Policy paper

Data centres

Published 12 November 2025

What are we going to do?

Data centres will be designated as essential services, with data infrastructure recognised as a sector under the Network and Information Systems (NIS) Regulations 2018. Data centres meeting the thresholds will be required to have appropriate and proportionate measures in place to manage risks. The Department for Science, Innovation and Technology (DSIT) and Ofcom will act as joint regulators, with Ofcom serving as the operational regulator.

Why are we going to do it? 

Data centres host and support the digital infrastructure that underpins modern life – from patient records and emails to product data and financial systems. They are critical to nearly all economic activity and public services, and were designated as critical national infrastructure in 2024, putting data centres on an equal footing with water, energy and emergency services systems. Despite this, there are currently no minimum requirements for cyber security or operational resilience. This regulatory gap leaves data infrastructure exposed to disruption or compromise, with potentially serious consequences for the public, businesses and national security.

Case study

The UK data economy is a cornerstone of national productivity and global competitiveness, representing 6.9% of GDP in 2022, with 76% of UK service exports being data-enabled. Yet, this critical infrastructure is highly concentrated: 80% of revenue is generated by just ten operators, who also control two-thirds of live capacity. This concentration amplifies the impact of outages, which we estimate cost the industry low single-digit billions annually, with £0.7 billion in lost productivity for customers in 2019 alone.

The vulnerability of this infrastructure was starkly illustrated in July 2022, when 2 separate data centres serving an NHS trust failed during a heatwave. The incident took down most clinical IT systems at three hospitals, as well as related community services. The disruption to patient care was massive and widespread, forcing the trust to spend £1.4 million in unplanned technology costs to respond.

This is not an isolated case. With 28% of UK businesses – and 62% of large businesses – relying on data centre services, the ripple effects of outages extend far beyond the tech sector. The current regulatory landscape does not adequately reflect the systemic importance of data infrastructure. As the digital economy grows, so too does the need for robust, forward-looking regulation that ensures resilience, transparency and accountability across the sector.

How are we going to do it?

The Cyber Security and Resilience (Network and Information Systems) Bill will amend the NIS Regulations and bring data centres into scope by classifying data infrastructure as a relevant sector and data centres as an essential service. This will introduce regulatory duties for operators of UK data centres above defined capacity thresholds, requiring them to notify Ofcom and satisfy structured information requirements, implement proportionate security and resilience measures, and report significant incidents. The framework will provide government and the regulator with the necessary levers to oversee and support the sector, ensuring consistent protection and enabling secure growth.  

Thresholds 

The thresholds for which data centres are in scope are primarily defined by rated IT load (RITL), which measures the power supply to installed IT equipment during normal operation. Data centres with a RITL of ≥1 megawatt (MW) are considered in scope for regulation. Enterprise data centres (those operated solely for the IT needs of the person who owns the data centre) are in scope if their RITL is ≥10 MW. The scope will be adjustable over time to reflect changes in technology, market dynamics and risk.

Definition 

A data centre service involves providing a physical structure that includes:

  • A data hall for housing, connecting, and operating IT equipment.

  • Supporting infrastructure, which includes: electricity supply systems; environmental control (for example, heating, cooling, ventilation and air conditioning (HVAC), dust, humidity, and flame control); security systems; and resilience systems.

Crown application and exemptions 

The regulatory framework will apply to data centre services operated by or for the Crown, ensuring consistent oversight across public and private sectors. However, exemptions will apply where national security is involved. Specifically, services provided by the Security Service, the Secret Intelligence Service or the Government Communications Headquarters (GCHQ), or those handling classified “secret” or “top secret” data on behalf of government, will be excluded from regulatory duties.

Security duties 

By introducing data centres to the essential service category, operators who meet the thresholds and are deemed designated as operators of essential services (OES) will be required to: 

  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies. 

  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential service, with a view to ensuring the continuity of those services. 

  • Notify the regulator in writing about any incident which has a significant impact on the continuity of the essential service they provide. 

Incident reporting

The bill introduces mandatory incident reporting duties for all regulated entities, designed to be proportionate and effective. This will enable regulators to better support affected organisations with rapid responses, identify systemic vulnerabilities, and implement targeted interventions to strengthen the resilience of the relevant sector. The framework also recognises the importance of notifying customers when incidents occur. Timely disclosure increases transparency and enables those customers to take their own actions to mitigate potential harms, which will strengthen accountability and improve market confidence (see incident reporting factsheet).

The government proposes clear, bespoke thresholds and conditions for reporting within the data centre sector: 

  • Incidents that could have had, have had, are having or are likely to have a significant impact on the operation or security of the network and information systems relied on to provide that data centre service, or,
  • Incidents that could have had, have had, are having or are likely to have a significant impact on the continuity of the service in the UK, or,
  • Any other incidents that could have had, have had, are having or are likely to have a significant impact in the UK.

Including significant service continuity and near-miss incidents in the bill for data centres specifically ensures that disruptions are captured even when network systems aren’t directly affected. This strengthens oversight, supports early risk detection, and aligns with international standards, while the “significant” threshold ensures reporting remains proportionate. Factors to determine whether significant impact has occurred will be detailed in secondary legislation. 

Notification and information requirements 

The bill introduces structured notification and information duties for data centre operators. These will require all operators of data centres within scope to notify the designated regulator within 3 months of being designated as an OES if they meet the threshold criteria, for the purpose of enabling the regulator to maintain the list mentioned under Regulation 8(8). This information will include the regulated entity’s name, address, contact information, nominated representatives and other information required for the service of documents. Additional categories may be added via secondary legislation in due course. Operators will also be required to notify Ofcom of any significant changes to information provided. Regulated entities will also be required to respond to information notices from Ofcom to ensure compliance with obligations.

Failure to comply will constitute a breach of duty, subject to enforcement measures including financial penalties. These duties are designed to ensure Ofcom have the data and communication channel needed to assess risk, allocate resources proportionately, and maintain oversight of the sector’s resilience. 

Implementation   

This measure will be brought into force through secondary legislation following Royal Assent.  

To safeguard the UK’s critical digital infrastructure, the bill establishes DSIT and Ofcom as joint competent authorities (regulators) for the regulation of data centres. DSIT will set the overarching framework – designating OES and defining duties around security and resilience – while Ofcom will oversee the day-to-day enforcement, including compliance monitoring, incident reporting, and penalties. As mentioned above, operators must inform Ofcom that they are in scope – and satisfy the basic information requirements – within three months of being designated as an OES.

Ofcom will be granted robust powers to assess whether operators are meeting their statutory obligations. These include the ability to request information, conduct inspections, interview staff, and enter premises to examine infrastructure. Compliance assessments will be guided by a statutory Code of Practice issued by DSIT, ensuring consistency and clarity in interpretation.   

The bill also empowers the government to introduce secondary legislation that sets out detailed duties for regulated entities. These may include requirements to identify and manage risks, strengthen physical and cyber resilience, and maintain robust incident response protocols.  

For data centres specifically, targeted information requirements and criteria for reportable incidents may be developed through consultation.  

In cases of non-compliance, Ofcom may issue formal notifications, direct interim security measures, and impose financial penalties, including daily fines for ongoing breaches. Crucially, the regime is designed to be adaptive, allowing duties to evolve in response to emerging threats and technological change. DSIT and Ofcom will work collaboratively with industry stakeholders to shape the technical detail of regulations and guidance, ensuring that the framework remains proportionate, effective, and future-proof.