Too Big to Ignore: Regulating the Data Centre Boom

Critical Infrastructure

The crucial role of data centres in the digital economy was recognised in 2024 when they were designated as critical/ essential entities and critical national infrastructure under EU and UK law (respectively), in both cases putting data centres on an equal footing with water, energy and emergency services systems. While such a designation recognises the importance of data centres and the essential nature of the services they provide, it also brings with it greater regulatory oversight and control. This includes, in the UK, the proposed Cyber Security and Resilience (Network and Information Systems) Bill ("CSR (NIS) Bill"), which would introduce regulatory duties for operators of UK data centres above defined capacity thresholds, requiring them to notify Ofcom and satisfy structured information requirements – see our briefing for more details.

The AI Boom

The rapid progress of AI has also accelerated interest in investment and development of data centres worldwide. Indeed, governments appear to be recognising the opportunity and importance of maintaining a competitive position in the digital race in an increasingly challenging global market. Last year, the European Commission launched its AI Continent Action Plan, targeting the tripling of data centre capacity in the EU in five to seven years. In the UK, plans for the UK's biggest AI data centre, comprising four sites generating 2.5GW of AI computing power, were approved earlier this year in North Lincolnshire.

Climate and environmental impact

Such opportunities do not come without risk. Cybersecurity and critical infrastructure risk remains top of the list. However, it is important to recognise that data centres also represent a potential risk for investors looking to capitalize on the AI boom without compromising their carbon and energy credentials or targets; they are notoriously energy and water intensive, generating high levels of heat and noise.

Indeed, data published by the IDCA (International Data Center Authority – a global non-governmental thinktank) in 2026 shows that in the UK, data centres account for 5.9% of electricity consumption, and in the US the figure stands at 6%, both well above the global average of 2%. In its 3 November 2025 data centre planning, sustainability and resilience research briefing the UK government estimated that UK data centres consume around 2.5% of the UK's electricity and predicted this would increase four-fold by 2030.  At the same time, the government reported that while it was seeking to prioritize strategically important projects including AI data centres, in the 6 months to June 2025 the queue to connect to the grid had grown by 460%, contributing to waits of up to 15 years for projects to connect to the grid. With this backlog of grid connection requests, it has recently been reported that data centres are planning to connect to gas networks to secure their primary supply of electricity (as they already do in the US), putting the UK's Clean Power 2030 target in doubt. Forward-thinking data centre developers might instead put some upfront thought into these fundamental resource issues, considering whether sufficient private wire renewable generation can be installed alongside the data centre (optimally sited where they can also use reclaimed or desalinated water to reduce water stress).

Data centre reporting on energy performance

Owners and operators of data centres in the EU with over 500kW of installed IT capacity must report a range of key performance indicators (KPIs) by 15 May each year. These KPIs are detailed in Delegated Regulation (EU) 2024/1364, which came into force on 6 June 2024, and cover details including the data centre's owner and operator, location, installed power, annual data traffic, energy consumption, power utilisation, and water usage.

The reported information will be published in aggregated form and made accessible in an EU database. This public dimension adds a layer of reputational exposure that owners and investors must carefully consider.

Beyond data centre-specific reporting, the EED also introduces updated energy audit and management system requirements that are highly likely to capture data centres given their energy intensity.

Entities with average annual energy consumption exceeding 85 TJ must implement a certified energy management system by 11 October 2027*, while those consuming more than 10 TJ must undergo an energy audit (where no energy management system is in place), with the first audit due by 11 October 2026* and must be repeated every four years thereafter. It is worth noting that the previous audit obligation applied to "large" companies based on turnover, balance sheet, and employee number thresholds. The new energy consumption thresholds may bring SMEs into scope and are very likely to capture data centres given the scale of their energy use.

Importantly, in-scope entities must also produce a "concrete and feasible Action Plan" based on audit recommendations, implementing each recommendation where technically or economically feasible. Both the Action Plan and the implementation rate must be published, adding further transparency obligations.

A separate but related obligation under the EED applies to larger data centres. Data centres with a total rated energy input exceeding 1MW must utilise waste heat or apply other waste heat recovery measures, unless they can demonstrate it is technically or economically unfeasible to do so. Feasibility must be demonstrated at the planning stage or during substantial refurbishment, based on a cost-benefit analysis.

Figure 1: draft label taken from Annex I to Delegated Act supplementing Directive (EU) 2023/1791 and amending Regulation (EU) 2024/1364 as regards the establishment of a common Union rating scheme for data centres.

The data centre sector stands at an inflection point. Once largely unregulated beyond planning controls, data centres are now recognised as critical national infrastructure on both sides of the Channel, bringing with them a rapidly expanding web of regulatory obligations. The investment opportunity clearly remains significant, with global capital flows into data centres continuing to trend upwards and governments actively backing large-scale expansion.

While EU transparency and reporting rules and the proposed ratings scheme might at first appear to seek to stifle investment in data centres, they provide an opportunity for differentiation in the face of discerning procurement teams who may need to have an eye to their own companies' climate targets. Demand for energy, water and heat efficient data centres is therefore likely to grow in parallel with demand for the IT capacity, processing power and storage space that they provide. Data centres that can demonstrate strong environmental credentials may in turn prove easier to market and command a premium over less efficient competitors. It may also not be too long before other countries follow the EU's lead (potentially in Asia, or even perhaps the UK, though not the US in the short term at least). Developers, purchasers and investors should keep the direction of travel in mind now to enable not just compliance but also to future-proof such assets against what is likely to become an increasingly demanding market.