From Server Farms to Security Concerns, Government Oversight Is Redefining Data Center Development

Data centers have become a central focus of national security oversight. Their role in storing sensitive information and providing critical computing capacity places them squarely within regulatory frameworks governing foreign investment, cybersecurity, and critical infrastructure.

On

With approximately $1 trillion in projected cumulative US data center investment over the next five years, the sector is drawing unprecedented scrutiny from federal and state authorities alike.

At the federal level, executive orders and agency mandates have designated data centers as critical defense facilities. At the state level, more than 300 data center-related bills have been introduced in 30 states in the first weeks of 2026 alone, marking a decisive pivot from incentive-focused policies toward regulatory oversight. This alert analyzes the federal and state frameworks reshaping data center development and provides practical guidance for developers, operators, and investors navigating this increasingly complex landscape.

Federal Framework: National Security, Cybersecurity, and CFIUS

CFIUS Considerations for Data Centers

The Committee on Foreign Investment in the United States (CFIUS) jurisdiction extends beyond traditional foreign “control” to also include certain covered real estate transactions and covered investment transactions involving “Technology, Infrastructure and Data” (TID) US businesses and real estate near certain sensitive facilities. Specifically, transactions and investments involving data centers can come within the jurisdiction of CFIUS as covered investment critical infrastructure (1) if they are co-located at a submarine cable landing point, landing station, or termination station; (2) as critical technology if they produce or develop critical technologies such as export-controlled computing hardware or artificial intelligence (AI) systems; or (3) if they maintain or collect sensitive personal data of US citizens, such that it would be considered a TID US business. In addition, the purchase or lease of data center facilities located near designated military installations can fall under CFIUS’s real estate jurisdiction under 31 C.F.R. Part 802. 

For data center developers, this carries immediate and practical consequences. Any transaction involving foreign capital — whether a direct acquisition, a joint venture, or even a minority investment from a foreign-affiliated fund — should be assessed as to whether it triggers mandatory filing requirements or the need for voluntary CFIUS review, with attendant delays, filing costs, and the risk of mitigation conditions or even prohibition. At a minimum, developers seeking foreign-sourced capital or partnering with foreign-affiliated entities should build CFIUS diligence into their earliest project planning stages, structure ownership interests with filing thresholds in mind, and anticipate that transaction timelines may extend by several months to accommodate the CFIUS review process.

Data Centers as Critical Infrastructure for National Security

Recent actions by the Trump Administration have further elevated data centers’ national security profile. In May 2025, Executive Order 14299 directed that AI data centers sited at US Department of Energy (DOE) facilities be designated as “critical defense facilities.” Two months later, Executive Order 14318 created a “Qualifying Projects” category for data centers with either $500 million or more in capital expenditures or a demonstrated national security nexus, streamlining permitting and federal support for qualifying facilities (for an analysis of federal permitting and energy policy developments, see our previous alert). 

Most recently, in May, the Data Infrastructure Risk Reduction Act (H.R. 8711) was introduced. If enacted, the bill would require the Cybersecurity and Infrastructure Security Agency (CISA) to formally identify data centers that should be treated as critical infrastructure and to develop a comprehensive strategy for their defense against external threats.

The compliance landscape for data center transactions now spans multiple federal agencies. CFIUS filing is mandatory for transactions in which a foreign government acquires a substantial interest in a TID US business or that involves a TID US business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies. Civil penalties for failure to file can reach $5,000,000 or value of the transaction, whichever amount is higher. Critically, CFIUS retains authority to review and unwind transactions post-closing where no safe harbor has been obtained through voluntary filing. Parties who forgo a filing bear ongoing risk even years after a deal closes.

Beyond CFIUS, additional federal compliance mandates apply independently. The US Department of Justice (DOJ) has imposed through its Bulk Data Rule data transfer restrictions requiring that facilities handling US government or US sensitive personal data comply with restrictions and prohibitions on transfers to countries of concern or involving covered persons. This rule would cover transfers of both ownership of data center facilities and of the company or entity that owns the facility. Meanwhile, the US Department of Commerce (DOC) has issued a proposed rule that would require Infrastructure-as-a-Service (IaaS) providers to verify foreign customers and monitor malicious cyber activity. The AI Export Executive Order issued in July 2025 requires that proposals for industry-led consortia for inclusion in the Americal AI Exports Program must comply with export controls, outbound investment regulations, and end-user policies.

Federal Enforcement Trends

Recent enforcement activity confirms that the federal government is reviewing closely and is prepared to act against transactions involving data center-adjacent technologies such as chips. On January 2, citing national security concerns, President Trump issued an executive order blocking HieFo Corporation’s $2.9 million acquisition of EMCORE Corporation’s digital chips and indium phosphide wafer fabrication business, technology used in data center connectivity and AI networking. 

The broader policy environment reinforces this enforcement posture. The “America First Investment Policy” signaled that the Administration would take an aggressive approach against investments by adversaries such as China, and the US Treasury’s Request for Information on the Known Investor Program issued in February suggests the government is seeking to facilitate investment from allied investors while maintaining rigorous scrutiny of transactions involving countries of concern. 

State-Level Foreign Ownership Restrictions

While federal oversight has intensified, state legislatures are simultaneously constructing their own frameworks restricting foreign interests in data center operations. Three recent state actions illustrate the trend.

Florida

On May 8, Governor Ron DeSantis signed SB 484 into law, establishing a regulatory framework that directly intersects national security and real estate concerns. The law prohibits public electric utilities from knowingly providing service to large-load facilities owned or controlled by “foreign entities of concern,” defined as entities owned or controlled by the government of a foreign country of concern or organized under the laws of or having a principal place of business in such a country. A person or entity holding 25% or more of voting interests or profit entitlement is presumed to exercise control. Large-scale data centers, with a peak load of 50 megawatts or more, must bear their full cost of service, and local governments are expressly empowered to reject data center development within their jurisdictions. The law took effect on July 1.

The constitutionality of state-level foreign ownership restrictions received significant judicial support in Shen v. Commissioner, where a 2-1 panel upheld SB 264’s registration and affidavit requirements for foreign nationals acquiring real property. The court found that Florida’s restrictions do not conflict with the federal CFIUS/Foreign Investment Risk Review Modernization Act (FIRRMA) framework and that any effect on foreign affairs is “minor or incidental.” This decision validates states’ authority to impose ownership restrictions on top of federal CFIUS review without triggering preemption, a critical holding for the growing number of states pursuing similar legislation.

Arkansas

Similarly, Arkansas has adopted its own framework restricting foreign interests in data center operations. SB 79 bars any “prohibited foreign party” from holding any ownership interest in crypto mining businesses and separately prohibits foreign party control of data centers. No court challenge to the data center provision has been filed to date. These restrictions are part of a broader Arkansas legislative framework that includes agricultural land restrictions (Act 636), bans on state contracts with PRC-owned companies (Act 758), and foreign drone restrictions.

Texas

Texas is considering legislation that would represent the most ambitious state-level effort to replicate the federal foreign investment review apparatus. SB 2117 would create the “Texas Committee on Foreign Investment,” the first state-level body modeled directly on federal CFIUS. The proposed committee would review transactions in which foreign actors from countries without US trade agreements seek control of Texas-based businesses, real estate, or critical infrastructure, including energy, telecommunications, agriculture, transportation, and defense sectors. Civil penalties would apply for noncompliance. If enacted, SB 2117 would add a full state-level investment review process operating in parallel to CFIUS, creating an additional layer of diligence for any transaction touching Texas assets.

Importantly, in GH American Energy, LLC v. Vegas (W.D. Tex.), a federal court held that Texas’s critical infrastructure law is not preempted by federal CFIUS authority, reasoning that CFIUS “does not have jurisdiction over intrastate activities.” This ruling provides further legal support for the proposition that states may regulate foreign ownership of critical infrastructure independently of the federal framework.

At least 28 states have now adopted some form of foreign ownership restriction on real property or critical infrastructure. Appellate rulings in ShenGH American Energy, and related cases will determine how far states can extend these restrictions. Data center investors and developers must monitor this evolving patchwork carefully, as each state adopts its own definitions of “foreign entity,” “control,” and “covered assets.”

Practical Takeaways for Data Center Developers and Investors

In light of these developments, data center developers, operators, investors, and their counsel could consider the following steps.

  • Map CFIUS Exposure Early. Assess whether a data center business qualifies as a TID US business and whether mandatory or voluntary filing may be warranted. Proximity to military installations or other covered real estate in Part 802 triggers CFIUS jurisdiction over real estate transactions. This can be a highly technical process, so key internal stakeholders should be identified and convened early on to organize a thorough assessment. 

  • Incorporate CFIUS Into Transaction Agreements. Parties should consider strategies for preemptively addressing CFIUS concerns in the deal documents, such as restrictions on access to non-public technical information by foreign persons, appointment of security officers, and requirements for the development and implementation of rigorous data security policies. Parties should also consider pursuing a proactive filing to obtain a safe harbor rather than bearing the ongoing risk of a CFIUS-initiated review post-closing.

  • Assess State Foreign Ownership Laws State-by-State. Florida’s SB 484, Arkansas’s data center restrictions, and Texas’s SB 2117 impose distinct definitions of “foreign entity,” “control,” and “covered facilities.” Jurisdictional analysis is increasingly critical as state legislatures continue to expand their regulatory reach in this area.

  • Integrate Federal Cybersecurity and Export Compliance. DOJ data transfer rules and export control regulations apply independently of CFIUS and state law. Developers and investors should build compliance programs addressing all relevant regulatory layers and ensure that operational protocols account for export control and cybersecurity obligations from the outset.

If you have any questions, please reach out to your ArentFox Schiff contact or an author of this alert. For more insights, visit our Data Center Legal Solutions webpage and ArentFox Schiff’s CFIUS team webpage.

Additional research and writing from Jake Haldeman, a 2026 summer associate in ArentFox Schiff’s Washington, DC office.

Contacts

Continue Reading