The UK Government’s recent designation of data centres as Critical National Infrastructure (CNI) underscores a significant shift in the nation’s approach to cybersecurity and resilience in the digital age. This move has received varied responses from industry experts, who have emphasised that while the recognition of data centres is a step forward, it must be part of a more comprehensive strategy.
Dr Aleksandr Yampolskiy, CEO of SecurityScorecard, welcomed the increased protections but urged for further measures. “We welcome data centres being given greater protections from cyber attacks and IT outages, but more must be done to identify and address single points of failure across the UK critical infrastructure network,” he said. Yampolskiy highlighted the fragility of the current infrastructure, noting that a recent report by SecurityScorecard and McKinsey revealed that 62% of the global external attack surface is concentrated in the products and services of just 15 companies.
Yampolskiy pointed out the need for proactive and standardised cyber risk measurements, contrasting the UK’s efforts with the European Union’s NIS2 and CRA directives. “The absence of standardised cyber risk measurements has perpetuated a security trust deficit, with regulations and standards varying significantly across different sectors and nations. This inconsistency has led to a patchwork of security measures, leaving critical infrastructures exposed to cyber threats,” he explained.
Ian Jeffs, General Manager of Lenovo’s Infrastructure and Solutions Group (ISG), echoed similar sentiments while adding a perspective on the intersection of cybersecurity and sustainability. “The fact that it has been over a decade since the last Critical National Infrastructure (CNI) designation underscores the importance of cyber protection for data centres,” Jeffs commented. He pointed to the increasing demand for data centres driven by advancements in technologies such as quantum computing and AI-based services, stressing the importance of global security standards to ensure their reliability.
Jeffs linked cybersecurity improvements with sustainability efforts, suggesting that enhancing energy efficiency and adopting circular economy practices could enable companies to reinvest saved resources into bolstering their cybersecurity defences. “Security is crucial for business transformation and growth, and as data centres become more essential, their protection becomes more critical than ever,” he urged companies to stay proactive to ensure compliance and safeguard operations.
Meanwhile, Dr Thomas King, CTO of DE-CIX, called for a broader scope of protection that includes data centres and the wider connectivity infrastructure. “Protecting data centres alone is not enough,” King asserted. He emphasised the essential role of robust networks and interconnection platforms in enabling the data and applications housed in data centres to create value for society and business.
King pointed to the global recognition of secure interconnection, citing the United States’ recent “Roadmap to Enhancing Internet Routing Security” as evidence of the importance of this issue. He highlighted how the US is moving towards the European model of neutral interconnection, which enhances resilience and reduces vendor lock-in by adopting carrier and data-centre-neutral Internet Exchanges. “In an interconnected world, where global communication and commerce depend on the seamless exchange of data, securing these data centres and all digital infrastructure is a critical step to maintaining not just national security but also economic stability,” King concluded.
The UK Government’s decision to classify data centres as CNI is important in recognising their vital role in today’s digitally dependent society. However, industry experts agree that a more holistic approach—encompassing data centres and the broader digital infrastructure—is essential to safeguard the nation’s security and economic well-being.