As data centres become increasingly central to the UK’s digital economy, their legal risk profile is evolving rapidly. From planning law to cybersecurity, providers and investors must navigate a complex and shifting regulatory landscape. Below are five key legal risks to watch, and steps to mitigate them.
Planning and land use constraints
Historically, data centre development has been hindered by a lack of clarity in planning and the absence of specific planning policies for data centres. Furthermore, many proposed sites are in or near the green belt.
Recently, the regulatory landscape has become increasingly supportive of data centre growth owing to the government’s wider focus on AI and digital infrastructure. Data centres are now designated as Critical National Infrastructure (CNI). On 15 October 2025, the draft Infrastructure Planning (Business or Commercial Projects) (Amendment) Regulations designated large datacentres as Nationally Significant Infrastructure Projects (NSIPs), enabling developers to apply directly to the Planning Inspectorate and bypass local authorities.
Recent changes have also introduced ‘grey belt’ land, a term designating underutilised or previously developed Green Belt Land, which allows for a more flexible approach to the development of data centres. However, it is worth engaging early with planning lawyers to assess NSIP eligibility and to assist with other strategic site selection decisions, where grid and land constraints are acute.
UK data centres and the grid
Data centre owners face long delays in securing grid connections. OFGEM’s TM04+ reforms introduced in 2025 aim to reduce these delays and prioritise the use of renewable energy sources for projects deemed ‘ready’ for connection. However, projects which had previous connection offers but have not yet been connected are required to reapply under the new ‘Gate 2’ process. This is likely to have a detrimental effect on investment into early-stage projects ,which cannot demonstrate compliance with the Gate 2 criteria, with reports earlier this year that up to 64% of projects could lose their current place in the queue for connection.
The National Energy System Operator (NESO) is expected to open the next application window for Gate 2 offers later this year. Avenues to challenge application refusals are available, though engaging with NESO and OFGEM to fortify draft readiness and strategic alignment submissions before the new applications window opens is recommended.
Cybersecurity
Cybersecurity is one of the most pressing challenges for UK data centres, with threats escalating in scale, sophistication, and impact.
A 50% rise in major incidents was reported by the NCSC in 2025. Ransomware, supply chain vulnerabilities, and state-backed attacks pose serious risks. Cyber resilience should be strategically considered as a board-level priority. As such, data centre operators should adopt NCSC best practices to ensure the organisation’s and customers’ data is kept safe. The NCSC certification scheme includes automatic cyber liability insurance for any UK organisation which certifies its whole organisation and has less than £20m annual turnover.
Construction and supply chain disputes
The complexity of data centre projects can cause issues relating to technological components, permits and permissions. There are likely to be multiple parties and stakeholders involved in the construction of datacentres and their supply chains (such as local authorities, interest groups, utility providers, and investors). The greater the complexity and the more parties involved, the higher the risk of disputes arising.
Data centre operators must ensure all project documentation is carefully drafted, with clear dispute resolution clauses. Parties should consider jurisdiction and forum early on, and ensure that contractual protections are invoked where available.
ESG scrutiny and compliance
ESG scrutiny has intensified over recent years, and data centres face growing pressure to demonstrate sustainability and comply with reporting requirements. Relevant sustainability litigation is fast becoming a key area of exposure and, with an increase in shareholder activism coupled with increasing litigation funding options (and the prospect of collective actions), it is imperative to give ESG appropriate consideration.
The UK data centre sector offers significant growth opportunities. However, it remains a complex landscape of regulations and legal risks. As always, clear procedures, meticulous documentation, and carefully considered contractual arrangements are key to ensuring protection of legal and business interests.
Sophie Ashcroft is a commercial disputes partner at Stevens & Bolton LLP
Read more: The UK government’s roadmap for an AI assurance market should be bolder.
