techUK response to the DSIT consultation "Protecting and enhancing the security and resilience of UK data infrastructure

We welcomed the Government’s recognition of the value and crucial role the data centre sector plays in the UK’s modern digital economy and note its intention to continue to build the right business environment that encourages investment in the sector allowing for its growth and continued innovation, and ensuring capacity can meet the UK’s ambitions for economic growth, scientific progress and safe development of artificial intelligence and other new technologies.

However, we noted that the scope of the consultation seems to not distinguish among responsibilities between data centre providers and application owners (service and platform providers). 

In our response, we outlined how a full implementation of the proposals could have the following impact on the sector:

• Potential duplication of efforts and compliance to provide data and reporting across interdependent pieces of regulation;
• An unnecessary increase or duplication in regulatory and compliance costs, in particular in regards to UK NIS;
• Potential loss of market flexibility and innovation if the regulator were to impose a set of rules which diverged from international norms and established best practice;
• Potential commercial costs in complying with additional controls set by a regulator.

Some high-level points include:

• techUK and the majority of our members disagreed with the Government’s assessment that there is an unaddressed risk borne by the data centres within scope of this consultation; 
• techUK and our members had concerns over the aims of this consultation and its proposed framework;
• techUK and our members agree there could be room for improvement in terms of information sharing with the UK Government and relevant regulators beyond already existing compliance and regulatory frameworks – mainly threat analysis and incident response.

Recommendations:

• Recommend that the Government reconsider carefully their risk assessment and thresholds. In particular, the Government should consider clearer proposals and re-engagement with key stakeholders on: 
  • what should be reported (as many reporting requirements are already covered under other compliance requirements or contracts); 
  • who should be reporting (whether the reporting responsibilities lie with the sector under scope of this consultation), and 
  • why some incidents should be reported (what the threshold for an incident to be reported should be, what the desired outcome is, and what the regulator will do with that data).
• Therefore, we would recommend that instead of attempting to carve out parts of data centre infrastructure (namely colocation and “co-hosting”), the Government should:
  • Pause before considering further policy development and conduct a comprehensive review of how the various Government proposals relating to cybersecurity and resilience in digital markets fit together in both scope and legal frameworks. The interdependencies outlined in the section below, and the lack of clarity on most of them, makes it challenging to provide a constructive response and introduces the risk of overlapping requirements, duplication of reporting and compliance costs, and at worst, inconsistent regulations. 
  • Assess the merits of alignment with the EU’s ENISA NIS Directive (EU NIS2), and existing ENISA guidance (which includes cloud computing service providers and data centre service providers). Diverging from International and EU standards with our own UK scheme risks increasing compliance costs for businesses operating internationally and fragments further an already complex cybersecurity environment. The Government should consider whether the proposed new framework for data centres set out in this consultation is merited i.e. whether it adds anything additional that is not already catered for by the proposed updates to the NIS framework at EU and UK level.

Read our full response here. 

For more information please contact:

Luisa C. Cardani

Head of Data Centres Programme, techUK

×

Luisa C. Cardani

Head of Data Centres Programme, techUK

Luisa C. Cardani is the Head of the Data Centres Programme at techUK, aiming to provide a collective voice for UK operators and working with government to improve business environment for the data centres sector.

Prior to joining techUK, Luisa worked in the Department for Digital, Culture, Media and Sport as the Head of International Data Protection, where she led on the development of elements of the UK's data protection and privacy policy. In her role, she was also the UK official representative for the EOCD Privacy Guidelines Informal Advisory Group.

She has held a number of position in government, including leading on cross-cutting data provisions in the EU-UK Trade and Cooperation Agreement, and in high priority cross-departmental projects when working in the Department of Business, Energy and Industrial Strategy.

She holds an M.Sc. from University College London's Department of Political Sciences.

Email:

[email protected]

Phone:

07587 210 799

Website:

www.techUK.org

LinkedIn:

https://www.linkedin.com/in/luisacardani

Data Centres updates

Sign-up to get the latest updates and opportunities from our Data Centres programme.