- The bill will bring data centres above a capacity threshold under new reporting and risk‑management obligations.
- Failure to comply could result in heavy fines and stricter oversight by regulators.
What happened: The UK has made large data centres subject to new cyber‑security rules
The UK government has unveiled its Cyber Security and Resilience Bill, which will expand regulatory oversight to include data centres, managed service providers, and key supply chains. According to detailed proposals, data centres with a capacity of 1 MW or more — or 10 MW or more in the case of enterprise-only sites — will fall under the new rules. These facilities will be required to notify regulators about their operations, implement “appropriate and proportionate” risk‑management steps, and report significant cyber‑security incidents. The government’s policy statement also envisions a more coherent regulatory regime, with the Department for Science, Innovation and Technology and Ofcom sharing oversight. In parallel, companies will be required to report cyber‑security incidents to the National Cyber Security Centre (NCSC) within 24 hours of detection, and provide a fuller report within 72 hours.
Why it’s important
The inclusion of data centres in this legislation reflects how central these facilities have become to the UK’s national infrastructure. The government argues that data centres enable everything from financial services to artificial intelligence and are therefore critical to economic stability and national security. By enforcing mandatory cyber‑resilience standards and incident reporting, the bill aims to reduce the risk of significant cyber disruptions that could cripple essential services. Moreover, the move signals a shift: data centre operators are now being equated with traditional critical infrastructure like utilities, raising the stakes for their security.
However, the new rules could prove costly or operationally challenging for operators given reporting burdens and the need to implement more rigorous risk‑management systems. For the broader sector, this could accelerate investment in security, but also reshape how data centres are built and run — perhaps pushing firms to prioritise resilience and compliance as much as capacity and efficiency.

