Global Data Center Projects Face Expanding US National Security Scrutiny

As global investment in data center infrastructure accelerates, US national security laws are increasingly shaping how projects are financed, constructed, supplied, and operated. Although the United States does not yet have a single comprehensive regulatory framework governing data centers, a growing collection of investment security, data protection, export control, and supply chain measures is creating a complex compliance environment for operators, investors, and technology providers.

These overlapping regimes are particularly relevant for projects involving advanced computing, artificial intelligence (AI) infrastructure, cross-border data flows, or foreign investment. For companies developing or supporting global data center projects, national security compliance is becoming a core strategic consideration rather than a downstream legal issue.

INVESTMENT AND DATA SECURITY RISKS CONTINUE TO EXPAND

US national security review processes increasingly intersect with data center development and operations. Both inbound and outbound investment regimes can affect transactions involving data center infrastructure, particularly where advanced technologies, sensitive data, or foreign ownership is involved.

Inbound investment reviews by the Committee on Foreign Investment in the United States (CFIUS) may apply to transactions involving foreign investment in US data center businesses, especially where projects involve advanced computing technologies or large volumes of sensitive data. At the same time, outbound investment restrictions are beginning to affect certain investments involving semiconductors, AI, and related technologies tied to overseas operations.

Data security rules are also becoming more expansive. Recent US Department of Justice regulations aimed at restricting access by “countries of concern” to bulk sensitive personal data and US government-related data create potential implications for data center financing arrangements, vendor relationships, and cloud-based services.

These rules reflect growing government concern about how foreign entities may gain access to sensitive information through ownership interests, operational relationships, or infrastructure dependencies.

Supply chain security presents another evolving area of focus. Existing authorities allow the US Department of Commerce (Commerce) to regulate information and communications technology and services (ICTS) supply chains involving countries of concern. While Commerce previously indicated it was developing further data center-specific ICTS rules, draft regulations have not yet been issued. It is unclear whether the government intends to proceed with that rulemaking or just rely on the underlying ICTS regulations as needed to cover data center supply chain security.

For project developers and operators, these developments reinforce the importance of assessing national security issues early in the transaction lifecycle. Delays in identifying potential concerns can affect deal timing, financing structures, vendor selection, and operational planning.

EXPORT CONTROLS AND ADVANCED COMPUTING INFRASTRUCTURE

Since October 2022, export controls have been one of the most consequential regulatory issues affecting modern data center operators, customers, and suppliers, particularly those supporting the development of AI models and advanced computing workloads.

Many of the technologies necessary to operate sophisticated data centers are already subject to US export controls, including:

• Advanced computing integrated circuits and graphics processing units (GPUs)
• High-performance servers and supercomputing systems
• Certain AI model training technologies and related components

While much attention focuses on item-based controls tied to technical specifications, companies must also account for broader catch-all restrictions that apply based on the end use or end user, many of which turn on “knowledge,” broadly defined to include not only actual knowledge but also “reason to know” or “an awareness of a high probability,” standards that are relatively untested in US export controls enforcement although they have long enforcement histories in the adjacent areas of US economic sanctions and the US Foreign Corrupt Practices Act (FCPA), respectively.

These standards can affect a broad range of participants in the data center ecosystem, including operators, financiers, vendors, and service providers.

This means that compliance obligations and enforcement risks increasingly extend beyond simply identifying whether hardware exceeds a particular threshold. Regulators are placing greater emphasis on how technologies will be used and whether companies are aware of risks associated with customers, counterparties, or downstream activities.

Companies may therefore need to find new, risk-based, and defensible ways to evaluate:

• Customer relationships and end-user profiles
• Data center business models and compute allocation practices
• Routing, financing, and intermediary arrangements
• Red flags suggesting possible diversion or misuse

Companies can no longer rely solely on technical classifications or customer certifications where surrounding circumstances raise potential red flags indicating a high probability of diversion where such certifications are unlikely to be considered by US enforcement authorities to be sufficient.

RECENT ENFORCEMENT TRENDS

Recent enforcement activity illustrates the above concepts in that there is:

• An increased focus on “high probability” awareness standards
• Greater attention to due diligence failures and ignored warning signs
• Expanding expectations for documentation and risk assessments
• Higher financial penalties and more aggressive enforcement postures

Proposed legislation pending in the US Congress would further increase enforcement risks by:

• Raising civil penalties to four times the value of a transaction or $1.2 million per violation (up from just under $375,000), whichever is greater
• Extending the statute of limitations for export control violations from five to ten years
• Creating a new, standalone export control whistleblower reward program
• Expanding US regulators’ authority to regulate remote access to controlled technologies, which would significantly impact software as a service (SaaS) and infrastructure as a service (IaaS) businesses

This last development is an important risk area for data center operators. Policymakers are increasingly examining whether remote access to advanced computing resources should trigger export control restrictions, even where physical hardware does not cross borders.

In practice, this means that data center compliance programs will need to evolve beyond traditional export-screening models. Companies should consider whether existing processes adequately address evolving regulatory expectations tied to advanced computing, AI infrastructure, and global customer access.

Practical compliance measures may include:

• Integrating export control considerations into commercial agreements
• Monitoring customer activity and infrastructure use over time
• Implementing enhanced diligence protocols for higher-risk transactions
• Developing escalation procedures for potential “high probability” concerns

The emphasis on risk-based decision-making also means that regulators increasingly expect companies to be able to explain and defend how compliance judgments were reached, particularly in situations involving imperfect or incomplete information.

LOOKING AHEAD

US national security regulation of data centers is likely to continue expanding, even if it remains fragmented across multiple legal regimes.

At the same time, geopolitical developments and evolving US-China policy may continue to reshape compliance expectations and enforcement priorities. Companies operating globally may also face competing legal obligations from other jurisdictions, further complicating risk management efforts.

For data center developers, operators, and investors, national security compliance should no longer be treated as a narrow export control issue but rather an expansive issue affecting transaction structuring, vendor selection, customer onboarding, operational oversight, and long-term business strategy.

Organizations that proactively incorporate national security considerations into project planning and compliance governance will be better positioned to navigate this evolving regulatory landscape while continuing to pursue growth opportunities in the global data center market.