As data centres become a critical part of our infrastructure, Peter Dalton, Adil Tirmizi and Sophia Wah review the current risks and regulations around them.
Demand for data centres continues to grow globally, driven by the computing requirements of AI, continued demand for data and connectivity, the shift towards cloud computing and the spread of IoT capability.
Current data centre usage shows how deeply modern society relies on digital infrastructure. There are now more than 6,000 data centres worldwide,[1] supporting everything from banking and healthcare systems to cloud storage, streaming and AI. In the US, data centres already account for 4.4% of total electricity consumption,[2] and that share is predicted to rise to nearly 12% by 2030 as global demand for data centre capacity triples over the same period.[3]
Their growing importance has prompted tighter cybersecurity and governance regulation across the UK and EU, elevating data centres to the same status as sectors such as energy and water. Yet as dependence on a small number of hyperscale data centre providers grows, so does the cyber risk, prompting governments to look at strengthening the resilience of this critical digital backbone.
Concentration risk
Data centres come in multiple forms. Some serve only one business (private or enterprise data centres), but more often a single facility or provider serves many different organisations (for example managed services, cloud or colocation data centres), which creates a potentially systemic concentration risk. A successful breach or outage at a data centre provider can affect a multitude of organisations simultaneously, with cascading effects across sectors. The AWS outage in October 2025 illustrated this vulnerability in practice: banking services, government websites, social media and messaging platforms and games companies were all disrupted, highlighting how reliance on a limited number of cloud providers can amplify the impact of a single incident. Contingency planning for customers of such providers therefore needs to assume a provider-wide failure, not only the loss of a single site. Further, because they handle sensitive data, data centres are attractive targets for espionage at the geopolitical and state level. Their scale and centrality, and the risks that follow from them, underscore the need for robust defences and contingency planning.
This risk is compounded by the rapid deployment of AI across essential services such as healthcare, transport, education and defence, and by the increasing demand for power and infrastructure that it brings with it. As AI systems become more embedded in public infrastructure, they increase reliance on data centres not just for storage but for real-time processing and decision-making.
In this context, the security and availability of data centres are no longer just operational concerns. Governments are increasingly seeing data centres as central to safeguarding the integrity of digital public services, making cybersecurity a matter of national and organisational resilience. As the Ministry of Defence’s Global Strategic Trends 2050 report notes:
‘In the future, the ability of governments and businesses to make decisions will depend even more fundamentally on their access to data, and the quality of their decisions will be determined by their ability to make sense of the information they access. The physical and digital protection of data centres will consequently become more critical.’ [4]
Addressing these issues requires more than technical safeguards; legal, structural and governance measures are also needed.
Critical national infrastructure
In response to these risks, jurisdictions such as the UK and EU have turned their regulatory focus to data centres as critical infrastructure in their own right, placing them alongside sectors like energy, water and telecommunications. As a result, operators are now subject to enhanced cybersecurity and governance requirements.
The EU’s NIS 2 Directive,[5] for example, introduces mandatory risk management measures, incident reporting and management-level accountability for in-scope entities, with maximum penalties for essential entities of €10 million or 2% of global annual turnover, whichever is higher (the ceiling for important entities is lower, at €7 million or 1.4%).
The UK’s draft Cyber Security and Resilience Bill (“Draft Bill“) is set to bring data centres within scope of the UK’s NIS Regulations 2018 (which implemented the EU’s original NIS Directive[6]), designating them under the higher category of regulated entity as Operators of Essential Services and underscoring the increasingly vital role they play in supporting digital infrastructure and economic resilience.
Under the Draft Bill, data centres would have to put in place appropriate technical and organisational measures to manage risks and minimise the impact of cyber incidents, and would have to notify the regulator (Ofcom) of incidents which have had, or are likely to have, a significant impact on operations: an initial notification within 24 hours, followed by a full report within 72 hours.[7] New powers would also allow regulators to scrutinise the supply chain by designating critical suppliers to NIS-regulated entities, making those suppliers subject to additional regulatory requirements.
Further, the Draft Bill gives the Secretary of State powers to direct regulators and the organisations they oversee (including data centre operators) to take specific steps to prevent cyber incidents. It also introduces a new Code of Practice and a Statement of Strategic Priorities, enabling the government to update obligations on data centres and other regulated entities without passing new primary legislation. Regulators must take these objectives into account when enforcing compliance. Importantly, the Draft Bill significantly raises penalties for serious breaches, with maximum fines set at the greater of £17 million or 4% of global turnover. These developments reflect a growing recognition of the strategic importance of data centres, with regulatory scrutiny increasingly focused on how they are operated, secured and governed.
Ransom payment bans and controls
Ransomware remains among the most disruptive cyber threats globally, and while many governments discourage ransom payments, a recent study found that 49% of organisations whose data was encrypted in a ransomware attack paid a ransom to get their data back.[8]
Governments have taken varying stances on ransomware payments. In the US, for example, North Carolina and Florida have banned state agencies from paying ransoms since 2022, with North Carolina going a step further and prohibiting even communicating with the threat actor. In the UK, the government has proposed a ban on public bodies and critical national infrastructure operators making ransom payments, which could include data centres (if the definition of critical national infrastructure in the published proposals matches the scope of the NIS regulations). Internationally, 48 countries, including the UK, the US and EU member states, have pledged under the Counter Ransomware Initiative not to pay ransomware demands, though the pledge stops short of a legal requirement.
The rationale of such approaches is to reduce the financial incentive for attackers by removing the prospect of a payout. The difficulty lies in balancing this objective against the risk of a catastrophic ransomware attack in a critical sector. Other approaches include mandatory incident reporting or requiring regulatory approval before any payment is made, which may make payment less palatable without an outright ban and give governments a better understanding of the scale of the problem. Such options also form part of the UK’s proposals for parts of the economy not subject to the proposed ban. For operators, the practical consequence is that recovery capability (tested, offline backups and rehearsed restoration) becomes the only fallback once payment is off the table. Taken together, these measures reflect a broader global shift toward more interventionist policies aimed at disrupting the ransomware economy and protecting essential digital infrastructure.
Conclusion
Data centres are rapidly becoming the backbone of the digital economy, powering everything from AI-driven innovation to critical national infrastructure. Their growing strategic importance makes them both indispensable and increasingly attractive targets for cyber-attacks. As reliance on data centres deepens, the risks arising from concentration, ransomware and geopolitical tension will increase. Regulatory frameworks such as NIS 2 and the UK’s Cyber Security and Resilience Bill seek to address these with heightened obligations for security, governance and resilience. Building robust defences and recovery plans will be essential for safeguarding data and the businesses that rely on it.
[1] https://www.statista.com/statistics/1228433/data-centers-worldwide-by-country/?srsltid=AfmBOora8-9rXuS3lL-MEq1DZFK5rsvA4ohgf2Pr6VwlTSXbXz2fGAOX
[2] https://eta-publications.lbl.gov/sites/default/files/2024-12/lbnl-2024-united-states-data-center-energy-usage-report_1.pdf, page 52
[3] https://www.mckinsey.com/industries/public-sector/our-insights/the-data-center-balance-how-us-states-can-navigate-the-opportunities-and-challenges
[4] https://assets.publishing.service.gov.uk/media/68dba439dadf7616351e4bf8/GST_7_Final_post_pic_change_WEB.pdf, page 301
[5] Network & Information Security Directive (EU) 2022/2555 (“NIS 2“)
[6] Network & Information Security Directive (EU) 2016/1148 (“NIS“)
[7] https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets/incident-reporting
[8] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2025.pdf, pages 2 and 8

Peter Dalton is a partner in the HSF Kramer cyber and data security team where he advises clients in respect of cyber breach response, investigations, in the defence of regulatory enforcement actions, and litigation arising from cyber disputes.

Adil Tirmizi is an associate in the HSF Kramer cyber and data security team advising on all aspects of cybersecurity, from preparing for and responding to regulatory investigations to guiding clients through the full incident lifecycle.

Sophia Wah is a paralegal in the HSF Kramer cyber and intellectual property practices, with experience across both contentious and non-contentious matters.