Data Center Regulation Trends to Watch in 2025
Discover how upcoming regulations impact data center operators, from new compliance rules to key takeaways from the EU’s challenges with the Energy Efficiency Directive.
Government bodies worldwide are putting regulations in place to improve the sustainability and resiliency of data centers. That, in turn, forces data center operators to implement new processes and procedures to meet the new requirements.
The European Union’s revised Energy Efficiency Directive (EED), designed to reduce energy consumption and greenhouse gas emissions, requires data center owners and operators in its 27 member countries to report data on energy and water usage annually to an EU database – and the first deadline was mid-September of this year.
Meanwhile, the EU’s Digital Operational Resilience Act (DORA), approved in late 2022, requires financial institutions to strengthen resiliency by taking measures to mitigate cyber-attacks and ensure uptime. Starting January 2025, that includes developing and testing business continuity plans, performing penetration tests and vulnerability scans and doing remediation, and reporting any major incidents or face fines for noncompliance.
“Governments rightfully want to understand data center energy usage and control it, and on the other level is the fact that IT operations are critical to our functional economy and our society. And if data centers go down, it’s going to get ugly fast, so they’re looking at how to prevent that,” said Jay Dietrich, the Uptime Institute’s research director of sustainability.
DORA may emerge as a blueprint for other geographies and industries to develop data center regulations to strengthen digital resiliency, according to the Uptime Institute. Likewise, once the EU publishes valid data on energy and water consumption as required by the EED, Dietrich predicts that it will prompt governments in other geographies to follow suit.
“My belief is that once Europe publishes the data, the United States will pull the trigger on something,” Dietrich said.
But as the EU has learned, it’s one thing to pass regulations, it’s another to implement them. Reporting of EED data is off to a slow and shaky start as the EU Commission and member states continue to put the processes in place for data center operators to submit data, Dietrich said.
Here’s a look at some of the data center regulations worldwide related to sustainability and resiliency, more details on the EED’s slow rollout and the necessary next steps the EU must take to work out the kinks, and what data center operators need to do to successfully comply when faced with new regulations.
Sustainability Laws Across the Globe
As AI adoption grows, data center power demand worldwide is expected to increase 160% by 2030, while carbon dioxide emissions could more than double before the end of the decade, according to Goldman Sachs Research.
As a result, all the major economies are beginning to require climate disclosures for companies that are registered on their national stock exchanges or meet minimum revenue or employee count requirements, Dietrich said.
These reports will require corporate-level information on energy use and emissions, but not facility-specific data as required by the EED, he said.
For example, under the EU’s Corporate Sustainability Reporting Directive (CSRD), companies must file reports that include disclosing their sustainability policies and performance, including their goals to reduce greenhouse gas emissions.
The largest listed businesses will need to report 2024 data in 2025. Other businesses – including large private companies, listed small and medium-sized businesses, and foreign businesses with an EU presence – will be phased in and will need to begin reporting between 2026 and 2029.
In Asia, Japan’s Financial Services Agency is working to develop a sustainability disclosure standard – broadly similar to the CSRD – that could force Japanese companies to start reporting sustainability data in 2028, according to a published report. The FSA expects to finalize a sustainability disclosure standard by March 2025.
Meanwhile, Malaysia and Singapore have proposed to require sustainability reporting in 2025, while Hong Kong, South Korea and Taiwan are targeting 2026, the report said.
“I would submit that most major markets will require climate disclosures for the 2027 or 2028 operating years,” Dietrich said.
However, the climate disclosures are simply a reporting exercise and doesn’t mandate reductions, said Sean Graham, IDC’s research director of cloud to edge data center trends.
Some countries have begun requiring mandates. China announced in July a plan to decrease the average power usage effectiveness (PUE) of its data centers to less than 1.5 by 2025. The plan includes increasing the utilization rate of renewable energy by 10% annually, China’s government said.
Meanwhile, China’s stock exchanges are considering environmental disclosure rules for large, listed companies, one report said.
In Australia, data centers that provide services to Australia’s federal government must attain a five-star rating, equivalent to a 1.4 PUE or below, from the National Australian Built Environment Rating System (NABERS) by the middle of 2025.
Elsewhere, mandates are in the works. In the EU, the goal of the EED is to reduce energy consumption by 11.7% and reduce greenhouse gas emissions by 55% by 2030. In May 2025, the EU Commission is required to assess the compiled EED data and submit a report to the European Parliament with proposals to improve energy efficiency, including establishing minimum performance standards.
This past May, Singapore’s Infocomm Media Development Authority launched its Green Data Centre Roadmap, which aims to grow data center capacity, but do it sustainably through green energy and energy-efficient technology.
To support the development of data centers with a PUE of 1.3 or lower, the government said it will collaborate with industry to raise energy-efficiency standards for data centers by the end of 2024 and introduce standards for energy-efficient IT equipment and liquid cooling by 2025.
Climate Disclosure and Local Regulations in the US
In the US, climate disclosure efforts by the Security Exchange Commission and the state of California are currently tied up in court. The SEC in March announced regulations requiring companies to report greenhouse gas emissions and other climate disclosures, but it’s held off on implementing the rule because of nine lawsuits.
Similarly, California last year approved two climate disclosure laws that require large businesses doing business in the state to begin reporting greenhouse gas emissions and climate-related risks in 2026, but it’s also under litigation.
Could the U.S. follow the EU’s lead? As Europe rolls out its data reporting mandates, all eyes are on how America might regulate data center sustainability and resilience next. IMAGE: ALAMY
Other state legislatures have debated whether to tie sustainability requirements to continuing tax breaks for data centers but have had no success.
For example, a Virginia lawmaker introduced legislation this year that would only allow data centers to qualify for tax breaks if they maximized energy efficiency and used renewable resources, but the bill died in the state legislature. This year, Georgia lawmakers passed a bill to pause the state’s data center tax break until they could analyze data center power usage, but the governor vetoed it.
Meanwhile, local jurisdictions in the U.S. have taken the lead in enacting data center regulations, but they are more community-oriented issues such as limiting locations where data centers can be built and reducing noise pollution, Graham of IDC said.
For example, Chandler, Ariz. adopted a new zoning ordinance, which went into effect in 2023, that restricts data center construction to approved locations. New data centers in the city must also adopt sound mitigation measures to reduce noise.
In September 2024, Fairfax County in Virginia passed a zoning ordinance to limit the size of data centers in some locations as well as address concerns about noise, building design and proximity to residents. Meanwhile, Loudoun County is finalizing its own data center regulations.
“They are solving real, concrete local problems,” Graham said. “It’s easier to solve problems locally than nationally or at a large scale.”
Regulations that Boost Data Center Resiliency
Governments are increasingly focused on creating new or updated regulations to strengthen digital resiliency and cybersecurity because of the growing importance of IT in critical services, rising geopolitical tensions, explosion of cyberattacks and increased outsourcing to cloud, according to the Uptime Institute.
EU’s DORA requires the finance industry to establish a risk management framework, which includes business continuity and disaster recovery plans that include data backup and recovery; incident reporting; digital operational resilience testing; information sharing of cyber threats with other financial institutions; and managing the risk of their third-party information and communications technology (ICT) providers, such as cloud providers.
“You’ve got to make sure your data center is robust, resilient, and that it doesn’t go down. And if it does go down, you’re responsible for it,” said Rahiel Nasir, IDC’s associate research director of European Cloud and lead analyst of worldwide digital sovereignty.
Financial businesses will have to ensure their third-party providers meet regulatory requirements by negotiating it into their contracts. As a result, both the finance sector and their service providers will need to implement the tools and procedures necessary to comply with DORA, an IDC report said.
In fact, EU’s three financial supervisory authorities – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pension Authority (EIOPA) – will have oversight over critical third-party ICT providers.
While DORA doesn’t mandate digital sovereignty, it does support the need for sovereignty at a greater level because it gives financial institutions greater control, including location of data centers and how data is protected, Nasir said. Digital sovereignty is defined by IDC as having digital self-determination and control over its data, systems and applications.
According to the EU, DORA is focused on financial services – including banks, insurance companies and investment firms – because any service disruption can affect companies in other sectors of the economy.
“Over time, we will see (these regulations) extended to other industries,” said Dietrich of the Uptime Institute.
The EU has also passed the Network and Information Systems Regulations Directive (NIS2), a new set of cybersecurity standards that requires companies that provide essential services to bolster their security by January 2025. “It makes sure you are completely resilient when it comes to cybersecurity,” Nasir said.
Other governments are beefing up their data center resilience with new regulations.
In March, Singapore’s Ministry of Digital Development and Information announced an inter-agency taskforce to study the creation of a Digital Infrastructure Act to enhance the resilience and security of key digital infrastructure and services.
Singapore’s government said the effort is necessary because recent data center outages caused widespread disruption of banking services.
Recent data center outages that weren’t caused by cyberattacks but nonetheless caused widespread disruption of banking services makes the effort necessary, Singapore’s government said.
In the Middle East, Saudi Arabia’s “Data Centre Services Regulations,” which went into effect in January 2024, promotes the building of Tier 2 and Tier 3 data centers that have a high uptime percentage and energy management and sustainability plans.
Back in Europe, the United Kingdom in mid-September designated data centers as critical national infrastructure, which will allow the government to coordinate with data center operators to mitigate threats. In December 2023, the UK also proposed new measures that would set minimum data center standards that would bolster security and resiliency.
In Australia, the Australian Securities and Investments Commission implemented new rules in March 2023 that promotes technological and operational resiliency of securities and futures market operators and participants, according to the Uptime Institute.
In the US, the SEC in 2023 adopted new cybersecurity disclosure rules requiring publicly traded companies to disclose material cybersecurity incidents within four days and to disclose their cybersecurity risk management policies, governance structures and incident response protocols in their annual reports.
This past February, the US National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0, which provides new guidance on reducing their cybersecurity risk for every industry and organization, from small schools and nonprofits to large corporations and government agencies.
The framework, updated for the first time in ten years, is required for federal government agencies but optional for everyone else.
EU Stymied by Slow Initial Rollout of EED
Each EU member state must pass a law to enforce the EED in its own country, but as of September, only Germany and the Netherlands have passed legislation, Dietrich said. But regardless of whether EU countries have passed their individual laws, EU data center operators still have to report their energy and water usage to a database.
However, the EU did not introduce the database until Sept. 6 – nine days before the Sept. 15 deadline to submit the required information, according to an Uptime Institute report.
Each member state must appoint a coordinator to issue accounts and IDs to data center operators, so they can submit the data. Progress has been made, but as of late September, 12 of the 27 EU countries still have not appointed coordinators, including Bulgaria, Ireland, Portugal and Sweden.
Experts say the EU Commission and its member states must work with data center operators to obtain the most accurate reporting data possible. IMAGE: ALAMY
For data center operators in those dozen countries, “the deadline is not being enforced at this point, and that’s only reasonable. You can’t expect operators to report to a system that isn’t even in place,” Dietrich said.
The EED requires EU’s data center operators that use 500kW of power or more to report information yearly, including total and IT energy consumption, water consumption, use of renewable energy, and waste heat output.
Data center operators are supposed to report 2023 data this year and 2024 data in May 2025. But initial submissions show that the first year of data that’s being reported could be inaccurate and incomplete.
For example, the law in the Netherlands required data center operators with facilities in its country to report information by July 15. By August 5, however, 29 reporting forms were submitted, representing 22 operators and 69 facilities. But that accounts for only two-thirds of the country’s data centers, according to an Uptime Institute report.
Furthermore, only 25% of the reported IT space included data on energy and water usage, the report said.
One issue is that the EED allows data center operators to not report data if they did not have systems in place to collect data in 2023. But in the Netherlands, Microsoft and Google declared their data to be confidential so they have not provided any data. A third provider – a colocation provider – reported data on its nine data centers, but they aggregated the data instead of reporting facility-level data as required, the report said.
In another case, an operator’s renewable energy consumption was greater than its total energy consumption, so the data is clearly inaccurate.
Dietrich said the EU Commission and its member states must work out the issues with data center operators, so they get the most accurate data possible.
“The process is limping out the gate,” Dietrich said. “They have to get serious about working it out, and industry needs to take it seriously and recognize this data is going to have to be reported and figure out how to get it done.”
As a result, Dietrich questions whether the EU Commission will have enough data by May 2025 to develop a report with recommendations that includes potential minimum efficiency requirements. He believes the EU Commission needs two years of solid data to properly address data center efficiency, but the current timeline is behind schedule, he said.
“They need two years of data to look at and think about what they want to do,” he said.
What Data Center Operators Must Do to Meet Regulations
To comply with new regulations like EED and DORA, data center operators must create a team from across their business to meet the new requirements because it not only affects the corporate level, but also individual facilities, Dietrich said.
To meet EED’s climate disclosure requirements, for example, data center operators must produce facility-level data, such as total energy consumed and IT energy consumed. But they will also have to get data on their IT equipment, such as server and storage capacity.
Companies need to build new business processes and train employees. They have to put systems in place such as sensors, data center infrastructure management (DCIM) software, IT infrastructure management (ITIM) software and IT operations management (ITOM) software, he said.
“You have to have oversight and make sure everything is done consistently across the business,” Dietrich said.
For example, organizations do not want one site that’s diligent and on top of collecting the data, while employees at another site not care, he explained.
Read more of the latest news on data center regulation.
To comply with DORA, the Uptime Institute is encouraging companies to not only take responsibility of their own IT infrastructure, but also with cloud services and colocation facilities that they use.
Businesses can’t assume third-party providers will take care of reliability and run failover tests, he said. As a result, the person or team in charge of procurement must build oversight into their contracts.
“With DORA, not only do you have to worry about internal operations, but the procurement person that negotiates the contract with the colocation provider has to understand that they don’t just write the contract and put it in a drawer for three years and rebid it,” Dietrich said. “Every three to six months, they have to visit (the provider) with technical staff to find out how they’re doing, what they’re doing, and whether they are meeting their contract conditions.”
Both sides – service providers and their business customers – need to collaborate and renegotiate their contracts to get data from each other to meet regulatory requirements, he said.
In the EU, for example, colocation providers will need IT equipment data from its business customers to gather data for their EED reports, while business customers will need energy usage data from their colocation providers for their CSRD reports.
“They need contractual agreements that enable that flow of information,” he said.
About the Author
You May Also Like