Data centres in the UK are to be designated as Critical National Infrastructure (CNI), alongside energy and water systems
The Government has designated data centres in the UK as critical national infrastructure (CNI), highlighting the importance of these facilities amid ongoing cyber threats from hackers, criminals and hostile nation states.
The enhanced government cybersecurity support that comes with the designation aims to give these vital facilities greater protection. It is the first Critical National Infrastructure (CNI) designation in almost a decade, since the Space and Defence sectors gained the same status in 2015.
The government said that a Critical National Infrastructure designation will allow it to support the sector in the event of critical incidents, minimising impacts on the economy.
Critical National Infrastructure
The government claimed the designation “means the data housed and processed in UK data centres – from photos taken on smartphones to patients’ NHS records and sensitive financial investment information – is less likely to be compromised during outages, cyber attacks, and adverse weather events.”
The CNI designation puts data centres on an equal footing with water, energy and emergency services systems, and will allow the data centre sector to expect greater government support in anticipating and recovering from critical incidents.
CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and co-ordinate access to emergency services should an incident occur.
The government also said it welcomed a proposed £3.75 billion investment in Europe’s largest data centre, after data company DC01UK submitted plans to Hertsmere Borough Council for construction in Hertfordshire. The investment will directly create over 700 local jobs and support 13,740 data and tech jobs across the country.
The government also believes that CNI status will deter cyber criminals from targeting data centres that may house vital health and financial data, minimising disruption to people’s lives, the NHS and the economy.
The new protections will also boost business confidence in investing in data centres in the country, an industry which already generates an estimated £4.6 billion in revenues a year.
“Data centres are the engines of modern life, they power the digital economy and keep our most personal information safe,” said Technology Secretary Peter Kyle. “Bringing data centres into the Critical National Infrastructure regime will allow better coordination and cooperation with the government against cyber criminals and unexpected events.”
“The huge £3.75 billion private investment announced today in Hertfordshire is a vote of confidence in those plans and a clear example of my determination to ensure technological advancements are helping to grow our economy and create wealth across the country,” said Kyle.
Cyber threats
The cyber threat to critical infrastructure is very real. A ransomware attack in June this year on Synnovis, a private company that analyses blood tests for certain London hospitals, led to cancelled operations and blood transfusions.
Indeed, the NHS had to call for donations of O-type blood after the ransomware attack affected hospitals’ ability to match blood.
And the CrowdStrike incident in July, which affected 60 percent of GP practices by disrupting software holding patients’ appointment details, prescriptions and health records, is another example of the catastrophic impact of IT and cyber threats on people’s lives.
The UK is currently home to the highest number of data centres in Western Europe.
Industry reaction
The government’s designation has prompted responses from the data centre industry.
“We welcome today’s announcement by the government which recognises the critical nature of data centres and digital infrastructure to the economy and society,” said Bruce Owen, UK MD of digital infrastructure provider Equinix.
“The internet, and the digital infrastructure that underpins it, has rapidly grown to be as fundamental to each one of our daily lives as water, gas, and electricity, and is now a service that people and the UK economy can no longer live without,” said Owen.
“techUK welcomes the government’s pivotal decision to designate the data centres sector as Critical National Infrastructure and the recognition of the critical role they play in the UK’s modern economy,” said Matthew Evans, Director of Markets and Chief Operating Officer at techUK.
Multiple countries
“As we bring data centres into the spotlight, we need to remember that modern data storage isn’t limited to one country,” added Toby Lewis, Global Head of Threat Analysis at global cybersecurity firm Darktrace.
“Any new rules will need to work across borders,” said Lewis. “Many data centres serve multiple customers at once, meaning new restrictions could affect all users of a data centre, even those not considered part of critical infrastructure. This could slow down innovation or make things more expensive for some businesses.”
“To avoid these issues, data centres might need to set up separate areas just for critical infrastructure,” said Lewis. “However, this could make it harder for important services to use cloud technology efficiently, potentially leading to higher costs. Organisations need to balance the benefits of security with added cost.”
“This is another strong and timely step from the government in improving resilience across critical national infrastructure, supply chains, the public sector, and strategically important businesses,” Lewis concluded. “By addressing these interconnected elements of our digital landscape, we can significantly reduce weak links and create a more robust cyber defence posture for the UK.”
Data concern
“Vast amounts of information are stored and managed in data centres, so it’s about time the UK government declared them a critical national infrastructure,” said Camellia Chan, CEO and co-founder of Flexxon.
“This is especially important since the presence of such huge amounts of data – which is increasing with the rise in data-hungry applications like AI – is a massive motive for cybercriminals,” said Chan. “The effects on business operations and continuity, as well as the financial losses of a cyber attack can be devastating – in 2023, the average cost of a data breach was $4.45 million.”