(3) Sanctions and import/export controls compliance

Sanctions and import/export controls compliance is of the essence because data centers operate at the intersection of global technology supply chains, cross-border data flows and sensitive end users – all areas heavily scrutinized by sanctions authorities. Servers, power modules and even software updates can be “dual-use,” triggering export-license requirements and re-export liabilities for operators and contractors. Many countries regulate the import of encryption items, often requiring licenses or permits, which can create a complex web of requirements that have a material impact on deployment schedules. Hardware, software and support services may originate from or be destined for jurisdictions subject to comprehensive or sectoral sanctions, such as Russia, Iran or North Korea, or involve sanctioned suppliers, including certain Chinese entities. Even indirect involvement – such as using a subcontractor that sources from a sanctioned supplier – can trigger liability and lead to significant operational disruptions. Moreover, U.S. sanctions often apply extraterritorially, meaning that non-U.S. entities may still face enforcement if they transact in U.S.-origin goods, engage in U.S. dollar-denominated transactions or serve restricted end users.

There are relevant precedents underscoring the risk. For example, a major Chinese telecommunications firm faced a multi-billion-dollar U.S. enforcement action for violating export controls and sanctions related to Iran and North Korea, including through indirect supply chain routes. Similarly, a European multinational settled with U.S. authorities in 2021 for exporting software and cloud services to Iranian users through third parties, despite being headquartered in Europe. These cases demonstrate that even inadvertent or indirect breaches – especially in the digital services and IT infrastructure context – can lead to severe penalties. Sanctions and import/export controls compliance is not a theoretical risk, but a concrete legal exposure that requires active oversight, supply chain transparency and strong internal controls.

(4) Customs complexity surrounding maintenance and repairs

Spare parts routinely cross international borders to support hot-swap maintenance and rapid repairs, ensuring minimal downtime for critical data center operations. Given the high value and specialized nature of this equipment, companies must carefully manage customs compliance not only at initial import but throughout the entire asset lifecycle. Tariff suspension and drawback programs offer valuable opportunities to recover import duties on equipment that is subsequently re-exported – such as leased hardware returned at the end of a contract – but these benefits are contingent on maintaining comprehensive, accurate and auditable documentation. This includes detailed records of import declarations, inventory movements, maintenance activities and export shipments, all of which must withstand scrutiny from customs authorities to avoid denial of duty recovery and potential penalties. Effective lifecycle management is therefore essential to maximize cost efficiency while ensuring regulatory compliance in complex, multi-jurisdictional data center environments.

(5) Tariff tensions

Data centers are impacted by ongoing trade wars, which introduce heightened tariffs and increased regulatory scrutiny on key technologies and components. Tariff escalations increase costs and create uncertainty in procurement. These disruptions can lead to delayed deployments, higher operational expenses and challenges in maintaining service-level commitments. Companies may need to reevaluate supplier relationships or underlying contracts, invest in alternative sourcing strategies or adapt infrastructure designs to mitigate risk. Legal teams must keep a close eye on shifting regulations and develop agile frameworks to respond quickly to changes, ensuring continuity and competitive advantage in an increasingly fragmented global trade environment.