Which certifications are important for data centers?

Author: HOSTTEST Editorial   | 14 Jan 2022

Data Centre Certifications

Most of the data on the internet is stored and processed in data centres, and both businesses and individuals depend on it. It is no coincidence that data centres are regarded as the place of choice to protect information from the failure of individual hardware and to keep it continuously accessible. To achieve and guarantee that standard, operators are expected to hold the relevant certifications. These are meant to ensure uninterrupted availability and to preserve the integrity of data in the event of an incident. Several levels have to be considered, because the security of a data centre depends on many factors: protection against physical intrusion, compromise by cyber attacks, hardware failures, and further risks such as fire, loss of power supply, or the lack of a permanent, redundantly secured connection to the global network.

What is the purpose of data centre certifications?

Anyone storing data outside their own hardware must be able to trust the security of the data centre, whether the data is a website, internal storage such as a Network Attached Storage (NAS) made reachable worldwide through a Virtual Private Network (VPN), or a public or private platform such as a Git repository or documents that several people view and edit together. Official certifications aim to give the user the best possible protection against failure of the rented IT infrastructure and to limit the damage if an incident does occur. They are usually carried out by independent bodies such as TÜV on behalf of the operator, or are demanded by customers, public tenders, or sector-specific regulation once a service reaches a certain scale.

Unlike the administrators of websites or of externally managed IT systems, data centres must consider not only digital attacks but also specific local scenarios. The heat emitted by processors, GPUs, specialised accelerators for applications such as Artificial Intelligence (AI), and storage drives requires reliable, continuous climate control with active cooling. All cabling must be securely installed, cleanly routed, and clearly labelled to prevent failures. The requirements for a data centre are correspondingly high: they cover many aspects, call for specialised personnel, and demand a redundantly secured design. A particular challenge is colocation, where the data centre rents out space for third-party hardware and must give its owners physical access to it. Certifications for data centres aim to take all of these factors into account and to evaluate them under objective criteria according to a common standard.

What are the key official criteria for certifications for data centres?

The requirements for the secure operation of data centres are as high as they are diverse. They span several levels, from the security of the building to the redundancy of network and power connections, and extend to ecological criteria such as the use of renewable energy. The key criteria for certification according to international standards include:

  • Physical security of data centres under normal and exceptional conditions
  • Clear authentication of users and employees, for example through biometric access control
  • Monitoring and efficient control of room climate through a ventilation system
  • Redundancy in critical infrastructure such as network connectivity and power supply
  • Defined and consistently followed processes and work steps
  • Protection against accidents such as fire or natural disasters like floods and storms
  • Ensuring quality and information security based on independent standards
  • Optional additions such as data protection, ecological power supply, or international financial transactions

Until a few years ago, it was common for all of these requirements to be regulated in separate standards, for which certification bodies issued individual certificates. There was no overarching, universally recognised catalogue specifying what a data centre had to meet. The result was a confusing situation in which certification was often carried out purely voluntarily or published mainly for the benefit of customers. To change this and to standardise certification requirements, the European electrotechnical standards organisation CENELEC (not the EU itself) developed the EN 50600 series, adopted in Germany as DIN EN 50600; its first parts appeared in 2012, and the revised general part EN 50600-1 was published in 2019.

What do certifications according to the new standard DIN EN 50600 entail?

The most important framework within the European Union (EU) for certifying fail-safe data centres is EN 50600, titled "Information technology - Data centre facilities and infrastructures", adopted in Germany as DIN EN 50600 and divided into several parts. It is the first pan-European standard that defines a uniform and comprehensive norm for the secure operation of data centres, covering every step from planning through construction and commissioning to ongoing operation. The content of the interrelated parts includes:

  • Theoretical planning and basic architecture for new constructions
  • Construction and installation of the building
  • Appropriate and fail-safe power supply
  • Efficient and adequate cooling of server rooms
  • Redundant and peak-load capable network connectivity
  • Professional management and control of workflows
  • Physical security of data centres to protect the data
  • Prevention against accidents such as fire and natural disasters like storms and flooding

DIN EN 50600 is intended to replace several certifications and to consolidate the security requirements into a single catalogue. However, it primarily serves as a guide that, in a modular fashion, sets out the relevant requirements. For actual certification, TÜV Informationstechnik (TÜViT) maintains a separate test catalogue, TSI.EN50600, which defines each criterion for a successful audit individually and in detail. Version 2 of this catalogue, which came into effect in April 2020, is currently valid and replaces the previous version 1 after a three-year transition period. Neither the standard nor the catalogue is legally binding in itself; certification against it is a voluntary assurance that the operator commissions.

What other and older certifications for data centres exist?

Over the past decades, numerous different standards for data centres have been established since the spread of the internet, some of which formulate general requirements and others that were developed for specific purposes - such as operating in a financial or industrial environment. The most important among them include:

  • ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements
  • ISO 9001: Quality management systems - Requirements (the fundamentals and vocabulary are defined in ISO 9000)
  • IT-Grundschutz (IT baseline protection) from the German Federal Office for Information Security (BSI)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Trusted Site Infrastructure (TSI) from TÜV Informationstechnik GmbH
  • ISO 14000 family: international standards for environmental management (ISO 14001 is the certifiable requirements standard)
  • Availability ratings in Tier classes, such as the Uptime Institute's Tier I to Tier IV

Some of these norms and certifications, such as ISO/IEC 27001, TSI, or IT-Grundschutz, refer explicitly to modern information and communication technology, including data centres. Others, such as ISO 9001 or the ISO 14000 family, can be applied to any company regardless of industry and attest compliance with certain management standards. A third group, including PCI DSS, covers particularly security-critical areas such as electronic payment transactions, for example with credit cards. An important task of DIN EN 50600 is to harmonise these different certifications and consolidate them into a single standard in order to create transparency. In practice, a certificate only covers the scope stated on it: an ISO/IEC 27001 certificate, for instance, applies to the management system, sites, and services named in its scope statement, so a customer should check that the facility and service they actually rent are included.

Who issues certifications for data centres?

With regard to the standards listed above, it must be emphasised that some of the responsible institutions do not carry out certifications themselves and do not independently confirm that a data centre meets the requirements. This applies in particular to the International Organization for Standardization (ISO) and the German Institute for Standardization (DIN), both of which only define standards and leave verification to unaffiliated certification bodies or to the users themselves. For this reason, large data centres run by international providers often undergo external audits by reputable bodies such as TÜV and explicitly advertise these in their certifications. Because such audits are costly and not mandatory, other operators forego them and check compliance with the requirements themselves. Such self-certification is not uncommon and is widely practised in the industry. The best-known example is the CE marking required for electrical devices and many other products in the EU, which expresses the manufacturer's own declaration of conformity with the applicable rules and, for many product categories, does not require any testing by an independent body.

Are data centres legally required to be certified?

There is no general legal requirement mandating a specific examination of a data centre. Certifications for data centres, with or without colocation, are usually voluntary and initiated by the operator. There are indirect constraints, however: public tenders often require specific certifications, and many medium-sized companies and large corporations insist, in their own interest, that the data centres they use are assessed and certified by an independent body. So while there is no direct legal obligation for data centres to obtain particular seals or undergo inspections, there is strong commercial pressure to do so once they reach a certain size. When evaluating a provider, ask for the certificate itself rather than relying on a logo, check its validity period and the scope it covers, and, where the certification body maintains a public register of issued certificates, look the certificate up there.
