About the author(s)
Louise is a Knowledge Lawyer in the Commercial Litigation Group.
Jocelyn is a technology and data lawyer, interested in anything connected to those two topics in non-contentious matters. Her areas of expertise cover IT agreements, data protection, data centres and telecommunications.
Amber has experience of advising corporate and private clients at all stages of a commercial dispute, from pre-action through to trial and subsequent costs disputes. She understands that, in order to consider the merits of a case and the best course of action to take to resolve the issues, clients want to think about minimising the costs incurred and the reputational damage caused by those actions.
On 12 September 2024 the UK government announced that data centres will be added to the Critical National Infrastructure (CNI) regime. This means that data centres are now grouped with energy, water, finance and healthcare systems, all of which are already classed as CNI.
This new designation, the first in 10 years, marks political recognition of the growing importance of data infrastructure for the UK, as the backbone of the economy, health services, financial services, public services and more. CNI designation will bring government support for UK data centres in the event of critical incidents, including cyber attacks, with the aim of minimising impact on society and the economy.
Being designated as CNI means data centre operators must adhere to stricter security and resilience standards to protect against digital threats and ensure operational continuity. Data centres should expect and prepare for increased regulatory oversight and collaboration with government organisations.
UK Cyber Resilience – Cyber Security and Resilience Bill
National cyber resilience is also in line for change. On 17 July 2024 the Cyber Security and Resilience Bill was announced by the Department for Science, Innovation and Technology (DSIT) in the King’s Speech. A further update from DSIT last week confirmed that the bill will be introduced to Parliament in 2025.
Cyber resilience is the ability of entities to prepare for, respond to and recover from cyber attacks and security breaches. It is crucial for operational resilience and business continuity. The current UK regulations governing cyber security and resilience (the NIS Regulations 2018) safeguard critical national infrastructure by placing duties on entities involved in the delivery of essential services, such as requiring the implementation of measures to manage risks to network and information systems; the prompt reporting of significant incidents; and undergoing audits by competent authorities.
The NIS Regulations 2018 emanated from the EU’s original NIS1 Directive, which has been in force since 2016 (but will be repealed from 18 October 2024). The regulations are now outdated and need reframing to address evolving cyber threats and to align with modern security requirements, particularly given increasingly interconnected, global supply chains.
At present, data centres are not within the scope of the UK cybersecurity regulations. However, the aim of the Cyber Security and Resilience Bill is to strengthen the country’s cyber defences and ensure that more digital services and supply chains are protected. The remit of existing UK legislation will therefore be expanded. The new law will span a greater number of sectors than the current 5 key sectors covered by the NIS Regulations and will make crucial updates to the legacy regulatory framework by:
- putting regulators on a strong footing to ensure essential cyber safety measures are being implemented. Regulators will have cost recovery mechanisms and stronger investigatory powers in relation to potential vulnerabilities.
- increasing incident reporting to give government better data on cyber attacks, including reporting ransom payments. The type and nature of incidents to be reported will be expanded.
It remains to be seen which regulator will oversee the new UK cyber resilience regime; how the rules will be implemented; and what sanctions there will be (and whether there will be personal liability) if organisations do not maintain adequate security.
The UK’s Cyber Security and Resilience Bill is intended to keep pace with the EU’s NIS2 Directive.
EU Cyber Resilience – NIS2 Directive
The NIS2 Directive is an EU-wide cybersecurity law aimed at bolstering the security of network and information systems in the EU. It must be transposed into EU member states’ national law by 17 October 2024.
It expands the original NIS directive by covering more sectors and imposing stricter requirements. It applies to public and private sector entities (and their supply chains) providing certain critical services or critical infrastructure, and qualifying as medium-sized or large-sized enterprises (so smaller entities will be out of scope).
Data centre providers are expected to be classed as “essential services” within the scope of the NIS2 Directive.
NIS2 applies to organisations outside the EU if they offer services or undertake activities in the EU (known as “extraterritorial effect”). UK data centre operators that operate within the EU market (think supply chains) will therefore need to adhere to NIS2 cybersecurity standards.
Failure to comply with NIS2 obligations risks financial penalties for organisations, and personal liability for individual managers. Further detail on this, and on how to determine which entities are in scope, will become available once EU member states implement the NIS2 Directive into their national laws.
NIS2 Requirements
In-scope organisations must have in place:
- Risk management – measures to minimise security risks, including incident management, stronger supply chain security, enhanced network security, better access control and encryption.
- Corporate accountability – management must oversee, approve and be trained on its cybersecurity measures to address cyber risks.
- Reporting obligations – processes must be in place for the prompt reporting of security incidents with a significant impact on service provision or on recipients. Specific notification deadlines will apply, such as a 24 hour “early warning” report.
- Business continuity – organisations must plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should include considerations about system recovery, emergency procedures, and setting up a crisis response team.
Data Centres
In light of (i) imminent enhanced UK cyber resilience law, (ii) imminent transposition of the NIS2 Directive in EU member states, and (iii) data centres having been designated as UK critical infrastructure, data centre service providers / operators must understand and prepare for NIS2 and upcoming UK change to the cyber resilience legal framework.
Risks for data centre infrastructure include weak security at third-party vendors; weak security of IoT devices (which may be used for infrastructure monitoring and management, such as sensors tracking temperature, humidity, energy consumption or security controls); interference with power supplies; and a lack of physical security.
Controls required will be focused not only on IT security but also on operational security. Key areas for focus are cybersecurity governance, risk management measures and preparation for reporting obligations.
Data centre operators must now determine whether any of their entities fall within the scope of NIS2 and then, depending on the data centre model:
- Ascertain current cyber security and information security control frameworks in place and assess against expected NIS2 requirements;
- Consider internationally recognised standards and frameworks to prepare for necessary compliance requirements;
- Bolster security risk management measures, incident response and recovery planning and reporting procedures; and
- Review supply chain security and maintain supply chain security assessment as data centre design continues.