THE DATA CENTRE INTERVIEW The‘ double whammy’ of direct and indirect regulatory exposure One of the less visible complexities facing large data centre operators is that their regulatory exposure does not stop at the boundary of their own operations. CyrusOne’ s customers – financial services institutions, large technology companies and others – carry their own regulatory obligations, which in turn create indirect requirements for the infrastructure provider supporting them.
“ We have a kind of double whammy,” Alanna explains.“ On the one hand, there’ s targeted regulation that applies to data centre operators or players, which is obviously applicable. But actually, there’ s a whole hidden layer beneath that: when you look at CyrusOne’ s customers and their end users of our services, they may themselves be subject to other regulation or legislation – whether that’ s because they’ re financial services institutions with different regulatory requirements, or big tech companies who, for various reasons, will have other compliance hurdles to meet. So from a CyrusOne perspective, we need to map not only what impacts us directly, but all of these indirect impacts as well.”
This mapping exercise is continuous rather than periodic. The Cyber Resilience Act is one current example where the team has had to work through questions of applicability carefully. Alanna notes that CyrusOne is broadly comfortable that the CRA will not affect the company directly, but that cybersecurity as a broader theme involves a complex web of legislation – NIS2, the UK’ s Cyber Security and Resilience Bill and other instruments – that requires ongoing assessment. The approach is to identify the highest applicable standard across all operating markets and use that as the benchmark.
datacentremagazine. com 27