Out-Law News 4 min. read
16 Sep 2024, 10:08 am
The importance of data centres to the UK economy has been recognised by the new UK government in recent actions relevant to operational resilience and the planning regime, experts have said.
Stuart Davey, Michael Pocock and Robbie Owen of Pinsent Masons were commenting after the UK government announced that it has designated data centres as ‘critical national infrastructure’ (CNI) in the UK. Data centres is the fourteenth sector to obtain a CNI designation in the UK – energy, health, transport, and water are among the other sectors designated. The designation covers both physical data centres and those operated virtually by cloud computing providers.
The move means owners and operators of data centres “can now expect greater government support in recovering from and anticipating critical incidents”, according to the government, which is already in the process of updating planning rules in England to support data centre development.
Davey, a cyber risk expert, said that the designation means data centre operators can expect government support in the case of critical incidents arising from everything from extreme weather to cyber attacks and IT outages, such as the CrowdStrike incident that grounded flights and impacted other important services – including NHS services in the UK – globally.
While there is already UK government guidance on security available to owners and operators of UK data centres, including through the UK government’s National Protective Security Authority, Davey highlighted how the government has now indicated that there will be a dedicated CNI data infrastructure team of senior government officials set up to monitor and anticipate potential threats and how owners and operators of data centres can expect to obtain priority access to security agencies, including the National Cyber Security Centre.
Davey said: “This designation is not entirely surprising. Last December, the previous Sunak government launched a consultation seeking views and evidence to inform development of proposals to improve and assure the security and resilience of UK data infrastructure. It seems likely that the new government’s decision to designate data centres as CNI built upon some of the responses to that consultation.”
“Whilst it does not appear that this designation will subject UK data centres to any new regulation, such regulation may be on the horizon. The new government has already signalled its intention to introduce a new Cyber Security and Resilience Bill, to, among other things, ‘protect more digital services and supply chains’ and impose additional incident reporting obligations – including in relation to ransomware attacks,” he said, adding that, in the EU, data centre service providers are designated as ‘critical entities’ and subject to new regulation under the second Network and Information Security (NIS2) Directive, which is due to be transposed into the national law of member states by 17 October 2024.
According to the government, the data centres industry in the UK already generates an estimated £4.6 billion in revenues a year. It recent outlined plans to update the National Planning Policy Framework (NPPF) in England to support further development amidst growing demand and is also considering a change to planning law to enable more decisions about consents for data centre development to be taken by the planning secretary rather than local planning authorities.
In its latest announcement, the government welcomed plans for the development of Europe’s largest data centre in Hertfordshire that have been submitted to Hertsmere Borough Council by data DC01UK. It is envisaged that the project will cost £3.75 billion, create more than 700 jobs in the area, and support a further 13,740 data and tech jobs across the UK.
Planning law expert Michael Pocock of Pinsent Masons said: “The government has demonstrated clear intent that it wants to secure the growth of data centres in the UK through its proposed changes to the NPPF. In a key change to existing planning policy, the proposals require local plans to identify suitable sites for the locations for data centres.”
“In a further nod of support, the proposed changes would require planning authorities to recognise that data centres are a form of infrastructure with specific locational requirements needed to support the modern digital economy,” he said.
“Taken together, the proposed changes to the NPPF represent long overdue recognition for a critical sector which has had to take its chances with a planning system which lacked explicit support for the industry and created uncertainty in the planning process. The industry can therefore proceed with a degree of confidence that the planning system should no longer act as a barrier to data centre growth and in fact should positively support it,” Pocock added.
National infrastructure expert Robbie Owen said: “As part of the NPPF consultation, the government has also asked whether data centres should be prescribed as a type of commercial development which would be capable of being directed into – and so consented by – the nationally significant infrastructure projects (NSIP) planning regime rather than by local authorities.”
“Although technically this has been possible since 2013 and so the question government has asked is rather curious, it is clearly recognition of the considerable potential of the NSIP regime. It has been hugely effective for other large scale infrastructure schemes and so given the recognition of the critical importance of data centres as part of our national infrastructure, it makes sense that they should be able to be considered as NSIPs. This would not apply to all data centre development but there will be times when strategic data centre development is better suited to a regime which is determined directly by a government minister, particularly where the project is complex and local decision-making would be challenging,” he said.
Merger control expert Paul Williams of Pinsent Masons said the designation of data centres as CNI in the UK does not create any immediate additional requirements for corporate transactions relating to data centre assets to be subject to national security screening by the UK government, but pointed to potential changes that could come in future.
Williams said: “The National Security and Investment (NSI) Act provides a framework for the UK government to screen certain transactions in 17 sensitive areas of the economy – including ‘data infrastructure’, a term that is defined in a way that captures certain data centre transactions.”
“While the CNI designation announced today does not change how the NSI Act regime currently operates, it is possible we will see changes to the regime be introduced and impact data centres in the months ahead. This is because the government is expected to consult on updating the sectors currently within scope of the NSI regime, including existing sector definitions, later this year – given the direction of travel, this could result in the screening of more data centre transactions,” he said.