sdecoret - stock.adobe.com

Government plans to regulate to tackle datacentre threats

DSIT outlines a range of proposals designed to protect data storage facilities from cyber attacks, as well as physical threats and the effects of climate breakdown

The Department for Science, Innovation and Technology (DSIT) has outlined plans to better protect the UK’s key data storage facilities, or datacentres, from a range of threats including cyber attacks, physical threats and the impact of climate breakdown.

The government says its plans will help protect the vast number of organisations that now rely on such facilities as a critical part of their IT estates, safeguard the country’s national security and make the UK a more attractive destination for inward tech investment.

It will see datacentre operators made to comply with much tougher security and resilience measures, overseen by a newly established regulatory body that will be tasked with ensuring operators are able to report incidents, and work with them to assure and test risk mitigation. The government is also considering designating some parts of the datacentre sector as critical national infrastructure (CNI).

“Data is an increasingly important driver of our economic growth and plays a pivotal role across our public services,” said data and digital infrastructure minister John Whittingdale. “Ensuring companies storing it have the right protections in place to limit risks from threats such as cyber attacks and extreme weather will help us reap the benefits and give businesses peace of mind.

“The government is serious about keeping data safe, which is why we are calling on these businesses to actively share their insights and expertise, whilst also making sure we have the right regulations in place,” he said. “By making security a top priority in how we handle data, we’re not only tackling new challenges, but also making the UK a global leader in promoting safe and responsible technology.”

Julian David, CEO of techUK, added: “We commend the UK government for recognising the vital role of the datacentres sector in underpinning our digital economy. It is encouraging that DSIT intend to consult and continue to collaborate with industry to enhance resilience across this critical sector.  

“As with all regulatory developments, techUK and its members look forward to engaging on the matter to ensure the scope and policy development are done in a way that is practical for industry, its customers, supply chain and consumers, and cognizant of commercial environments,” he said.

Services housed in datacentres

The government estimates that approximately 28% of UK businesses use services housed in datacentres, rising to 62% when only those employing over 250 people are counted. Datacentre operators contributed about £4.6bn to the UK economy as of 2021, and data-enabled services more generally contributed about 7% to the UK’s gross domestic product (GDP) and support 76% of all services exports.

Moreover, outages, whether arising from cyber attacks or other factors, including downtime caused by issues such as power outages and even fires, continue to rise in their length, cost and severity, damaging the country’s economy as they do so.

Research conducted by the Uptime Institute in 2022 found that over 30% of datacentre outages now last longer than 24 hours, with costs to service operators alone topping $100,000 (£78,700) in 60% of instances.

DSIT has today opened a fresh consultation on the issue and is inviting stakeholders and other interested parties to participate in helping it draw up firmer guidelines, considering questions such as what constitutes a datacentre to begin with, what functions a regulator might be appropriately tasked with, and what resilience measures should be imposed.

It is particularly keen to hear from datacentre operators, land and facility owners, cloud platform providers, managed service providers (MSPs) and their customers and suppliers, as well as independent or academic experts on data storage and processing. The full consultation documents can be found here.

Read more about datacentre management and security

Adrian Bradley, head of cloud at KPMG UK, said: “The proposals will do much to improve coordination across the datacentre sector. But threats to the technology underpinning our daily digital lives are not confined to datacentres, which are only one layer of an organisation’s technology estate. As these proposals are developed, it’s important they take a broader perspective.

“Specifically, older technology being used by organisations is easier to be exploited and is less resistant to other threats, while well-managed, modern cloud-based environments are harder to penetrate and recover more quickly from attacks,” he said. “The key to developing a resilient technology infrastructure across the UK is to modernise IT.

“In tandem to today’s announcement, I hope to see the regulatory interventions acting to encourage and enable IT modernisation and for reporting obligations to go beyond just the datacentres, so we can best manage all the threats to the UK’s technology resilience,” said Bradley. “We also need greater investment in cyber security and cloud talent to meet the demands of enterprises.”

Read more on Regulatory compliance and standard requirements