4 An industry that contributes to a more secure and prepared Norway
Data centres in Norway contribute to critical digital services being produced domestically and help build a more secure and prepared digital Norway. The Government has set the following goal:
Data centres and data centre services shall contribute to Norway’s security and preparedness in times of peace, crisis and war.
4.1 Data centres – the heart of our digital infrastructure
Status
Data centres represent the heart of Norway’s digital infrastructure and is an integral part of our critical digital infrastructure. This infrastructure forms the basis for the ever-increasing use of critical internet services and cloud-based services within most sectors of society, such as public services, health services and banking and financial services. Data centres are also referenced in the white paper on total preparedness as one of the key services for managing crisis situations. Data centres are where data is stored and digital services are produced.
Most data centres are designed with redundancy and emergency systems to ensure high uptime and reliability. Data centres store and process large amounts of data that are essential for industry, the business sector, public authorities and individuals. Data centres are also venues where we process and store some of our most sensitive and strategic data, making both ownership and location crucial to security interests. A single interruption in the operation of a data centre can have significant consequences – from large financial losses to threats to public services and national security.
The infrastructure in data centres can also be misused for criminal activities and activities that threaten national security. The Norwegian police has found that cybercriminals and other threat actors who have the ability and willingness to commit crime against businesses, infrastructure and services can connect to data centres in Norway, and that data centres in Norway are used for criminal activities both domestically and against other countries.
The way forward
For Norway, as one of the most digitalised countries in the world, it is imperative to maintain adequate security and preparedness for its entire digital infrastructure. In the white paper National control and cyber resilience to safeguard national security (Meld. St. 9 (2022–2023)), the Government expresses the need to strengthen legislation in areas including digital security and data centres. As more sensitive data is stored in data centres, the threat environment is also becoming increasingly challenging. An increasing number of state and non-state actors are devoting considerable resources to attempt to disrupt the functioning of data centres or exploit the data processed there. Therefore, data centres need to be prepared.
The new Electronic Communications Act sets important requirements for adequate security and preparedness in data centres to safeguard Norway’s digital infrastructure in times of peace, crisis and war. The requirements for adequate security are evolving in line with technological developments and what is technically feasible. The requirements are also influenced by the services the data centre provides. The data centre industry in Norway is fairly new, but today, many essential services are provided by data centres. Dependence on data centres can pose a major societal vulnerability, as the loss or degradation of services may lead to significant challenges. The Government’s aim is to ensure that data centres and data centre services can manage situations outside normal operations and to enhance digital preparedness so that the digital infrastructure can be recovered if something fails.
The Ministry of Digitalisation and Public Governance regards Norwegian data centres as significant to national security interests and has designated them as a fundamental national function in terms of their capacity to store and process data within Norway. Some data centres are already subject to the Security Act, and more will be assessed in the future.
4.1.1 The most critical societal functions are provided from data centres in Norway or with allies
In the National Digitalisation Strategy and the white paper on national control and cyber resilience (Meld. St. 9 (2022–2023)), the Government emphasised the importance of being able to deliver critical data centre services from Norway or allied countries. Furthermore, in 2024, the Government appointed an Expert Committee for National Control of Critical Digital Communications Infrastructure (Electronic Communications Security Committee). The Electronic Communications Security Committee prepared a report recommending measures to strengthen control over critical digital communications infrastructure, including data centre capacity. To ensure that Norway can protect critical services and information, it is not only necessary to have sufficient data centre capacity, but also to ensure that the data centres from which these services are delivered are secure. At the same time, the current security policy situation has demonstrated how vital it is to maintain a robust digital infrastructure, including geo-redundancy and the ability to migrate data centre services out of the country on short notice. Similarly, allied countries may wish to have their critical data services delivered from Norway. Ownership structures and an overview of entities that manage digital communications infrastructure are also significant for national control, and the Electronic Communications Security Committee highlights that digital communications infrastructure is made up of complex value chains that are subject to ongoing development.
4.1.2 Total Defence and critical needs
To ensure that the state can maintain control and freedom of action throughout the entire crisis spectrum, it is essential to have access to both proprietary and commercially operated data centres with an appropriate level of security.
The Total Defence must have access to data centre capacity under national technical and legal control in times of peace, crisis and war, with authorised personnel and central government oversight. Therefore, it is important to have data centres on Norwegian soil.
4.1.3 Preventing data centres in Norway from being misused for criminal purposes
The Government is committed to preventing data centres in Norway from being misused for criminal purposes. Another phenomenon observed in Norway is that state actors rent servers in data centres, under the guise of being legitimate businesses. They can use the servers they rent to compromise targets in both Norway and the rest of the world. The Ministry of Digitalisation and Public Governance will therefore ensure that the authorities are able to prevent, avert, stop, and investigate criminal conduct, as well as address the loss of data centre services that are important to society. Among other things, data centre operators should have access to up-to-date information about their own customers’ names and contact details, and on specific terms disclose such information to the Norwegian Communications Authority (Nkom), the National Security Authority (NSM), the Norwegian Police Security Service (PST), the police and the prosecution authorities. The purpose is to enable the authorities to carry out their tasks related to crime prevention. It will also help reduce the attractiveness of data centre misuse in Norway to criminal actors. At the same time, it is important to ensure the desired establishment and development of data centres in Norway and to provide appropriate framework conditions for the data centre industry.
4.1.4 Specification of requirements for the physical and logical security of data centres and documentation of an adequate level of security
Data centres underpin an increasing number of critical societal functions and values. Knowledge of relevant security assessments is therefore important when businesses are to procure data centre services. The thematic report Anskaffelse av datasentertjenester [Procurement of data centre services. Available in Norwegian only], prepared by Nkom and NSM in November 2024, is a helpful guide for businesses that need data centre services. Among other things, the report provides guidance on physical security and outlines the requirements that should be set for personnel with access.
The Government wants public and private enterprises to be more aware of the need to establish robust security requirements when purchasing data centre services, including requirements for physical security, personnel, and subcontractors. This is particularly important due to the risk of value chain attacks, which both NSM and PST have mentioned in their annual risk and threat assessments.
4.1.5 Assessments of critical societal functions’ use of data centres
The National Digitalisation Strategy includes the goal of strengthening digital security and preparedness. In a report on Norwegian data centres and digital autonomy, NSM recommends assessing where critical societal functions are produced. 4
The Ministry of Digitalisation and Public Governance has carried out assessments of critical societal functions’ use of data centres and will continue to conduct such assessments. The aim is to identify whether sectors and their redundancy are concentrated in a few data centres, and whether this poses a concentration risk in that several critical societal functions are dependent on only a few data centres.
4.1.6 Priority connection to the power grid in the interests of national security
Under the Energy Act, anyone who wishes to do so has the right to be connected to the grid, cf. section 5.1. Connections can only be made once the necessary grid investments have been completed, and in many areas, multiple actors are queued for access. The current Energy Act does not allow for national security interests to be given special priority in assessments of priority in the queue for connection to the power grid. The current security policy situation necessitates a legal basis with clear and predictable frameworks for prioritised connection to the grid when it is necessary in the interests of national security, such as the defence industry and critical societal functions.
The Government
- wants critical digital services to be able to be produced domestically, so that we achieve a more secure and prepared digital Norway
- wants critical societal functions to use data centres in Norway or with allies
- will ensure, with the new Electronic Communications Act, that data centre operators maintain an adequate level of security and preparedness, and that critical societal actors are given priority where necessary
- Wants the functions on which society is most dependent to be delivered from data centres in Norway or with allies and partners, and investigate the need for more data centres in Norway with Norwegian majority ownership
- will ensure appropriate framework conditions for the data centre industry to safeguard both national security interests and crime prevention interests, and the desired establishment and development of data centres in Norway
- wants public authorities and bodies, when purchasing data centre services, to specify requirements for the physical and logical security of data centres and require data centre operators to document an adequate level of security in accordance with recognised security standards
- will continue to conduct assessments of the use of data centres by critical societal functions
- will establish a fundamental national function for data centres that is adapted to the security policy situation, and continuously assess which data centres support fundamental national functions and national security interests, with corresponding application of the Security Act
- will establish relevant forums for data centre operators subject to the Security Act
- will participate actively in European co-operation to contribute to appropriate, and primarily pan-European, solutions for safeguarding digital security, combating crime, and national security interests related to data centre activities
- will establish a new authority in the Energy Act to enable the prioritisation of connections for specific end-users where necessary in the interest of national security.
4.2 Establishment of data centres and international transmission routes throughout the country
Status
The authorities have long placed great emphasis on strengthening the security, robustness and diversity of our national and international fibre-optic infrastructure. A key objective of the Government’s National Digitalisation Strategy is to provide high-speed broadband to everyone by 2030 and to ensure that we have robust electronic communications networks throughout the country. An important element of this is ensuring that Norway has high-capacity links to multiple countries from all parts of the country.
The recommendations from the Committee on Digital Vulnerabilities in Society (the Lysne Committee) in 2015 have been followed up by, among others, Nkom through national goals for robust and secure fibre-optic infrastructure towards 2030. 5 The goals represent an operationalisation of the overriding strategies in the white paper on mobile, broadband and internet services (Meld. St. 28 (2020–2021)). One of the goals is “robust transmission grids throughout the country”. This means working to ensure that fibre-optic networks are available throughout the country, that each fibre operator has good redundancy, and that different networks are physically and logically independent of each other. Another goal is that “Norway has a good supply of high-capacity fibre-optic connections to several countries from all regions”. This also entails good distribution of internet and data traffic between Norway and other countries via these connections, to reduce concentration risk.
Norwegian broadband policy is market-based, and fibre roll-out is mainly carried out on a commercial basis. Therefore, facilitating market-based development is also an important means of achieving the goal of a robust and secure fibre infrastructure. In recent years, the Norwegian data centre industry has been an important driver of market-based development towards meeting the mentioned goals, particularly with regard to subsea fibre-optic cables.
The way forward
4.2.1 Norwegian data centres contribute to strengthening the national and international fibre infrastructure
Since 2020, new high-capacity international subsea fibre-optic connections have been established from Norway both to the United States (Bulk), the United Kingdom (Bulk and Tampnet), Denmark (Altibox), and Sweden (Tampnet). In addition, new high-capacity fibre-optic connections have been established along entirely new routes domestically – including new coastal fibre between Bergen and Trondheim (N0r5ke Fibre) and between Stavanger and Oslo over the mountains (Altibox). Several new national and international projects are also in the planning stage.
Major fibre infrastructure projects in recent years driven by demand from the data centre and cloud services industry
Subsea fibre-optic connections in operation:
- Altibox – Skagenfibre, Larvik–Hirtshals (Denmark)
- Altibox – NO–UK, Stavanger–Newcastle (England)
- Altibox – land fibre, Stavanger–Oslo
- Bulk – Havfrue, Kristiansand–New Jersey (USA)
- Bulk – Havsil, Kristiansand–Hanstholm (Denmark)
- Bulk – Inter-City Ring, Oslo– Kristiansand– Stavanger– Bergen
- N0r5ke – N0r5ke Viking I, Bergen–Trondheim
- Tampnet – Egersund–Ula–Aberdeen (Scotland)
- Tampnet – Norfest, Stavanger–Oslo–Sweden
Subsea fibre-optic connections in the planning stage:
- N0r5ke – N0r5ke Viking II, Bergen–Oslo–Trondheim
- Far North Fibre – Norway/Ireland–Japan via the Northwest Passage
- Polar Connect – Norway–Asia via the Arctic Ocean
- Bulk – Leif Erikson, Kristiansand–Canada
Strengthening the national fibre infrastructure will not only benefit data centre operators and their customers. It also enables national and regional providers of electronic communications networks to purchase access to expand and strengthen the redundancy of their own networks.
In addition to market-based development, the Government is contributing with publicly funded measures to make the fibre infrastructure less vulnerable in exposed areas. The authorities have contributed several hundred million kroner to measures to strengthen the fibre infrastructure between Svalbard and the mainland and in Finnmark, Troms, Nordland and Trøndelag counties. The measures have been implemented following thorough regional risk and vulnerability assessments. The Parliament (The Storting) has also decided to build a new fibre-optic connection to Svalbard. In line with the National Digitalisation Strategy, the Government will carry out risk and vulnerability analyses in all regions of the country.
4.2.2 Norwegian data centres contribute to strengthening national digital autonomy
Since 1 January 2025, the Government has been able to require data centres to have national autonomy, pursuant to the Regulations relating to data centres ( Forskrift om datasenter ).
National autonomy in the Regulations relating to data centres
Section 2-9. Authority to require data centres to have national autonomy
In a crisis or emergency situation, the Norwegian Communications Authority may oblige data centre operators to operate and maintain their services using personnel and technical solutions in Norway.
In force on 1 January 2025
The production of electronic communication services and other critical digital services is increasingly taking place on cloud-based platforms in data centres. Virtualisation and cloud technology enable, among other things, the seamless transfer of service processing between different physical data centre locations as needed. This can be achieved using everything from global cloud platforms such as Microsoft Azure, Amazon Web Services, and Google Cloud to purely national cloud platforms.
On one hand, developments are progressing towards more intricate international value and supply chains. On the other hand, cloud technology is scalable and geographically flexible. Norwegian data centres and a strong digital infrastructure thus facilitate the production of critical digital services in Norway rather than in data centres abroad. This will strengthen national control and autonomy.
Box 4.1 Telenor, Hafslund and Hitec Vision are investing billions (NOK) in new data centres in Oslo with an emphasis on national ownership, security and sustainability
Skygard focuses on establishing secure data centres with a high level of security, where critical business and societal security data can be stored and fulfil both sectoral and national requirements for data storage and processing. Skygard is designed for AI and to facilitate national cloud solutions that are owned and operated on Norwegian soil.
Skygard plans to establish three data centres in the Greater Oslo Region. The first is located at Hovin, where customers will begin moving in as early as 2025. The establishment will create jobs in connection with the construction, operation and maintenance of the centres
4.2.3 Norwegian data centres contribute to strengthening regional digital autonomy
Regional digital autonomy means that certain digital services shall be able to function in a region, for example, Northern Norway, in the event of a communications breakdown or other events that isolate the region from the rest of the country.
Norwegian regional data centres help to strengthen regional autonomy. A general trend is that digital content and digital services are being migrated to regional data centres closer to users to enhance performance and response times for the services. The more data and services that are produced in regional data centres, the greater the incentive for regional, national and international fibre operators to connect to the data centres and exchange traffic there. Overall, this will strengthen the regional digital infrastructure. Where direct fibre-optic connections to other countries are established from regional data centres, the region will also have direct access to internet and cloud services from other countries, even in the event that communication with the rest of the country is lost.
Stavanger has become the largest regional hub for digital infrastructure outside Oslo
GreenMountain’s SVG1 colocation data centre on Rennesøy island near Stavanger has become a digital hub in South-Western Norway.
The data centre connects to several national fibre operators. Altibox has also established a subsea fibre-optic connection directly from Rennesøy to England. This helps the region access internet and cloud services from abroad without having to route traffic through Oslo.
At the data centre, the national Internet exchange operator, Norwegian Internet eXchange (NIX), operates a regional Internet exchange point, which is the largest in terms of traffic outside Oslo.
The Government
- wants Norway to have robust data centres that provide both national and regional autonomy for data centre services
- will work to ensure that data centres and international transmission routes are established throughout the country to scale redundant solutions that are important for business and society, and to support fundamental national functions