What the critical infrastructure label means for data centre flood risk
Authors
Barrie O'Neill-Williams
View bioIn September 2024, Technology Secretary, Peter Kyle, announced that UK data centres, along with energy and water systems, would be classified as Critical National Infrastructure (CNI).
In his announcement, he stated that, “Bringing data centres into the Critical National Infrastructure regime, will allow better coordination and cooperation with the government against cyber criminals and unexpected events.”
The accompanying press release indicated the formation of a dedicated CNI data infrastructure team consisting of senior government officials tasked with monitoring and anticipating potential threats, primarily focusing on cybersecurity and power-related issues. It also noted that adverse weather conditions could pose a threat. Furthermore, the designation of CNI positions data centres on equal footing with water, energy, and emergency services.
So, what guidance does this provide for data centres in the context of flood risk?
Unfortunately, not much.
What does the policy say?
In the UK, the government’s national development and flood risk policy is governed by the National Planning Policy Framework (NPPF). The NPPF categorises flood risk vulnerability into several classifications:
- Essential infrastructure
- Highly vulnerable
- More vulnerable
- Less vulnerable
- Water-compatible
Notably, none of these classifications specifically include ‘Critical National Infrastructure’. This is somewhat surprising, considering an updated NPPF was released in December 2024, after Peter Kyles announcement.
On the face of it, the wording of ‘Critical National Infrastructure’ seems to align with the NPPFs ‘essential infrastructure’ classification. However, perhaps counterintuitively, this would allow for more relaxed flood risk planning requirements than highly vulnerable infrastructure. Essential infrastructure can be built in flood zone 3 (with an exception test), whereas highly vulnerable infrastructure cannot be constructed in that zone. Thus, classifying data centres as ‘essential infrastructure’ in this context would not be a conservative approach and necessitate justification.
How should we classify the flood risk vulnerability of data centres?
We can rule out ‘water-compatible’ since this category includes infrastructure designed to be flooded – such as docks – or that can be flooded without adverse impacts – like amenity open space. Similarly, we can eliminate ‘less vulnerable’ as this classification pertains to infrastructure that does not need to operate during flooding, contradicting the premise of the press release. This leaves us with ‘essential’, ‘highly vulnerable’, and ‘more vulnerable’ as potential classifications.
The NPPF elaborates on these classifications as follows:
- Essential infrastructure: Utility infrastructure must be located in a flood risk area for operational reasons, such as electricity supply infrastructure, including generation, storage, and distribution systems; water treatment works that must remain operational during floods; wind turbines and solar farms.
- Highly vulnerable: Police and ambulance stations, fire stations, command centres, and telecommunications installations that must remain operational during flooding.
- More vulnerable: Hospitals, non-residential health services, nurseries, and educational establishments.
It is worth highlighting that while the press release puts data centres on equal footing with water, energy, and emergency services, each fall under separate vulnerability classifications regarding flood risk.
Based on these definitions, we can exclude the ‘more vulnerable’ classification, as the press release suggests that data centres are less likely to be compromised during adverse weather events – though this does raise questions as to why hospitals are classified as lower vulnerability. As such, we are left with ‘essential infrastructure’ or ‘highly vulnerable’.
The ‘essential infrastructure’ designation allows infrastructure to be located in a flood-risk area if operational necessity dictates its presence. While it may be challenging to argue that a data centre alone meets this requirement, data centres typically have substations specifically mentioned as fitting this criterion. Thus, it could be argued that data centres should be classified as ‘essential infrastructure’.
We still have ‘highly vulnerable’ as an option, however. Although data centres are not specifically mentioned, this category includes telecommunications installation, and its definition states that such infrastructure must be operational during a flooding. This aligns with the government’s announcement. Therefore, both classifications may be valid arguments.
So, what does this all mean?
Using the NPPF, flood risk vulnerability classification and the wording accompanying the CNI announcement, data centres could be classified as either ‘essential infrastructure’ or ‘highly vulnerable’ development. To understand the implications regarding flood risk, we need to firstly discuss flood zones and the NPPF’s table on ‘Flood Risk Vulnerability and Flood Zone Incompatibility’.
The NPPF defines several flood zones:
- Zone 1: Low probability
- Zone 2: Medium probability
- Zone 3a: High probability
- Zone 3b: The functional flood plain
It provides a compatibility matrix for the different infrastructure classifications against the various flood zones.
This table shows that the classification of data centres as either ‘essential’ or ‘highly vulnerable’ has significant consequences regarding flood risk.
If classified as essential infrastructure, data centres could be built in all flood zones (subject to an exception test). After water-compatible infrastructure, essential infrastructure is the least restrictive classification concerning suitable construction locations. On the other hand, if data centres are classified as highly vulnerable infrastructure, this places them in the most restrictive category, permitting construction only in Zone 1 and Zone 2 (with an exception test for Zone 2). This classification confines infrastructure construction to specific zones and disallows development in Zone 3.
Referencing data centres, the December 2024 NPPF notes that planning policies should:
- Take particular care to facilitate development that meets the needs of a modern economy, including identifying suitable locations for data centres.
- Recognise and address the specific locational requirements of different sectors, including data centres.
Unfortunately, neither of these points guides whether data centres are considered ‘essential infrastructure’ or ‘highly vulnerable’ development.
In summary, the classification of data centres as CNI does not offer much additional clarity regarding flood risk, as there is no classification for it in the NPPF concerning flood risk. With the upcoming establishment of the CNI data centre infrastructure team, we can expect increased scrutiny in the planning and design of data centres.
Given the lack of NPPF guidance on flood risk vulnerability for CNI, it would make sense for the NPPF to clarify and update the flood risk vulnerability classification for data centres to eliminate any uncertainties on the issue. The Environment Agency plans to publish updated flood maps for climate change in Spring 2025, which will serve as an opportune moment for the NPPF to revise their framework. Removing uncertainties in this area will be vital if Rachel Reeves, Chancellor of the Exchequer aims to streamline the promised planning reforms effectively.