Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that can significantly impact the business and any investment in, or financing of, data centres. 

The first step to ensuring compliance is to be aware of the key legal and regulatory challenges. 

Energy use in data centres

The operation of data centres requires substantial power supply that needs to be provided at a constant and reliable level. This makes it difficult– physically – to achieve 100% renewable energy operations, since the energy generation from renewables is volatile. Battery-based energy storage (BESS) and a smart load management might be able to increase the consumption of renewable energy, but for now, data centres still heavily rely on power supply from the grid system.

Obtaining access to the grid can be a challenge and is quite often the cause for project delays, mainly due to capacity bottlenecks in the grid system and supply chain constraints. In the UK: 

  • Ofgem has recently published a package of decisions that will reform the grid connection process (known as the TMO4+ reform). One of the stated aims of the reform is to enable new generation and demand projects to connect to the electricity networks in a cost-effective and timely manner by allowing projects that are “ready” and “needed” to be prioritised in the connection queue. 
  • The TM04+ reform should accelerate connections for data centres and AI industries connecting to the transmission system (distribution-connecting projects are out of scope), but there is a catch: while all demand projects will be deemed “needed”, some projects may find it difficult to satisfy the “readiness” criteria that requires holding certain land rights and planning status. This is of relevance to data centres, as they will typically acquire land rights later in the development process. 
  • Ofgem is therefore exploring whether further changes may be required to better facilitate demand, including those of strategic importance, which should capture data infrastructure following its designation as Critical National Infrastructure, putting it in the same category as other essential services (such as energy and water) critical to the UK economy. (For more information about the TMO4+ reform and how it impacts data centres, please see our recent publication.)  

Developers and operators must also consider the developments in the various energy efficiency schemes and regulations which apply to the developer, operator and jurisdiction of the datacentre.  For example: 

  • In the EU, the Energy Efficiency Directive (2023/1791/EU) currently imposes disclosure obligations on data centres. However, stronger climate-focussed measures are anticipated, with the European Commission expected to publish proposals for more specific measures in May 2025. Germany is leading the way, having already implemented measures that go beyond EU requirements, requiring data centres to make energy efficiency a priority and source 50% of their electricity from renewable sources by 1 January 2024 and 100% by 1 January 2027. It is expected that other EU countries will soon follow suit. 
  • In the UK, data centres are subject to the Climate Change Levy (CCL) (an environmental tax charged on the energy that businesses use), although energy-intensive businesses (such as data centres) can enter into a Climate Change Agreement (CCA) with the Environment Agency to meet energy efficiency targets in return for a reduction in the CCL. However, the industry is pushing for a reform of the CCA scheme that would change its focus from energy efficiency to enabling other decarbonisation measures (such as Corporate Power Purchase Agreements (CPPAs) with new renewable projects) to be used towards meeting CCA targets. The UK’s Streamlined Energy and Carbon Reporting (SECR) policy also imposes energy use and carbon emissions reporting requirements on certain large organisations, which could capture those data centres that satisfy the SECR conditions. 

Data sovereignty

The changes to data localisation and sovereignty rules are likely to impact decisions by users on where to buy capacity. Rules designed to require personal data to be provided to law enforcement offices of foreign governments deter users from using data centres if their data will be transferred outside of its country of origin. There seems to be a growing trend globally for regulators to require certain / sensitive data to be hosted locally in-country – for example, China, India, and Saudi Arabia have all enacted some form of data sovereignty laws.

Under the EU’s General Data Protection Regulation (GDPR), the EU-US Data Privacy Framework currently ensures data can be transferred from the EU to the US with minimal compliance burden. However, there are concerns surrounding its future following recent developments in agencies involved in its administration, such as the Privacy and Civil Liberties Oversight Board. A trend towards building more small-scale data centres to meet the needs in each country and away from centralisation is anticipated, as businesses react to expected requirements for data to be held locally. 

Tariffs

The current tariff environment has undoubtedly had an impact on data centre supply chains, as well as those of customers. High tariffs and uncertainty will create challenges for data centre operators and increased costs for development and operation. A key question will be whether such costs will be passed through to customers through increased rent and service fees, and whether construction will be held or delayed, pending more certainty on costs and switching of suppliers. 

The impact of tariffs on energy pricing will also result in substantially increased costs for operators, which would typically be passed through to customers.  

Operators will need to be able to assess and evaluate their exposure to tariffs through detailed due diligence of supply chain and contractual arrangements with suppliers, focussing on whether tariff costs in the supply chain can be passed through to the operator. 

Merger control, foreign direct investment, foreign subsidies and anti-trust

Merger control, foreign direct investment and foreign subsidies remain key considerations for those in the industry, particularly as data centres are often considered “critical infrastructure” for the purposes of national security regulations. 

Failure to notify a transaction under any of these processes carries severe consequences. Stakeholders need to consider all applicable regulations from the outset of any investment planning. The supply shortage for talent in the sector also necessitates vigilance against anti-competitive agreements in the labour market, such as wage-fixing and non-poach agreements. 

Securitisation and regulation

The data centre industry has grown immensely in terms of valuation, funding and capacity in the past decade, with interest only increasing as AI technology advances. While financing arrangements have evolved to fund this growth, there are challenges in implementing pan-European asset-based securitisation structures as seen in the US market, given the different tax obligations and subsidiary disclosing regimes across jurisdictions in the European market. 

Some final observations

As the demand for data centre investment continues to grow, the market will also need to evolve in response to incoming laws and regulation, requiring ongoing consideration of their likely impact.  This will require industry players to develop and observe policies that uphold rigorous standards in relation to data privacy, energy efficiency and anti-competitive practices, while at the same time delivering on their commercial imperatives.

Want more information about data centre regulation?

For more information about data centres and regulation, see:



Contacts

Jessica Melville
Jessica Melville
Partner
Email
jessica.melville@nortonrosefulbright.com
T: +44 (20) 74443915
Mark Maurice
Mark Maurice
Partner
Email
mark.maurice@nortonrosefulbright.com
T: +44 (20) 74442339
Oliver Stacey
Oliver Stacey
Partner
Email
oliver.stacey@nortonrosefulbright.com
T: +44 (20) 74445038
Kirsty Harrower
Kirsty Harrower
Partner
Email
kirsty.harrower@nortonrosefulbright.com
T: +44 (20) 74443007
Suncica Miletic
Suncica Miletic
Counsel
Email
suncica.miletic@nortonrosefulbright.com
T: +44 20 7444 2088
Valerian von Richthofen
Valerian von Richthofen
Partner
Email
valerian.vonrichthofen@nortonrosefulbright.com
T: +49 (211) 97559772
Mai Muto
Mai Muto
Counsel
Email
mai.muto@nortonrosefulbright.com
T: +32 (2) 2376140
Daniel Metcalfe
Daniel Metcalfe
Partner
Email
daniel.metcalfe@nortonrosefulbright.com
T: +44 (20) 74442551
Christian Lambie
Christian Lambie
Partner
Email
christian.lambie@nortonrosefulbright.com
T: +44 (20) 74445139
Marcus Evans
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Email
marcus.evans@nortonrosefulbright.com
T: +44 (20) 74443959

Practice area:

Industry:

Recent publications

data center interior

Publication

Navigating regulatory challenges in data centres

Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements.

Global | May 01, 2025

Tech sector
green-energy-concept

Publication

TMO4+ connection reform proposals receive stamp of approval

On 15 April 2025, Ofgem approved the National Energy System Operator’s (NESO) Target Model Option 4 (TMO4+) package of reforms.

Global | April 25, 2025

Energy, infrastructure and resources

Publication

Distress signals: Cooperation agreements or mergers to the rescue in times of crisis?

The current volatile and unpredictable economic climate creates challenges for businesses.

Global | April 23, 2025

Merger control
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now