Digital infrastructure: Data centers enter the security frame

Data centers were once viewed, from a transaction perspective, as infrastructure assets. They required land, power, cooling, capital and long-term customers. They still do. But the regulatory lens has changed.

As demand for cloud services, AI and data-intensive applications accelerates, data centers are becoming more than physical facilities. They are control points in the digital economy. They determine where data sits, who can access it, how resilient essential services are and how dependent a jurisdiction becomes on foreign-owned infrastructure.

That shift matters for foreign investment review. Screening authorities are increasingly asking not only who owns the asset, but what the asset enables. The answer can bring data center investments within scope even where data centers are not expressly listed as protected assets in the relevant legislation.

Data as a strategic resource

Recent FDI enforcement practice reflects a shift toward a function‑based assessment of data centers. Rather than focusing on their formal characterization as physical infrastructure, screening authorities are examining whether an investment confers the ability to influence data‑dependent activities that may give rise to security, resilience or public‑order risks. In this context, data centers are assessed less as real‑estate or energy‑intensive assets and more as nodes within a broader digital ecosystem.  

In practical terms, scrutiny tends to focus on access, control and availability. Authorities may examine whether an investor’s ownership stake, governance rights or operational role could affect sensitive datasets, including personal data, government or emergency services data, or commercially critical information. They may also consider concentration risk, particularly where disruption or misuse could impair essential digital services.

This reconceptualization of data as a strategically sensitive resource has enabled data center transactions to fall within the scope of existing FDI screening regimes even where data centers are not expressly listed as protected assets in some legislation.

Europe moves towards digital infrastructure scrutiny

In the EU, these developments coincide with a significant overhaul of the FDI screening framework. In May 2026, the European Parliament approved a revision of Regulation (EU) 2019/452. The reforms seek to strengthen and harmonize national screening regimes, deepen cooperation between Member States and the European Commission and expand the minimum mandatory scope of review, including by identifying “digital infrastructure” as an area of strategic relevance. Some Member States have already moved to strengthen controls of data center-related investments. Others have already closed, or are moving to close, potential review gaps. The direction of travel is visible across Europe; the Netherlands, Germany and the UK offer three useful examples of how selected jurisdictions are already strengthening, or preparing to strengthen, scrutiny of data center-related investments.

The Netherlands

The Netherlands, which hosts a significant concentration of data centers and is regarded as one of the larger data center hubs in Western Europe, imposed a mandatory notification requirement in October 2020 for certain data center transactions. This includes acquisitions of 30% or more of the voting rights in data centers with a minimum installed capacity of 50 MW, as well as providers of data center services to critical government authorities. The regime is notable because it does not provide an exemption for domestic or EU investors: the filing obligation applies irrespective of the acquirer’s origin.

Under the Dutch investment screening regime, there are currently no publicly known prohibition decisions or remedies imposed relating to data center acquisitions. But the wider policy environment is restrictive. In 2022, the Dutch government introduced a nationwide moratorium on new hyperscale data centers with a capacity of 70 MW or more. That moratorium operates alongside increasingly stringent spatial planning rules, which significantly limit the location and development of new data center facilities. In parallel, the government has identified digital autonomy as a strategic priority, reflecting a broader objective to safeguard Dutch and European control over critical digital infrastructure and reduce reliance on non‑European technology providers.

Germany

Germany has been screening investments in data centers with a minimum installed capacity of as little as 3.5 MW for several years. It is also pursuing a similar strategic objective through its policy on digital sovereignty. Its Digital Strategy 2025 seeks to reduce dependencies on technologies from the US and China and ensure that Germany has the capability to develop and train AI models on domestic infrastructure. To this end, the government intends to make substantial public investments in AI and cloud technologies, with the aim of fostering a sovereign, end‑to‑end domestic technology stack. Beyond investment screening considerations, the regulatory requirements for data center operators have tightened significantly following Germany’s implementation of the EU NIS2 Directive and the EU Directive on the Resilience of Critical Entities. These laws create a dual framework. The KRITIS Umbrella Act focuses on physical security, requiring operators to conduct risk assessments, prepare resilience plans and implement technical measures such as access controls and resilient power supplies. Operators must also register critical facilities and report significant physical incidents.

In parallel, the NIS2 Implementation Act targets cybersecurity. It requires operators to manage digital risks, secure their supply chains, and adhere to strict reporting deadlines for cyber incidents, often starting within 24 hours. The result is a more comprehensive responsibility for both the physical and digital security of their infrastructure, coupled with direct compliance accountability at senior management level.

The UK

In the UK – the largest data center hub in Western Europe   – data centers (and associated data infrastructure) are currently caught by the FDI regime only if they provide services directly or indirectly to certain public sector authorities. However, Ministers are now moving to close that gap: proposed reforms will bring all third-party-operated data centers within scope of the regime either later this year or in early 2027.

The direction of Europe is therefore clear. Data center investment is increasingly assessed through a sovereignty and resilience lens. FDI screening is one part of that picture, but it is not the whole story.

The US remains open, but structure matters

The US presents a somewhat different picture. Data center investment has been subject to fewer investment policy and regulatory constraints, and the current administration has been explicit about attracting that capital into the sector, particularly from government-linked investors. That openness, however, should not be mistaken for a relaxed CFIUS environment.

During his May 2025 Middle East trip, President Trump announced a $20bn Saudi-backed investment in US data centers and energy infrastructure, following a pre-inauguration announcement of a comparable $20bn commitment from Emirati developer DAMAC Properties. This openness reflects the scale of investment required. A McKinsey analysis suggests that by 2030 roughly $2.8tn will be deployed into US data center infrastructure, a level of investment likely to require foreign capital alongside domestic financing.

The link between data center build-out, technological competitiveness and national security is clear. The question is whether CFIUS timing, process risk and mitigation could chill that capital at a critical moment. The administration’s policy framework suggests a more permissive posture. The America First Investment Policy expressly welcomes passive investment, including from sovereign wealth funds. Executive Order 14318 establishes an expedited pathway for large-scale data center projects without adding new foreign investment restrictions. At the same time, the administration has shown a lower appetite for mitigation, including by revisiting agreements reached during the prior administration.

CFIUS scrutiny remains strict where a transaction gives a foreign investor control, governance rights, information access or operational influence over assets that may implicate sensitive data, critical infrastructure or government-linked customers.

The practical implication is straightforward. Transactions should be structured to align with the administration’s preference for passivity. Investors should avoid governance or information rights that are not essential to the investment thesis and should be cautious about accepting rights that trigger CFIUS concerns where they are not needed. Early engagement with CFIUS can further reduce friction by framing individual transactions within a broader and credible investment strategy.

Asia growth brings a wider security question

Asia is experiencing a data center boom, driven by AI workloads, cloud adoption, 5G rollout and hyperscale expansion. Major hubs include China, India, Japan, Korea and Singapore, while several emerging Southeast Asian markets, including Indonesia, Malaysia, Philippines, Thailand and Vietnam, are also experiencing significant growth. For a closer look at the execution issues shaping Japanese data center transactions, see our recent analysis on Japan’s data center execution test.

The regulatory picture is not uniform. Some markets are actively seeking capital and infrastructure capacity. Others are tightening controls around data, cybersecurity, foreign ownership, critical infrastructure and national security. Investors therefore need to assess not only whether a filing is required, but whether the transaction sits within a broader technology or industrial policy concern.

China illustrates the point. Digital and intelligent development, underpinned by computing power, algorithms and data, is a key pillar of China’s national strategy. Although data centers are not expressly mentioned as a sector captured by the Chinese national security regime (NSR), they are plainly relevant to areas of broad strategic interest, including AI, digital transformation, data analytics and digital markets.

To date, there have been no publicly reported interventions targeting foreign investment in data centers in China. However, NSR jurisdiction is broad, and the Chinese authority has wide discretion to intervene where foreign investment is perceived to threaten national security. Recent enforcement under the regime shows that the Chinese authority is increasingly tightening controls on FDI in the AI sector. Given that data centers are essential infrastructure for AI, foreign investors considering data center investment in China should conduct rigorous and early risk assessment.

With thanks to Freshfields Ninette Dodoo, Uwe Salaschek, Colin Costello, Iona Crawford, Ruzica Ciric and Max Immerzeel for their contributions to this update.