Standard tags: technology

When data centres become targets: a legal wake‑up call on resilience, data sovereignty and energy security

Vertical garden flourishing on a building facade, with lush green plants covering multiple levels, set against a backdrop of tall glass skyscrapers.
A detailed view of organized blue network cables running through a modern server room rack, showcasing technology infrastructure and digital connectivity in a professional environment.

Recent attacks on data centres during the ongoing conflict involving Iran underline a stark reality. Data centres are no longer just commercial assets. They are strategic infrastructure.

Their targeting reflects how deeply digital infrastructure is embedded in modern economies. Banking systems, healthcare, logistics, government services and AI platforms all rely on uninterrupted access to data. When data centres fail, the consequences are immediate, wide‑ranging and often legally complex.

For businesses, developers and investors, this marks a shift. Operational resilience, data sovereignty and energy security are now legal and strategic considerations, not simply technical ones.

Resilience is becoming a legal obligation

Historically, resilience was addressed through service levels and technical design. That position is changing rapidly.

In the UK, data centres have been designated Critical National Infrastructure, and forthcoming reforms to the cyber and resilience regime will bring large data centres directly within the scope of regulatory oversight. Operators will be expected to demonstrate appropriate and proportionate measures to manage physical, cyber and operational risk, alongside mandatory incident reporting.

From a legal perspective, this raises key questions:

  • How resilience obligations are allocated between landowners, developers, operators and occupiers.
  • Whether existing leases, options, development agreements and collateral warranties adequately address business continuity, outages and force majeure.
  • The extent to which resilience commitments should be reflected in planning conditions, infrastructure agreements and funding documentation.

Standards such as ISO 22301 (Business Continuity) and ISO/IEC 27001 (Information Security) are increasingly relevant as reference points when assessing whether resilience measures are reasonable or market standard. This is particularly so in disputes, regulatory scrutiny or transactional due diligence.

Data sovereignty moves from policy to property

The conflict also sharpens the focus on where data is stored and under whose control.

Data sovereignty is no longer driven solely by data protection law. Geopolitical risk, sanctions exposure and national security considerations are influencing decisions about site selection, ownership structures and operational control of data centres.

For the UK and EU, this is accelerating demand for:

  • In‑country and sovereign data centre capacity.
  • Greater scrutiny of foreign ownership and control.
  • Contractual restrictions on data location, access rights and cross‑border failover arrangements.

From a property and development perspective, this has implications for planning strategy, investment structuring, joint ventures and long‑term asset value, particularly where sites are intended to support public‑sector, regulated or sensitive workloads.

Energy security becomes part of resilience

Recent events in the Middle East underline a further and often under‑appreciated risk. Data centre resilience is inseparable from energy security.

The current conflict involving Iran has driven a sharp increase in global oil prices, compounded by Qatar’s unprecedented decision to halt oil production. That development alone has exposed the fragility of global energy supply chains and the speed at which geopolitical events can translate into economic and operational instability. For infrastructure reliant on continuous, high‑volume power, the implications are immediate.

In this context, energy strategy is no longer just a question of cost or sustainability. Secure, controllable access to power is now a core resilience issue.

While the sustainability case for renewables is well established, the energy security case cannot be undervalued. On‑site and locally generated power, including wind, solar and tidal energy, can reduce dependence on volatile international markets and exposed fuel supply routes when paired with appropriate storage and grid balancing. Small Modular Reactors (SMRs) are also increasingly being examined as a potential long‑term solution for delivering stable, low‑carbon baseload power to energy‑intensive infrastructure such as data centres.

For developers, investors and occupiers, this reframes energy procurement as a legal and strategic risk issue. It raises questions around long‑term power availability, exposure to fuel and pricing shocks, planning and consenting strategy, and how energy risk is allocated contractually across ownership and operational structures.

In short, resilience is no longer just about surviving outages. It is about insulating critical infrastructure from geopolitical energy shocks. Sustainability remains vital, but the current conflict demonstrates that energy security now sits alongside decarbonisation as a primary driver of data centre strategy.

Resilience, sustainability and regulation are converging

Resilience cannot be separated from sustainability. For example, the EU’s Energy Efficiency Directive now imposes reporting and performance obligations on larger data centres, including energy usage, cooling efficiency and waste heat reuse.

While driven by climate policy, these requirements also support resilience by reducing strain on power, cooling and grid infrastructure. All of these are critical during periods of disruption. For developers, energy strategy is increasingly inseparable from resilience strategy.

What this means in practice

For those involved in developing, owning or operating data centres, the lesson is clear. Resilience, data sovereignty and energy security must be embedded at a legal and structural level, not retrofitted later.

That means:

  • Addressing resilience and power security at the site selection and planning stage.
  • Clearly allocating operational and energy‑related risk in contracts and funding documentation.
  • Treating regulatory compliance as a value‑preserving exercise, not a tick‑box.

The events in Iran may be extreme, but the signal is unmistakable. Data centres are now nationally significant assets. Their regulation, design and energy strategy are evolving accordingly.

Those who anticipate this shift will be better placed to manage risk, protect asset value and maintain trust in an increasingly uncertain world.

Cloud infrastructure was always theoretically vulnerable to kinetic warfare, but nobody had priced that risk in so far. Now that has to change

https://www.aa.com.tr/en/middle-east/iran-war-shows-data-centers-emerging-as-critical-targets/3852984

New heat network regulations now in force across Great Britain: what owners need to do

Skyscrapers rise into a cloudy night sky, their windows glowing with interior lights. Nearby buildings reflect on the glass surface, creating an urban atmosphere.
The finger presses the command to the smart house, Smart home automation control system.

Today marks a major milestone for heat networks across Great Britain. From 27 January 2026, Ofgem officially begins regulating heat networks, creating a new compliance landscape for anyone who owns or operates a communal or district heating system. This change introduces long awaited consumer protections and brings heat networks closer to the standards seen in gas and electricity markets.

Why this matters

The Heat Networks (Market Framework) (Great Britain) Regulations 2025 take effect today and establish the legal foundation for the new regulatory framework. 

The new regime is underpinned by Ofgem’s role as the statutory regulator for heat networks. Ofgem has published formal guidance, the regulatory timeline, registration requirements and consultation responses on its official heat networks hub here: Ofgem Heat Networks Regulation Hub.

Together these form the basis for a sector-wide shift in expectations relating to consumer protection, billing transparency and operational standards.

What owners and operators must do immediately

1. Confirm your regulatory role
Heat network ownership brings responsibilities that fall into two regulated categories. The operator controls the physical system. The supplier provides heat to customers. Many building owners fall into both categories and must meet both sets of regulatory requirements. 

2. Begin complying with Ofgem requirements
From today, operators and suppliers must meet new consumer protection standards aligned with wider energy markets. These include transparent billing, clear communication, robust complaints handling and protections for vulnerable households. Consumers now also have formal access to the Energy Ombudsman for unresolved complaints.

3. Prepare for authorisation and registration
All heat networks operating before January 2027 will be automatically authorised – ‘deemed authorisation’. Full registration with Ofgem must be completed by 26 January 2027. Operators of heat networks with deemed authorisation must register with Ofgem using the heat networks digital service by 26 January 2027. After this period, authorisation will be granted by application to Ofgem.

4. Carry out technical due diligence
Alongside the new regulatory framework taking effect today, the Government is also developing the Heat Network Technical Assurance Scheme (HNTAS), which will introduce mandatory technical standards for both new and existing heat networks. According to the Department for Energy Security & Net Zero, HNTAS will not begin immediately but will be phased in with a planned launch in 2027, following further consultation and finalisation of the technical requirements. This phased approach is intended to give the sector sufficient time to understand, shape and prepare for compliance with the forthcoming technical standards. 

5. Continue meeting metering and billing duties
The introduction of Ofgem regulation does not replace existing obligations under the Heat Network (Metering and Billing) Regulations 2014. These duties include installing meters where feasible, billing based on actual consumption and maintaining accurate data records. 

Looking ahead

With Ofgem now holding enforcement powers including financial penalties, compensation orders and ongoing audits, compliance is no longer optional. Today represents a major turning point for the heat network sector. Owners and operators who act early will be best positioned to reduce regulatory risk and deliver a more transparent and reliable service to consumers.

This shift marks an important step forward in building a fairer, more consistent and more resilient heat network market. It strengthens protections for consumers, raises operational standards across the industry, and supports the UK’s long term transition to low carbon heat.