The European Union has ushered in a new era of digital regulation that will significantly impact the data centre industry. With the introduction of the EU Artificial Intelligence Act, the new Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA), data centre operators, investors, and service providers must prepare for a more complex and compliance-driven environment.

These legislative developments are part of the EU’s broader Digital Decade strategy, aimed at unlocking the value of data, advancing artificial intelligence, and safeguarding critical infrastructure. Understanding the interconnected nature of these regulations is essential for ensuring compliance while maintaining operational efficiency and growth in the data centre sector.

Opportunities in the EU data centre sector

The European Commission recently published its AI continent action plan, which included plans to increase large-scale data and AI computing infrastructure across the EU. In particular, the Commission is proposing to adopt a new ‘Cloud and AI Development Act’ that seeks to triple the capacity of EU data centres over the next 5 to 7 years through facilitating private sector investment and reducing obstacles to building more data centres (prioritising sustainable data centres). The action plan envisages that data centre projects meeting requirements related to resource efficiency and innovation could benefit from a simplified permit process and from other public support measures, in line with applicable EU State aid rules. These announcements herald opportunities for investment in EU data centres, including incentives to make data centres more sustainable and innovative.

The Commission intends to adopt a proposal for the new Cloud and AI Development Act in Q4 2025, and it has opened a public consultation until 3 July 2025 for feedback to inform its proposal.

The EU AI Act: a risk-based approach to AI compliance

With the plans for growth front-and-centre, it is important to be alert to the compliance landscape.

The EU Artificial Intelligence Act (AI Act) is one of the world’s first comprehensive laws focused exclusively on artificial intelligence. It will come into effect in stages, and the first set of provisions took effect in February 2025.

The legislation aims to establish a harmonised framework on AI across the EU, taking a risk-based approach depending on the AI use case. It classifies AI applications by risk and imposes stringent requirements on high-risk AI systems. The AI Act will apply to a party based outside the EU if the use of the AI system impacts people located in the EU.

For data centre operators, this will mean:

  • ensuring that certain AI systems used within facilities or customer services meet the stringent transparency, accountability, and safety requirements of the AI Act
  • implementing a robust risk management framework to identify, assess, and mitigate AI-related risks throughout the lifecycle of any AI system to be built into data centre operations
  • prior to deploying any high-risk AI system:
    • ensuring there is suitable technical documentation that demonstrates how the requirements of the AI Act have been met
    • ensuring that the system is subject to rigorous testing and certification to demonstrate conformance with the requirements of the AI Act.

For investors, it will mean factoring AI Act compliance into due diligence and decision-making processes.

NIS2: a new era of cybersecurity regulation

The NIS2 Directive, which is part of the EU’s Cybersecurity Strategy, expands the scope of the EU’s current cybersecurity framework and seeks to harmonise cyber resilience across the EU. It introduces an enhanced regime with additional obligations and potential penalties for entities operating in critical or high criticality sectors.

Under NIS2:

  • digital providers, including data centre operators and security vendors managing services for data centres, are designated as sectors of high criticality
  • data centres may also be classified as essential or important entities in each Member State, depending on the size and revenue of the entity providing in-scope services. Essential entities are subject to more direct regulatory scrutiny. There is an emphasis on implementing proactive cybersecurity risk management, supply chain diligence, and audit measures – and greater enforcement powers for regulators where cybersecurity measures are not up to scratch.

NIS2 places cybersecurity at the forefront of operational strategy, and compliance is critical for data centre operators. Conducting a targeted gap analysis and developing a compliance roadmap are crucial steps for organisations to meet these new requirements. At DLA Piper, we work with our business advisory consultant colleagues to deliver this for clients.

Unlike the AI Act and DORA, which are Regulations and have direct effect across the EU, NIS2 must be transposed by each EU Member State into national law. The deadline for doing this was 17 October 2024; however, not all Member States have implemented NIS2 into national law, further complicating the picture for businesses that operate across more than one EU jurisdiction.  

DORA: strengthening digital resilience in financial services

The Digital Operational Resilience Act (DORA), which took effect in January 2025, targets the EU financial services sector but has implications for technology providers that support the sector, including data centre operators and their supply chain.

DORA aims to enhance the digital resilience of financial entities by mandating robust IT risk management, incident handling, and third-party management practices to ensure that operations can withstand and recover quickly from disruptive events. DORA has introduced a structured set of requirements that is forcing financial entities to re-evaluate (amongst other things) data, cyber and contractual governance, technology estates and testing approaches, and their technology contracts.

Data centre service providers, wherever based, can fall within the remit of DORA indirectly through their delivery of ICT services to those entities. For those data centres it will mean having to: 

  • implement comprehensive cybersecurity measures and ensure that their services are resilient against operational disruptions
  • implement incident response protocols to ensure that financial entities are notified of any disruptions that do occur and are given the information they need to comply with their regulatory reporting obligations
  • ensure that their third-party service providers comply with DORA’s requirements, which can affect vendor selection, contracts and oversight

Such data centre operators will need to assess current capabilities to identify any compliance gaps and what measures are needed to meet DORA’s requirements. In addition, there are mandatory terms which financial entities must include in their contracts with in-scope suppliers, and operators may find their contracts being revisited to reflect those mandatory terms required by DORA.

Some vendors can be designated as critical to the sector – they will be subject to direct scrutiny and oversight by financial regulators for the first time. This means that any data centre operators designated as critical could be subject to more regular audits to ensure operational resilience, could be directed to take remedial action, and could face direct regulatory penalties for non-compliance. This will be a huge shift from a governance and control perspective. In February 2025, the European Supervisory Authorities set out their timetable for the designation process, indicating that they expect to notify affected service providers of their ‘critical’ designation by July 2025.

Strategic compliance: a business imperative

Together, the AI Act, DORA, and NIS2 are pivotal regulations. These laws are not isolated; they form a holistic regulatory framework that demands an integrated compliance strategy implemented effectively at management level.

At DLA Piper, our global data centre sector team has been working with both data centre operators and investors to navigate these complex requirements, providing strategic guidance and pragmatic advice on (amongst others):

  • interpreting and implementing regulatory requirements (eg, to ensure that proposed AI deployments are compliant and align with the AI Act’s provisions)
  • conducting compliance assessments and remediation exercises
  • contract remediation exercises to remedy DORA compliance gaps that have been identified from a contractual requirements perspective
  • investor evaluation of data centre projects

By staying informed and proactive, operators can turn regulatory compliance into a competitive advantage, ensuring that their data centres remain secure, resilient, and future-ready.

For more information on the ways in which DLA Piper can help, please contact Linzi Penman or Mark Rasdale.