Technology Secretary Peter Kyle announced on Thursday 12th September that data centres will be designated as “Critical National Infrastructure” (CNI), reflecting the UK’s commitment to increasing data privacy and security.

The announcement to give data centres CNI designation comes at the same time as the government welcomes a plan to develop what would be the largest data centre in Europe, with £3.75 billion of funding being committed to the project.


In this blog we look at what these recent announcements will mean for operators of data centres and how this might shape the future of data storage and security.

What impact will this have?

As a result of this announcement, data centres will now be put on an equal footing with vital services such as water and energy. This means that they will be given additional protections and priority in the case of power failures or cyber attacks.

Data centre operators will also have access to a CNI data infrastructure team of senior government officials tasked with monitoring and anticipating potential threats, providing prioritised access to security agencies such as the National Cyber Security Centre and coordinating support with the emergency services should this be required. It is hoped that the CNI status will act as both a deterrent to cyber criminals and an attractive prospect for investors.

With the data centre industry in the UK already worth £4.6 billion, and continuing to rise, these further protections should help to boost this growth even further, by reassuring investors that the government has steps in place to reduce and recover from critical data breaches.

What are the regulatory considerations?

The designation of data centres as CNI is arguably a reinforcement of existing obligations already in place. The Network and Information Systems (NIS) Regulations 2018 already require operators of essential services, including digital infrastructure, to:

  • take measures to manage the risks to critical technologies;
  • take measures to prevent incidents, and reduce the impact of incidents when they occur; and
  • notify their Competent Authority if they identify incidents which have negative impacts on their ability to deliver their essential services.

The NIS Regulations are aimed at providing legal measures to boost the cyber and physical resilience of network and information systems, such as those already discussed. Nonetheless, CNI designation will undoubtedly increase the standards already in place, requiring operators to implement more rigorous security measures (including advance biometric systems, more extensive monitoring technology, and alarm systems), as well as reporting incidents with greater speed and detail, coupled with greater fines and punishments as a result of failing to do so.

The CNI designation will require data centres to work more closely with the National Cyber Security Centre (NCSC) to share threat intelligence and collaborate with them to improve existing security measures.

These CNI considerations are in addition to environmental and operational challenges that data centre operators also face. The environmental impact of data centres which power so much of the digital age (including AI models) is coming into sharper focus. Data centres are being encouraged to closely monitor their carbon footprints and adopt appropriate measures to reduce them, which can prove to be difficult and costly with data centres likely to increase in size and volume in future.

To privacy and beyond?

Looking forward, we’re likely to see many more data centre projects, with Amazon announcing that it will commit £8 billion over the next 5 years to build and operate data centres in the UK.

Ambitions, however, don’t appear to be restricted to Earth. At the recent Space-Comm Expo in Glasgow, the possibility of data centres in orbit was “floated”, with research suggesting that this is a much more energy efficient solution than data centres on terra firma - the naturally cold environment combined with unlimited solar power offering significant advantages.

How the UK (and others) would be able to ensure compliance with the requirements that CNI designation comes with – especially given the difficulty with jurisdiction and territorial concerns – remains to be seen. Maintenance and physical security concerns are also potential a stumbling block, with quick access to space-based data centres being difficult, with a reliance on remote vehicles for repairs.

While this is currently more of a pipe dream than a reality, the advances in both space exploration and data storage technologies could make this a reality sooner rather than later. Regardless, this once again highlights the intrinsic link between data storage and national security, which as we go boldly into the future will have evermore importance.

Written by

Murray Cree

Murray Cree

Partner

Commercial Contracts

murray.cree@burnesspaull.com +44 (0)131 473 6102

Get in touch

Related News, Insights & Events

Burness Paull Default Card Image

Cloud computing and "as a service" offering

Cloud computing services have become a mission critical component for almost all companies.

Read more
UK Autumn Budget 2024 Opportunities And Oversights For The Tech Industry

UK Autumn Budget 2024: Opportunities and oversights for the tech industry

What impact will the Autumn 2024 budget have on the tech industry?

Read more
Data-law-reform-is-your-business-ready-for-a-new-data-landscape.jpg

Data law reform: is your business ready for a new data landscape?

The Data (Use and Access) Bill (the “DUA Bill”) was introduced on 23 October 2024.

Read more

Want to hear more from us?

Subscribe here