Technology | New Electronic Communications Act – rules for data centers and changes to electronic communications
The new act has been in development for several years. Much of the legislation was first put forth for a public consultation in 2021. An additional public consultation was held in 2022, focusing on rules for data centers. The act which has now been adopted incorporates proposals from both consultations, as well as adjustments proposed by the Government.
A significant part of the act concerns implementing new directives and regulations from the EU in the field of electronic communications.
Data centers and security requirements
Data centers have become increasingly important for digital infrastructure in recent years. At the same time, the public has grown increasingly aware of matters of public security.
A chief measure in the new legislation is a registration obligation for data center operators. This is meant to aid in keeping track of data centers and who is responsible for the data centers’ activities, the level of this type of digital infrastructure, monitor compliance with new security requirements and uncover risks to critical public services. In its proposal to the Parliament, the Government explicitly stated that the registration obligation is a first step. It is signaled that concerns regarding identifying stakeholders behind data centers may compel further legislative proposals. Also, the Government stated that in future legislation, the obligations of the Electronic Communications Act significant to national security and crime fighting may be imposed on providers of storing and hosting services.
Back in 2013, the Government tightened the obligations for security for electronic communication providers from “necessary security” to “adequate security” (Nw: forsvarlig sikkerhet). In the new act, the Government will further tighten the requirement on preparedness from “necessary preparedness” to “adequate preparedness”. An important part of the new legislation is imposing a corresponding requirement for adequate security and a requirement for adequate preparedness on data center operators.
The new act makes it clear that for security and preparedness to be “adequate”, these systems must be built to be able to sustain times of peace, crisis, and war. Indeed, a primary concern in the assessment of what constitutes adequate security or preparedness, is the ability of the security measures to resist events which threaten the availability, authenticity, integrity, or confidentiality of data center services. In determining the appropriate level of security, data center operators should also take into account the state of the art, widely accepted industry standards, the cost of the measures and their efficacy, and the significance of the data center.
The new act will empower the Government to issue decisions regarding measures which go beyond the requirements in the act itself, to ensure the satisfaction of national needs for security, preparedness, and functionality in data centers.
The requirement for adequate security will be further clarified in regulations issued by the Ministry and in dialogue with the sector.
Other adopted changes
Besides regulating data centers, the new act also introduces a number of changes to requirements relevant for businesses operating within electronic communications, such as
- increased statutory penalty from a maximum of six months to twelve months’ imprisonment;
- end user rights, including right to information prior to entering into agreements, maximum duration for commitment periods (Nw: bindingstid), right to terminate in case of changes, number portability, etc.;
- ensuring users with disabilities equal access to communication services;
- allowing broadband delivery obligations for operators to be imposed, the purpose of which is to ensure that everyone has an offer of a functional internet;
- changes to rules regarding cookies, confidentiality and deletion obligations (most notably clarifying that the rules on consent to cookies correspond to the consent rules in the GDPR);
- further expanding and empowering the Norwegian Communications Authority ability to impose duties on providers with a strong market position; and
- establishing a new board of appeal to decide on appeals over decisions issued by the Norwegian Communications Authority.
When does the act enter into force?
The Government previously signaled that it intended for the new act to enter into force as soon as it is adopted by the Parliament, with some minor exceptions to certain sections. We therefore expect swift entry into force.