Navigating EU tech regulation: what data centers must do now to manage risk and rising expectations


Cybersecurity and operational resilience are no longer separate concerns; they are rapidly converging, and the implications for data centers are significant.

Across the EU, a new wave of regulation is reshaping expectations around governance, risk management and accountability. For operators and their customers, this is not just about staying compliant; it is about protecting value, maintaining trust and keeping pace in an increasingly regulated environment.

A shifting landscape: what is changing and why it matters

The European Union is implementing a comprehensive and robust framework for regulating digital infrastructure, structured around three key pillars:

  • Network and Information Security Directive (“NIS2”) – cybersecurity enhancement
  • Digital Operational Resilience Act (“DORA”) – operational resilience within the financial services sector
  • Directive on the Resilience of Critical Entities (“CER”) – strengthening the resilience of critical infrastructure

Taken together, these measures signal a clear shift: cybersecurity, resilience and operational risk are now deeply interconnected. For data centers, firmly positioned as critical infrastructure, this means greater scrutiny, more prescriptive rules and heightened expectations at every level of the business.

Raising the bar: NIS2 and cybersecurity accountability

At the heart of the regulatory shift is NIS2, which introduces a new baseline for cybersecurity across the EU.

In reality, this means organizations must move beyond purely technical safeguards and adopt a comprehensive, “all-hazards” strategy for managing ICT risks, encompassing their systems, daily operations and supply-chain relationships.

Key changes include:

  • tighter incident reporting timelines (24 hours, 72 hours and one month)
  • mandatory governance measures, including training for management
  • personal liability for leadership teams in the event of non-compliance
  • harmonization of ICT-security requirements and reporting standards across EU member states
  • potential unified registration under the EU main establishment

The message is clear: cybersecurity is no longer just an IT issue; it is a board-level priority.

The ripple effect: how DORA is reshaping contracts

While DORA is aimed at the financial sector, its impact is being felt well beyond it. For data centers, the effect comes largely through customer expectations and contractual demands.

Financial institutions are now required to strengthen their management of ICT third-party risk, resulting in significant updates to supplier agreements.

This includes:

  • enhanced audit and termination rights
  • stronger incident response obligations
  • more rigorous testing requirements, including threat-led penetration testing
  • greater focus on subcontractors and supply-chain transparency

At the same time, certain providers are now subject to direct regulatory oversight, reflecting their critical role in the financial ecosystem. For data centers, this means contracts are no longer static; they are becoming dynamic tools for regulatory compliance.

Beyond cyber: a widening regulatory lens

The pressure does not stop with NIS2 and DORA. A broader set of developments is adding further complexity:

  • CER introduces requirements around physical and environmental security, which should be assessed in light of its relationship to NIS2.
  • The EU AI Act brings scrutiny to high-risk AI systems, particularly where they are used in critical infrastructure operations.
  • Data sovereignty is climbing the agenda, driven by political priorities and customer expectations.
  • Data protection enforcement is increasing, especially around employee and visitor data, such as CCTV and access logs.

Individually, these developments are significant. Together, they create a complex and fast-evolving regulatory environment.

From theory to practice: the real challenges

For data center operators, the challenge is not just understanding the rules but applying them in practice. Common issues include:

  • navigating overlapping regulatory frameworks
  • scaling contractual updates across customer bases
  • managing supply chain risk with greater visibility
  • embedding governance and accountability at senior levels
  • balancing compliance with commercial flexibility

These are not one-off tasks; they require ongoing operational alignment.

Where to focus now: practical steps

Against this backdrop, a proactive approach is key. Practical priorities include:

  • clarify your regulatory exposure - understand where NIS2, DORA and CER apply across your operations
  • strengthen governance frameworks - ensure senior leaders are informed, trained and accountable
  • review and update contracts early - anticipate DORA-driven changes rather than reacting to them
  • enhance incident response processes - align with accelerated reporting and documentation requirements
  • take a closer look at your supply chain - identify risks and ensure appropriate contractual safeguards are in place

The direction of travel is clear. Regulation across the EU is becoming more aligned, more demanding and more closely enforced.

For data centers, success will depend on moving beyond reactive compliance to a more integrated, forward-looking approach that brings together cybersecurity, resilience and operational strategy.

Key takeaways

  • Regulation is converging across cybersecurity, resilience and operational risk.
  • Data centers are firmly in scope, as regulated digital infrastructure.
  • Management accountability and contractual pressures are increasing.
  • Early, proactive action will be essential to maintain both compliance and competitiveness.

Authors


Nils Müller, Partner
Isabella Norbu, Senior Associate

© Eversheds Sutherland. All rights reserved.