The UK government’s Cyber Security & Resilience (Network and Information Systems) Bill was presented to parliament last week and met with a mixed reception.
Once lightly regulated, the UK’s digital infrastructure has slowly moved up the totem pole to become part of national critical infrastructure.
Cyber-attacks are costing UK organisations billions each year, and the digital landscape has changed dramatically since the original NIS regulation was introduced. Hyperscale facilities anchor the cloud economy, managed service providers sit deep within enterprise networks, and supply chain vulnerabilities have become as significant as direct attacks.
Last month we reported the UK is now facing an unprecedented level of cyber threat, with four “nationally significant” attacks taking place every week, according to the National Cyber Security Centre’s (NCSC) latest annual review. The NCSC handled 204 nationally significant cyber incidents in the 12 months to August 2025, up sharply from 89 the previous year. Within that, 18 cases were deemed “highly significant”, meaning they posed risks to critical national services, government or major economic activity.
Data centres move into regulatory focus
One of the biggest changes is the formal inclusion of data centres within the Bill. Facilities above 1MW of capacity per site, or 10MW across multiple locations, will now be treated as strategically important digital infrastructure.
Traditionally, data centres were viewed as the physical shell for digital operations, neutral in function and insulated from direct regulatory intervention. The new legislation recasts them as critical assets whose compromise would carry societal and economic consequences.
Under the Bill, operators will be required to align with the National Cyber Security Centre’s Cyber Assessment Framework, a comprehensive standard that demands evidence of robust security controls, operational resilience, and organisational governance. This is paired with stringent incident-reporting expectations: providers will have to notify regulators within 24 hours of identifying a significant cyber event, followed by a detailed assessment within 72 hours. Crucially, the Bill also obliges data centres to inform their customers of incidents that may affect hosted systems, shifting the sector toward greater transparency.
For a market regularly considered to be shrouded in secrecy, providers will need to adjust to a more open, cooperative model of incident handling.
MSPs and supply chains under scrutiny
Managed service providers are another major part of the Bill’s expanded scope. In recent years, attackers have repeatedly targeted MSPs precisely because of the privileged access they hold across multiple client environments. This systemic exposure has made them one of the highest-value vectors in modern cybercrime.
The legislation treats MSPs not simply as vendors but as key components of national digital resilience. Under the new legislation they will be required to adopt improved governance frameworks, undergo more rigorous oversight, and secure their own supply chains, which frequently serve as unseen entry points for attackers. The government’s creation of a new category of “critical suppliers” also sweeps the smaller firms whose software or services into the regulatory fold.
Regulatory powers strengthened
The Bill equips regulators with significantly expanded authority. They will be able to conduct proactive reviews, assess internal systems, and intervene in operational practices when necessary. It also includes provisions for cost recovery, meaning operators will bear more of the financial responsibility for the oversight required to secure national infrastructure.
While major global operators may already exceed many of the Bill’s expectations, the regulatory shift will have real implications for mid-market data centres and MSPs. For some, the additional costs of compliance, reporting systems, audits, and governance processes may be substantial.
For others, the legislation presents an opportunity to differentiate based on resilience as a service quality, particularly in an environment where customer trust is increasingly tied to cybersecurity posture.
Ransomware: The catalyst behind the policy
Over the last few years, cyber attacks have become a regular feature in the news headlines. And whilst Joe Public is familiar with the aftermath of these attacks (compromised bank details, a loss in services, emails going down), we hear less about the reason and the attempted resolutions.
In 2024, the attack on Change Healthcare in the US resulted in a US$22 million ransom payment and widespread disruption across the healthcare system. Attackers target organisations that sit at the crossroads of data, connectivity, and operational continuity: the very spaces data centres and MSPs occupy.
And so data centres have increasingly found themselves in the crosshairs of highly organised cybercriminal groups.
In 2020, Equinix experienced a high-profile intrusion by the Netwalker ransomware gang, which demanded roughly US$4.5 million in exchange for data decryption and the prevention of leaks, although the company stated the attack affected internal systems rather than customer operations.
CyrusOne faced a similar situation when the REvil group compromised parts of its environment. Reports suggested some customer operations were disrupted and a ransom was issued.
Building a coordinated national response
A successful attack on a major data centre or MSP has the potential to cascade far beyond the immediate victim, disrupting cloud platforms, financial services, healthcare systems, and telecommunications all at once. The Bill recognises that the resilience of digital infrastructure is not merely a commercial concern but a national imperative.
Yet implementation will not be without challenges. Operators will need clarity on what constitutes a “significant” incident, and the sector will have to adapt to new expectations around transparency—expectations that may, at times, be at odds with customer confidentiality agreements or internal crisis-management instincts.
International operators must also navigate increasing regulatory divergence as the EU, US, and Asia-Pacific regions advance their own cyber legislation. Maintaining compliance across multiple jurisdictions without fracturing operational consistency will require careful planning and cross-border coordination.
Philippe Millet from the i3forum, a global industry association for the wholesale telecommunications carrier community that works to combat various forms of fraud in the industry, commented: “The UK is definitely leading the charge in the fight against cybercrime, fraud, and scams. Many countries, including across Europe, would do well to follow suit and up their game. The ‘no negotiation’ policy reflects the standard approach in the Western world for handling ransom demands, as seen in the agreement signed by G8 leaders in 2013 against paying ransoms to terrorists. While a ‘no negotiation’ policy may not be a complete solution, making it more difficult for criminals to extract ransoms is certainly a step in the right direction.”
Despite its complexities and somewhat lukewarm reception by the industry, the Cyber Security & Resilience Bill marks a new era in protecting the UK’s digital backbone. For data centres, MSPs, and critical suppliers, cyber resilience is no longer just a technical requirement – it has become a defining measure of market credibility and a recognition of their role as critical national infrastructure.





