The 2020s have not yet delivered a GDPR-scale overhaul of US data center regulations, but they have reshaped compliance through steady, cumulative changes – especially in cybersecurity, sustainability, and, increasingly, AI governance. The exception to the “incremental” rule is the emergence of AI-specific regulation, which is setting genuinely new expectations for transparency and risk management.
The result in 2025 was a compliance environment that felt paradoxical: permitting and procurement became easier in some jurisdictions, while operating compliant, transparent, and resilient facilities became materially harder.
This overview distills what matters now and what’s likely next so data center leaders can meet today’s obligations and stay ahead of future shifts.
Cybersecurity: Stricter Expectations and Fuller Audits
Cybersecurity standards tightened meaningfully in recent years and will continue to mature in scope and depth.
In the EU, the Digital Operational Resilience Act (DORA) raised the bar for incident reporting, testing, and third-party risk, requiring data center operators to promptly disclose security breaches and collaborate with relevant authorities to mitigate risks.
NIS 2 broadened the reach of the EU’s cybersecurity regime, capturing more sectors and raising baseline controls. National transpositions in 2025 heightened attention to supply chain security, vulnerability disclosure processes, and continuity measures. Meanwhile, widely adopted frameworks evolved: ISO 27001 tightened control clarity and evidence expectations; SOC 2 revisions clarified compliance requirements and auditing procedures.
While none of these cybersecurity regulations specifically target data centers, they aim to reduce cybersecurity risks across all infrastructure types. For data center operators, they underscore the need for defensible, comprehensive documentation of security procedures across both virtual and physical security controls.
AI Governance: Transparency Becomes the Operating Principle
AI-specific regulation began to crystallize in 2025, led by the EU’s AI Act. The AI Act is the most comprehensive AI regulation to date, imposing requirements for risk assessments, reporting, and disclosures related to AI workloads and their hosting infrastructure. In the US, states such as Maryland and Colorado have introduced regulations governing AI development and use; however, these regulations are narrower in scope compared to the EU’s approach.
Despite AI regulations remaining fluid and evolving, making it hard to draw definitive conclusions about how data center operators should respond, one trend is clear: transparency is becoming the cornerstone of AI governance. For data centers, this translates into practical imperatives: being able to identify and classify workloads, document how they are isolated, secured, and monitored, and explain the controls that govern data flows and supporting infrastructure.
Sustainability: Reporting Depth, Operational Efficiency, and Local Constraints
Governments are intensifying efforts to address the environmental impact of data centers and other energy-intensive IT infrastructure, particularly given AI workloads’ heavy energy demands.
The E.U.’s Energy Efficiency Directive (EED) is key in this area. The EED, originally introduced in 2012, underwent a major revision in 2023. The updated directive requires data centers to report operational efficiency metrics such as power usage effectiveness (PUE) and water usage effectiveness (WUE), and adopt measures that optimize electricity and water usage.
In the US, no federal equivalent of the EED exists, but state-level activity is picking up. Oregon’s POWER Act, enacted in August 2025, establishes a special electricity rate for data centers and other large power consumers, incentivizing efficiency and grid-friendly load profiles.
Construction and Citing: Faster Permitting vs. Local Realities
US federal policy in 2025 tilted toward accelerating the development of critical infrastructure. In July 2025, an executive order aimed to streamline permitting for data centers, supported by updated EPA guidance that was designed to ease the approval process for large-scale projects. This should, in principle, shorten timelines and reduce uncertainty.
In practice, local land-use rules, community benefits negotiations, water rights, and grid interconnection queues continue to be decisive. Operators that succeed will pair federal-level efficiencies with early, transparent local engagement and a site strategy that accounts for water constraints, substation lead times, and community expectations around jobs, noise, and sustainability.
Procurement and Consumption: Easier On-Ramps, Higher Expectations
The US government’s FedRAMP 20x initiative, introduced in early 2025, streamlines the adoption of third-party technology services by agencies. While not directly aimed at colocation or wholesale data centers, it is likely to intensify competition. When public-sector buyers can switch suppliers more easily, vendors face sharper competitive pressures and must demonstrate superior security, performance, and value.
How to Navigate Data Center Compliance
Compliance in 2025 mixes simplification with new complexity. Permitting and procurement may be easier in certain jurisdictions, lowering entry barriers for new builds and services. But day-to-day operations carry heavier expectations: more elaborate cybersecurity evidence, workload-level AI transparency, and sustainability reporting that is moving toward measurable performance outcomes.
The takeaway for leaders is to build faster where possible, but invest in the tools and processes that make compliance provable. The winners will translate compliance into operational excellence.
Revisit 2025 Compliance Development and Trends
1. Trump Tariff Turmoil Seeds Uncertainty in Global Data Center Market: Escalating US tariffs on semiconductors and key data center components raised build and operating costs, slowed new construction, and created supply-chain volatility.
2. Land Barriers: How Zoning Regulations Could Stall Data Center Industry Expansion: Operators must navigate municipal land-use ordinances and secure the proper approvals, with unclear codes creating material timeline and approval risks.
3. How Are Data Centers Taxed, and How Much Do They Actually Pay?: As incentives expire and footprints grow, the need for robust tax governance, documentation, and audit readiness increases.
4. EU Data Centers: Balancing Sustainability, Sovereignty, and Growing Pains: Fragmented EU energy and permitting regimes pose significant barriers to grid connections and project approvals.
5. Local Opposition Hinders More Data Center Construction Projects: Organized activism has increasingly stalled or cancelled US data center builds, making local permitting a top constraint despite federal support.
6. New US Policies Won’t Slow ‘Fast-Moving’ AI Data Center Industry, Experts Say: Analysts argued that, despite the AI Action Plan and new legislation, AI data center growth will continue unabated, with near-term constraints driven more by power access, OEM lead times, and labor than by federal rules.
7. Alaska Governor Pitches State as a Data Center Hub for AI-Era Compute: The state emphasizes a favorable tax posture and bespoke incentives.
8.