New data center security and resiliency regulation is being proposed in the UK.

This week, the UK government launched a new consultation – Protecting and enhancing the security and resilience of UK data infrastructure – to source views on proposed regulations to improve the security and resilience of data infrastructure, including data centers. A new regulator could be set up to oversee the industry.

The government said a new set of laws would make minimum requirements mandatory to ensure data center operators are “taking appropriate steps” to boost their security and resilience.

“We propose to introduce a new, proportionate statutory framework, focused on data centers, to ensure all relevant operators in the UK are appropriately mitigating risks where they are relevant to the national interest, and national security in particular. This framework would be applicable in the future where other risks emerge, especially as a result of new threats, technological developments, and commercial models,” said John Whittingdale, minister for data and digital infrastructure.

The proposals focus on third-party data center services, which the government said face a number of risks, including physical and digital security threats; resiliency risks including extreme weather; and poor information-sharing and cooperation across industry, which hamper the government’s ability to identify and address risks.

The government said regulation may be necessary because existing sector-specific regulation doesn’t provide sufficient security and oversight of the data center sector given its “national importance.”

“The criticality of data centers to our economy means that the national harm resulting from significant security or resilience shocks could be far greater than commercial harm to any one operator, and thus commercial drivers are not sufficient to drive the level of security/resilience standards required in the national interest,” the consultation paper noted.

“This regulatory function would, at a minimum, have statutory regulatory oversight over organizations that operate data centers, in particular, those that provide colocation and cohosting data center services as a third-party provider. It would seek to establish a baseline level of mitigation against security and resilience risks by all UK third-party data center operators.”

The proposed framework would require operators to register with a regulator and report incidents, and they would likely have to adhere to “baseline” measures around risk and incident management and ensuring the physical and cyber security of facilities.

The consultation is seeking feedback from data center owners and operators, cloud and service providers, customers, and experts in the sector.

The consultation closes on 22 February 2024.

The UK government put out a call for views around developing a data center risk management framework last year.

“We commend the UK government for recognizing the vital role of the data centers sector in underpinning our digital economy. It is encouraging that DSIT intends to consult and continue to collaborate with industry to enhance resilience across this critical sector,” said Julian David, CEO of industry lobby group techUK.

“As with all regulatory developments, techUK and its members look forward to engaging on the matter to ensure the scope and policy development are done in a way that is practical for industry, its customers, supply chain, and consumers, and cognizant of commercial environments.”