Legal development

Data Centres: Strengthening Security and Resilience

computer servers background

    The rising number of cyber security attacks, the increasing usage of data centres and the value of data generally has brought into sharp focus the security risks and vulnerabilities facing the data centre sector.

    Both the EU and the UK are working to improve the security and resilience of data centres by strengthening the cybersecurity obligations of data centre operators.

    Below we explore some of the key elements of the EU's Network and Information Security Directive (NIS 2) and potential data centre cyber security developments in the UK.

    All data centre stakeholders, including operators, owners and investors, will need to be proactive in considering cyber security obligations and the very real risks associated with the security and resilience of data centres – or face regulatory enforcement action, significant operational challenges, loss of investment and potential reputational damage as a result.

    EU: NIS 2

    NIS 2 repeals and replaces the NIS 1 Directive which was the first set of EU rules that sought to broadly legislate for cyber security. NIS 2 aims to promote a more consistent approach to cybersecurity across the EU and address the shortcomings in the implementation of NIS 1. EU Member States must transpose NIS 2 into national law by 17 October 2024.

    Subject to certain limited exceptions, NIS 2 applies to all entities which: (i) provide their services or carry out their activities in the EU; (ii) meet or exceed the thresholds to qualify as medium-sized enterprises; and (iii) operate in one of the sectors listed in the Directive.

    NIS 2 does have extraterritorial reach. Entities which are established outside of the EU and who offer their services in the EU will need to comply with NIS 2, and designate a representative in a member state where the services are offered (and consequently fall under the jurisdiction of that state).

    One of the key expansions under NIS 2 is the scope of the sectors required to comply. Critically, NIS 2 now classifies "data centre service providers" as "essential entities".

    Key obligations for data centre service providers (as "essential entities") under NIS 2 will include:

    • Registration: entities will be required to register with the European Union Agency for Cyber Security (ENISA).
    • Incident Reporting: entities will need to report security incidents that have a "significant impact" on the provision of their services to the relevant competent authority, including:
    • an initial report or “early warning” within 24 hours of awareness;
    • a second updated incident notification within 72 hours of awareness; and
    • a final report within a month of the second notification.

    Entities may also be required to notify affected users without undue delay, where appropriate.

    • Risk Management Measures: entities must take appropriate and proportionate technical, operational and organisational measures to manage the security risks and prevent or minimise the impact of incidents on recipients of their services and on other services. Entities will be required to undertake a risk assessment to determine what measures are appropriate.

    Such measures may include, for example, policies on risk analysis and information system security, incident handling, policies on encryption and the use of multi-factor authentication.

    • Supply Chain: NIS 2 introduces stronger supply chain security requirements. Entities must take their supply chain into account in their security measures including the vulnerabilities specific to each direct supplier and service provider, as well as the overall quality of their products and cybersecurity practices.
    • Management Responsibility: NIS 2 imposes new obligations on “management bodies”. Management bodies will be required to approve and oversee the implementation of cybersecurity risk management measures and can be held liable if the entity fails to comply with its obligations. Management bodies will also be required to have regular cyber security training to ensure that they have the knowledge and skills to identify and assess cybersecurity risks.
    • Supervision and Enforcement: NIS 2 contains both supervisory and enforcement measures. However, the level of supervision and enforcement will depend upon whether the entity is an essential entity or an important entity. In respect of essential entities, competent authorities have a list of core supervisory powers, including on-site inspections, regular and ad hoc audits, and security scans as well as powers to request information and evidence of compliance. Competent authorities can also issue essential entities with warnings, binding instructions, order the cessation of infringing conduct, temporarily suspend authorisations and impose fines.
    • Fines: The maximum fine for essential entities is the greater of EUR 10 million or 2% of annual worldwide turnover, whilst for important entities it is the greater of EUR 7 million or 1.4% of annual worldwide turnover.

    The UK

    Although the UK implemented NIS 1, it will not implement NIS 2. It is working on its own proposals to amend the NIS regime in the UK but this would not include expanding the scope of NIS to specifically include data centres.

    Instead the UK government launched a consultation ("Protecting and enhancing the security and resilience of UK data infrastructure") around plans to strengthen security measures for data centres.

    The UK government has proposed a new statutory framework for third party data centre providers and in particular those that provide co-location or co-hosting services. The consultation suggests that data centres that are solely owned and operated by cloud service providers or managed service providers, to provide cloud or managed services, would be out of scope on the basis that they are regulated through NIS 1.

    The proposed framework under consultation contains the following key proposals in relation to in-scope data centres:

    • Regulatory Function: a regulatory function would be established with the remit and powers to implement, manage and enforce the new framework. The proposal at this stage does not identify an existing, or propose a new, regulatory body.
    • Registration: there will be a requirement for third party data centre operators to register and provide details of their UK operations.
    • Security and Resilience Measures: there will be a duty to take appropriate technical and organisational measures and the consultation sets out indicative baseline security and resilience measures.
    • Standards, assurance and testing: the proposed regulatory body would have the power to mandate standards, assessment frameworks and other tools to improve and assure security and resilience mitigations.
    • Incident Reporting: the requirement to report significant incidents to the regulator and in some instances disclose incidents to customers or other affected parties.

    The consultation has now closed and we await the analysis of the feedback provided, together with any further proposals. However, given the increased focus on cybersecurity, data centre operators need to be aware of and ready to comply with new obligations.

    For further reading, please see our associated articles in the Data Centres Article Series, as well as our Data Bytes series for UK and European updates on data protection and cyber security.

    Authors: Rebecca Clarke, Counsel; William Barrow, Senior Associate


    Visit our Data Centres hub for a list of all articles in this series

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.