With the deadline for the implementation of the European Union's new cybersecurity regime under the Network and Information Systems, or NIS2, Directive [1] fast approaching in October, member states are starting to introduce national implementing legislation.
It is now time for the owners and operators of data centers (buildings that house the IT and network equipment providing data storage, processing and transport services) to complete their scoping assessment and think about the compliance steps required by the new, strengthened cybersecurity obligations.
Data centers are directly in scope of the new regime, and it is essential that operators are prepared to meet the new requirements. Compliance checks will come not only from national regulators but also from tenants, some of whom (e.g., communications providers or cloud service providers) will themselves be subject to the regime and will impose contractual obligations on their data center providers.
In this article, we discuss the practical considerations that data center operators may need to consider in relation to NIS2 compliance in the EU, as well as the U.K.'s cybersecurity regime.
Details on the current EU implementation status for transposition of the NIS2 directive into national laws can be found in the NIS2 Directive Implementation Tracker.[2]
Data center operators will need to comply with the following core obligations.
To facilitate compliance and in line with the requirements of the directive, the European Commission published a draft implementing regulation in June.[3] This sets out draft proposals to further specify the compliance steps for data centers and other digital infrastructure and service providers.
The draft implementing regulation describes in detail the technical and methodological requirements of cybersecurity risk-management measures, including security policies; management responsibility; risk management frameworks; compliance monitoring; incident handling; response; monitoring and reporting; business continuity and disaster recovery; supply chain security and contractual requirements; security in acquisition of ICT services or products; product life cycle; cyber hygiene practices; cryptography; human resource security and background checks; access controls and management; asset management; and environmental and physical security.
While it is early days, the additional level of detail is helpful to provide industry with guidance on likely compliance steps. However, much will still be left to the discretion of member states.
In addition, the draft implementing regulation provides guidance on the interpretation of a significant incident that would result in a reporting obligation to competent authorities.
The current thresholds foreseen by the draft to determine a significant incident are very strict — in practice, this may result in a significant compliance burden. Below are some examples of thresholds foreseen for data centers:
Steps to Consider
Data center operators should consider the following steps in advance of the regime coming into force:
When dealing with customers operating in a financial sector, there may be additional requirements to consider, e.g., the application of the Digital Operational Resilience Act,[4] which addresses cybersecurity risks in the financial sector and affects ICT third-party suppliers.
Given Brexit, the U.K. is not required to implement the new NIS2 directive; instead, the old NIS regime, as currently implemented in the U.K. under the Network and Information Systems Regulations 2018,[5] remains in place.
In reality, while there is a degree of divergence, companies will need to consider both regimes in parallel if providing services in the EU.
This applies to:
Notwithstanding this, the previous Conservative government proposed to expand the scope of the cybersecurity regime to cover managed service providers, noting that telecoms services will remain subject to the separate telecoms security regime in the U.K., unlike the EU where telecoms security now falls under the NIS2 regime.
The new U.K. government has indicated that it may adopt similar measures, although the scope of this remains to be seen. The recent King's Speech for 2024 announced a Cyber Security and Resilience Bill that could potentially expand the U.K. NIS regime:
The Bill will strengthen our defenses and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.[6]
The bill is expected to also include increased incident reporting to give government better data on cyberattacks.
The new government has also announced a strategic defense review into the current state of the U.K.'s defense capabilities and potential threats. A report is expected to be delivered in the first half of 2025 that may consider relevant cybersecurity issues.[7]
To the extent that data center operators provide services captured by the U.K. NIS regime (cloud hosting services may be of particular relevance here), it may be necessary to consider these U.K. cybersecurity requirements as well as future developments as the new Labour government's proposals progress.
The U.K. is also proposing regulation to improve the security and resilience of data infrastructure, including data centers,[8] with a focus on the following:
However, Labour has not confirmed whether its priorities and policies might change in this regard.
Finally, as noted, telecoms services in the U.K. will remain subject to separate telecoms security requirements. The U.K. has recently implemented a new strengthened telecoms security framework that may be either directly relevant to data center service operators if they also provide telecoms services or indirectly relevant where managed services are being provided to telecoms providers operating in the U.K.
That is, these providers may expect their data center providers to have relevant safeguards, measures, procedures and processes in place to mitigate security compromises. Providers may also expect their data center providers to seek to flow down obligations into relevant contracts to mitigate security risks, as well as require them to complete supplier risk assessments.
The European Commission and EU member states, as well as the U.K., have recognized that data centers are a critical part of the telecoms and digital ecosystem. In an effort to strengthen resilience and minimize vulnerabilities, data centers must take necessary steps to manage their cybersecurity risks.
This article was first published in Law360: Implications Of EU Network Directive For Data Center Owners - Law360 UK
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive), available at: https://eur-lex.europa.eu/eli/dir/2022/2555.
[2] Available at: https://www.twobirds.com/en/trending-topics/cybersecurity/nisd-tracker.
[4] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554.
[5] Available at: https://www.legislation.gov.uk/uksi/2018/506/contents.
[6] See page 94 of the background briefing notes of the King's Speech 2024, available at: https://assets.publishing.service.gov.uk/media/6697f5c10808eaf43b50d18e/The_King_s_Speech_2024_background_briefing_notes.pdf.
[7] Further information available at: https://www.gov.uk/government/news/government-launches-root-and-branch-review-of-uk-armed-forces.
[8] Available at: https://www.gov.uk/government/consultations/protecting-and-enhancing-the-security-and-resilience-of-uk-data-infrastructure.