techUK response to the DSIT consultation "Protecting and enhancing the security and resilience of UK data infrastructure"
We welcomed the Government’s recognition of the value and crucial role the data centre sector plays in the UK’s modern digital economy. We also noted its intention to continue to build the right business environment, one that encourages investment in the sector, allows for its growth and continued innovation, and ensures capacity can meet the UK’s ambitions for economic growth, scientific progress and safe development of artificial intelligence and other new technologies.
However, we noted that the scope of the consultation does not seem to distinguish between the responsibilities of data centre providers and those of application owners (service and platform providers).
In our response, we outlined how a full implementation of the proposals could have the following impact on the sector:
- Potential duplication of efforts and compliance to provide data and reporting across interdependent pieces of regulation;
- An unnecessary increase or duplication in regulatory and compliance costs, in particular with regard to UK NIS;
- Potential loss of market flexibility and innovation if the regulator were to impose a set of rules which diverged from international norms and established best practice;
- Potential commercial costs in complying with additional controls set by a regulator.
Some high-level points include:
- techUK and the majority of our members disagreed with the Government’s assessment that there is an unaddressed risk borne by the data centres within scope of this consultation;
- techUK and our members had concerns over the aims of this consultation and its proposed framework;
- techUK and our members agree there could be room for improvement in terms of information sharing with the UK Government and relevant regulators beyond already existing compliance and regulatory frameworks – mainly threat analysis and incident response.
Recommendations:
- We recommend that the Government carefully reconsider its risk assessment and thresholds. In particular, the Government should consider clearer proposals and re-engagement with key stakeholders on:
  - what should be reported (as many reporting requirements are already covered under other compliance requirements or contracts);
  - who should be reporting (whether the reporting responsibilities lie with the sector under scope of this consultation), and
  - why some incidents should be reported (what the threshold for an incident to be reported should be, what the desired outcome is, and what the regulator will do with that data).
- Therefore, we would recommend that instead of attempting to carve out parts of data centre infrastructure (namely colocation and “co-hosting”), the Government should:
  - Pause before considering further policy development and conduct a comprehensive review of how the various Government proposals relating to cybersecurity and resilience in digital markets fit together in both scope and legal frameworks. The interdependencies outlined in the section below, and the lack of clarity on most of them, make it challenging to provide a constructive response and introduce the risk of overlapping requirements, duplication of reporting and compliance costs, and at worst, inconsistent regulations.
  - Assess the merits of alignment with the EU’s ENISA NIS Directive (EU NIS2), and existing ENISA guidance (which includes cloud computing service providers and data centre service providers). Diverging from international and EU standards with our own UK scheme risks increasing compliance costs for businesses operating internationally and further fragments an already complex cybersecurity environment. The Government should consider whether the proposed new framework for data centres set out in this consultation is merited, i.e. whether it adds anything that is not already catered for by the proposed updates to the NIS framework at EU and UK level.
Read our full response here.