Data Centres: Strengthening Security and Resilience
03 July 2024
The rising number of cyber security attacks, the increasing usage of data centres and the value of data generally has brought into sharp focus the security risks and vulnerabilities facing the data centre sector.
Both the EU and the UK are working to improve the security and resilience of data centres by strengthening the cybersecurity obligations of data centre operators.
Below we explore some of the key elements of the EU's Network and Information Security Directive (NIS 2) and potential data centre cyber security developments in the UK.
All data centre stakeholders, including operators, owners and investors, will need to be proactive in considering cyber security obligations and the very real risks associated with the security and resilience of data centres – or face regulatory enforcement action, significant operational challenges, loss of investment and potential reputational damage as a result.
NIS 2 repeals and replaces the NIS 1 Directive, which was the first set of EU rules that sought to legislate broadly for cyber security. NIS 2 aims to promote a more consistent approach to cyber security across the EU and to address the shortcomings in the implementation of NIS 1. EU Member States must transpose NIS 2 into national law by 17 October 2024.
Subject to certain limited exceptions, NIS 2 applies to all entities which: (i) provide their services or carry out their activities in the EU; (ii) meet or exceed the thresholds to qualify as medium-sized enterprises; and (iii) operate in one of the sectors listed in the Directive.
NIS 2 does have extraterritorial reach. Entities established outside the EU that offer their services in the EU will need to comply with NIS 2 and designate a representative in a Member State where the services are offered (and will consequently fall under the jurisdiction of that state).
One of the key expansions under NIS 2 is the scope of the sectors required to comply. Critically, NIS 2 now classifies "data centre service providers" as "essential entities".
Key obligations for data centre service providers (as "essential entities") under NIS 2 will include:
Entities may also be required to notify affected users without undue delay, where appropriate.
Such measures may include, for example, policies on risk analysis and information system security, incident handling, policies on encryption and the use of multi-factor authentication.
Although the UK implemented NIS 1, it will not implement NIS 2. It is working on its own proposals to amend the NIS regime in the UK, but these would not include expanding the scope of NIS to specifically include data centres.
Instead, the UK government launched a consultation ("Protecting and enhancing the security and resilience of UK data infrastructure") on plans to strengthen security measures for data centres.
The UK government has proposed a new statutory framework for third-party data centre providers, in particular those that provide co-location or co-hosting services. The consultation suggests that data centres solely owned and operated by cloud service providers or managed service providers, for the purpose of providing cloud or managed services, would be out of scope on the basis that they are already regulated through NIS 1.
The proposed framework under consultation contains the following key proposals in relation to in-scope data centres:
The consultation has now closed and we await the analysis of the feedback provided, together with any further proposals. However, given the increased focus on cybersecurity, data centre operators need to be aware of and ready to comply with new obligations.
For further reading, please see our associated articles in the Data Centres Article Series, as well as our Data Bytes series for UK and European updates on data protection and cyber security.
Authors: Rebecca Clarke, Counsel; William Barrow, Senior Associate
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.