New Requirements for Data Centers in the New Electronic Communications Act

Background

On 12 April 2024 the Ministry of Digitalization and Public Governance presented a new Electronic Communication Act (the “ECA”) and an associated Electronic Communication Regulation (the “ECR”). Subject to parliamentary adoption, the ECA and the ECR impose new legal requirements on data center operators, such as a registration obligation, a general restriction on use obligation and obligations to meet certain minimum security standards. The obligations are subject to penal provisions and may increase the data centers’ operational costs.

Which data centers and operators are affected?

The obligations of the ECA and the ECR apply to data center operators. Data center operators are persons or companies that (i) provide third parties with access to data centers through the offering of services and physical space for payment or (ii) own, rent or operate one or more data centers that have a total electricity consumption capacity of at least 1 MW.[1] For regulation purposes, a data center is a structure, part of a structure or a group of structures that is used to house, connect or operate IT and network equipment for data processing, storage and/or distribution as well as related activities.

Thus, the new requirements firstly extend to providers of so-called colocation data centers that offer services such as physical storage or security, electricity, cooling, surveillance and analytics, network access and IT infrastructure services (e.g. wholesale data center rentals and data center as a service providers). Secondly, they extend to owners, lessees or operators of one or more so-called hyperscale data centers (e.g. Google, Amazon, Meta etc.) that offer digital services such as cloud services, software services or crypto mining from one or more physical facilities with a total potential electricity consumption of at least 1 MW.

It is worth noting that the actual operations of the IT and network infrastructure for storage, processing and transfer, as well as the operation of other digital services, produced in the data center are excluded. Moreover, several persons or companies operating out of the same physical data center can be considered a data center operator as either owner, lessee or service provider from the same data center.

The new requirements

Registration obligation

Data center operators are obligated to register electronically with the National Communication Authority. Operations can commence once the registration has been submitted. The data center operator is required to update changes to registered information no later than two weeks after the change occurred.

The registration shall include information such as the operator’s name, Norwegian or EEA registration number, Norwegian or EEA address, website, the physical location(s) of the data center(s), contact person and his/her contact information, description of offered services, list of state, county and municipality entities that are customers, an estimate of the percentage of power usage utilized for crypto mining and estimated commencement date.

Minimum usage and security standards

The ECA and ECR oblige data center operators to offer and maintain data center services with reasonable security levels during times of peace, emergency and war. Under this obligation, data center providers must maintain reasonable emergency preparedness and prioritize important societal actors if required. The data center provider will need to cover the associated costs of this obligation.

The term “reasonable” is understood as an obligation to keep data centers and services operational, and that the integrity, authenticity and confidentiality of the data center and its associated services must be protected. Moreover, the data center operators shall effectuate necessary measures to ensure availability of data center services during force majeure events, e.g. during natural disasters, war and terrorism. When assessing what security and preparedness measures are reasonable, one shall inter alia consider best available technical solutions and practices, proportionality between costs and effect and the data center service’s significance.

To ensure compliance with the minimum-security standard, the data center operators are obliged to establish, maintain, assess and document the existence of certain security and preparedness routines and systems. This includes a safety management system, risk and vulnerability assessments, basic safety measures (barriers, detection, verification and reaction measures) and preparedness planning and drills.

The Norwegian Communication Authority can instruct the data center operator to prioritize important societal actors during recovery after shutdowns and to carry out a security revision to be executed by an independent and qualified third party. Where several data center operators operate out of the same data center, it is uncertain whether they may combine efforts to satisfy some of the mentioned security measures.

Restriction on use obligation

The Norwegian Communication Authority can direct data center operators to impose usage restrictions on data center services insofar as it is necessary to protect national security interests or other important societal interests. Potential usage restrictions may include the withdrawal of services to specific customers insofar as such a withdrawal is considered proportional. The data center operator is also obligated to impose necessary usage restrictions of its own volition in emergency situations that involve serious threats to life or health, national security or public order.

Other rights and obligations

The proposed ECA and ECR also encompass other rights and obligations for data center operators. These include:

  • The data center operator may require a certificate of good conduct issued by the police from employees and other service providers that will have access to the data center.
  • The data center operator must notify the Norwegian Communication Authority of substantial security incidents which have resulted in breaches in availability, authenticity, integrity or confidentiality of the data center and its services.
  • The Norwegian Communication Authority can inspect the data center operator’s compliance with the minimum-security standards.
  • The data center operator may be required to cover the Norwegian Communication Authority’s costs of inspection and administration of the ECA and the ECR.

[1] Please note that the 1 MW threshold is currently under review by the Ministry of Digitalization and Public Governance and may be subject to changes.

Magnus N. Ryenbakken

Amund Berthelsen Erdal