We shared some views back in December 2023 around the UK government’s consultation on proposed regulations to improve the security and resilience of UK data infrastructure, part of which involved consideration as to whether to designate elements of the data centre sector as Critical National Infrastructure ('CNI'). The UK hosts the largest number of data centres in Western Europe, generating an estimated £4.6 billion in annual revenue, and is a key hub for connectivity worldwide.
The UK government’s 12 September 2024 announcement, designating data centres as CNI therefore does not come as a surprise. Nonetheless, it reflects the data centre sector’s importance to modern life, establishing a pivotal milestone in the UK’s digital infrastructure strategy. Recognising their critical nature, the government now places data centres on an equivalent status with 13 other essential infrastructure sectors, including energy, water, transportation, health, financial services, telecommunications, and emergency services systems. With CNI designation, the government aims to strengthen the UK’s position as a global data centre hub, while safeguarding its critical digital assets. In this blog post, we delve into a bit of the announcement’s background and explain its implications—particularly for data centre companies and infrastructure investors—highlighting the key legal and operational considerations that result from the announcement.
UK Legislative Framework for CNI
The UK’s CNI upholds the backbone of the UK’s society and economy. As different infrastructure sectors remain highly interdependent, vulnerabilities in one CNI operator may lead to cascading effects on multiple other sectors. UK public bodies—such as the National Protective Security Authority (‘NPSA’) and the National Cyber Security Centre (‘NCSC’)—are responsible for identifying threats to, and safeguarding, CNI. Several legislative instruments underpin this CNI regime and, taken together, these instruments confer extensive powers on public bodies and security agencies to safeguard CNI.
The NPSA defines CNI as: ‘Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: (a) major detrimental impact on the availability, integrity or delivery of essential services—including those services whose integrity, if compromised, could result in significant loss of life or casualties—taking into account significant economic or social impacts; and/or (b) significant impact on national security, national defence, or the functioning of the state.’
Enhanced Security and Government Support
One of the government’s main objectives in designating data centres as CNI is to create a more secure and stable investment environment for data centre expansion in the UK. Forms of support may include prioritised access to assistance from security agencies—such as the NCSC—and coordinated support from emergency services in the event of a critical incident. This would translate into a more robust framework for data centre operators to mitigate risks from cyber attacks, outages, and environmental disasters.
Operators and investors might expect further potential policy support through regulatory streamlining for planning processes or land use regulations for data centres, which could facilitate more rapid and efficient project approvals. We may also observe the introduction of fiscal incentives—such as grants, tax relief, or direct investments in infrastructure, research and development—to encourage investment in data centre infrastructure. Data centre operations rely on adequate grid capacity and reliable power supplies. The government may invest in grid upgrades or expedite grid connections for data centres to support expanding demand. With additional government security and support, the perceived risk associated with data centre investments will likely decrease, leading to even further increased investment in the sector in the UK, and associated benefits such as fostering job creation and economic growth.
Regulatory Compliance and Legal Obligations
The flipside of this is, as a result of CNI designation, data centre companies will encounter heightened regulatory scrutiny. This might include monitoring of compliance with national security laws and regulations to protect critical infrastructure. More specifically, operators may need to comply with more stringent cybersecurity measures (by implementing, for example, state-of-the-art encryption and advanced physical security protocols, including intrusion detection systems, biometric access controls, and persistent surveillance systems), regular risk reporting requirements, and obligations to develop and maintain comprehensive contingency plans, similar to those imposed on other critical infrastructure sectors. Other obligations on data centre operators may include the need to conduct regular audits and vulnerability assessments to ensure compliance with national security standards, and mandatory incident reporting to government agencies. Data centre staff may require enhanced background checks or security clearances, as well as additional mandatory training on national security protocols. Moreover, operators and investors may expect closer collaboration with government agencies, which may involve sharing threat intelligence, participating in joint security exercises, observing NCSC alerts, and complying with advisories on cyber security matters.
CNI designation may also introduce higher potential risks of lawsuits, fines, and reputational damage for data centre operators, particularly in the event of cyber attacks or outages, especially if found to result from negligent security practices. These risks of heightened liabilities underscore the importance of comprehensive risk management and compliance strategies. While implementing these security measures and complying with regulatory standards could be initially costly and resource-intensive, the longer-term benefits of enhanced security and government support will likely outweigh these initial costs.
Conclusion
CNI designation casts a favourable light upon data centre assets, a beacon for investors seeking secure and stable ground. The government’s designation inevitably strengthens the UK’s collective technological capabilities. Yet, beneath this shining surface, potential challenges lurk, demanding a deep understanding of the UK regulatory landscape and the legal obligations placed on data centre operators. Investors must also ensure that their data centre assets comply with the elevated security and operational standards required for CNI. The CNI regime’s embrace may bring short-term trials, but ultimately long-term rewards.
With thanks to Jacob Griffin for his invaluable contributions to this article.