Insights
Home / Insights / M&A and regulatory insights for Norway's Data Center Industry

M&A and regulatory insights for Norway's Data Center Industry

The Norwegian Parliament has enacted a new law on electronic communications (the Ecom Act), which took effect on 1 January 2025. For the first time, the law introduces requirements aimed at data centers. A regulation specific to data centers was also effective on 1 January 2025.
| Article | Written by Espen Tøndel , Stian Alexander Slaatta , Øystein Nore Nyhus , Øyvind Akerholt , Torunn Hellvik Olsen and Maria Alme Jensen
Teknologi_8

The Norwegian Parliament has enacted a new law on electronic communications (the Ecom Act), which took effect on 1 January 2025. For the first time, the law introduces requirements aimed at data centers. A regulation specific to data centers was also effective on 1 January 2025.

This entails that data center operators must adapt to new regulatory requirements, which include:

  • Registration obligation
  • Usage restrictions in emergency situations
  • Security requirements

Some more details

Registration Obligation: To provide the Norwegian Communications Authority (Nkom) with a better overview of the data center industry and the ability to supervise compliance with data center regulations, a registration obligation is introduced. Data center operators are required to register with the regulator before commencing operations. There is no approval procedure involved and from the time a data center operator is registered it can commence operations.

It is important to note that the registered legal entity must be a Norwegian legal entity or a legal entity in any other state within the EEA[1] registered in a public business register. Businesses outside the EEA can register a branch of a foreign legal entity if that is more convenient than establishing a separate Norwegian legal entity.

In the data center regulations,[2] the threshold value of 0,5 MW (megawatt) represents the minimum amount of power that a data center must have to be subject to the registration obligations.

As part of the required registration information, the data canter operator must provide the contact information of a representative who can physically meet with the authority and has knowledge to follow up on inquiries from the authorities.

An interesting piece of information that must be submitted in the registration is: [an] estimate of the percentage share of power consumption to be used for cryptocurrency mining”.[3] This aligns with the government’s declared intention to not allow data centers to mine crypto currency in Norway.

The registration obligation applies to all new data centers, but also to those existing as per 1 January 2025. The latter must register by 1 July 2025.

Permitted Usage Restrictions: In emergency situations that pose serious threats to life, health, national security, or public order, or in the event of a risk of sabotage, the authorities may impose necessary usage restrictions on the operators of the data centers.

Security Requirements: Data center operators must provide services with adequate security during both normal operations and emergencies. The authorities may require operators to implement specific security measures, the costs of which must be covered by the data center operator themselves. In cases where the measures ensure national security needs, the data center operator is entitled to compensation for any necessary additional costs. Additionally, further security requirements may be specified in regulations. This may include, among other things, that the data center operator must have an available representative with the necessary knowledge about the data center and maintain updated lists of its customers and their locations in the data center.

Who do the requirements apply for? The requirements will apply for operators of data centers, including enterprise-internal data centers, co-location data centers, and data centers that mine crypto. Operators of data centers are defined as any “natural or legal person who (…) offers others access to a date center service for a fee,” or “operates data centers with a subscribed electrical power over a threshold value”.[4] Data center services are defined in the act as «a service that facilitates the placement, connection, and operation of IT and network equipment for data storage, data processing, and data transmission. The service additionally includes physical security, power, and cooling and may include other related services.»[5]

The preparatory works indicate the new act is not intended to cover cloud services and data center services produced in the data center. However, it will be subject to further deliberation whether other providers, such as companies offering relevant storage and hosting services, should also be subject to the requirements.

New developments since 1 January 2025

Consultation paper on the data center regulation
The Ministry of Digitalization and Administration issued a consultation paper on 29 January 2025 regarding changes to the existing data center regulation, with a deadline for consultation replies by 28 March 2025.

The main purpose of the proposed changes is to facilitate crime prevention and ensure national security. The proposals aim to ensure that the authorities have access to necessary information and a better ability to implement necessary measures to prevent, avert, stop and investigate crime, as well as manage the loss of data center services that are significant to society. At the same time, the industry’s need for appropriate and predictable framework conditions should be safeguarded.

The proposed changes to the data center regulations introduce several significant obligations for data center operators:

  1. Updated Customer Information: Data center operators are required to maintain updated information about their customers, including names, contact details, and, where applicable, the physical location of customers’ equipment within the data center. This is considered necessary in light of today’s geopolitical security situation and the increase in digital crime.
  2. Information Disclosure: Operators must provide customer information to various authorities, such as the police, the Norwegian Security Service (PST), the National Security Authority (NSM), and the Norwegian Communications Authority (Nkom), under specific conditions.
  3. Response Time Requirements: There are specific requirements for how quickly operators must respond to requests for information or assistance from authorities, both during and outside of normal working hours.
  4. Building Ownership Information: Operators must register the name of the building owner where the data center is located, as part of their registration with the Norwegian Communications Authority.
  5. Penalties for Non-compliance: Operators may face penalties for failing to comply with these obligations, including maintaining updated customer information, providing information to authorities, having a physical representative, and meeting response time requirements.
  6. Available Representative in Norway: The requirement for an available representative in Norway as mentioned above is proposed to be more stringent. The representative must be present in Norway and have the necessary knowledge to follow up requests from the authorities.

It remains to be seen if all these requirements will be in be final regulation, but it should be expected.

Energy and building permits

Energy and grid connection
With a renewable energy share of almost 100%, Norway is an attractive country for the establishment of green industry. Electricity prices and good access to renewable energy have led to a large increase in new green industry establishments in Norway in recent years.

According to the Energy Act, new industrial players’ needs for electrical energy must be clarified with TSO Statnett. The grid connection process starts with the local grid operator. In the vast majority of cases, new grid customers will be connected via a local or regional grid operator. It will normally only be relevant to consider connecting directly to the transmission grid when connecting major power exchanges (in the order of 300 MW and upwards).

From 1 January 2025, new rules have been introduced for reserving grid capacity based on project maturity.  Maturity is about how likely it is that the project will be realized. The maturity criteria are now laid down in regulations. The grid operator must assess the project’s maturity when the project applies for capacity. Furthermore, the grid operator must assess the project’s progress on an ongoing basis in order for the project to retain its place in the capacity queue.  The new rules also apply to projects that have reserved capacity prior to 2025.

Zoning and building permits

Data centers normally require a zoning plan and building permit under the Planning and Building Act. The municipality is the zoning authority. The industrial land use category allows for data centers, as does the category “other commercial”.  From 1 July  2025 “data center” will be introduced as a separate land use category.

Areas that have already been set aside for industry or business in the municipal land use masterplan is normally easier to be zoned for data centers.

The use of surplus heat from data centers as a supplement to district heating etc. is a topic in many municipalities. This is a consideration that can be emphasized when zoning new areas for the development of data centers. Possible requirements for the use of surplus heat are being discussed nationally.

Our competence

There is an enhanced focus on the increasing importance of renewable energy in data centers due to their significant energy consumption. As data centers expand, driven by AI and digital services, integrating renewable energy sources like solar, wind, and hydropower is becoming crucial to address sustainability concerns and meet ESG criteria. Since Norway has most of its energy sources from hydropower it is becoming very attractive to build and invest in data centers in Norway, thus we see an increased activity in M&A within this sector. Both Norwegian investors and international investors (e.g. large infrastructure funds) are in the market for both greenfield and brown field projects.

Reports show that the M&A activity in the data center sector has significantly increased, with financial acquisitions by investment funds and financial sponsors expected to be particularly active over the next 24 months. Major tech companies, institutional investors, and financial sponsors are heavily investing in data centers. These investors are drawn by the strong demand for AI-driven infrastructure, cloud services, and the long-term growth potential of the sector. Partnerships with specialist data center operators and

Partners at Simonsen Vogt Wiig have been involved in both brownfield and greenfield data center projects in Norway and M&A related thereto. Beside the M&A competence we have in depth expertise on permitting, especially in relation to planning- and building law, energy law and electronic communications law and the “fresh from the mill” regulation.

 

[1] The European Economic Area consists of the EU member states in addition to Norway, Lichtenstein and Iceland.

[2] FOR-2024-12-18-3313 Section 1-2.

[3] FOR-2024-12-18-3313 Section 1-3 second paragraph no. 9.

[4] LOV-2024-12-13-76 (the Ecom Act) Section 1-5 no. 38.

[5] The Ecom Act Section 1-5 no. 37.