The Norwegian Ministry of Local Government and Regional Development has proposed changes in the Norwegian Electronic Communications Act and the Norwegian Electronic Communications Regulations to implement legal requirements for data centers. The Ministry proposes, inter alia, that data centers will be required to register and comply with a set of security requirements. This proposal has been submitted for consultation, and the deadline for contributions is 9 September 2022. The proposal is expected to be presented to Parliament during the autumn.
There are currently few specific requirements for data centers under Norwegian law. However, in light of rising concerns regarding cybersecurity and new digital threats, the Norwegian Government has expressed that the national digital infrastructure should be strengthened to ensure safe and flexible solutions across the country. Data centers deliver many essential services such as energy management, mobile services, payment services, health and welfare services, TV and radio distribution as well as emergency communications. Thus, the dependence on data centers makes our society vulnerable as a potential shutdown in the digital infrastructure may affect essential functions.
In the Norwegian Electronic Communications Act § 1-5, the Ministry proposes to include new definitions of data centre, data centre service and data centre operator. The definition of data centre is proposed to be far-reaching and to include everything from a single data room to "hyperscale" data centre facilities.
Further, the definition of a data centre service will refer to services that are offered from a physical data centre, often referred to as a "colocation data centre". Also, this definition will be quite wide-ranging and include services such as infrastructure-as-a-service, platform-as-a-service and software-as-as-service, but also associated services linked to the physical data centre such as power supply, cooling, physical security and access control.
The most interesting point is perhaps the definition of a "data centre operator" which will be a natural or legal person that operates a data centre or provides data centre services in Norway. The Ministry has stated that the definition will also include data centers dedicated to cryptocurrency mining.
New registration requirement
A new provision in the Norwegian Electronic Communications Act is proposed under which all data center operators will be required to register. The purpose is to ensure supervision and control by relevant authorities of providers of electronic communications services and networks. However, the requirement is only to register the operations as such, and it will not be necessary to obtain permission or license from the authorities. The registration can be completed electronically with the Norwegian Communications Authority (Nkom), which is also the supervisory authority.
The registration requirement is further specified in the Norwegian Electronic Communications Regulations. Here it is proposed that an obligation for the operators to inform the authorities about who their customers are is established. This is proposed to ensure that the authorities have an overview of data centre customers which provide essential functions and services (e.g., financial services such as banks). Additionally, it is proposed that the registration includes an estimate of the percentage share of the power consumption to be used for cryptocurrency mining.
New security requirements
The Ministry also proposes security requirements for data centers based on the obligations that apply to electronic communications networks and services. These security requirements are even proposed to be implemented in a separate chapter of the Norwegian Electronic Communications Regulations.
First, it is proposed that data centers shall have proper security. The term "proper" means that the data centre and services must be available, and that integrity, authenticity and confidentiality shall be protected. Furthermore, the data centre operator must maintain adequate contingency plans for the data centre and related services. This includes, inter alia, that data centre operators are to implement necessary measures to ensure service availability also in the event of any force majeure incidents.
Moreover, the proposed provisions also require systematic follow-up of the security and contingency related to the data centre services, and the operators shall retain documentation of security assessments. Data centre operators will also be required to consider additional measures if a technical solution has known weaknesses, and the more essential the functions and services provided through the data centre are the stricter the requirements will likely be.
Furthermore, the Ministry is of the opinion that security routines for control of employees are necessary to reduce potential risks of insider threats. It is thus proposed that data centers with significant importance to the security of networks or services may ask employees for a police certificate of conduct. The purpose is to enable data centre operators to prevent unfit personnel accessing information, equipment and systems in the data centre.
Permitted restrictions on use
As for ecom providers the Ministry holds that in some cases there may be a need for data centre operators to implement necessary and proportional restrictions on use. Hence, the Ministry has proposed that the authorities may order the data centre operators to implement certain restrictions on use because of national security and important public interests. There will, however, be a high threshold for giving such orders as customers may lose crucial data centre services for a period. In addition, it is proposed that the data centre operators shall be obligated to implement necessary restrictions on use in case of emergencies which involve threats to life or health, security or public order, or networks or services.
Takeaways and how to prepare
The proposed legal requirements are nuanced and apply differently depending on what kind of customers the relevant data centre operator may have. However, it seems inevitable that data centre operators with activities in Norway must update contingency plans and evidence their digital security, and eventually assess which measures may be needed to mitigate any identified weaknesses. In this way, data centre operators will be better positioned for the new requirements to be passed through the Parliament, and subsequently to actually implement the measures that will be necessary and legally required.
This article is intended to be a general summary of the law and does not constitute legal advice. Consult with counsel to determine applicable legal requirements in a specific situation.