What CNI classification means for UK data centre providers

What CNI classification means for UK data centre providers

The UK government has officially recognised data centres as part of the Critical National Infrastructure, marking a significant milestone in the country’s Digital Transformation efforts.

This decision underscores the vital role data centres play in maintaining the backbone of the UK’s economy and national security. In parallel, the government has announced plans to introduce a new Cybersecurity and Resilience Bill, as outlined in the King’s Speech in July, aiming to bolster the country’s cyberdefences.

This legislation is expected to address growing cyber-risks and enhance the protection of critical digital assets across the UK.

In this feature, five industry experts offer their perspectives on what these developments mean for the sector’s future.

David Varney, Partner, Burges Salmon

The classification of data centres as Critical National Infrastructure marks a pivotal moment for the UK’s digital economy. By providing enhanced protections and support, the UK government aims to ensure the resilience and security of data centres, fostering a secure environment for investment and growth. This move not only intends to safeguard vital data but reinforce the UK’s position as a leader in data security and technological innovation.

Earlier this month, the Technology Secretary, Peter Kyle, declared that UK data centres will now be classified as Critical National Infrastructure (UK CNI), marking the first new CNI designation since 2015.

UK CNI constitutes critical elements of infrastructure of which the loss or compromise could result in major detrimental impact on essential public services, emergency systems, national security, defence or the functioning of the state. 

This new designation places data centres on par with essential services, ensuring they receive prioritised support during critical incidents such as cyberattacks, environmental disasters and IT blackouts. This follows the Science and Technology Committee’s recent inquiry into the cyber-resilience of the UK CNI sector, during which the importance of bolstering the digital infrastructure against potential cyberattack was emphasised.

Dr Aleksandr Yampolskiy, CEO, SecurityScorecard 

We welcome data centres being given greater protections from cyberattacks and IT outages, but more must be done to identify and address single points of failure across the UK critical infrastructure network.

History will continue to repeat itself if the cybersecurity community does not actively monitor supply chain risk. SecurityScorecard’s recent research, in collaboration with McKinsey, shows that 62% of the global external attack surface is concentrated in the products and services of just 15 companies. 

Any outage is a reminder of the fragility and systemic ‘nth-party’ concentration risk of the technology that runs everyday life: airlines, banks, telecoms, stock exchanges and more. Contrasting with the European Union’s proactive stance in cybersecurity legislation with the introduction of NIS2 and CRA directives, the UK currently lacks a cohesive legislative counterpart despite commendable efforts from the National Cyber Security Authority (NCSA).

Our previous report, Addressing the Trust Deficit in Critical Infrastructure, found 48% of global critical manufacturing is at significant risk of breach demonstrating the need for a much more robust integration of cyber and infrastructure planning. SecurityScorecard takes this opportunity to urge the government to advocate for comprehensive legislative action.

For SecurityScorecard, the absence of standardised cyber-risk measurements has perpetuated a security trust deficit, with regulations and standards varying significantly across different sectors and nations. This inconsistency has led to a patchwork of security measures, leaving critical infrastructures exposed to cyberthreats.

Camellia Chan, CEO and Co-founder, Flexxon 

Vast amounts of information are stored and managed in data centres, so it’s about time the UK government declared them a critical national infrastructure. This is especially important since the presence of such huge amounts of data – which is increasing with the rise in data-hungry applications like AI – is a massive motive for cybercriminals. The effects on business operations and continuity, as well as the financial losses of a cyberattack can be devastating – in 2023, the average cost of a data breach was US$4.45 million.

Data centres cannot afford to rely solely on traditional software security such as firewalls and VPNs. These reactive, static and human-centric methods can be too easily manipulated, exploited by Zero Day attackers or weakened by human error. To ensure security across the entire attack life cycle, a holistic approach that detects cyberthreats, responds to them and can recover data in the unfortunate event of an attack is necessary. To do so you need a combination of software and hardware solutions that incorporate self-learning AI.

Chris Grove, Director, Cybersecurity Strategy, Nozomi Networks

The recent designation of UK data centres as Critical National Infrastructure (CNI) marks a significant step forward in the nation’s cybersecurity efforts. This move not only highlights the vital role these centres play in our economy and society but also reinforces the government’s commitment to protecting them from potential threats. 

In line with this, the proposed Cyber Security and Resilience Bill, which focuses on supply chain protection, is another crucial initiative that aims to address the growing risk to the UK’s critical infrastructure. The bill recognises the increasing focus of state-sponsored threat actors on UK consumers and businesses and takes proactive measures to counteract this threat. 

However, while the CNI designation and the proposed bill are indeed commendable steps, it is important to acknowledge that cybercriminals are persistent and continuously evolving. Their interest in CNI will likely remain high due to the potential impact of successful attacks.

Therefore, continuous vigilance, regular updates to security protocols, and strong public-private partnerships are essential to effectively deter these threats and safeguard our critical infrastructure.

Overall, these measures signal a positive shift towards a more secure digital future for the UK, with the government and private sector working hand-in-hand to protect our most vital assets.

Andrew Tipping, Data Centre Director, Zayo Europe

Network resiliency is now a necessity rather than a luxury, and the government is right to classify data centres as critical national infrastructure. However, it’s equally important to recognise the role that the rest of our network infrastructure plays. 

Data centre locations rely on network infrastructure, both terrestrial and subsea, to connect to each other and the Internet. Navigating disruptions, such as those experienced during the Olympics or recent cyber-incidents like Crowdstrike, relies heavily on the security of this underlying infrastructure. 

It’s important that the government, infrastructure providers and data centre operators work together so that all elements of this critical national infrastructure function reliably. This will enable critical organisations, such as the NHS, rail networks and finance systems, to continue to operate smoothly.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive