The Compliance Gap
Why UL 2755 Listing Does Not Substitute for NFPA Compliance in Modular AI Data Center Deployments
Abstract
This paper examines the proposition, frequently advanced in modular AI data center procurement discussions, that a UL 2755 listing for the manufactured enclosure substitutes for compliance with the National Fire Protection Association codes, the International Code Council family of building and fire codes, and the property-insurer engineering data sheets that govern the campus, the occupancy, and the life-safety envelope. The paper rejects the substitution proposition on the basis of the documentary record, the regulatory architecture, the AHJ practice, and the insurance underwriting record, and develops a four-layer compliance-stack framework that the operator must satisfy in parallel: the product listing layer governed by UL, the site compliance layer governed by NFPA and the ICC family, the management-system layer governed by the International Organization for Standardization, and the insurance underwriting layer governed by FM Global, the Industrial Risk Insurers schedule, and the Lloyd’s of London data center underwriting guidelines.
The scope of the paper is the United States and Canada with reference to the harmonized international standards published by the International Electrotechnical Commission and the International Organization for Standardization. The temporal scope is the 2024-through-2026 code cycles, which include the 2024 IBC and IFC, the 2025 NFPA 75 and NFPA 13, the 2026 NEC, and the 2022 ISO 27001 revision. The analytical posture is descriptive and prescriptive: the paper documents the present state of the regulatory and insurance landscape, names the misconceptions that produce the substitution argument, and prescribes an operating doctrine for the compliance program that elevates the operator from a reactive submittal posture to a Level 4 or higher compliance maturity over a 90-180-365 day implementation horizon.
The paper’s principal findings are three. First, UL 2755 governs the listed product and not the installation; the authority having jurisdiction retains undiminished authority over the campus, the occupancy, and the life-safety envelope, including water supply, smoke control, egress, separation distances, and structural fire protection of the bounding construction. Second, FM Global Property Loss Prevention Data Sheets, including FM 5-32 for data centers and related facilities, FM 1-56 for cleanroom and semiconductor facilities, and FM 7-110 for industrial battery systems, routinely exceed NFPA minimums for insured facilities and are silent on UL 2755 substitution; the substitution argument therefore fails at the loss-payout level even where AHJ acceptance has been granted. Third, the ISO management-system standards (ISO 27001 for information security, ISO 22301 for business continuity, ISO 14001 for environmental management, and ISO 45001 for occupational health and safety) impose management-system obligations on the operator that no product listing of any kind can satisfy on the operator’s behalf.
The paper’s principal recommendations are three. First, treat the UL 2755 listing as the listing record for the module and assemble the full NFPA, ICC, ISO, and FM Global compliance package against the campus as a co-equal deliverable in every AHJ submittal, with a written compliance crosswalk that names the standard, the responsible party, and the evidence artifact. Second, require operator-side governance to maintain three independent compliance records (the product listing record, the campus installation record, and the insurance underwriting record) and reconcile them at design freeze, at commissioning, and annually thereafter under a documented operating procedure. Third, adopt the compliance-stack framework presented in this paper as the doctrine for owner submittals, AHJ acceptance, FM Global underwriting walkthroughs, and operator-of-record handoff, with the explicit assumption that the burden of proof for each layer falls on the operator and not on the module manufacturer. The forecast scenario presented in the paper anticipates that the substitution argument will produce its first significant loss-payout dispute within the next twenty-four to forty-eight months unless the industry adopts the compliance-stack discipline at the design-freeze stage of project execution.
Executive Summary
The thesis of this paper is direct. A UL 2755 listing is a product listing for the manufactured enclosure and the components within it; it is not a substitute for the operator’s compliance with the NFPA codes that govern the room and the building, the ICC building and fire codes that govern the campus, the ISO management-system standards that govern the operator’s information security, business continuity, environmental management, and occupational health and safety functions, or the FM Global and equivalent property-insurer engineering data sheets that govern the loss-prevention engineering posture of the insured asset. The substitution argument is technically incorrect, regulatorily indefensible, insurably unrecoverable, and operationally inappropriate for a deployment that is intended to run for fifteen to twenty years and against which the operator will commit hundreds of millions to billions of dollars of capital, customer commitments, and brand exposure.
This paper develops the substitution argument in detail, documents the four-layer compliance stack that the operator must satisfy, names the responsibilities of each party in the deployment chain, and prescribes an operating doctrine and a 90-180-365 day implementation roadmap for an operator that wishes to elevate the compliance posture from the typical Level 2 (listing-as-defense) maturity to Level 4 (proactive walkthroughs at 80 percent design completion) or higher.
Finding 1. UL 2755 governs the listed product, not the installation. The authority having jurisdiction (AHJ) over the campus retains the full and undiminished authority granted to it by the adopted edition of the IBC, the IFC, the IECC, the IEBC, the IMC, the IPC, NFPA 13, NFPA 70, NFPA 72, NFPA 75, NFPA 92, NFPA 101, NFPA 855, NFPA 2001, NFPA 5000, ASHRAE 90.4, IEEE 1100, and any local amendments to these codes. The AHJ confirms acceptance of the installation, not the product. The listing is a precondition for some AHJs and a positive indicator for most; it is never a substitute for the operator’s submittal of the campus, the occupancy, the egress paths, the water supply, the smoke control system, the separation distances, the structural fire protection of bounding construction, the available fault current at the service entrance, the grounding electrode system, the available arc flash energy, the emergency lighting design, the fire alarm performance specification, the sprinkler hydraulic calculation, the smoke management system, the hazardous materials inventory, and every other element of the campus deployment that the manufactured module enters and depends upon.
Finding 2. FM Global Property Loss Prevention Data Sheets, including FM 5-32 (data centers and related facilities), FM 1-56 (cleanrooms and semiconductor facilities), FM 7-110 (industrial battery systems), FM 5-31 (cables and bus bars), FM 2-0 (sprinkler installation guidelines), FM 1-20 (protection against exterior fire), and FM 1-2 (earthquake protection), routinely exceed NFPA minimums for insured facilities and are silent on UL 2755 substitution. In a representative scenario indexed to NFPA = 100, FM Global typical requirements run approximately 130 for sprinkler design density, 115 for smoke detector spacing, 120 for cable temperature rating, 145 for battery system setback, 125 for smoke control performance, 115 for bus duct separation, and 130 for hot work permit requirements. An operator that has accepted the UL-only argument and skipped the FM data-sheet engineering is uninsured against the delta on every line. The first material loss event will reveal this uninsured exposure at exactly the moment when the operator has the least bandwidth to absorb a coverage dispute.
Finding 3. The ISO management-system standards impose obligations on the operator that the module listing cannot discharge. ISO/IEC 27001:2022 imposes ninety-three Annex A controls organized into four themes (organizational, people, physical, and technological); the module listing addresses none of them on the operator’s behalf. ISO 22301:2019 imposes business continuity management obligations including recovery time and point objectives, exercise programs, and supplier risk assessments. ISO 14001:2015 imposes environmental management obligations including water use, refrigerant management, waste, and emissions. ISO 45001:2018 imposes occupational health and safety obligations including hazard identification, incident reporting, and return-to-work programs. ISO 9001:2015 imposes quality management obligations. ISO 50001:2018 imposes energy management obligations. Each is held by the operator, audited annually, and is a precondition for many hyperscale, federal, and regulated-industry tenancies. None is displaced or even partially satisfied by a UL 2755 listing.
Recommendation 1. Treat the UL 2755 listing as the listing record for the module and assemble the full NFPA, ICC, ISO, and FM Global compliance package against the campus as a co-equal deliverable in every AHJ submittal. The submittal package should be structured as seven sections: A (product listings), B (site plans), C (fire protection), D (electrical), E (operations and life safety), F (insurance crosswalk), and G (compliance crosswalk matrix). The crosswalk matrix is the load-bearing artifact of the submittal and is the section most often missing from listing-only submittals.
Recommendation 2. Require operator-side governance to maintain three independent compliance records (the product listing record, the campus installation record, and the insurance underwriting record) and reconcile them at design freeze, at commissioning, and annually thereafter under a documented operating procedure. The three records have different revision cycles, different audit cadences, and different evidence retention requirements. An operator that merges them into a single document has lost the audit trail that makes each record defensible.
Recommendation 3. Adopt the compliance-stack framework presented in this paper as the doctrine for owner submittals, AHJ acceptance, FM Global underwriting walkthroughs, and operator-of-record handoff, with the explicit assumption that the burden of proof for each layer falls on the operator and not on the module manufacturer. The four layers (product listing, site compliance, management systems, insurance underwriting) operate as a system; the operator owns all four. The implementation roadmap presented in the paper moves the operator from the typical Level 2 maturity to Level 4 within twelve months and to Level 5 (compliance as operating system) within eighteen to twenty-four months.
Forecast. The paper anticipates that the substitution argument will produce its first significant loss-payout dispute within the next twenty-four to forty-eight months. The dispute scenario is straightforward: a modular deployment suffers a fire or water incident that triggers a property and business interruption claim; the FM Global underwriter conducts the post-loss engineering review; the review identifies that the design relied on the UL 2755 listing and did not engineer to FM 5-32 baseline; the loss payment is reduced by the delta between the UL-only design and the FM 5-32 engineered design, with additional offset for any management-system non-conformities discovered in the loss investigation. The operator absorbs the delta on top of the deductible, the time-loss, and the reputational impact of a publicly visible incident. The framework presented in this paper is the prevention.
Full white paper below
