U.S. lawmakers and industry leaders are evaluating whether data centers should be designated as a standalone critical infrastructure sector, following a House Homeland Security cyber subcommittee hearing on April 29, 2026. The discussion reflects concerns that current federal frameworks do not clearly assign responsibility for securing data centers or coordinating responses to incidents.
Officials and experts noted that data centers are increasingly targeted by adversaries and are central to cloud services, financial systems, healthcare data, and communications infrastructure, with three providers—Amazon Web Services, Microsoft Azure, and Google Cloud—accounting for 63% of the market.
The hearing also highlighted recent incidents involving physical attacks on data centers, alongside ongoing cyber risks, prompting proposals to create a dedicated coordinating body or sector designation to improve collaboration between government and industry. No formal decision has been made, and discussions are ongoing regarding how federal agencies should structure oversight and protection efforts.
Doc McConnell, Head of Policy and Compliance, Finite State:
“There is no denying that data centers are becoming more critical to the functioning of our existing critical infrastructure, including healthcare, communications, energy, and financial services. And there is likely value in closer coordination among data center owners to collectively share risks and respond to incidents.
“But the designation of data centers as critical infrastructure does not, in and of itself, solve this problem. The 2024 National Security Memorandum on critical infrastructure established a shared responsibility model between the public sector and private owners and operators. Building that collaboration, collectively identifying risks, pooling resources to address them systematically — that’s where the real value comes from.
“If the federal government moves to make this designation, they must follow up by leading a national effort with clear outcomes, action plans, and resource commitments from both the public and private sectors. Otherwise, this won’t lead to the strengthened security and resilience that we need.”
Matt Wyckhouse. Founder & CEO,Finite State:
“Data centers are no longer just IT facilities — they are strategic infrastructure underpinning AI, cloud services, financial systems, healthcare, communications, and national security. Treating them as critical infrastructure makes sense, but the designation itself is only the starting point.
“Recent conflict-linked attacks on data center infrastructure in the Middle East, including reported Iranian drone strikes on cloud facilities in the UAE and Bahrain, show that this is no longer a theoretical risk. Data centers are becoming part of the modern battlespace, where cyber operations, physical attacks, supply-chain compromise, and geopolitical coercion can converge.
“The bigger issue is that data center risk is not limited to physical security or perimeter cyber defenses. These environments depend on an enormous technology supply chain: servers, networking equipment, firmware, cooling systems, access-control systems, operational technology, cloud software, and the vendors who build and maintain all of it. A serious compromise may not begin with a front-door attack on a hyperscaler; it may begin much earlier in the lifecycle, through a vulnerable component, manipulated firmware, insecure update mechanism, or opaque supplier relationship.
“If policymakers move toward a standalone data center critical infrastructure sector, the focus should be on measurable assurance: knowing what technology is inside these environments, where it came from, how it was developed, whether it contains known vulnerabilities or exploitable weaknesses, and whether operators can produce defensible evidence of security and resilience. We need to move beyond voluntary checklists and toward continuous, evidence-based assurance across the full supply chain.
“Data centers are becoming the factories of the AI economy. If we are going to depend on them for national-scale compute, we should secure them with the same seriousness we apply to energy, telecommunications, defense, and financial infrastructure.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Data centers are already critical infrastructure in practice. The policy debate is just catching up to operational reality. These facilities are no longer passive real estate where servers happen to sit. They have become part of the operating layer of the modern economy.
“When a major facility or shared dependency fails, the impact does not stay neatly inside one company’s environment. It can become a broader continuity problem very quickly. A standalone designation can help, but only if it turns vague concern into clear ownership and a response model that works when the incident has outgrown a customer support ticket.
“The AI buildout makes this harder to ignore. Training and inference depend on concentrated infrastructure that has to keep working under pressure. That concentration creates efficiency, but it also places more national capacity inside a smaller number of highly important facilities. The threat model is no longer just cyber either. Physical disruption, geopolitical pressure, operational technology compromise, and cloud outages increasingly converge at the same layer.
“The recurring theme in Washington is naming something critical without building the machinery needed to protect it. A sector label only matters if it comes with practical coordination and federal partners that operators trust during a crisis. If agencies like CISA lose capacity while data centers become more strategically important, policymakers trade substance for ceremony.”
John Carberry, Solution Sleuth, Xcape, Inc.:
“The move by Congress to designate data centers as a standalone critical infrastructure sector marks a long-overdue transition in federal risk management. Internet-based services have evolved from business conveniences into safety-critical utilities; however, the current regulatory framework remains bifurcated between the IT and Communications sectors. This oversight gap is increasingly untenable given that three hyperscalers – AWS, Azure, and Google Cloud – now control 63% of the market. This concentration creates a systemic single point of failure where a coordinated cyber campaign or physical sabotage could trigger cascading collapses across healthcare, finance, and government operations.
“Formalizing this 17th sector would mandate stricter incident reporting and create a dedicated Sector Coordinating Council (SCC) to align federal response with the “foundational layer” of the modern economy.
“For leadership, this shift signifies that cloud resilience will soon face the same federal scrutiny as the bulk power system or water utilities. It is a necessary acknowledgment that in 2026, data center availability is no longer a localized operational concern, but a prerequisite for national security and public safety.
“In 2026, treating data centers as “non-critical” is like calling the power grid an optional hobby for people who enjoy light bulbs.”
I am not sure why this is a conversation because in my mind we’re way past the point where datacenters should be considered critical. Or put another way, this conversation should have happened years ago. Clearly congress is late to the party here.
Congress weighs treating data centers as critical infrastructure
Posted in Commentary with tags US on May 1, 2026 by itnerdU.S. lawmakers and industry leaders are evaluating whether data centers should be designated as a standalone critical infrastructure sector, following a House Homeland Security cyber subcommittee hearing on April 29, 2026. The discussion reflects concerns that current federal frameworks do not clearly assign responsibility for securing data centers or coordinating responses to incidents.
Officials and experts noted that data centers are increasingly targeted by adversaries and are central to cloud services, financial systems, healthcare data, and communications infrastructure, with three providers—Amazon Web Services, Microsoft Azure, and Google Cloud—accounting for 63% of the market.
The hearing also highlighted recent incidents involving physical attacks on data centers, alongside ongoing cyber risks, prompting proposals to create a dedicated coordinating body or sector designation to improve collaboration between government and industry. No formal decision has been made, and discussions are ongoing regarding how federal agencies should structure oversight and protection efforts.
Doc McConnell, Head of Policy and Compliance, Finite State:
“There is no denying that data centers are becoming more critical to the functioning of our existing critical infrastructure, including healthcare, communications, energy, and financial services. And there is likely value in closer coordination among data center owners to collectively share risks and respond to incidents.
“But the designation of data centers as critical infrastructure does not, in and of itself, solve this problem. The 2024 National Security Memorandum on critical infrastructure established a shared responsibility model between the public sector and private owners and operators. Building that collaboration, collectively identifying risks, pooling resources to address them systematically — that’s where the real value comes from.
“If the federal government moves to make this designation, they must follow up by leading a national effort with clear outcomes, action plans, and resource commitments from both the public and private sectors. Otherwise, this won’t lead to the strengthened security and resilience that we need.”
Matt Wyckhouse. Founder & CEO,Finite State:
“Data centers are no longer just IT facilities — they are strategic infrastructure underpinning AI, cloud services, financial systems, healthcare, communications, and national security. Treating them as critical infrastructure makes sense, but the designation itself is only the starting point.
“Recent conflict-linked attacks on data center infrastructure in the Middle East, including reported Iranian drone strikes on cloud facilities in the UAE and Bahrain, show that this is no longer a theoretical risk. Data centers are becoming part of the modern battlespace, where cyber operations, physical attacks, supply-chain compromise, and geopolitical coercion can converge.
“The bigger issue is that data center risk is not limited to physical security or perimeter cyber defenses. These environments depend on an enormous technology supply chain: servers, networking equipment, firmware, cooling systems, access-control systems, operational technology, cloud software, and the vendors who build and maintain all of it. A serious compromise may not begin with a front-door attack on a hyperscaler; it may begin much earlier in the lifecycle, through a vulnerable component, manipulated firmware, insecure update mechanism, or opaque supplier relationship.
“If policymakers move toward a standalone data center critical infrastructure sector, the focus should be on measurable assurance: knowing what technology is inside these environments, where it came from, how it was developed, whether it contains known vulnerabilities or exploitable weaknesses, and whether operators can produce defensible evidence of security and resilience. We need to move beyond voluntary checklists and toward continuous, evidence-based assurance across the full supply chain.
“Data centers are becoming the factories of the AI economy. If we are going to depend on them for national-scale compute, we should secure them with the same seriousness we apply to energy, telecommunications, defense, and financial infrastructure.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Data centers are already critical infrastructure in practice. The policy debate is just catching up to operational reality. These facilities are no longer passive real estate where servers happen to sit. They have become part of the operating layer of the modern economy.
“When a major facility or shared dependency fails, the impact does not stay neatly inside one company’s environment. It can become a broader continuity problem very quickly. A standalone designation can help, but only if it turns vague concern into clear ownership and a response model that works when the incident has outgrown a customer support ticket.
“The AI buildout makes this harder to ignore. Training and inference depend on concentrated infrastructure that has to keep working under pressure. That concentration creates efficiency, but it also places more national capacity inside a smaller number of highly important facilities. The threat model is no longer just cyber either. Physical disruption, geopolitical pressure, operational technology compromise, and cloud outages increasingly converge at the same layer.
“The recurring theme in Washington is naming something critical without building the machinery needed to protect it. A sector label only matters if it comes with practical coordination and federal partners that operators trust during a crisis. If agencies like CISA lose capacity while data centers become more strategically important, policymakers trade substance for ceremony.”
John Carberry, Solution Sleuth, Xcape, Inc.:
“The move by Congress to designate data centers as a standalone critical infrastructure sector marks a long-overdue transition in federal risk management. Internet-based services have evolved from business conveniences into safety-critical utilities; however, the current regulatory framework remains bifurcated between the IT and Communications sectors. This oversight gap is increasingly untenable given that three hyperscalers – AWS, Azure, and Google Cloud – now control 63% of the market. This concentration creates a systemic single point of failure where a coordinated cyber campaign or physical sabotage could trigger cascading collapses across healthcare, finance, and government operations.
“Formalizing this 17th sector would mandate stricter incident reporting and create a dedicated Sector Coordinating Council (SCC) to align federal response with the “foundational layer” of the modern economy.
“For leadership, this shift signifies that cloud resilience will soon face the same federal scrutiny as the bulk power system or water utilities. It is a necessary acknowledgment that in 2026, data center availability is no longer a localized operational concern, but a prerequisite for national security and public safety.
“In 2026, treating data centers as “non-critical” is like calling the power grid an optional hobby for people who enjoy light bulbs.”
I am not sure why this is a conversation because in my mind we’re way past the point where datacenters should be considered critical. Or put another way, this conversation should have happened years ago. Clearly congress is late to the party here.
Leave a comment »