Implications Of EU Network Directive For Data Center Owners

With the deadline for the implementation of the European Union's new cybersecurity regime under the Network and Information Systems, or NIS2, Directive [1] fast approaching in October, member states are starting to introduce national implementing legislation.

It is now time for data center owners and operators — buildings that house IT and network equipment that provides data storage, processing and transport services — to complete their scoping assessment and think about necessary compliance steps, given the new strengthened cybersecurity obligations.

Data centers are directly in scope of the new regime, and it is essential that operators are prepared to meet the new requirements. Not only the national regulators but also their tenants, some of whom will also be subject to the regime, e.g., communications providers or cloud service providers, will subject them to compliance checks and other contractual obligations.

In this article, we discuss the practical considerations that data center operators may need to consider in relation to NIS2 compliance in the EU, as well as the U.K.'s cybersecurity regime.

Details on the current EU implementation status for transposition of the NIS2 directive into national laws can be found in the NIS2 Directive Implementation Tracker.[2]

What Data Center Operators Need to Do

Data center operators will need to comply with the following core obligations.

• Registration requirements: Notify relevant authorities in the country of their main establishment in the EU.
• Risk-management requirements: Carry out compliance audits and ensure they have certain measures in place to manage cyber risks, e.g., measures regarding incident handling, business continuity, supply chain security, human resources security, access control policies and asset management.
• Reporting obligations: Be ready to report significant incidents that have an impact on services provided to competent authorities. It may also be necessary to inform relevant tenants.
• Cybersecurity certification: For the purposes of demonstrating compliance with cybersecurity risk-management measures, member states may require data center operators to use particular information and communication technology products, services and processes that are certified under European cybersecurity certification schemes.
• Governance requirements: Senior management boards and committees will be required to approve and oversee the implementation of the cybersecurity risk-management measures. In addition, members of company management bodies will be required to follow training and shall encourage entities to offer similar training to their employees on a regular basis.
• Accountability of top management, supervision and enforcement: The regime also introduces accountability and liability of top management for noncompliance with cybersecurity obligations and empowers stronger enforcement by national authorities as well as stricter enforcement requirements and aims to harmonize sanctions across the EU.
• Administrative fines: Fines of up to €10 million ($10.8 million) or of a maximum of 2% of the total worldwide annual turnover in the preceding financial year can be imposed for noncompliance, whichever is higher.

To facilitate compliance and in line with the requirements of the directive, the European Commission published a draft implementing regulation in June.[3] This sets out draft proposals to further specify the compliance steps for data centers and other digital infrastructure and service providers.

The draft implementing regulation describes in detail the technical and methodological requirements of cybersecurity risk-management measures, including security policies; management responsibility; risk management frameworks; compliance monitoring; incident handling; response; monitoring and reporting; business continuity and disaster recovery; supply chain security and contractual requirements; security in acquisition of ICT services or products; product life cycle; cyber hygiene practices; cryptography; human resource security and background checks; access controls and management; asset management; and environmental and physical security.

While it is early days, the additional level of detail is helpful to provide industry with guidance on likely compliance steps. However, much will still be left to the discretion of member states.

In addition, the draft implementing regulation provides guidance on the interpretation of a significant incident that would result in a reporting obligation to competent authorities.

The current thresholds foreseen by the draft to determine a significant incident are very strict — in practice, this may result in a significant compliance burden. Below are some examples of thresholds foreseen for data centers:

• Unavailability of the data center services;
• Failure to meet service level agreements for more than one hour;
• Failure to meet service level agreements due to malicious action;
• Data compromise caused by malicious action; and
• Physical access to the data center is compromised.

Steps to Consider Data center operators should consider the following steps in advance of the regime coming into force:

• Carry out a scoping exercise to determine the applicability of the regime;
• Track and analyze the local NIS2 implementation in the countries of interest;
• Review current processes and procedures to assess what changes need to be made to align with the new requirements;
• Update incident response plans and processes, including those aimed at compliance with other laws, such as the General Data Protection Regulation, data breach reporting and telecoms reporting requirements;
• Draft a practical compliance plan with specific target dates;
• Review and update contracts with service providers and suppliers to include relevant flow-through requirements; and
• Ensure that regulatory efforts in related areas, e.g., IT contracts, privacy and sector-specific laws, are consistent.

When dealing with customers operating in a financial sector, there may be additional requirements to consider, e.g., the application of the Digital Operational Resilience Act,[4] which addresses cybersecurity risks in the financial sector and affects ICT third-party suppliers.

U.K. Key Obligations

Given Brexit, the U.K. is not required to implement the new NIS2 directive and instead the old NIS regime as currently implemented in the U.K. under the Network and Information Systems Regulations 2018[5] remains in place.

In reality, while there is a degree of divergence, companies will need to consider both regimes in parallel if providing services in the EU.

This applies to:

• Operators of essential services — providers of services that are essential for the maintenance of critical societal or economic activities, e.g., water, energy, transport, health and digital infrastructure; and
• Relevant digital service providers — providers of online search engines, online marketplaces and cloud computing services. It does not directly apply to data center operators unless they provide cloud computing services that may include cloud hosting services — if offered by data center operators.

Notwithstanding this, the previous Conservative government proposed to expand the scope of the cybersecurity regime to cover managed service providers, noting that telecoms services will remain subject to the separate telecoms security regime in the U.K., unlike the EU where telecoms security now falls under the NIS2 regime.

The new U.K. government has indicated that it may adopt similar measures, although the scope of this remains to be seen. The recent King's Speech for 2024 announced a Cyber Security and Resilience Bill that could potentially expand the U.K. NIS regime:

The Bill will strengthen our defenses and ensure that more essential digital services than ever before are protected, for example by expanding the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.[6]

The bill is expected to also include increased incident reporting to give government better data on cyberattacks.

The new government has also announced a strategic defense review into the current state of the U.K.'s defense capabilities and potential threats. A report is expected to be delivered in the first half of 2025 that may consider relevant cybersecurity issues.[7]

To the extent that data center operators are providing services that are captured by the NIS regime, noting that cloud hosting services may be of particular relevance to data center operators, it may be necessary to consider these cybersecurity requirements in the U.K. and future developments as the new Labour government's proposals progress.

The U.K. is also proposing regulation to improve the security and resilience of data infrastructure, including data centers,[8] with a focus on the following:

• Security threats such as cyberattacks, physical attacks and insider threats;
• Resilience risks resulting from hazards such as human error and extreme weather; and
• Improving information-sharing and cooperation across industry and government to better identify and address risks.

However, Labour has not confirmed whether its priorities and policies might change in this regard.

Finally, as noted, telecoms services in the U.K. will remain subject to separate telecoms security requirements. The U.K. has recently implemented a new strengthened telecoms security framework that may be either directly relevant to data center service operators if they also provide telecoms services or indirectly relevant where managed services are being provided to telecoms providers operating in the U.K.

That is, these providers may expect their data center providers to have relevant safeguards, measures, procedures and processes in place to mitigate security compromises. Providers may also expect their data center providers to seek to flow down obligations into relevant contracts to mitigate security risks, as well as require them to complete supplier risk assessments.

The European Commission and EU member states, as well as the U.K., have recognized that data centers are a critical part of the telecoms and digital ecosystem. In an effort to strengthen resilience and minimize vulnerabilities, data centers must take necessary steps to manage their cybersecurity risks.

This article was first published in Law360: Implications Of EU Network Directive For Data Center Owners - Law360 UK

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive), available at: https://eur-lex.europa.eu/eli/dir/2022/2555.

[2] Available at: https://www.twobirds.com/en/trending-topics/cybersecurity/nisd-tracker.

[3] Available here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14241-Cybersecurity-risk-management-reporting-obligations-for-digital-infrastructure-providers-and-ICT-service-managers_en.

[4] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554.

[5] Available at: https://www.legislation.gov.uk/uksi/2018/506/contents.

[6] See page 94 of the background briefing notes of the King's Speech 2024, available at: https://assets.publishing.service.gov.uk/media/6697f5c10808eaf43b50d18e/The_King_s_Speech_2024_background_briefing_notes.pdf.

[7] Further information available at: https://www.gov.uk/government/news/government-launches-root-and-branch-review-of-uk-armed-forces.

[8] Available at: https://www.gov.uk/government/consultations/protecting-and-enhancing-the-security-and-resilience-of-uk-data-infrastructure.