New rules could be introduced to protect UK data centers from cyber attacks, physical threats, and extreme weather under proposals from the government.
The Department for Science, Innovation and Technology (DSIT) said it believes existing rules aimed at enforcing minimum safety practices don’t go far enough given their critical national importance.
While a voluntary review of data center standards acknowledged “generally high” levels of security and resilience, it also identified a number of inconsistencies, limitations, and gaps.
The government said it will now explore the possibility of new laws detailing minimum security and resilience requirements for the UK's 800-odd data centers.
Meanwhile, a new regulator would be established to ensure data center operators report incidents. These rules could specifically target those providing co-location and co-hosting services as a third-party provider.
The proposed regulator would also work with the sector to test risk mitigation against cyber threats and physical or environmental hazards.
"Protecting the security and resilience of data in the UK is of the utmost importance and protecting both the public and our national infrastructure from attack is crucial," said deputy prime minister Oliver Dowden.
"We need a whole-of-society approach, with the public and private sector working in tandem to strengthen our defenses."
With data centers playing a crucial role within the UK economy, the government said it will consider designating parts of the sector as critical national infrastructure.
According to the DSIT, around 28% of all UK businesses use services housed in data centers. Nearly two-thirds (62%) of large companies with at least 250 employees rely on data center infrastructure to support daily operations.
Discover a datacenter revitalization strategy that will help you dominate
DOWNLOAD NOW
Data center operators generated around £4.6 billion in revenue in 2021, while in 2022, they contributed 6.9% to Gross Domestic Product (GDP). Three-quarters of all UK service exports were reliant on data.
More widely, 85% of all businesses surveyed said they handle digital data and almost all businesses with 10 or more employees do so.
"Data is an increasingly important driver of our economic growth and plays a pivotal role across our public services," said Sir John Whittingdale, minister for data and digital infrastructure.
"So ensuring companies storing it have the right protections in place to limit risks from threats such as cyber attacks and extreme weather will help us reap the benefits and give businesses peace of mind."
Classifying data centers as critical national infrastructure alongside the existing 13 sectors would give the sector greater levels of support – and scrutiny - from their designated lead government department, along with other bodies such as the NCSC, NPSA and UKNACE.
Interdependencies and potential areas of cascading risk would be identified, and sector-specific security and resilience frameworks could be introduced where adequate provisions aren't already in place.
UK data center plans follow international examples
Doing this would follow the precedent set by several other countries, including Australia and Germany, who have already legislated on reporting obligations, security and resilience requirements, and government audits.
Both countries can impose a range of penalties for non-compliance.
The government-led consultation on the proposals is due to conclude in February 2024, officials said. The consultation is currently requesting industry views on the measures.
In particular, the government said It's looking for input from data center operators, data center land and facility owners, cloud platform providers, managed service providers, customers and suppliers of these providers, and independent or academic experts on data storage and processing.
"The government is serious about keeping data safe, which is why we are calling on these businesses to actively share their insights and expertise, whilst also making sure we have the right regulations in place," Whittingdale said.
