Press release

Security measures strengthened to bolster UK data storage protections

Tougher security and resilience measures for data centres operating in the UK to protect against potential disruption.

This was published under the 2022 to 2024 Sunak Conservative government

Stronger security measures to bolster data storage in the UK

  • New proposals outlined to better protect data storage facilities from cyber-attacks, physical threats and extreme weather.
  • minimum security and resilience requirements will be introduced with a regulator ensuring compliance within the sector
  • changes will help safeguard UK national security, making it more attractive to potential tech investors

Data centres operating in the UK will be required to have tougher security and resilience measures to protect against potential disruption - including cyber-attacks and extreme weather events - under new plans drawn up by the UK government. 

A new set of laws to better protect the nation’s data would make minimum requirements mandatory to ensure data centre operators are taking appropriate steps to boost their security and resilience. It will also help protect businesses and services that rely on data centres against disruption, reducing the risk of significant incidents that would interrupt or compromise access to data they rely on.

A new regulatory function is also being considered, to make sure operators of data centre services report incidents and work with the sector to assure and test risk mitigation against threats and hazards. The move is intended to encourage better transparency of information and cooperation across industry and the government so risks to the UK can be appropriately identified and addressed. 

As data centres play a crucial role in the UK economy, a significant security issue could impact the entire country, not just individual businesses, so today’s plans would make sure these businesses are operating in line with the greater national interest. As such, the government is also considering designating parts of the data centre sector as critical national infrastructure.

Minister for Data and Digital Infrastructure Sir John Whittingdale said: 

Data is an increasingly important driver of our economic growth and plays a pivotal role across our public services. So ensuring companies storing it have the right protections in place to limit risks from threats such as cyber-attacks and extreme weather, will help us reap the benefits and give businesses peace of mind. 

The government is serious about keeping data safe, which is why we are calling on these businesses to actively share their insights and expertise, whilst also making sure we have the right regulations in place. By making security a top priority in how we handle data, we’re not only tackling new challenges but also making the UK a global leader in promoting safe and responsible technology.

Rt Hon Oliver Dowden CBE MP, Deputy Prime Minister and Chancellor of the Duchy of Lancaster said: 

Protecting the security and resilience of data in the UK is of the utmost importance and protecting both the public and our national infrastructure from attack is crucial. We need a whole of society approach, with the public and private sector working in tandem to strengthen our defences.

Alongside today’s important announcement we are implementing the game-changing Government Cyber Security Strategy as well as working through the National Cyber Security Centre to detect and prevent threats.”     

Data centres are facilities designed to store, manage, and process large amounts of digital information such as business databases, customer records, website content, and other critical information which is essential to how modern businesses and online services operate. The proposals come as more people use connected devices and engage in digital activities such as shopping online and social media, meaning the amount of data stored in the UK alone has risen by a significant margin - highlighting the growing demand for data storage and processing capabilities, as well as the need to protect it. The data centre sector is now of great importance to economic activity, delivery of private and public services, and the everyday lives of millions of people in the UK. As data becomes more valuable, things like data centres are more at risk from incidents such as cyber threats and extreme weather with extreme and prolonged weather interrupting our access to important data.

Around 28% of all UK businesses use services housed in data centres. Large companies, specifically those with at least 250 employees, are even more likely to use them, with 62% doing so. Data centre operators generated around £4.6 billion in revenue in 2021. In 2022, data played a significant role in the UK’s economy, contributing 6.9% to Gross Domestic Product (GDP), and 76% of all UK service exports were reliant on data. More widely, 85% of all businesses surveyed said they handle digital data and almost all businesses with 10 or more employees do so. With data centre outages costing the industry billions a year it is hoped these changes will protect against potential risks and in turn keep more money in the bank for companies while giving the public peace of mind. 

Julian David, CEO of techUK said:   

We commend the UK government for recognising the vital role of the data centres sector in underpinning our digital economy. It is encouraging that DSIT intent to consult and continue to collaborate with industry to enhance resilience across this critical sector.

As with all regulatory developments, techUK and its members look forward to engaging on the matter to ensure the scope and policy development are done in a way that is practical for industry, its customers, supply chain and consumers, and cognizant of commercial environments.

Building on last year’s Call For Views and close work with the sector this year, the UK government has published a consultation asking for views on the proposed measures. The government is inviting input from various stakeholders, including data centre operators, cloud providers, and experts in the field with feedback gathered informing decisions on these measures.

This collaborative effort aims to ensure the security of the UK’s data infrastructure, combining regulations with industry insights for a strong and safe digital environment. The new framework is also expected to help fuel economic growth by making the UK a more attractive place to invest in these services as it shores up its data centre resilience.

The Data Protection and Digital Information Bill will build on this further, with the legislation improving data security, bolstering national security, and delivering new post-Brexit economic opportunities to the tune of at least £4 billion. 

This is part of wider ongoing work to better protect businesses and individuals online. Other measures include a new regime setting the minimum security standards for all consumer products with internet connectivity, which will come into effect by April 2024 – making the UK the first country in the world to introduce these protections.

Notes to editors

The consultation will run until 22 February 2024.

Updates to this page

Published 14 December 2023