Tommy Lee Walker - stock.adobe.c
UK government adds datacentres to CNI regime: Why did it take so long?
After years of lobbying, the UK government has agreed to classify datacentres as critical national infrastructure, with the tech industry claiming the move is long overdue, but also recognition of the importance of server farms to the economy
The UK government’s decision to add datacentres to the list of infrastructure types considered critically important to how the nation operates is being welcomed by tech industry stakeholders, but questions remain about what the designation will mean in real-world terms for operators.
As reported by Computer Weekly on 12 September 2024, the UK government confirmed that datacentres would now be classified as critical national infrastructure (CNI) in recognition of the essential role they play in keeping the UK’s increasingly digital economy ticking over.
This means datacentre operators can now expect greater government support in the event of a cyber attack or critical incident. Many industry watchers are of the view that server farms should have been afforded this level of protection and recognition a long time ago.
“Datacentres have been a critical part of our national infrastructure for years,” said Mark Boost, CEO of UK-based cloud services provider Civo. “It’s great to see the government finally acknowledging this fact and adding their strong stamp of approval to the UK’s already flourishing datacentre industry.”
Emma Fryer, director of public policy at colocation giant CyrusOne, echoed this sentiment, before pointing out that some operators in the UK already have facilities that the government has classified as being CNI.
These classifications were issued on a case-by-case basis to datacentres that hosted data considered to be “important or sensitive enough” that national security could be compromised if something were to happen to it, Fryer told Computer Weekly.
The difference now is that the government appears to be taking more of a blanket approach to CNI classifications by determining that all facilities should now be classed as such.
On that point, Computer Weekly contacted the Department for Science, Innovation and Technology (DSIT) for clarification on whether there were any minimum qualifying criteria for a datacentre to be granted CNI status.
Mark Boost, Civo
This is because the term “datacentre” can be used for everything from hyperscale facilities to much smaller-scale comms room setups. At the time of writing, DSIT had offered no response.
What DSIT has said is that putting datacentres on an equal footing with the nation’s other forms of critical infrastructure, which includes power plants, the defence sector and the emergency services, will also bring economic benefits to the UK.
Speaking to Computer Weekly, Andrew Jay, head of datacentre solutions, advisory and transaction services for Europe, the Middle East and Africa (EMEA) at CBRE, said demand for datacentre capacity in the London region, specifically, is outstripping supply.
“We are having a lot of new demand for datacentres at the moment, which is a global trend, and it’s being driven principally two things: One is an increase in the use of cloud services, and the other – which is a newer driver of demand – is artificial intelligence [AI],” he said.
“If we talk about the UK, [this demand has been] very focused on the London area, and as more companies use cloud and AI services, more datacentre space is needed. That has caused some stress to the power infrastructure and there have been planning permission issues too.”
The cost to acquire land for datacentres has increased. And – as previously reported by Computer Weekly – operators are being asked to invest in supporting the expansion of the power infrastructure in the areas where they want to site their facilities to get sign-off from planning officials.
The sector is increasingly reliant on overseas investment to fund projects, and – according to Jay – adding datacentres to the UK’s CNI regime should give investors more confidence to pour funds into the UK market.
“CNI status will help, to some extent, allow us to build more datacentre capacity [in the UK], and that capacity will have to be funded, and that will draw in a significant amount of global capital into the UK to facilitate those builds,” he said.
The deciding factors of DSIT
In the official DSIT statement announcing the move, it appears that data sensitivity is less of a deciding factor these days in whether datacentres should be considered CNI.
For example, the statement lists smartphone pictures alongside NHS patient data and sensitive financial information as examples of the types of data that will be better protected by the change in regime.
Either way, Fryer said the government’s shift away from granting CNI status to datacentres on an almost bespoke basis is a “logical” move, and is indicative of a growing level of understanding within Whitehall about how the datacentre industry operates and the value it brings.
“It reflects the fact that most other critical infrastructure sectors – communications, finance, health, energy, water and transport, for example – rely heavily on datacentres,” she said.
“And those infrastructural interdependencies must be carefully managed because of the risk of cascade failure. So, from that perspective, this change is a logical policy development.”
And it is one that has been years in the making, said Fryer. “This is not a snap decision by government. It is a culmination of four years’ work by a specialist team within the Department for Science, Innovation and Technology that was established in early 2020.”
This team gave the datacentre sector government-level representation during the Covid-19 coronavirus pandemic, and ensured its views were factored into government decisions pertaining to lockdown exemptions, and other related policies.
Its creation also represented a huge shift in how the government at the time viewed the datacentre industry, because – prior to this team’s creation – there was no single sponsoring department in government tasked with ensuring the needs and wants of the sector were looked after.
Prior to joining CyrusOne in January 2024, Fryer was actively involved in working with the government to build its understanding of the importance of the datacentre industry through her work as associate director at tech trade body TechUK, until her departure in March 2022.
Her successor is Luisa Cardani, who was appointed head of the datacentres programme at TechUK in October 2022, and has continued to ensure the UK datacentre industry’s views are factored into the government’s decision-making processes.
Cardani said TechUK has been involved in a “long-running programme” of policymaker engagement, which has involved championing the role that datacentres play in the UK economy.
For that reason, the government’s decision to include datacentres in the CNI regime is very much appreciated by TechUK’s members.
“We welcome the recognition of the datacentre sector’s critical role finally exemplified by their new CNI designation by the UK government,” said Cardani.
“TechUK and our members have worked with both the previous and the current government, sharing insights from industry on the challenges they face, exchanging ideas on possible policy announcements and sharing case studies of the incredible innovations that are happening across the UK’s ecosystem.”
What will change?
Since coming to power in early July, the new government has made commitments to lower the planning barriers to getting new datacentres built. It launched a consultation – due to close on 24 September 2024 – about reclassifying datacentres as “nationally significant infrastructure projects” to fast-track the outcome of planning permission decisions for prospective projects,
Furthermore, the government has also placed at least two projects that were blocked by the previous government under review.
However, while it is a Labour government announcing that datacentres are now classified as CNI, the groundwork for this change was laid out by DSIT and the Conservative government in December 2023, with the publication of a series of proposals geared towards protecting the UK’s datacentres.
These proposals were consulted on until February 2024, with the supporting consultation document stating that the datacentre industry needs “greater intervention” due to the level of risk and potential impacts of it suffering a critical incident.
“Unlike many critical sectors, at present, there is an absence of oversight, assured testing, governance and statutory mechanisms to defend against such threats to evidence and secure security and resilience risks,” the document stated.
“The current regulatory landscape and market dynamics address some risk but do not provide the information, tools or levels required for the government to effectively manage risks presented to the national interest.”
It continued: “Given the scale of risk and potential impact, it is appropriate to establish proportionate oversight and assurance to protect the UK’s economic and national security, as well as its reputation for good governance and as a secure, stable and lawful place to innovate and do business.”
The end result of that consultation was DSIT’s announcement about datacentres being granted CNI status, but questions remain about whether this change will increase the administrative burden on operators and if it will require them to alter the way their sites operate.
The consultation document suggested sites could be subject to heightened regulatory oversight, but when Computer Weekly asked DSIT about the impact the changes would have on operators, in terms of additional reporting or site changes, no response was received.
With the dust now settling on the announcement and operators waiting to see what the changes mean for them and their facilities, CBRE’s Jay is of the view that the proposed planning reforms combined with the shift in stance on CNI status for datacentres is all good news.
“Traditionally, all of the individual datacentre companies have dealt with the power companies and planning authorities individually, and I think [these announcements show] the government has realised there needs to be a more joined-up approach to the development of datacentres – to make sure they are providing a service to everybody in the UK and beyond, and ensure we’ve got the right quantity of datacentres, providing the right services, where they needed to everybody in and around the UK, and they are protected,” said Jay.
Read more on Datacentre capacity planning
-
DC01UK: Everything you need to know about the UK government-backed Hertfordshire mega-datacentre
-
Datacentres granted critical national infrastructure status
-
Tech secretary pledges to ‘rewire Whitehall’ and plug the digital gap
-
Government needs to meet with the IT users, implementors and managers to deliver its policy aims