It follows a call for views on the data centre sector in 2022 and sits within the context of a number of government strategies emphasising the need for action, including the National Data Strategy and National Cyber Strategy.
The proposed new statutory framework and regulatory function are intended to apply to organisations that operate data centres, in particular, those that provide colocation and co-hosting services as a third-party provider, and could require these providers to register and comply with a regulator, implement a number of baseline technical and organisational measures to manage security and resilience risks, and report significant incidents to the regulator as well as, in some cases, to their customers or other affected parties.
What are the risks facing data infrastructure and why has the UK Government decided to intervene?
The Government has examined the data centre sector and identified significant and evolving risks and threats from various actors and events, including cyber attacks, physical threats, insider misuse, equipment failures, supply chain vulnerabilities, hostile ownership, natural hazards, service disruptions, and market concentration of infrastructure and operators.
Whilst the Government acknowledges that data centre operators have commercial incentives to maintain high standards, it considers that these are not always aligned with or sufficient for the national interest, and that there are inconsistencies and gaps across the sector. It also highlights that there is limited formal information-sharing and oversight between the industry and government.
The Government has also compared its approach to that of other countries which have legislated for data centre security and resilience, and claims that its proposed framework would be proportionate and beneficial for the UK sector, its reputation and attractiveness.
What are the UK Government's proposals to address these risks?
The proposed framework includes the following elements:
- Scope: it aims to cover organisations that operate data centres, particularly those that provide colocation and co-hosting services as a third-party provider. The Consultation suggests that cloud services would be out of scope of the proposals on the basis that cloud service providers are regulated through the NIS Regulations (2018). Managed services would be out of scope too should they become regulated by the same (see here for further details on this). Importantly, this does not mean that all data centres would be out of scope where cloud or managed services are provided through them; only those that are solely owned and operated by a cloud service provider or managed service provider to provide a cloud or managed service (and are therefore already required, or expected to need, to meet security and resilience requirements under the NIS Regulations (2018)). The proposed framework would retain flexibility to adapt to changing technologies and risks, allowing the Government to consult and seek parliamentary approval for any significant changes in scope. Potential areas for future scope expansion could include quantum computing and AI-related aspects of data centre services, which the Consultation does not explicitly address but may pose security and resilience risks in the future. The regulator would also have the power to designate a specific organisation or service as within scope, subject to appropriate engagement and appeal mechanisms.
- Registration: relevant data centre providers would be required to register with the regulator and provide information regarding their UK operations, such as location, ownership, customer types and information on risks, impacts and existing mitigations or controls (both on registration and on an ongoing basis). The Government is also considering requiring that updates are provided on any changes in ownership that meet the criteria of a trigger event, as set out in the National Security and Investment Act (2021).
- Security and resilience measures: relevant data centre providers would have a duty to take appropriate technical and organisational measures to manage security and resilience risks. These could cover areas such as risk management, physical and cyber security, incident management, service continuity, monitoring, detection and auditing, governance and personnel, and supply chain management. Furthermore, the Government is considering introducing baseline measures based on existing standards and good practice, and would have the power to impose additional or more specific measures where necessary and justified by the level of risk.
- Standards, assurance and testing: the regulator would have the power to mandate the use of standards, assessment frameworks and other tools to improve and assure security and resilience mitigations, such as requiring certification, accreditation, auditing, inspection or testing by independent or government bodies.
- Incident reporting: relevant data centre providers would be required to report significant incidents to the regulator, and in some cases disclose incidents to customers or other affected parties. The proposed framework outlines minimum thresholds for reportable incidents, such as those that significantly impact the continuity of service or the security of facilities, systems, or services. Ransomware payments would also have to be reported. It is suggested that data centre providers should include incident notification and vulnerability disclosure provisions in their service level agreements with their suppliers and customers. The proposed framework also considers the possibility of public disclosure of incidents by the regulator in limited circumstances, and the need for cross-sector incident management and information sharing among regulators, agencies, and the Government.
- Regulatory function: a regulatory function would be established to implement, manage and enforce the proposed framework. It would have the power to issue information notices requiring additional information from operators, as well as compliance or enforcement notices, inspection notices and stop notices in the event of non-compliance. It would also have the power to issue fines (calculated on the basis of a metric such as annual turnover). The Government has not yet identified the regulator and will wait to do so until views on the Consultation have been received.
The proposed framework would be complemented by voluntary measures and industry support structures, such as information-sharing, collaboration, best practice, and critical national infrastructure designation for critical systems or data infrastructure.
So what is next?
The Consultation runs until 22 February and the Government is particularly interested in hearing from data centre operators, data centre land and facility owners, cloud platform providers, managed services providers, customers and suppliers of the above-mentioned parties, as well as independent or academic experts on data storage and processing.
Stakeholders such as these should monitor and engage with the Consultation and the Government’s response, and consider the potentially wide-ranging changes and requirements that may result from the proposed framework. Other interested parties, such as investors in data centres, should also stay abreast of these developments as they could bring significant changes to this digital infrastructure asset class in the UK.