Government proposes cloud regulator with power to fine and force shutdown of services

A new statutory regime would enable a government watchdog to monitor the operations of cloud providers, with those that failed to meet baseline security requirements potentially subject to severe punishment

The government has set out plans to create a new cloud regulator with the power to fine providers or force them to shut down services if they fail to meet security requirements.

The proposals to implement a “statutory framework and regulatory function” would see one or more bodies – either existing watchdogs or newly created entities – given a remit to oversee the data-hosting industry and a mandate to impose security requirements. Firms that fail to comply with these could then be punished with formal warnings, fines, or forced closure of their services.

All suppliers of storage or computing services from UK-based datacentres – including the UK operations of major cloud players such as Google, Microsoft, and Amazon Web Services – would be in scope of the proposed new laws.

The legislation would compel these companies to meet certain “baseline” requirements intended to reflect “appropriate and proportionate technical and organisational measures to manage risks to security and resilience of these services”.

Such measures would include risk management regimes, as well as physical and cyber security infrastructure and processes – including those “targeted at specific areas or functions – for example meet-me rooms” in datacentre facilities that enable telecoms firms to connect and share traffic.

The requirements would also address monitoring and auditing practices, incident-management, disaster-recovery and service-continuity measures, and management of supply chains.

Indicative measures provided by the government include a stipulation that firms “establish and maintain measures that ensure both physical and logical access is authorised and restricted based on business and security requirements”.

Another requirement might ask that datacentre companies track the “accessibility and traceability of critical supplies”, while also demonstrating “system management of facilities and systems”, including both staff and technical architecture.


In instances where firms failed to meet any of these requirements, the new regulator – or regulators – would have the power to impose penalties and formal notices.

This will include the authority to compel companies to provide additional information about breaches, or issue enforcement notices setting out measures that must be implemented and a timeframe for doing so.

The proposed regulation would also include the ability to subject datacentre and cloud firms to an inspection by a government watchdog or designated third party.

For more serious infractions, the regulator would have the power to issue civil fines – possibly using a scale linked to a company’s turnover, meaning the biggest firms would be liable to be hit with the heaviest penalties.

And – as “an option of last resort in situations where a serious security and resilience risk was posed” – the new laws would allow government to impose a forced shutdown of services. This would be enforced via the issuing of a “stop notice [which] would mean that a relevant datacentre provider must stop providing a datacentre service in the UK within a specified period of time” set out by the regulator.

All these proposals are now subject to a consultation process, which opens today and runs until 22 February 2024. During this time, government hopes to receive feedback from companies that would be in scope of the proposed legislation, in addition to “other relevant market actors such as customers and suppliers, as well as independent or academic experts on data storage and processing”.

In the foreword to the consultation documents, the minister for data and digital infrastructure John Whittingdale said that “without functioning, secure and reliable data infrastructure, the UK will be unable to innovate or compete in the global economy”.

“However, the abundance, importance and value of data accumulating in or passing through such infrastructure makes it an attractive target to those who may have the intention or capability to threaten the UK’s national security, economy, or ways of life, or seek access to data for other malign or criminal purposes,” the minister said. “Like any infrastructure, data centres can also be vulnerable to natural phenomena, especially extreme weather, which have the potential to disrupt continuity of data access.”

He added: “We propose to introduce a new, proportionate statutory framework, focused on data centres, to ensure all relevant operators in the UK are appropriately mitigating risks where they are relevant to the national interest, and national security in particular. This framework would be applicable in future where other risks emerge, especially as a result of new threats, technological developments and commercial models.”

Sam Trendall
