How Should CNI Data Centre Operators Modernise Legacy Security Systems Ahead of the Cyber Security and Resilience Bill?

Many data centres operating within or supporting Critical National Infrastructure (CNI) still rely on legacy CCTV, access control and monitoring systems that were never designed for today’s threat environment or the regulatory direction now taking shape around the sector.

The issue is rarely the hardware itself. It is the absence of secure, well-governed integration between systems, and the absence of the evidence base operators will need as the UK’s cyber and resilience regime tightens around them.

Expectations on operators have risen since data centres were formally designated as CNI in September 2024. The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament in November 2025 and expected to receive Royal Assent in 2026, will bring qualifying data centre services into the NIS regime as Operators of Essential Services. For operators looking at how to modernise legacy security in this context, the priority is building a connected, resilient and auditable security environment that will stand up to the obligations now coming into view.

Why Do Legacy Security Systems Create Resilience and Compliance Risk?

Disconnected systems limit visibility and slow incident response. In a CNI context, this creates both operational and assurance risks, making it harder to produce the evidence trails, documented resilience strategies and incident response capability that the NCSC Cyber Assessment Framework (CAF v4.0) is built around and that the incoming CSR Bill will start to make enforceable.

Common challenges include:

  • Unsupported software and firmware on cameras, encoders, controllers and head-end servers
  • Manual reporting and monitoring with weak chain of custody
  • Limited audit visibility across VSS, access control and intruder systems
  • Poor logical and operational connection between physical and cyber security functions
  • Increased cyber exposure where security devices sit on flat or poorly segmented networks
  • Supply chain risk from equipment now restricted on government estates or under wider scrutiny

A fragmented physical security estate makes it harder to achieve the resilience that CNI status implies, and harder to demonstrate that resilience to regulators, auditors and customers when it matters.

Step 1: Audit the Existing Estate

Before upgrading anything, operators need a precise understanding of what they actually have.

What Should a Security Audit Cover?

A meaningful audit goes beyond a device inventory and should cover:

  • Video surveillance systems (VSS) against operational requirements (NPSA OR methodology where applicable) and BS EN 62676
  • Access control infrastructure against BS EN 60839, including credential lifecycle and federation with HR/identity systems
  • Intruder detection and perimeter intrusion detection systems
  • Network architecture, including segmentation between IT, OT (BMS, power, cooling) and physical security networks
  • Server, storage and recording environments, including retention, encryption and chain of custody
  • Firmware currency, vulnerability exposure and supply chain provenance
  • Alignment of existing controls to relevant CAF principles, particularly within Objectives A (Managing security risk) and B (Protecting against cyber attack)

This process highlights where systems can integrate securely, where upgrades are genuinely required, and where the most material gaps sit against incoming obligations.

Step 2: Identify Integration Points

Modern CNI data centres need security systems that operate as a connected fabric rather than a portfolio of islands.

Which Systems Should Be Connected?

Typical integration points include VSS / CCTV, access control, intruder detection, video analytics, real-time monitoring platforms, and the wider cyber stack (SIEM, SOAR and the SOC). Bringing these together improves situational awareness, speeds investigation, and produces the timestamped, correlated evidence base that the CSR Bill’s incoming incident reporting obligations (a 24-hour early warning and 72-hour full report under current proposals) will demand. It also creates the operational substrate for the cyber-physical convergence that is now the expected baseline for CNI environments.
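
One way to produce the timestamped, correlated evidence base described above, as an added example that is not from the original article: it normalises events from access control, VSS and a SIEM to UTC, hash-chains them so later edits are detectable, and computes the 24-hour and 72-hour deadlines mentioned in the current proposals. The event fields, source names, sample values and function names are assumptions, and the start of the reporting clock is supplied by the caller because the article does not define it.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names and values are illustrative only.
# The VSS device reports with a +01:00 offset, so string order != time order.
SAMPLE_EVENTS = [
    {"source": "siem", "ts": "2026-03-01T02:14:40+00:00",
     "detail": "new device MAC seen on security VLAN"},
    {"source": "access_control", "ts": "2026-03-01T02:11:05+00:00",
     "detail": "door forced: hall 2 comms room"},
    {"source": "vss", "ts": "2026-03-01T03:12:30+01:00",
     "detail": "analytics: person detected, hall 2 corridor"},
]

def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and refuse naive (zone-less) values."""
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no timezone, cannot correlate: {ts}")
    return parsed.astimezone(timezone.utc)

def _digest(record: dict) -> str:
    """SHA-256 over a canonical (sorted-key) JSON form of the record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def build_timeline(events):
    """Order events by UTC time and link each record to the previous hash."""
    timeline, prev = [], "0" * 64
    for event in sorted(events, key=lambda e: to_utc(e["ts"])):
        record = {"utc": to_utc(event["ts"]).isoformat(), "prev_hash": prev,
                  "source": event["source"], "detail": event["detail"]}
        prev = _digest(record)
        timeline.append({**record, "hash": prev})
    return timeline

def verify_timeline(timeline) -> bool:
    """Recompute the chain; an edited or reordered record breaks it."""
    prev = "0" * 64
    for entry in timeline:
        record = {k: v for k, v in entry.items() if k != "hash"}
        if record["prev_hash"] != prev or _digest(record) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def reporting_deadlines(clock_start: datetime) -> dict:
    """24-hour early warning and 72-hour full report from the given start."""
    return {"early_warning": clock_start + timedelta(hours=24),
            "full_report": clock_start + timedelta(hours=72)}
```

The chain alone cannot detect records removed from the end, so the final hash should be stored outside the system that holds the timeline.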

Step 3: Build Secure-by-Design Architecture

Secure integration depends on resilient network architecture across IT, OT and physical security domains. Proper segmentation, hardened device configuration, certificate-based device authentication and disciplined patching protect critical systems, reduce cyber exposure and support continuity of operations during an incident.

Secure by design, as set out in NCSC’s Secure Design Principles, means building cyber resilience, scalability and monitoring into the environment from the outset rather than retrofitting them later. In a CNI data centre context this is no longer simply good practice; it is the direction of travel embedded in the CAF, in the CSR Bill, and in the assurance expectations that customers, insurers and competent authorities will increasingly apply.

Step 4: Address Supply Chain Assurance Explicitly

Supply chain is treated as a discrete topic in the CSR Bill, which introduces a category of “critical suppliers” and strengthens obligations around third-party risk. For physical security specifically, operators should also account for the restrictions on certain manufacturers within government and wider CNI estates, the National Security and Investment Act 2021 where relevant to transactions, and the NCSC’s published supply chain guidance.

Provenance, firmware integrity, vendor security posture and end-of-life planning all need to be in the audit and the design, not added on later when a regulator or customer asks the question.

Step 5: Work With an Integration Partner That Understands the Regulatory Landscape

Modernising legacy security in a CNI data centre is not a series of isolated technology refreshes. It needs a partner who understands the CAF, the incoming CSR Bill, the relevant British and international standards (BS EN 62676, BS EN 60839, ISO 27001, IEC 62443 where OT is in scope, SOC 2 where colocation customer assurance is in scope), and the operational reality of running these environments 24/7 with zero tolerance for unplanned outage.

An experienced partner will deliver secure-by-design integration aligned to current and incoming standards, build the audit and evidence capability operators will be asked to demonstrate, and provide the lifecycle support that keeps the environment compliant as the framework evolves.

Ready to Modernise Your Data Centre Security Infrastructure?

North works with CNI data centre operators to integrate VSS / CCTV, access control, intruder detection and network infrastructure into a single secure ecosystem designed for long-term resilience and aligned to the direction the regulatory regime is taking. Whether you are starting with a gap assessment against CAF v4.0 and the emerging CSR Bill obligations, or ready to begin a full integration programme, our team can help you build a defensible, future-ready security environment without disruption to operations.