With great power comes great responsibility: consultation on regulation of data centres
The consultation is seeking further views on its proposals for increased regulation of third-party data centres. The deadline for responses is 22 February 2024.
The consultation follows a call for views undertaken in 2022 on the data centre sector specifically, as well as the National Data Strategy (2020) which sets out the Government’s broader ambitions for the use of data in the UK.
The consultation seeks views on a series of proposals intended to enhance the security and resilience of third-party data centres and provide a framework for oversight of existing and emerging data storage and processing. DSIT recognises that many data centre operators maintain high security and resilience standards due to commercial drivers, but is concerned that risks may remain, for example:
- where commercial interests may not align with national interests;
- where standards are applied inconsistently; and
- where risks affecting the wider industry arise, due to a current lack of governmental oversight and information sharing.
As well as being a topic of interest for the Government, data centres have become an attractive sector for investors. ULI Europe recently identified data centres as the second ranked sector of interest to investors for 2024. Investors and potential investors would be well advised to monitor the outcome of the consultation (and indeed to make submissions) as the proposed reforms could be wide-ranging. We have highlighted five key areas covered by the consultation below.
DSIT is focused on organisations that operate data centres, in particular those that provide colocation and co-hosting data centre services as a third-party provider. However, the consultation also calls for views on whether the proposed regulations should apply to a broader suite of persons that operate within the sector – such as cloud service providers – and how that would interact with existing regulations. The scope of any future data centre regulation therefore has the potential to be extensive, and DSIT envisages that the extent of the regulations might be adjusted in future to bring additional services and infrastructure into scope.
It is also worth noting that under the recently launched consultation on amendments to the National Security and Investment Act the Government is adopting a similar position, proposing changes to expand the application of the mandatory notification system to suppliers of colocation data centres.
All participants in the sector should take note of the Government’s intentions as they take shape.
In addition to considering the services and infrastructure that are within scope, the consultation considers whether landowners should be within the regulatory framework, even where a separate operator provides data centre services from their land. This may just be an obligation to appoint a regulated operator, but DSIT goes as far as suggesting that landowners might be subject to a duty to ensure that the relevant operators meet their own duties. The imposition by statute on landowners of, essentially, a performance guarantee of those operating data centres from their land would be a significant shift in the risk allocation between landowner and operator.
DSIT proposes that data centre providers would be subject to a registration regime with the relevant regulator. The scope of information to be provided on registration is subject to further consideration, but DSIT posits that as well as basic entity details, this might include information on the relevant operational sites, current customer types and the provider’s ultimate beneficial ownership. Subject to understanding the proposed obligations to update this information, this could impose a significant administrative burden on data centre providers.
At the heart of the proposed regulations would be a duty on data centre providers to take “appropriate and proportionate technical and organisational measures to protect and enhance the security and resilience of their services”, subject to supervision by a regulator. The consultation sets out indicative baseline security and resilience measures, intended to reflect an outcome-based approach. As we anticipate that the vast majority of established data centre providers will already have in place stringent measures, the key question will be whether the Government’s baseline requirements will simply codify existing good practice, or go further, such that even prudent operators will have to scale up their security and resilience management.
In a key departure from the status quo, DSIT proposes the introduction of a mandatory incident reporting regime. This would require data centre providers to notify the regulator of any security incidents and of any impact on the continuity of service. While a significance threshold is proposed for continuity of service issues, DSIT expressly considers that even security issues thought to be minor should be reportable, to guard against the risk that those issues are really pre-positioning for a larger attack.
DSIT also suggests that, where appropriate, providers would be obliged to inform customers and other affected parties (such as suppliers) of incidents. In certain scenarios, significant incidents may also be subject to public disclosure.
Those within the scope of the incident reporting requirements will need to consider their obligations carefully, both to minimise the likelihood of any reportable incidents and to ensure that reporting lines are clear if an incident does arise.
Against the backdrop of the ongoing consultation on amendments to the National Security and Investment Act, the UK appears to be in the process of a holistic review of its infrastructure regulatory framework with a clear focus on data centres, making investment in UK infrastructure (and especially data centres) both an engaging and an evolving landscape, particularly for inbound investors.