NORWAY Law and Practice Contributed by: Kari Gimmingsrud, Stian Hultin Oddbjørnsen and Andreas Bernt, Haavind
es and wallet providers must register with the FSA and adhere to strict reporting regimes. The Norwegian government continues to assess the need for further regulation to address emerging challenges and opportunities presented by these technologies. Ongoing developments in technology and international regulatory trends will likely influence future legal frameworks within this field in Norway.

The Regulation on Markets in Crypto Assets (MiCA) contains common European rules on crypto-assets. MiCA is expected to be implemented in Norwegian law without significant delays in relation to the EU.

2. Cloud and Edge Computing

2.1 Highly Regulated Industries and Data Protection

Norway does not have any general legislation governing cloud and edge computing, but the following new legislation relevant to cloud computing has recently been adopted.

• As of 1 January 2025, data centre operators are now regulated by the Electronic Communications Act with regulations.
• The Digital Security Act was adopted on 12 December 2023 and implements the EU Directive on the security of network and information systems (NIS1). The Act has not yet entered into force, but this is expected in 2025. The Act also facilitates the implementation of the Cybersecurity Regulation.

The Digital Security Act applies to providers of essential digital services, which must fulfil minimum cybersecurity requirements, such as regularly conducting IT risk assessments and notifying public authorities of events that could have a significant impact on service delivery. As of January 2025, EU Directive 2022/2555 (NIS2) has not yet been incorporated in Norway.

Specific regulations regarding the processing of personal data, bookkeeping data and archive data in the public sector will influence cloud and edge computing requirements. In addition, sector-specific legislation (relating to the financial, petroleum, energy and health sectors, for example) imposes requirements and some restrictions on cloud and edge computing. The Norwegian Security Act may also impose further requirements or restrictions based on national security considerations.

Data Centre Regulations

Data centre operators in Norway have a duty to register their business, which is done with the Norwegian Communications Authority (Nkom); see 6. Telecommunications for more information.

Data centres in Norway are now subject to a number of security and emergency preparedness obligations. The overarching requirement is proper security and emergency preparedness in the delivery of data centre services in peace, crisis and war. The more detailed requirements include:
• security management and auditing;
• risk and vulnerability assessment;
• basic security;
• security plans; and
• emergency planning and exercises.
In addition, the data centre operator has a duty to notify the Norwegian Communications Authority of incidents that have resulted in significant breaches of the availability, authenticity, integrity or confidentiality of the data centre or