UK Data Centres Classed as Critical National Infrastructure: The Latest Demonstration of Commitment to Digital Security

Technology Secretary Peter Kyle announced on Thursday 12^th September that data centres will be designated as “Critical National Infrastructure” (CNI), reflecting the UK’s commitment to increasing data privacy and security.

The announcement to give data centres CNI designation comes at the same time as the government welcomes a plan to develop what would be the largest data centre in Europe, with £3.75 billion of funding being committed to the project.

In this blog we look at what these recent announcements will mean for operators of data centres and how this might shape the future of data storage and security.

What impact will this have?

As a result of this announcement, data centres will now be put on an equal footing with vital services such as water and energy. This means that they will be given additional protections and priority in the case of power failures or cyber attacks.

Data centre operators will also have access to a CNI data infrastructure team of senior government officials tasked with monitoring and anticipating potential threats, providing prioritised access to security agencies such as the National Cyber Security Centre and coordinating support with the emergency services should this be required. It is hoped that the CNI status will act as both a deterrent to cyber criminals and an attractive prospect for investors.

With the data centre industry in the UK already worth £4.6 billion, and continuing to rise, these further protections should help to boost this growth even further, by reassuring investors that the government has steps in place to reduce and recover from critical data breaches.

What are the regulatory considerations?

The designation of data centres as CNI is arguably a reinforcement of existing obligations already in place. The Network and Information Systems (NIS) Regulations 2018 already require operators of essential services, including digital infrastructure, to:

• take measures to manage the risks to critical technologies;
• take measures to prevent incidents, and reduce the impact of incidents when they occur; and
• notify their Competent Authority if they identify incidents which have negative impacts on their ability to deliver their essential services.

The NIS Regulations are aimed at providing legal measures to boost the cyber and physical resilience of network and information systems, such as those already discussed. Nonetheless, CNI designation will undoubtedly increase the standards already in place, requiring operators to implement more rigorous security measures (including advance biometric systems, more extensive monitoring technology, and alarm systems), as well as reporting incidents with greater speed and detail, coupled with greater fines and punishments as a result of failing to do so.

The CNI designation will require data centres to work more closely with the National Cyber Security Centre (NCSC) to share threat intelligence and collaborate with them to improve existing security measures.

These CNI considerations are in addition to environmental and operational challenges that data centre operators also face. The environmental impact of data centres which power so much of the digital age (including AI models) is coming into sharper focus. Data centres are being encouraged to closely monitor their carbon footprints and adopt appropriate measures to reduce them, which can prove to be difficult and costly with data centres likely to increase in size and volume in future.

To privacy and beyond?

Looking forward, we’re likely to see many more data centre projects, with Amazon announcing that it will commit £8 billion over the next 5 years to build and operate data centres in the UK.

Ambitions, however, don’t appear to be restricted to Earth. At the recent Space-Comm Expo in Glasgow, the possibility of data centres in orbit was “floated”, with research suggesting that this is a much more energy efficient solution than data centres on terra firma – the naturally cold environment combined with unlimited solar power offering significant advantages.

How the UK (and others) would be able to ensure compliance with the requirements that CNI designation comes with – especially given the difficulty with jurisdiction and territorial concerns – remains to be seen. Maintenance and physical security concerns are also potential a stumbling block, with quick access to space-based data centres being difficult, with a reliance on remote vehicles for repairs.

While this is currently more of a pipe dream than a reality, the advances in both space exploration and data storage technologies could make this a reality sooner rather than later. Regardless, this once again highlights the intrinsic link between data storage and national security, which as we go boldly into the future will have evermore importance.

By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact ukscotland@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.