the scope of the Proposal. It is therefore necessary to become familiar with the following suggested definitions.

"Data center" is a facility, part of a facility, or group of facilities that are used to accommodate, connect, and operate IT and network equipment for data storage, data processing, or data transmission, and related activities. 

This definition is far-reaching and includes everything from a single data room, co-hosting facilities, edge data centers and "hyperscale" data center facilities. The definition is not, however, supposed to cover cloud services or digital services which are at a data center. 

"Data center service" is a service that facilitates the accommodation, connection, and operation of IT and network equipment for data storage, data processing, and data transmission. This includes physical security, power, and cooling, and may include other related services. However, the operation of the IT and network equipment for data storage, data processing or data transfers are not covered by the definition, e.g. digital services and cloud services. 

"Data center operator" is a physical or legal person who offers others access to data center services for a fee, e.g. a co-location data center. This also includes a person who operates or rents a data center, including for their own business, with a subscribed electrical effect over a specific threshold (this threshold will be determined by the Ministry in a regulation). The purpose of the limitation is to ensure that the Act targets major players operating data centers and data center services that have a significant critical importance, while smaller players are not included. Any data center operators that manage and operate several smaller data centers which, in total, exceed the threshold value for subscribed power will nevertheless be included. 

Duty to register, security requirements 

The Proposal includes a registration requirement for data center operators. This does not, however, involve a consent or approval arrangement, and the purpose of the requirement is to provide the authorities with an overview of data center players, including contact information. 

Data center operators are also required to offer and maintain data center services with proper security, with additional details to be set out in a regulation. The data center operator is to maintain proper preparedness and, if necessary, give important customers priority. The relevant authority may make individual decisions to ensure that the data center operator implements measures that provide adequate security and preparedness. For instance, the relevant authority may decide that customer data is separated with any costs associated in doing so to be borne by the data center operator. 

In the assessment of what is considered adequate, emphasis is placed on the ability to withstand any event that results in, or may result in, breaches of availability, authenticity, integrity, or confidentiality in data center services. The proper security level becomes stricter the more important the services the data center carries but shall be proportionate and strike a balance between the level of security and costs for the operator. The data center operator must therefore be aware of what services their customers produce to be able to assess the sufficiency of the security of the facility and data center services.

Certificate

Data center operators may require that individuals present an extended police certificate. This can be requested for those who have been offered or are nominated for a position where they will have access to electronic communication networks, accompanying facilities, data centers, equipment, systems, or information of significant importance to the security of the network or services, confidential information or for other reasons of a particularly sensitive nature. Such a certificate may also be required from employees of suppliers. However, a certificate cannot be required from existing employees unless the employee receives new assignments which give a justifiable reason for the certificate. 

Restriction on use

The relevant authority may require a data center operator to put in place restrictions on the use of data center services for the sake of national security or other vital public interests. In addition, data center operators are required to carry out restrictions on the use of data center services during emergencies which may constitute a serious threat to life or health, national security or public order, or risk of sabotage.

The proposed rules will likely impact various types of data centers, either internal data centers that have only one user, or large, commercial data centers with hundreds of customers. Data center players, its value chain and service providers (security, power, cooling, etc.) need to be prepared and must evaluate whether they are  subject to the new requirements and what steps they need to take to comply. The new rules will likely enter into force on 1 January 2025.