Department for Science, Innovation and Technology consults on proposed data infrastructure statutory framework

Published on 17 April 2024

The question

What statutory obligations could the Department for Science, Innovation and Technology’s (DSIT) proposed statutory framework impose on UK data centre providers?

The key takeaway

Under the proposals put forward in the DSIT’s public consultation on “Protecting and enhancing the security and resilience of UK data infrastructure”, relevant data centre providers may:

  • be required to implement baseline technical and organisational measures to manage the risks to the security and resilience of their services;
  • have to register with, and provide relevant information to, a regulator designated by the UK Government; and
  • be subject to enforcement actions for non-compliance as well as a mandatory incident notification regime.

The background

On 14 December 2023, the DSIT published its public consultation on “Protecting and enhancing the security and resilience of UK data infrastructure”. The DSIT’s public consultation aimed to gather feedback and insights from all UK stakeholders in this sector, including data centre operators, managed service providers, suppliers and customers.

The DSIT’s consultation follows the UK Government’s 2020 “National Data Strategy”, in which it set out five missions central to its vision of creating the optimal environment for data to drive growth and productivity. One such mission was to ensure “the security and resilience of the infrastructure on which data relies”. This was followed, in 2022, by the National Cyber Strategy, in which the Government outlined the improvements it intended to implement to strengthen the UK’s cyber resilience and critical national infrastructure.

The development

The DSIT’s public consultation puts forward its proposals for a new statutory framework to improve the security and resilience of the UK’s data infrastructure. The proposals are aimed at regulating relevant data centre providers, namely:

  • providers that rent space and building infrastructure to customers and in which that customer, or multiple customers, can locate their own networks, servers, and storage equipment (colocation data centres); and
  • providers that rent out the space and provide the servers, networks, storage equipment and the support infrastructure of the building, as a service (co-hosting data centres).

Security and resilience measures

Under the proposed framework, relevant data centre providers would have a duty to implement “appropriate and proportionate technical and organisational measures” to ensure the security of their services and infrastructure. This would be intended to set a baseline for the security and resilience risk mitigation measures all relevant data centre providers would be required to have in place. Such measures could include:

  • establishing and maintaining appropriate policies and processes to maintain accessibility to, and traceability of, critical supplies within the supply chain;
  • implementing physical security measures such as access controls, “zero trust” principles, and background checks on personnel to mitigate the risk of insider threats;
  • establishing and testing service resilience, business continuity plans and recovery capabilities;
  • establishing an effective incident detection, management and response programme; and
  • implementing appropriate and effective auditing, monitoring and testing policies and processes.

In addition to the above, the consultation sought feedback on whether the same baseline security and resilience measures should apply to data centre owners where the owner is a separate entity from the relevant data centre provider but retains responsibility for the facility.

Regulatory function

It is also proposed that the framework introduce a new regulatory function to oversee and enforce compliance with the above obligations. The regulator’s responsibilities would include:

  • issuing and maintaining advisory guidance related to security and resilience measures, incident reporting thresholds, testing and compliance;
  • maintaining a register of relevant data centre providers; and
  • taking prompt, effective and proportionate enforcement action against non-compliance (e.g. issuing civil fines linked to the annual turnover of the relevant data centre provider).

It should be noted that the consultation did not yet set out a decision as to whether an existing regulator would be designated as the appropriate regulating body, or if the UK Government would establish a new one.

Incident notification

Lastly, it was proposed that a mandatory notification regime based on certain minimum thresholds also be implemented under the framework.

A relevant data centre provider would be required to report “incidents that significantly impact the continuity of service” and any “unwanted security impacts on facilities, systems, or services”. Relevant data centre providers would also be obliged to report “pre-positioning” incidents, in which threat actors gain unauthorised access to a physical space, network, or service without causing immediate disruption, with the intention of causing disruption or harm later on.

This would require supply chain cooperation as relevant data centre providers would also be required to notify customers, or other affected parties, of such incidents.

Why is this important?

Cyber security and data infrastructure are global topics of concern and the UK Government seems to have cyber resilience at the top of its agenda. In the European Union, the NIS2 Directive has come into force and by 17 October 2024, all Member States will be required to transpose it into their national law. As such, it seems that the DSIT’s consultation is a demonstration by the UK Government of its continued commitment to ensuring the UK remains a safe space for data services and infrastructure.

Any practical tips?

While the consultation closed on 22 February 2024, relevant data centre providers should familiarise themselves with the consultation to get an insight into how the UK Government is thinking about future regulatory requirements. Additionally, it would not be a bad idea for relevant data centre providers to begin reviewing their supply chains to ensure they can identify critical suppliers, that they have appropriate business continuity plans in place, and that they have conducted sufficient due diligence to ensure their data infrastructure is secure. This is particularly the case if long-term colocation or co-hosting data agreements are being considered.

Spring 2024