Data Centre Security Obligations

The UK Cyber Security and Resilience Bill imposes obligations on data centre operators across four areas: enhanced physical security controls (perimeter, access control, CCTV, visitor management aligned to NCSC CAF Objective B), resilience and redundancy standards (N+1 power and cooling, 72-hour generator capacity, tested failover), mandatory incident notification to Ofcom within 24 hours (significant incidents) or 72 hours (major incidents), and annual security audits against the NCSC Cyber Assessment Framework. Data centres above 1MW rated IT load (non-enterprise operators) or 10MW (enterprise operators) face the full obligation set.

Data centre security compliance assessments start from £12,000 on a fixed-price basis agreed before work begins. Single-site facilities with existing security controls typically fall in the £12,000 to £18,000 range for gap analysis, physical security audit, resilience testing, and a complete NCSC CAF evidence pack. Multi-site operators or colocation providers hosting CNI workloads typically require £20,000 to £35,000. Large colocation providers with multiple customer classes and complex regulatory profiles typically invest £35,000 to £40,000 or more. Annual re-assessment is available from £6,000 per year. All engagements are fixed-price with the scope and cost confirmed in writing before any work commences.

Scope is determined primarily by rated IT load and the nature of services hosted. Data centres above 1MW rated IT load (for non-enterprise operators) or 10MW (for enterprise operators measured on an enterprise basis across all sites) face the full obligation set as Operators of Essential Services under the Bill. The question of whether colocation customers' load counts toward your threshold is among the most common scoping ambiguities. The gap analysis and scoping stage (Step 01) exists precisely for this: you receive a written determination with supporting rationale, not a verbal opinion. If you are not in scope, we tell you that and the engagement ends.

The NCSC Cyber Assessment Framework (CAF) is the primary compliance framework for Operators of Essential Services under the UK Cyber Security and Resilience Bill. It organises security requirements into four objectives: (A) Managing Security Risk, (B) Protecting Against Cyber Attack, (C) Detecting Cyber Security Events, and (D) Minimising the Impact of Cyber Security Incidents. For data centres, each objective maps to specific operational requirements: Objective A covers security governance; Objective B covers network security, access control, and physical security controls including EN 50600-2-5; Objective C covers monitoring and intrusion detection; Objective D covers incident response and the mandatory Ofcom notification procedures. The CAF uses Indicators of Good Practice (IGPs) to assess compliance. These are observable, evidenceable behaviours rather than binary pass or fail checks. ISO 27001 and Uptime Institute certification address different, partially overlapping frameworks. Most certified facilities find they satisfy 60 to 70 percent of CAF requirements; the remainder requires additional documentation and incident reporting procedures.

A data centre security audit under the Cyber Resilience Bill framework covers four areas conducted across a defined period (typically 5 to 10 working days on-site plus documentation review). Physical security assessment: perimeter inspection, access control testing (card and PIN, biometric, mantrap anti-passback, tailgating resistance), CCTV coverage and retention policy review, visitor management, SIA-licensed guard force review, and EN 50600-2-5 alignment. Resilience and redundancy review: UPS capacity validation, generator switchover testing, fuel supply agreements, cooling N+1 configuration, network path diversity, and documented recovery time objectives. Logical security review: network segmentation architecture, privileged access management, monitoring and alerting, patch management, and security event logging aligned to CAF Objective C. Incident reporting readiness: incident classification procedures, notification runbook completeness, tabletop exercise with your NOC and legal team, and regulatory engagement protocol documentation. You receive a written report mapping findings to NCSC CAF Indicators of Good Practice, a prioritised remediation roadmap, and an evidence pack formatted for regulatory review.

ISO 27001 and Uptime Institute address different frameworks than the NCSC Cyber Assessment Framework. Neither maps directly to the CAF's four objectives. Your existing certifications significantly reduce the audit effort: we spend time identifying gaps rather than documenting controls you have already evidenced. Most certified facilities find they are 60 to 70 percent of the way there. The remaining 30 percent is typically incident reporting procedures with the 24-hour and 72-hour Ofcom notification workflows, CAF Indicator of Good Practice documentation formatted for regulatory review, and in some cases additional physical controls such as anti-passback enforcement or PIDS. We map your existing ISO 27001 Annex A controls to CAF objectives and identify the specific gaps rather than duplicating work you have already completed. See also our ISO 27001 consultancy service for organisations managing both frameworks.

Under the Bill, significant incidents must be notified to Ofcom as the competent authority within 24 hours of first awareness, with a full report within 72 hours. The phrase 'first awareness' is operationally significant: the 24-hour clock starts from the moment any employee becomes aware of a qualifying event, not from when the CISO is briefed. Qualifying incidents include significant service outages affecting critical services (typically defined as outages exceeding four hours), security breaches involving customer data, physical security incidents involving unauthorised access, and environmental failures with potential operational impact. Our incident notification runbooks resolve the 'first awareness' ambiguity with role-specific escalation chains your NOC team can follow at 2am on a Sunday, linking to our supply chain incident reporting guide for events with third-party involvement.

Non-compliance with the UK Cyber Security and Resilience Bill can result in: financial penalties up to £17 million or 4% of global annual turnover (whichever is higher) for serious violations including failure to implement appropriate security measures, failure to report significant incidents within required timelines, or failing to cooperate with regulatory investigations; improvement notices requiring specific remediation within set timeframes; mandatory public disclosure of enforcement action; and in extreme cases, criminal sanctions for directors who knowingly permit non-compliance. Ofcom also has broad investigatory powers including on-site inspections without advance notice, document production orders, and staff interviews. These enforcement powers apply regardless of whether non-compliance caused an actual security incident.

The Bill, read alongside NCSC CAF Objective B and EN 50600-2-5, requires data centres to implement: perimeter security (fencing, barriers, hostile vehicle mitigation where appropriate), multi-factor access control systems with anti-passback and tailgating prevention, 24/7 CCTV monitoring with defined retention periods, formal visitor management procedures with escorted access for non-authorised personnel, and where criticality warrants, SIA-licensed security guard force with documented patrol records. Physical security must be assessed annually and the assessment documented as part of the CAF evidence pack.

The Bill requires annual security audits for data centres in scope as Operators of Essential Services. Audits must cover physical security controls, logical access controls, resilience testing, incident response procedures including notification runbooks, and environmental systems. As the secondary legislation is finalised post-Royal Assent, specific audit cadence requirements for different facility classes will be confirmed. We recommend completing the initial gap analysis and compliance programme now: the framework obligations are already clearly signalled and will not change materially, and organisations demonstrating early good-faith compliance effort are better positioned in the event of early regulatory contact.