Data Centres: European Cybersecurity and Technology Law
This marketing material was produced for the Eversheds Sutherland Data Centre Breakfast Forum, held exclusively for data centre clients on 29 April 2026.
Cybersecurity and operational resilience requirements are converging quickly - with real consequences for governance, incident response, and customer expectations. The European Union places particular focus on the second Network and Information Security Directive (“NIS2”), the Directive on the Resilience of Critical Entities (“CER”), as well as the Digital Operational Resilience Act (“DORA”).
NIS2 minimum cybersecurity standards
EU harmonisation: NIS2 introduces a new minimum harmonisation of cybersecurity. EU member states are at various implementation stages.
ICT risk-management: The Directive requires data centres to adopt an all-hazards approach and sound ICT risk-management. This includes registration requirements, incident reporting to the supervisory authority (24h, 72h, 1 month) and supply chain management.
Personal liability of management: The management body must undertake mandatory NIS2 training and will be personally liable for its implementation.
Data centre specific: As part of the digital infrastructure, data centres are subject to higher standards under the EU Commission implementing standards for cybersecurity risk-management measures. They are also subject to the main establishment rule.
DORA’s direct and indirect effects
Evolving beyond outsourcing: Requirements for services to regulated customers in the EU have increased for ICT third-party risk, specifically in the financial and insurance sectors.
Contractual uplift: Customers are required to uplift their agreements to the new DORA standards, including specific termination and audit rights, business contingency measures, incident support, specific forms of penetration testing (TLPT), and significant subcontractor and supply chain requirements.
Direct DORA oversight: ICT services which supply a majority of the EU financial sector have been designated as critical under the oversight framework. Currently 19 suppliers are under the direct supervision of the European financial authorities (e.g., Equinix and InterXion, NTT, Google, AWS, Microsoft).
Other European technology developments
CER for critical entities: CER introduces physical and environmental security and registration requirements, currently being implemented by EU member states. The relationship to NIS2 obligations should be closely assessed due to potential precedence in certain respects.
EU AI Act: AI systems are subject to increased scrutiny under the EU AI Act where they are classified as “high-risk”. This should be assessed in particular where data centres provide and/or deploy AI systems intended to be used as safety components in the management or operation of their facilities that qualify as critical infrastructure.
Data sovereignty under increased political and customer focus: The EU explicitly frames “digital sovereignty” as a strategic priority. While DORA and NIS2 place emphasis on visibility of locations in the supply chain, sovereignty‑related requirements at this stage primarily translate to obligations for customers looking to qualify as an EU sovereign cloud.
Data protection: EU supervisory authorities place increasing emphasis on employee and visitor personal data, such as CCTV, access control, visitor logs and employee monitoring.
In an era increasingly defined by AI deployment, hyperscale infrastructure and data-driven business models, compliance is no longer a purely defensive exercise for data centre providers. As cybersecurity, operational resilience and digital governance frameworks continue to converge at EU level, regulatory readiness has become a core element of trust, resilience and commercial differentiation. Providers that proactively embed compliance into their strategies are notably better positioned to meet increasing customer expectations and support long-term growth in Europe. In this environment, compliance is a decisive competitive advantage, not only mitigating regulatory risk but also enabling new business opportunities with customers subject to stringent regulatory requirements.
Eversheds Sutherland’s cross-jurisdictional data centre and privacy, cyber and tech teams specialise in this precise sector with practical, business-focused advice. For more details and bespoke legal advice, please reach out to your contacts below.
Eversheds Sutherland takes all reasonable care to ensure that the materials, information and documents published on the Eversheds Sutherland website, including but not limited to articles, newsletters, reports and blogs (“Materials”), are accurate and complete. However, the Materials are published for general information purposes only, not for the purpose of legal advice, and may not always reflect current law or regulation. The Materials should not be treated as legal advice on any matter.
The Materials may not reflect the most recent legal developments. The content and interpretation of the Materials, and the legislation addressed in them, are subject to revision. No express or implied representations or warranties are given as to the accuracy or completeness of the Materials, and they should therefore not be relied upon. To the extent permitted by law, Eversheds Sutherland disclaims all liability for actions taken or not taken on the basis of the content of the Materials or any part of it. The Materials are not intended to be comprehensive and do not contain advice to be relied upon. In any specific legal matter, a suitably qualified lawyer or attorney should always be consulted.
Any views expressed in the Materials are those of the particular author and do not necessarily reflect the views of Eversheds Sutherland or of any other lawyer or attorney.