Planning, AI and cyber rule changes bring new risks for UK and EU data centre development

Data centre capacity is expanding rapidly as demand from artificial intelligence (AI) and cloud computing continues to grow, bringing wide-ranging planning reforms, heightened community and regulatory scrutiny and evolving risk. These and energy constraints, copyright disputes and tightening cyber rules are among the legal and regulatory issues faced by operators, investors and advisers across the UK and EU. 

UK planning 

Large-scale data centre facilities became eligible in January this year to be treated as nationally significant infrastructure projects (NSIPs). Previously, applications could only be made to local planning authorities under the Town and Country Planning Act 1990. Following the Infrastructure Planning (Business or Commercial Projects) (Amendment) Regulations 2026, developers of qualifying projects can now apply to have their schemes determined by the secretary of state through the development consent order (DCO) process.

Uncertainties remain, however, around the precise thresholds for "national significance". The government is expected to address this through a new national policy statement (NPS) for data centres, though an anticipated consultation on this has not yet been launched. 

Separately, recent changes to the National Planning Policy Framework (NPPF) have introduced "grey belt" land into planning policy, opening up lower-value parts of the green belt for potential data centre development. The judicial review of the hyperscale data centre at Iver, Buckinghamshire illustrates the importance of correctly assessing energy, water and carbon impacts as part of the environmental impact assessment. It also reflects the scrutiny being applied by organisations such as the non-profit community group Foxglove and climate charity Global Action Plan to these developments. Correctly identifying and securing environmental mitigation measures is central to deliverability.

The government's consultation on proposed further reforms to the NPPF, which closed on 10 March, also confirms that the Planning and Infrastructure Act will give the secretary of state power to direct projects out of the NSIP regime on a case-by-case basis where an alternative consenting route is more appropriate. This flexibility may be useful where, for example, a data centre is co-located with an energy generating station, allowing both elements to be consented through the same regime. Secondary legislation to commence this redirection power is intended to be brought forward at the earliest opportunity, alongside guidance for applicants.

Developers will be looking to assess whether their project meets the qualifying criteria for the DCO route. The choice of consenting route merits careful consideration, as the wrong route could cause significant delays and abortive costs. Early engagement with the Planning Inspectorate is advisable to check eligibility before committing to a particular route. They should also monitor and consider responding to the forthcoming NPS consultation, once launched.

AI Growth Zones

The AI Growth Zones (AIGZs) scheme, announced as part of the UK's broader industrial strategy, has designated zones across Oxfordshire, the North East, North and South Wales and Scotland, with the aim of fast-tracking planning consents and grid connections. Data centres operating within these zones are expected to benefit from reduced operational costs. 

The proposed reforms set out in the NPPF consultation would require local plans to account for AIGZs, signalling an intention to embed these designations firmly within the mainstream planning framework. How planning rules will operate in practice remains to be confirmed. Industry concern is growing that high energy prices and grid connection delays are holding back data centre development within AIGZs. The government is currently consulting on proposals to reduce energy costs. It has pledged that from April 2027, subject to legislative timetables, data centres in AIGZs will see a reduction in electricity costs. 

A particular challenge, however, lies around access to power. To obtain designated status, a site must satisfy certain technical criteria, including demonstrable access to 500MW of power by 2030. Many developers face a circular problem: it is the benefits that flow from designation, such as priority access to capacity and ownership of high voltage equipment, that would enable them to secure grid connections within that timescale. In other words, developers require designated status to achieve the power access threshold that the designation itself requires. Unless this issue is addressed, the eligibility criteria risks excluding the projects AIGZs are designed to attract. 

The outcome of the application for a £2 billion data centre at Wapseys Wood, Buckinghamshire, the first proposed data centre to be considered an NSIP and one that could be powered by gas, will be a test of how seriously the government intends to uphold its net-zero obligations in the face of competing economic priorities and its AI growth strategy. 

Community and employment 

Local communities are increasingly challenging data centre construction, particularly on grounds of noise, traffic and environmental concerns. In the Netherlands, residents and farmers successfully challenged a hyperscale facility on grounds of environmental damage and nitrogen-permit impacts. 

In the UK, campaigners are calling for greater transparency around the environmental consequences of construction, particularly concerning noise, energy and water use. A recent report by British engineering consultancy Hoare Lea found that "inadequate community engagement" was causing development delays, noting that the average time to secure planning consent for a data centre was approximately 18 months. Poor community engagement was cited as a cause of opposition in 26 planning applications.

Concerns over community acceptance may in some areas be offset by local employment opportunities.  The European Data Centre Association reports that the rapid growth of colocation and hyperscale facilities has "generated substantial employment" in Europe ranging from on-site roles to broader corporate functions. The outlook in the UK, however, is less optimistic. In May, the House of Commons Library's research briefing on data centres reported that the number of jobs directly created is relatively modest. The UK's AIGZs were projected to generate 5,000 new jobs, yet delays in data centre development across those regions cast doubt on whether that figure will be realised. Local campaign group Action to Protect Rural Scotland is challenging predicted job figures which it considers to be "hugely inflated".

Developers are likely to need to demonstrate meaningful early community engagement and build this into project design from the outset. Innovative measures to mitigate noise, energy and water use will be important to communities. For large projects eligible in the UK under the NSIP regime, mandatory pre-application community consultation will be required prior to submitting a DCO to the Planning Inspectorate. Potential job opportunities could face greater scrutiny, as shown by the challenge mounted by Action to Protect Rural Scotland.

AI and copyright 

Data centres are the physical infrastructure through which AI models are developed and run, making the policy debate around AI and copyright, as well as the current legal disputes over AI training data and model outputs, directly relevant to the sector.

This is particularly the case because copyright laws are territorial. The country in which data centres are located has the potential to impact rightsholders' claims that the use of their copyright protected works to develop AI, which could involve electronic copies of those works being reproduced in the data centres, will infringe copyright. Across Europe, there is a lack of clarity as to the future. The outcome of the European Commission's consultation on the practical implementation of rightsholders' ability to exclude their works from the text and data mining (TDM) exception remains outstanding. Equally, in the UK the government has retreated from its preferred option of a similar TDM exception with a rightsholder opt out. This creates uncertainty for AI developers, who must not only contend with where they train their models, but the potential impact of importing a trained model into another jurisdiction.

Operators are not necessarily neutral parties: they may face court orders to disclose client data, injunctions suspending hosting services and increased contractual pressure from AI clients seeking to shift liability onto them.

Data centres are likely to face tighter contractual terms alongside new regulatory and due diligence obligations. Operators hosting AI workloads would be well placed to consider their own exposure and the contractual protections they might require. These commercial considerations have been cited as a factor by OpenAI's decision to pause its multi-billion pound UK data centre project amid uncertainty over copyright reform. Contract risk allocation between AI developers, customers and infrastructure providers, and how that risk is being managed is attracting increased investor scrutiny.

Cyber resilience and insurance

Cyber incidents ranked as the top global business risk for 2026 by insurer Allianz in its annual risk barometer. Sophisticated cyber-attacks remain at a high level. Criminal groups are increasingly targeting the customers of entities that have been attacked addressing ransom demand for encrypted or exfiltrated data.  It is also anticipated that the current conflict in the Gulf will lead to an upsurge in state-sponsored or state-adjacent attacks focused on data destruction and physical damage. 

Insurers are increasingly introducing AI exclusions in cyber and errors and omissions policies, and standard cyber policies may not adequately cover operational technology incidents arising from complex cooling and power management systems. Even where proactive measures prevent data loss, multi-million pound service level agreement (SLA) breach claims remain a significant exposure, as illustrated by the outage of a major cloud platform in October 2025 that affected around 17 million users. 

The potential scale of attacks linked to the current instability in the Gulf is also leading to close scrutiny on the circumstances in which war exclusions apply to attacks by nation state linked threat actor groups.

In parallel, the regulatory framework around cyber security and resilience is tightening in both the UK and EU. In the UK, the Cyber Security and Resilience Bill will bring managed service providers and certain data centres within scope of the UK's Network and Information Systems (NIS) Regulations, expand reportable incident criteria, significantly increase penalties for non-compliance, and place supply chain suppliers under heightened scrutiny, with implementation expected in stages from this year. In the EU, the Cyber Resilience Act entered into force in December 2024, with mandatory reporting of actively exploited vulnerabilities beginning on 11 September this year and full compliance obligations applying from 11 December 2027.

The insurance market is adapting to reflect data centres' evolving risk profile. Broker Marsh Risk's Nimbus facility, launched in June 2025 and expanded to $2.7 billion of capacity in January this year, is the first large-scale global construction insurance facility specifically designed for data centres, recognising that standard builders' risk policies are inadequate for assets of this complexity.

Recent outages affecting major cloud and internet infrastructure providers have already led to increased scrutiny of business interruption cover and systemic risk exclusions. Boards and investors are increasingly expecting data centres to demonstrate regulatory compliance by design, including around supplier due diligence and incident response. Operators reviewing their insurance arrangements and contractual indemnities will want to ensure they reflect their specific risk profile, particularly around extended outages and SLA exposure.

Energy strategy and new efficiency measures

Significant regulatory and policy developments are under way as lawmakers seek to address the energy demands of the data centre sector, including reforms to energy infrastructure.

The Commission had proposed a Data Centre Energy Efficiency Package, aimed at making data centres carbon neutral by 2030 through mandatory EU-wide rating schemes (to apply from August 2027), sustainability labels and minimum performance standards. The package was due to be adopted on 3 June, alongside a roadmap for digitalisation and AI in the energy sector and the Cloud and AI Development Act. 

However, following extensive criticism by industry that it would significantly affect European competitiveness, it has been put on hold. A revised draft of the strategic roadmap obtained by Politico states that the Commission plans to launch a public consultation on minimum performance standards for new and existing data centres in the EU. The revised text also states that the proposed EU rating scheme will cover clean energy use which is broader in scope compared with "renewable energy use" referred to in the March draft.   

In the UK, the Department for Energy Security and Net Zero is consulting on proposals to amend the grid connections process to address speculative demand and prioritise strategic capacity. Ofgem is also working alongside government and the National Energy System Operator (NESO) to develop a package of demand connection reforms, structured around three pillars: curate, plan and connect. Ofgem has also consulted on reforming the connections process to prioritise strategically important demand projects for connection. 

NESO are also developing a strategic spatial energy plan (SSEP) which will set out the types of energy generation and network infrastructure required, enabling NESO to prioritise grid connections and to give developers more confidence in the sector. The House of Commons' research briefing on data centres reports that witnesses speaking to the Lords Industry and Regulators Committee were broadly supportive of the draft SSEP proposal, which will be published for consultation in early 2027. 

Data centre operators face stricter requirements and expectations on energy efficiency, transparency and priority access. Compliance obligations are likely to include increased reporting and benchmarking, investment in cooling optimisation, heat reuse and renewable energy integration, and site selection strategies that reflect available grid capacity and district heating opportunities.

Osborne Clarke comment

Data centres have become central to national industrial strategy, energy security, AI governance and sustainability. As demand continues to accelerate and governments compete to expand capacity, persistent barriers around power and grid connection remain alongside a regulatory framework that is changing quickly. On planning, the new NSIP and DCO route offers an alternative consenting pathway, but developers face uncertainty, particularly around qualifying thresholds, until the national policy statement brings greater clarity.  

Those who embed compliance, transparency and resilience into every stage of project delivery will be better positioned to attract capital and sustain long-term growth.

Osborne Clarke advises clients across the full lifecycle of data centre projects in the UK, Germany and across Europe, from site selection and grid strategy through to power procurement, planning and financing. To find out more about how we can help, visit our data centres page.