When data centres become targets: a legal wake‑up call on resilience, data sovereignty and energy security
Recent attacks on data centres during the ongoing conflict involving Iran underline a stark reality. Data centres are no longer just commercial assets. They are strategic infrastructure.
Their targeting reflects how deeply digital infrastructure is embedded in modern economies. Banking systems, healthcare, logistics, government services and AI platforms all rely on uninterrupted access to data. When data centres fail, the consequences are immediate, wide‑ranging and often legally complex.
For businesses, developers and investors, this marks a shift. Operational resilience, data sovereignty and energy security are now legal and strategic considerations, not simply technical ones.
Resilience is becoming a legal obligation
Historically, resilience was addressed through service levels and technical design. That position is changing rapidly.
In the UK, data centres have been designated Critical National Infrastructure, and forthcoming reforms to the cyber and resilience regime will bring large data centres directly within the scope of regulatory oversight. Operators will be expected to demonstrate appropriate and proportionate measures to manage physical, cyber and operational risk, alongside mandatory incident reporting.
From a legal perspective, this raises key questions:
- How resilience obligations are allocated between landowners, developers, operators and occupiers.
- Whether existing leases, options, development agreements and collateral warranties adequately address business continuity, outages and force majeure.
- The extent to which resilience commitments should be reflected in planning conditions, infrastructure agreements and funding documentation.
Standards such as ISO 22301 (Business Continuity) and ISO/IEC 27001 (Information Security) are increasingly relevant as reference points when assessing whether resilience measures are reasonable or market standard. This is particularly so in disputes, regulatory scrutiny or transactional due diligence.
Data sovereignty moves from policy to property
The conflict also sharpens the focus on where data is stored and under whose control.
Data sovereignty is no longer driven solely by data protection law. Geopolitical risk, sanctions exposure and national security considerations are influencing decisions about site selection, ownership structures and operational control of data centres.
For the UK and EU, this is accelerating demand for:
- In‑country and sovereign data centre capacity.
- Greater scrutiny of foreign ownership and control.
- Contractual restrictions on data location, access rights and cross‑border failover arrangements.
From a property and development perspective, this has implications for planning strategy, investment structuring, joint ventures and long‑term asset value, particularly where sites are intended to support public‑sector, regulated or sensitive workloads.
Energy security becomes part of resilience
Recent events in the Middle East underline a further and often under‑appreciated risk. Data centre resilience is inseparable from energy security.
The current conflict involving Iran has driven a sharp increase in global oil prices, compounded by Qatar’s unprecedented decision to halt oil production. That development alone has exposed the fragility of global energy supply chains and the speed at which geopolitical events can translate into economic and operational instability. For infrastructure reliant on continuous, high‑volume power, the implications are immediate.
In this context, energy strategy is no longer just a question of cost or sustainability. Secure, controllable access to power is now a core resilience issue.
While the sustainability case for renewables is well established, the energy security case cannot be undervalued. On‑site and locally generated power, including wind, solar and tidal energy, can reduce dependence on volatile international markets and exposed fuel supply routes when paired with appropriate storage and grid balancing. Small Modular Reactors (SMRs) are also increasingly being examined as a potential long‑term solution for delivering stable, low‑carbon baseload power to energy‑intensive infrastructure such as data centres.
For developers, investors and occupiers, this reframes energy procurement as a legal and strategic risk issue. It raises questions around long‑term power availability, exposure to fuel and pricing shocks, planning and consenting strategy, and how energy risk is allocated contractually across ownership and operational structures.
In short, resilience is no longer just about surviving outages. It is about insulating critical infrastructure from geopolitical energy shocks. Sustainability remains vital, but the current conflict demonstrates that energy security now sits alongside decarbonisation as a primary driver of data centre strategy.
Resilience, sustainability and regulation are converging
Resilience cannot be separated from sustainability. For example, the EU’s Energy Efficiency Directive now imposes reporting and performance obligations on larger data centres, including energy usage, cooling efficiency and waste heat reuse.
While driven by climate policy, these requirements also support resilience by reducing strain on power, cooling and grid infrastructure. All of these are critical during periods of disruption. For developers, energy strategy is increasingly inseparable from resilience strategy.
What this means in practice
For those involved in developing, owning or operating data centres, the lesson is clear. Resilience, data sovereignty and energy security must be embedded at a legal and structural level, not retrofitted later.
That means:
- Addressing resilience and power security at the site selection and planning stage.
- Clearly allocating operational and energy‑related risk in contracts and funding documentation.
- Treating regulatory compliance as a value‑preserving exercise, not a tick‑box.
The events in Iran may be extreme, but the signal is unmistakable. Data centres are now nationally significant assets. Their regulation, design and energy strategy are evolving accordingly.
Those who anticipate this shift will be better placed to manage risk, protect asset value and maintain trust in an increasingly uncertain world.
Subcribe to news and viewsCloud infrastructure was always theoretically vulnerable to kinetic warfare, but nobody had priced that risk in so far. Now that has to change
https://www.aa.com.tr/en/middle-east/iran-war-shows-data-centers-emerging-as-critical-targets/3852984
