The UK government is consulting on proposed regulations to improve the security and resilience of UK data infrastructure, including data centres. The consultation, which will close on 22 February 2024, follows the Department for Digital, Culture, Media & Sport’s “call for views” on the current security and resilience of data centre infrastructure and cloud platform infrastructure in summer 2022.
The proposals note the critical role that data infrastructure plays in the UK’s economy, as well as the government’s aim “for the UK to be the global gold standard for data centre security and resilience”. The proposed regulations would apply to organisations that operate data centres in the UK, with a particular focus on data centres that provide colocation and/or co-hosting services.
The government has identified two main categories of vulnerability currently faced by data centres:
- security risks, including from cyber and physical attacks or infiltration; and
- resilience risks, including from natural hazards (such as extreme weather events or conditions) and wider supply chain, geographical and economic disruptions.
The government notes that many of these risks are likely to increase over time, as means of attack become more sophisticated and the threat of natural hazards intensifies. The government’s proposals aim to address these issues and to improve coordination and communication between itself and data centre providers.
The proposals include:
- the establishment of a new regulatory function to “implement, manage and enforce” the new framework;
- mandatory registration and information sharing by relevant data centre providers, both at the point of registration and on an ongoing basis thereafter; and
- appropriate and proportionate mitigation of security and resilience-related risks by relevant data centre providers – the government suggests that “baseline measures” may cover:
  - risk management;
  - physical and cyber security of facilities, networks and systems;
  - incident management and reporting (potentially in respect of environmental, network, cyber, human and power-related incidents);
  - resilience and service continuity;
  - monitoring, detection, auditing and testing;
  - governance and personnel; and
  - supply chain management.
Given the rapidly-evolving risk landscape, the government intends that (subject to due parliamentary process) it will be able to adjust the scope of the statutory framework to address newly-identified or emerging risks to in-scope infrastructure.
Key points still under consideration include whether to establish a new regulatory body or expand the remit, powers and capability of an existing body and whether to designate elements of the data centre sector as Critical National Infrastructure (although some data infrastructure is already designated as such).
Notably, the proposals do not specifically address (though stakeholders may wish to provide views on):
- the extent to which data centre providers should be able to leverage artificial intelligence (including generative artificial intelligence) in their key operations;
- whether the “baseline measures” will require providers to meet any specific environmental standards and/or will entail any flexibility for providers to prioritise environmental considerations (the proposals do note the importance of providers balancing minimal environmental impact and costs with reliable service and operations, but do not suggest an appropriate framework for doing so);
- the potential impact of the new regulations on investments and other corporate transactions in the sector, including whether a proposed acquisition of within-scope assets will be subject to the relevant regulator’s approval and, if so, the interaction of any such requirements with other applicable laws and regulations such as the National Security and Investment Act 2021 (the government notes that it is considering requiring “that updates are provided on any changes in ownership that meet the criteria of a trigger event, as set out in the National Security and Investment Act” but does not indicate whether the regulator’s remit would include intervention capabilities); and
- more broadly, the appropriate balance to be struck between safeguarding critical infrastructure and designing a regulatory landscape which attracts investment into the UK’s data centre sector, particularly given rapidly-rising investment in the sector across Asia-Pacific and parts of Latin America.
The government is seeking views from any interested party, including (in particular) data centre operators, cloud providers, and sector experts. We would be very keen to chat and compare notes with anyone in the sector who may be thinking of responding. The views and evidence the government receives will inform its response and any further proposals.
Slaughter and May’s Tech, Digital and Data practice advises the full spectrum of digital infrastructure companies. For more information, please see our website and/or contact James Cook, co-head of our cross-practice Technology Group.