The Data Centre Industry in Norway – Opportunities, Challenges and New Regulation

Norway has emerged as an attractive destination for the establishment of data centres, and interest has increased significantly in recent years. In an increasingly tense security policy environment, the data centre industry plays a key role in strengthening digital sovereignty, cybersecurity and national preparedness.

However, the development is not without challenges. Data centre establishments are highly energy-intensive, and a number of stakeholders have raised questions as to whether there is sufficient focus on ensuring that data centres are used for purposes that benefit society and what strain they place on the power system.

In this newsletter, we provide an overview of the latest developments relating to the data centre industry in Norway and what they mean for industry stakeholders.

1. A national licensing system for data centres - what's on the table?

1.1 Where things stand today

Norway's data centre market is growing fast, but there is no national framework to coordinate where or how many data centres are built. Today, it is up to each municipality to decide whether to approve new establishments, with no overarching strategy in place. If this continues unchecked, power consumption from data centres could jump from around 2 TWh today to 8-10 TWh by 2030.

Against this backdrop, a proposal was made in November 2025 by certain political parties, calling for a national licensing scheme and a ban on data centres used for cryptocurrency mining.

Based on the proposal, the Norwegian Parliament's Energy and Environment Committee made a recommendation to the government on 26 February 2026. The recommendation did not include the implementation of a national licensing scheme, and instead recommended the government to:

(i) Carry out a broad assessment of the societal value of data centre establishments – looking at employment, value creation, security and the impact on the power system.

(ii) Propose a ban on data centres dedicated to cryptocurrency operations.

The recommendation does not imply an immediate change to the regulatory framework for data centres. However, it indicates that changes may be implemented including relating to assessment of the location of data centres, the impact on the power system, the data centres' purpose and the data centres' social value. It is currently unclear which amendments to the regulatory framework the recommendation may lead to and when such amendments will be implemented.

1.2 What are the arguments on each side?

Supporters of a licensing scheme point to the lack of national coordination, meaning there is no way to ensure that electricity and land for data centres are used where they deliver the most value. As of March 2026, data centres account for around 5,360 MW out of a total capacity queue of 10,882 MW – nearly half – and that share is expected to grow.

On the other side, critics warn that adding a licensing layer could make Norway less attractive for data centre investment. The industry already faces significant regulation following the new Electronic Communications Act and Data Centre Regulation, both of which took effect on 1 January 2025. Further requirements could create uncertainty and put Norway at a disadvantage compared to neighbouring countries like Sweden and Denmark.

2. Which Security requirements already apply to data centres?

2.1 The Data Centre Regulations

On 1 January 2025, data centre operators in Norway became subject to the Electronic Communications Act (ekomloven) for the first time. This marked a significant regulatory shift, as data centre operators were for the first time subject to specific statutory requirements relating to adequate security, emergency preparedness and a mandatory registration obligation with the Norwegian Communications Authority (Nkom).

The key provision is Section 3-7 of the Electronic Communications Act, which imposes the following obligations on data centre operators:

(i) a duty to register with the relevant ministry before commencing operations;

(ii) an obligation to offer and maintain data centre services with adequate security for users in peacetime, crisis and war, and to maintain adequate emergency preparedness, with priority given to critical societal actors as needed; and

(iii) a duty to systematically monitor security and emergency preparedness and to document an adequate level of security, taking into account, inter alia, the ability to withstand any event that causes or may cause a breach of availability, authenticity, integrity or confidentiality, best available technical solutions, recognised standards, the cost and benefit of measures, and the significance of the data centre service.

These requirements are further detailed in the Data Centre Regulations (datasenterforskriften), which set out specific obligations relating to security management, risk and vulnerability assessments, basic security and damage mitigation measures, security plans, contingency plans, exercises and incident notification.

2.2 Nkom's inspection findings

In autumn 2025, Nkom conducted a mapping inspection of 17 data centre operators. The findings indicate that data centre operators generally assess themselves as performing well in the categories of security culture, overall asset mapping and ICT mapping. However, the categories of "servers and clients" and "verification and security monitoring" were identified as having the greatest potential for improvement across the majority of operators and are areas where several operators should implement measures to enhance their security posture.

It is noteworthy that the inspection was conducted in accordance with the National Security Authority's (NSM) basic principles for ICT security, with self-reporting carried out through NSM's cyber check tool. This means that data centre operators should actively utilise these guidelines and tools in their efforts to comply with the security requirements applicable to their operations.

3. Our advice to data centre operators

(i) Monitor regulatory developments closely, as the regulatory framework is evolving and further changes may occur in the near term.

(ii) Ensure compliance with the registration obligation under Section 3-7 of the Electronic Communications Act before commencing operations. Data centre operators should familiarise themselves with the specific obligations set out in the Data Centre Regulations, including requirements relating to security management, risk and vulnerability assessments, security plans, contingency plans, exercises and incident notification.

(iii) Actively utilise the National Security Authority's (NSM) basic principles for ICT security and NSM's cyber check tool as part of ongoing security and emergency preparedness efforts. These guidelines and tools provide a practical framework for documenting an adequate level of security as required under the Electronic Communications Act, and operators should ensure that their security posture is continuously monitored and updated in accordance with best available technical solutions and recognised standards.

Contact us

We have extensive expertise in the energy sector, including the regulatory framework applicable to critical infrastructure, and security and emergency preparedness regulation. We regularly advise energy sector participants on the legal and regulatory challenges arising in these areas, including grid connection, licensing, security obligations and regulatory compliance. Please do not hesitate to contact us if you have any questions.