Data Centre Regulation

On 1 January 2025, the Norwegian Government adopted a new regulation on data centres. Until that point, there had been no comprehensive regulatory framework governing data centre operations in Norway, despite data centres becoming an increasingly important part of the digital infrastructure.

The Data Centre Regulation has changed how data centre operations must be established, documented, secured, and supervised in practice, and it has had significant practical implications. Among other things, it has provided the authorities with a complete overview of all data centres in Norway, strengthened security and preparedness, clarified the regulatory framework for investors and municipalities, and improved the ability to regulate power consumption and cryptocurrency mining.

The Government's data centre strategy, published on 27 June 2025, states that the data centre sector is considered critical digital infrastructure, further sharpening the focus on data centres. Below is an overview of the main content of the regulation and the practical implications it has for both new and existing actors in the industry.

What Is a Data Centre?

A data centre is a facility, part of a facility, or a group of facilities used to house, connect, and operate IT and network equipment for data storage, data processing, or data transmission, and related activities. This may range from a small room with a few server racks to enormous halls containing hundreds of cabinets.

Data centres are important because they enable the storage of vast amounts of data, the operation of applications and websites, data analytics, machine learning, and the delivery of cloud services to businesses and private individuals. Operating a data centre requires large amounts of electricity due to servers running 24/7 under high load. To avoid overheating, data centres must have advanced cooling systems, which are often as energy-intensive as the servers themselves. As a result, the total electricity consumption of a data centre is very high.

Electricity consumption in Norwegian data centres increased by 70% from 2024 to 2025 (from 1.64 TWh to 2.79 TWh, respectively), and consumption is expected to increase to between 4 and 9 TWh by 2030.

Background to the Adoption of the Regulation

In recent years, Norway has experienced rapid growth in the data centre industry. Data centres have evolved from a niche activity into critical infrastructure for everything from public services to banking, healthcare, industry, and everyday digital activities. Nevertheless, the regulatory framework has long been fragmented and not adapted to this type of business activity.

High energy consumption—driven in part by the AI boom—and increased pressure on the power system, combined with land use and local impacts, have created a need for clearer frameworks and greater predictability for both the industry and the authorities. In addition, security and preparedness have become particularly important in light of the current geopolitical situation.

The adoption of a dedicated data centre regulation was therefore an important step toward ensuring increased predictability and security for data centres in Norway.

Content of the Regulation

The Data Centre Regulation establishes a basic framework for the establishment, operation, and supervision of data centres in Norway. The most important elements are:

1. Registration Requirement

All data centres with subscribed electrical capacity exceeding 0.5 MW must be registered with the authorities. The purpose is to ensure an overview of who is behind the operations, where the data centre is located, and who is designated as the responsible contact person. This gives the authorities oversight of the actors involved, as well as the ability to conduct supervision and manage incidents.

2. Security and Preparedness

The regulation imposes extensive requirements relating to security and preparedness, including:

• Security management requirements: Data centres must establish systems for managing physical and digital security, including procedures for access control, monitoring, and operations.
• Risk and vulnerability assessments (RVA): The undertaking must regularly conduct risk and vulnerability analyses to identify threats, vulnerabilities, and potential consequences.
• Protection and preparedness: Requirements are imposed for contingency planning, handling of adverse incidents, emergency power supply, fire protection, and measures to ensure continuity of services.

3. Supervision and Right of Appeal

The authorities are granted legal authority to supervise data centres, require documentation, and impose necessary measures. A formal right of appeal is also established for undertakings subject to regulatory decisions.

Practical Implications

For existing data centres, the regulation requires operators to register within specified deadlines. In addition, they must document their security management systems and conduct risk and vulnerability analyses, which may necessitate upgrades to physical security and preparedness systems.

For new data centres, the regulation provides clearer frameworks that can contribute to greater predictability in planning and investment decisions.

Overall, the regulation will give authorities and local communities better oversight of where data centres are established and who operates them. This will improve the basis for assessing the impact of data centres on local infrastructure, the power grid, and the environment.

Similar Regulation Abroad

Norway is not alone in regulating data centres. Several countries have introduced, or are in the process of introducing, similar regulatory frameworks:

• The EU is developing regulatory frameworks for data centres through, among other things, the NIS2 Directive, which imposes requirements relating to cybersecurity and preparedness for critical infrastructure. The EU also has initiatives under the Energy Efficiency Directive aimed at improving energy efficiency and sustainability in data centres, including requirements for reporting energy consumption and environmental impact.
• Denmark has established strict requirements relating to energy consumption, cooling systems, and environmental impact.
• Germany has introduced requirements for energy efficiency, use of renewable energy, and utilization of waste heat. In addition, data centres are subject to strict security requirements under German IT security legislation.

Conclusion

The Data Centre Regulation marks a clear shift in how Norway regulates a sector that has rapidly become crucial for national security, digital value creation, and energy management. With a more comprehensive and predictable regulatory framework, authorities, local communities, and industry participants are better equipped to manage the growth of the data centre industry. At the same time, the regulation imposes higher requirements for security, preparedness, and documentation, which will affect both established and new actors in the years ahead.

The regulation aligns Norway with other countries that are tightening requirements for data centres and lays the foundation for a more sustainable and secure development of the sector. As the demand for computing power, artificial intelligence, and digital infrastructure continues to grow, the regulation will be a key instrument in ensuring that this growth takes place in a responsible and socially beneficial manner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.