On 12 September 2024, the Technology Secretary, Peter Kyle, announced the UK government decision to class UK Data Centres as 'Critical National Infrastructure' ("CNI"). The decision represents the first CNI designation since the Space and Defence sector infrastructure gained such classification in 2015. As at March 2024, the UK was home to over 500 data centres. Comparable numbers exist in Germany whilst France and the Netherlands also have a significant market share and this is an area where data centre providers' competitive edge (in raising capital and winning client) rests at least partly on security and resilience of their service. The overall objective is to allow the government to prevent issues from arising and support the sector in the event of critical incidents; minimising the impact such accidents would have on the economy whilst also giving potential investors reassurance that the UK is a safe location for further data centre expansion.
Increased Protection
Following the designation, data centres can expect increased government support in preventing and recovering from critical incidents. For this purpose, a dedicated CNI data infrastructure, made up of senior government officials, will be set up to "monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur".
Data stored and processed in data centres located in the UK will benefit from greater protection in case of outages, cyber attacks and adverse weather conditions.
CNI status is also aimed at deterring cyber criminals from attacking data centres that are indicated as storing vital health and financial data, which would diminish the potential disruption to people's lives, the NHS and the economy. In case of an attack on centres housing NHS patients' data, contingencies will be set up to minimise the impact on essential services, such as patients' appointments or operations. This measure is aimed at preventing incidents such as the Crowd Strike one this summer, which affected 60% of GP practices with disruption to software holding patients’ appointment details, prescriptions, and health records.
The aim is to attract and ease the worries of businesses considering setting up data centres in the UK and bolster economic growth. We may also see measures in planning law and tax incentives designed to further promote this sector.
Scope and additional obligations
Notes to the UK government's announcement clarifies that CNI will cover both physical data centres and the cloud operators that use them to supply ordinary services. This is somewhat similar to the treatment of these businesses under the EU's "NIS 2" Directive, which is currently in the process of being transposed by Member States ahead of the 17 October 2024 deadline. It remains to be seen to what extent the UK government also uses this CNI designation to impose cybersecurity obligations (and thereby encourage good practice) on such businesses under the forthcoming Cybersecurity and Resilience Bill.
A Push for Innovation
The decision comes as part of the Prime Minister designation of data centres as of fundamental importance to the government and his commitment for the UK data industry to remain secure and stable. It furthers his overall plan to boost business confidence and increase investing in the area – noting that it already generates estimate of £4.6 million per year.
The designation follows a proposed £3.75 billion investment in Europe’s largest data centre for construction in Hertfordshire by data company DC01UK and Amazon Web Services pledging to spend 8 billion pounds in Britain over the next five years on data centres.
The current push to increase the security and confidence in the sector is aimed to bring the UK to the global highest band for data security, aiding the government's objective of attaining sustained economic growth.
For further detail on the Cyber Security and Resilience Bill please refer to our longer article "UK to bolster cyber defences with new Cyber Security and Resilience Bill".
With thanks to Tommaso Bacchelli for his contribution.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.