What data centre resilience means under the cyber bill

The cyber bill reaches deep into physical operations. Data centre resilience will be judged through power, cooling, controls, suppliers, incident evidence, and customer continuity.

Summary
  • The Cyber Security and Resilience Bill will bring qualifying UK data centres into the NIS regulatory framework.
  • The government’s definition of data centre service includes electricity supply, HVAC, environmental control, security systems, and resilience systems.
  • Compliance will depend on evidence across facility operations, OT security, supplier access, incident reporting, and continuity planning.

The UK Cyber Security and Resilience Bill is written as cyber legislation, but its data centre provisions reach deep into physical operations. Qualifying operators will not only need to show that network security, identity controls, and incident processes are mature. They will need to evidence how the facility systems that support continuity are governed, protected, monitored, and recovered.

The Bill is progressing through Parliament, with report stage and third reading scheduled in the House of Commons on 16 June 2026. It amends the Network and Information Systems Regulations 2018 and brings data centres into scope by classifying data infrastructure as a relevant sector and data centres as an essential service, according to the UK Parliament bills tracker.

The government’s data centre factsheet gives the policy basis. Data centres were designated as critical national infrastructure in 2024, placing them alongside sectors such as energy, water, and emergency services, yet ministers say there are currently no minimum requirements for cyber security or operational resilience. Ofcom will act as operational regulator for qualifying data centres.

Scope is based mainly on rated IT load. Data centres with rated IT load of at least 1MW are expected to fall within the regime, while enterprise data centres operated solely for the IT needs of their owner are in scope at 10MW or above. The government says the thresholds can be amended over time to reflect changes in technology, market dynamics, and risk.

The definition of a data centre service draws the plant room into the regulatory perimeter. The government describes a data centre service as a physical structure with a data hall for housing, connecting, and operating IT equipment, together with supporting infrastructure including electricity supply systems, environmental control such as HVAC, dust, humidity, and flame control, security systems, and resilience systems.

That language gives the Bill a facilities dimension. Building management systems, DCIM platforms, UPS monitoring, switchgear controls, generator interfaces, chiller sequencing, access control, CCTV, fire detection, supplier portals, remote maintenance links, and customer notification processes all sit close to continuity. Some may not be exposed to the public internet, but vendor remote-maintenance links and shared building networks can still reach them. Some may be owned or maintained by specialist vendors. Several may be managed outside the corporate IT security function. They still affect whether the essential service can continue.

The government’s chosen example is physical rather than abstract. During the July 2022 heatwave, two data centres serving an NHS trust failed, taking down most clinical IT systems at three hospitals and related community services. The trust incurred £1.4m in unplanned technology costs to respond.

Heat, cooling, power, controls, and incident management do not fit a narrow view of cyber security. Under the Bill, the separation between facilities engineering and cyber security becomes harder to sustain. Regulated operators will need appropriate and proportionate technical and organisational measures to manage risks to the network and information systems on which their essential service relies, prevent and minimise incident impact, and notify the regulator in writing about incidents with a significant impact on continuity.

The proposed reporting thresholds also cover near misses. The government says relevant incidents include those that could have had, have had, are having, or are likely to have a significant impact on the operation or security of systems relied on to provide the service, or on continuity of the service in the UK. That wording captures events where disruption is avoided but the pathway to disruption is visible.

A credible resilience file will have to connect cyber, OT, facilities, suppliers, and governance. A corporate cyber policy will not by itself show whether a generator control interface is segmented, whether a vendor’s remote maintenance route is time-bound and logged, or whether operators can run critical plant manually during degraded digital operation. An annual penetration test will not show whether chiller sequencing records, alarm histories, access logs, and escalation procedures are fit for a continuity investigation.

Building management and DCIM platforms are central to that evidence. They give operators visibility of temperature, humidity, power, cooling, alarms, energy use, and plant condition. They can also become maps of the facility’s operational state. Asset registers, privilege management, network segmentation, logging, patch records, backup arrangements, and alarm histories become resilience evidence rather than administrative detail.

Power systems bring a different set of questions. UPS, switchgear, generator control, fuel management, and load-shedding procedures must be usable when communications or automated monitoring are impaired. Test records need to show more than mechanical availability. They need to show who can operate systems, which suppliers can intervene, what manual procedures exist, and how evidence is captured during abnormal events.

Cooling controls carry similar risk. Modern facilities rely on automation for efficiency, stability, and rapid response, particularly as rack densities rise and thermal margins narrow. Where automated sequencing, remote monitoring, or control interfaces degrade, operators need fail-safe modes, manual procedures, escalation paths, and tested assumptions about how long conditions remain tolerable. Cooling incidents can become continuity incidents quickly, especially where customers are running dense compute loads.

Physical access also sits within resilience. Access control, CCTV, visitor management, contractor supervision, and break-glass procedures must work during system outages, cyber incidents, or degraded network operation. A digital access system that cannot be administered during a control-plane failure can create operational delay just when engineers need access to plant rooms, roof areas, or carrier rooms.

Supplier access may become one of the most difficult areas to evidence. Data centres depend on controls vendors, generator specialists, chiller engineers, fire-system providers, security integrators, connectivity partners, software providers, and managed service teams. Remote support is often necessary, particularly across multi-site estates, but standing access into critical systems creates a different risk from approved, time-limited, monitored sessions. Operators will need to know who can reach what, under whose authority, through which method, and with what audit trail.
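One way to turn "who can reach what, under whose authority, through which method, and with what audit trail" into a repeatable check, and to produce the time-bound, logged evidence that an earlier paragraph says a corporate policy alone cannot show for a vendor's remote maintenance route: an added Python example, not code from the article or from any regulator, vendor or facility. It compares approved access grants against observed remote sessions and flags standing access, over-long approval windows, and sessions with no covering approval. The vendors, system names, approvers and timestamps are constructed, and the eight-hour maximum grant window is an assumed local policy, not a figure from the Bill.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# All vendors, targets, approvers and timestamps below are constructed for this
# example. The 8-hour maximum window is an assumed local policy, not a Bill figure.

@dataclass(frozen=True)
class Grant:
    vendor: str
    target: str            # facility system, e.g. a chiller PLC or generator controller
    method: str            # approved route, e.g. "vpn-jump", "site-vpn", "vendor-portal"
    approver: str          # whose authority the access rests on
    start: datetime
    end: Optional[datetime]  # None = standing access with no expiry

@dataclass(frozen=True)
class Session:
    vendor: str
    target: str
    method: str
    start: datetime
    end: datetime

MAX_GRANT = timedelta(hours=8)  # assumed policy: no approval window longer than one shift

def audit(grants, sessions, max_grant=MAX_GRANT):
    """Return (kind, vendor, target, detail) findings for the access evidence file."""
    findings = []
    # 1. Standing or over-long approvals are findings in their own right,
    #    regardless of whether anyone used them.
    for g in grants:
        if g.end is None:
            findings.append(("standing_access", g.vendor, g.target, "grant has no expiry"))
        elif g.end - g.start > max_grant:
            findings.append(("overlong_grant", g.vendor, g.target,
                             f"window {g.end - g.start} exceeds {max_grant}"))
    # 2. Every observed session must fall inside a grant for the same vendor,
    #    target AND method; right vendor on the wrong route is still unapproved.
    for s in sessions:
        covering = [g for g in grants
                    if g.vendor == s.vendor and g.target == s.target and g.method == s.method
                    and g.start <= s.start and (g.end is None or s.end <= g.end)]
        if not covering:
            findings.append(("unapproved_session", s.vendor, s.target,
                             f"{s.start:%Y-%m-%d %H:%M} via {s.method} has no covering approval"))
    return findings

def reach_map(grants, at):
    """Who can reach which system at time `at`, by which method, under whose authority."""
    reach = {}
    for g in grants:
        if g.start <= at and (g.end is None or at <= g.end):
            reach.setdefault(g.target, []).append((g.vendor, g.method, g.approver))
    return reach

# Constructed sample data.
D = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
GRANTS = [
    Grant("ChillCo", "chiller-plc-2", "vpn-jump", "ops.manager", D("2026-03-02 08:00"), D("2026-03-02 12:00")),
    Grant("GenServ", "gen-controller-a", "site-vpn", "ops.manager", D("2026-03-02 09:00"), None),
    Grant("FireSys", "fire-panel-1", "vendor-portal", "facilities.lead", D("2026-03-03 06:00"), D("2026-03-04 06:00")),
]
SESSIONS = [
    Session("ChillCo", "chiller-plc-2", "vpn-jump", D("2026-03-02 08:15"), D("2026-03-02 10:40")),  # inside window
    Session("ChillCo", "chiller-plc-2", "vpn-jump", D("2026-03-02 13:05"), D("2026-03-02 13:30")),  # after expiry
    Session("ChillCo", "chiller-plc-2", "site-vpn", D("2026-03-02 09:00"), D("2026-03-02 09:30")),  # wrong route
    Session("GenServ", "gen-controller-a", "site-vpn", D("2026-03-02 22:00"), D("2026-03-02 23:00")),  # covered, but by standing access
]

if __name__ == "__main__":
    for f in audit(GRANTS, SESSIONS):
        print(f)
    print(reach_map(GRANTS, D("2026-03-02 10:00")))
```

Run against real data, the grant list would come from the change or access-approval system and the sessions from the jump host, VPN or vendor-portal logs; the point of the method field is that a vendor reaching a controller over a route nobody approved is an incident even when the vendor and the timing were expected.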

Manual operation remains essential, though it needs to be real rather than assumed. A runbook is only useful if it reflects the installed plant, can be found during degraded operation, and has been practised by the people expected to use it. Generator starts, fuel logistics, chiller sequencing, fire response, access control, customer communications, and regulator notification all need to function when dashboards, remote access, or supplier systems are unavailable.

Incident reporting will test operational discipline. Data centre incidents often move across systems before the cause is clear: a cooling alarm, a control fault, a power quality issue, a supplier intervention, a tenant impact, and a communications problem can overlap within the same event. Operators will need a practical way to identify when a continuity event or near miss is significant enough to notify, even while investigation continues.

Customer notification adds another layer. A multi-tenant colocation facility may need to assess which customers are affected, whether redundancy has been compromised, which dependencies remain uncertain, and what information can be shared without creating security risk or giving false reassurance. Where customers support healthcare, finance, public services, telecoms, or other critical activities, slow or vague communication can deepen operational damage.

The proportionality test will shape how these duties work in practice. A 1MW colocation site, a 10MW enterprise facility, and a hyperscale campus do not carry the same customer base, system complexity, supplier network, or concentration risk. They will not need identical controls. They will need a clear link between risk, system design, operating procedures, supplier governance, and evidence.

Bringing data centres into essential-service regulation does not turn every plant fault into a cyber incident. It does mean that the systems powering, cooling, monitoring, securing, and recovering the data hall form part of the continuity case. Under a regulated regime, resilience will be judged through records, tests, controls, supplier governance, incident evidence, and the operator’s ability to keep the service running when normal digital and physical assumptions break down.
