Regulation of Data Centers in Norway – Focus on Security and Preparedness
The Regulation on Data Centers (Data Center Regulation) came into effect on January 1, 2025, in Norway. The Data Center Regulation represents a significant change in the regulation of data centers in Norway, with focus on security, preparedness, and registration. The regulation requires data center operators to ensure compliance with the regulation’s requirements both by the operators themselves and by those performing work for them. As non-compliance may result in fines, data center operators should immediately ensure that their businesses comply with the regulation’s requirements.
One of these requirements is the registration obligation. Data center operators must register with the Norwegian Communications Authority (Nkom) before commencing operations. The Data Center Regulation requires various information to be registered, including details such as name, organization number, address, and information about services and power consumption. The registration requirements must be fulfilled by existing operators by July 1, 2025.
The Data Center Regulation also imposes requirements on the security and preparedness of data centers, including requirements for the establishment, compliance, training, quality assurance, and documentation of a security management system, and requirements for risk and vulnerability assessments that must be able to identify organizational, physical, logical, and human security measures. Data center operators must ensure adequate security in data centers through fundamental measures such as barriers, detection, verification, and reaction measures, and the basic security measures must be developed, implemented, and maintained. Data center operators must also plan and document additional measures and have a plan to restore an adequate security level. Furthermore, the regulation sets minimum requirements for securing information, information systems, and management systems, and requires emergency plans and exercises to ensure adequate security in the data center.
The Norwegian Communications Authority (Nkom) supervises compliance with the Data Center Regulation and have the authority to impose fines. The size of the fines depends on factors such as the operator’s culpability, the severity of the violation, and the company’s turnover. Nkom may also require data center operators to carry out security audits and demand national autonomy in crisis situations. If significant breaches occur that affect the availability, authenticity, integrity, or confidentiality of the data center or its services, such breaches may have to be reported to Nkom and the customers.
To strengthen national security and crime prevention, the Ministry of Digitalization and Defense has already proposed some amendments to the Data Center Regulation. According to the proposal, data center operators must have updated customer information, and operators may be required to disclose the information to Nkom, the National Security Authority (NSM), the Police Security Service (PST), and the police when necessary to prevent or avert criminal acts or safeguard national security. It has also been proposed that foreign operators must have local representative in Norway that must be able to physically appear. The representative shall also have the necessary authority and knowledge to follow up on inquiries from authorities, including orders to disclose information.