Article

Geopolitics, AI, and data center development

Geopolitics, AI, and data center development

The advance of AI has made data centers a critical source of geostrategic advantage. However, with the regulatory and political environment evolving at speed, the investment landscape is increasingly complex. In the first of a series of articles exploring different angles on data center development and deployment, we identify the frameworks and risk factors shaping capex flows—and examine the strategies and contractual protections parties are using to mitigate regulatory risk.

In brief

Data centers have become a strategic asset in the AI era, underpinning economic growth, national security and geopolitical influence. 

Investment is accelerating rapidly, with hyperscale data center spending expected to grow sharply over the next decade.

The regulatory environment is becoming increasingly complex, with operators and offtakers navigating overlapping rules on export controls, foreign investment screening, cybersecurity, critical infrastructure, data localization and sovereignty.

Environmental and social pressures are also intensifying as data centers’ energy and water demands rise.

Given the uncertainty and regulatory risk, contracts are becoming a key tool for allocating responsibilities between operators, hyperscalers and tenants.

Market dynamics

Data centers are the backbone of the digital economy, underpinning everything from artificial intelligence to cloud computing and the infrastructure that powers financial markets, energy networks, and healthcare systems. 

The rapid advance of (agentic) AI has seen a drive by governments and businesses to build out digital infrastructure to support the technology’s development and deployment, as well as for wider policy goals relating to national security and geopolitical supremacy

AI leadership is essential to economic growth, with figures suggesting AI and analytics could create USD10 trillion of economic value across the global economy by the turn of the decade. 

From a sovereignty perspective, owning data centers means controlling part of the upstream AI value chain, protecting it from overseas interference and attack.

Against this backdrop, data centers have become a USD200 billion industry, with the number of hyperscale facilities—which comprise vast numbers of servers and provide the compute capacity and storage needed for data-intensive services—doubling every five years. In addition, the rise of neoclouds (AI-first cloud infrastructure providers that provide GPU-as-a-Service (GPUaaS—a topic we explore in more detail here)) puts increasing pressure on the deployment of data centers with sufficient capacity.

Research estimates 28% annual compound expansion in hyperscale investment globally over the next decade, with spending set to exceed USD1.5trn a year by 2034. Capital flows are rising to such an extent that AI capex (defined as spending on AI-related infrastructure and software) contributed more to growth in the U.S. economy in H1 2025 than consumer spending, according to figures from Renaissance Macro Research.

In 2025 alone, Nvidia announced a USD100bn investment to support OpenAI’s development of data centers that use its chips, and agreed deals with Oracle and SoftBank to build another five data centers in the U.S. as part of the Stargate Program, while Amazon, Google, Meta, Microsoft, and OpenAI together announced plans to invest hundreds of billions of dollars in new data centers

The shifting regulatory landscape

This huge spending spree is taking place amid a complex and fast-evolving regulatory environment, as governments across the world use a range of regulatory and policy levers to facilitate capex investment, bolster national security, protect data, and improve cyber and operational resilience. 

Despite administrations seeking to ease existing regulatory constraints on data center development, operators and offtakers (hyperscalers, neoclouds, and those leasing space in co-location and enterprise facilities) remain bound by a complex web of federal, regional, state, and sector-specific regimes. In many areas these regulations overlap or are inconsistent, creating a significant compliance challenge.

Here we explore some of the most consequential regulatory regimes and policies for the data center industry, examine how they are influencing the construction of new facilities and the deployment of high-performance data centers, and share insights on how parties are developing contractual provisions and other strategies to mitigate regulatory and broader risk factors. 

Export controls and foreign investment review

The U.S. is currently the world leader in AI as a result of its prowess in semiconductor design, its control of the most powerful frontier models, and the fact it has more compute capacity than any other country. 

With China’s capabilities developing rapidly, in July 2025 the Trump administration published its AI Action Plan in a bid to preserve America’s advantage. The strategy aims to remove regulatory barriers to U.S. AI innovation; develop domestic AI infrastructure by building data centers and improving the U.S. power grid; and export “full stack” AI packages (“hardware, models, software, applications, and standards”) to America’s allies. 

The U.S. government is also seeking to curtail China’s progress via inbound and outbound investment restrictions (with the same happening in reverse), and is encouraging deals with aligned nations that support America’s technological objectives. Microsoft, Google, and Nvidia have announced major investments in the UK under the UK/U.S. “tech prosperity deal,” while a wave of agreements have also been announced with Middle Eastern countries and investors who themselves are looking to access U.S. technologies

Under the Biden administration, such transactions would have been subject to regulatory oversight under the AI Diffusion Rule, which imposed licensing requirements on technology sales to a broad swathe of countries and prohibited AI-related exports to “countries of concern,” including China. 

Ceding to calls from industry that such tight restrictions were counterproductive, the Trump government has granted Nvidia and AMD export licenses to sell certain chips in China in return for 15% of the relevant sales

The availability of semiconductors—coupled with close scrutiny of inbound investment in data center assets by the Committee on Foreign Investment in the United States and similar authorities in other jurisdictions—is having a major impact on the development of digital infrastructure across the world. 

Cybersecurity frameworks

Given the geopolitical importance of AI—and the rising threat of advanced cyber and physical attacks on digital infrastructure—many jurisdictions now categorize data centers as critical infrastructure. This classification brings with it stringent resilience and reporting obligations for operators—obligations that cannot be downstreamed to data center tenants.

Under the EU’s Network and Information Security 2 Directive (NIS 2)—which aims to strengthen cyber resilience in critical sectors—data center operators are classed as “essential” entities. This means they must register with their national cybersecurity agencies and implement stronger risk management frameworks. NIS 2 carries the threat of significant administrative fines in the event of a cyber breach, as well as personal liability for senior managers.

In January 2026, the Commission proposed further reforms to the EU’s cybersecurity framework, including NIS 2. Under the proposal, essential entities like data center operators would be prohibited from using IT components from high-risk suppliers in their key assets (both previously designated by the Commission) and could be required to phase out existing components. Breaches of these supply chain rules could attract fines of up to 7% of worldwide turnover. 

The Critical Entities Resilience Directive applies to data center operators, requiring enhanced risk assessments, the implementation of more stringent security measures, and compliance with specific notification obligations. Operators may also fall within the scope of the Digital Operational Resilience Act (DORA, which is designed to improve the operational resilience of the European financial sector) if financial entities are their customers or tenants. As with NIS 2, DORA will be further reformed by the Commission to eliminate compliance overlap.

Data centers are also classed as critical national infrastructure (CNI) in the UK. While this designation imposes tougher compliance requirements, it also affords operators more government support when dealing with critical incidents, including by giving them priority access to the UK security agencies. 

The Westminster government is considering bringing data centers within scope of its Cybersecurity and Resilience Bill, which would impose still more stringent obligations around cyber risk management and supply chain security.

In the U.S., breach notification is governed by general state breach notification laws and sectoral federal laws. 

One federal law set to take effect in 2026 is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Unlike many other U.S. breach notification laws, CIRCIA is triggered by a substantial cyber event—whether or not personal information is affected. 

CIRCIA will require relevant entities to report cyber incidents to the federal Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, with notification of ransomware payments within 24 hours subject to certain exemptions. CIRCIA joins a growing body of U.S. legal requirements around cybersecurity that are concerned with critical infrastructure’s resiliency to withstand cyber attacks.

Several jurisdictions across the Asia Pacific region have similarly broadened their definitions of critical infrastructure to include data centers and cloud services. Australia’s Security of Critical Infrastructure Act, for example, has been amended to expressly include data centers, while Hong Kong’s Critical Infrastructure Bill, which came into force on January 1, 2026, also brings data centers into scope.

In Singapore, data centers are now classed as “foundational digital infrastructure.” Here the government has published specific guidance on security and resilience, which encourages operators to implement business continuity management systems, conduct risk assessments, and adopt best practices for disaster recovery and risk mitigation that reference international standards such as ISO 22301.

Data localization and data sovereignty

In response to generalized concerns about data protection, cybersecurity standards, national security, and law enforcement, more than 100 countries—from China to Saudi Arabia—have now introduced data localization frameworks. These rules create an explicit requirement that data be stored and processed within a particular territory—or not transferred to proscribed jurisdictions—and have become progressively more restrictive over time.

Even the U.S., which has historically been relatively less stringent regarding the export of data, has asserted itself in the space. At the end of 2024, the U.S. Department of Justice announced its Data Security Program, which prohibits, with some exceptions, the transfer of “bulk” sensitive personal data and government-related information to countries of concern including China, Hong Kong, and Russia. 

The program creates significant compliance challenges for multinationals including prohibitions and restrictions on certain transactions. Auditing and reporting standards were introduced in October 2025, although there is a 90-day safe harbor period provided “good faith” steps are taken, with no enforcement until July 2026. 

In addition, various U.S. agencies are mimicking the guidance. Also in October 2025, following the DOJ’s lead, the National Institutes of Health (NIH) prohibited entities holding U.S.-person human biospecimens from directly or indirectly distributing those materials to institutions or parties in countries of concern when the biospecimens are collected, obtained, stored, used, or distributed under new or ongoing NIH funding. 

By contrast, data sovereignty is not about location but about nation states retaining formal control over their data, including who has access to it, which regulatory regimes apply to it, and who manages the digital platform on which it sits. 

The EU is pursuing “strategic autonomy” via a broad “Tech Sovereignty Package,”, which was made public on June 3, 2026. The centerpiece is the Cloud and AI Development Act (CADA), which aims to triple EU data center capacity in the next five to seven years by harmonizing permitting processes, fast-tracking strategic projects, and channeling targeted financial support. 

Equally important for data centers, CADA introduces a cloud computing sovereignty framework and mandatory sovereignty risk assessments for public entities, to define what constitutes “sovereign” cloud services within the bloc for critical-use cases. 

In response to this trend, major tech companies have launched sovereign cloud services and states including Luxembourg and Saudi Arabia have set themselves up as hosts for “data embassies”—with cloud facilities within their borders that are under the legal jurisdiction of other nations. 

Given the challenge of relying on foreign cloud providers to handle domestic traffic, offtakers are increasingly pursuing local data storage facilities and single data centers in each cloud region. In Europe, this is leading to the construction of smaller-scale data centers that meet national needs, rather than larger pan-Continental facilities. It is also driving corporations to implement governance reforms. 

Microsoft, for example, announced in May 2025 that it would increase its data center capacity in Europe by 40% by 2027 and would store data within member states’ borders. 

It created a pan-European board of directors for its European operations and gave the roles exclusively to European nationals. In light of tensions between the U.S. and EU over tech regulation, Microsoft has also committed to pursue litigation if it is ever ordered to suspend its European cloud operations.   

Artificial intelligence regimes

The hosting of AI systems in data centers raises additional risk and compliance challenges for operators.

If, for example, an operator used AI to monitor the data center’s energy consumption and cooling—and to predict when systems need maintenance—the operator would fall within scope of the EU AI Act as a deployer. 

The AI system may also be classed as “high risk” under the Act, a classification that attaches to AI systems that provide components of security systems involved in the administration and operation of critical digital infrastructure, and which brings heightened transparency and reporting obligations for deployers.

Environmental, climate, and social tensions

Outside of these regimes, data center operators face further regulatory uncertainty and complexity amid growing calls for moratoriums on data center expansions, in many cases fueled by environmental, climate, and social-related concerns.

Significantly, the growth in energy consumption by data centers has drawn concern from investors, local communities, and civil society, with operators, governments, and regulators now dealing with the backlash. 

According to figures from the International Energy Agency, by the end of the decade the U.S. is set to consume more electricity for data centers than for the production of aluminum, steel, cement, chemicals, and all other energy-intensive goods combined. Amid this heightened demand, direct power purchase agreements are funding extra generating capacity. 

This dynamic—alongside the fact that grid expansion lags data centers’ energy needs—is also diverting investment away from renewable infrastructure and towards gas and nuclear. Questions have been raised in the courts and outside about the compatibility of data center growth and commitments to transition away from fossil fuels at global, national, and business levels.

The most popular current energy sources used to power data centers globally are renewables and gas. In the U.S., the data center boom has led utilities to reverse plans to phase out aging coal-fired power plants, while Trump administration’s “Unleashing American Energy” executive order calls for regulatory restrictions on fossil-fuel generation to be relaxed. At the same time, the U.S. tech giants are investing heavily in nuclear power, including small modular reactors (SMRs), as a potential long-term solution. 

In Europe, some member states are also focusing on nuclear generation (including Sweden and France), while others are leaning on renewable energy sources such as hydropower (for example, Finland). Elsewhere, data center operators are using hydrogen fuel cells for storage rather than fossil fuel generators, while SMRs have been held up as a future solution. (We explore the energy supply landscape surrounding data centers in more detail here.)

Beyond concerns over data centers’ energy footprint, operators are also set to face greater focus on the sustainability impact of their own activities and those of their supply chains. 

As an example, operators may expect to fall within the scope of measures aimed at forcing greater transparency over, and accountability for, the environmental impact of their data centers. Notably, the EU Energy Efficiency Directive already requires data centers with a power demand of at least 500kW to submit data (on a confidential basis) around energy and water efficiency, renewable energy use, waste heat recovery, and operational flexibility. 

While compliance levels are low, the regime paves the way for the upcoming establishment of an EU-wide scheme for rating the sustainability of data centers (expected to be adopted in H2 2026), followed by a consultation for new and existing data centers’ minimum performance standards by 2027. Perhaps unsurprisingly, there are calls for measures in the UK and elsewhere to similarly mandate disclosure by operators in relation to hot button sustainability indicators.

Intensifying scrutiny is also expected in the form of tighter environmental and human rights impact assessments, conditional planning and permitting approvals contingent on meeting sustainability requirements, measures aimed at optimizing resource efficiency, as well as rising engagement from supply chain actors, financiers, and wider stakeholder groups. 

The backdrop is a complex and growing web of divergent data center deployment policies, due diligence laws and norms, sustainability disclosure regimes, regulatory expectations around sustainability indicators and transition planning, growing allegations and reports of human rights and environmental impacts along the AI value chain, and litigation risks.

In addition, the heightened focus on ethical AI at inter-governmental level makes it almost inevitable that nations will continue to ramp up regulation of the AI value chain  in an attempt to prevent or minimize adverse impacts on the climate, environment, and society, though national approaches promise to vary in form and speed. (We explore the sustainability landscape surrounding data centers in more detail here.) 

Focus on contracts to mitigate regulatory risk

Given the complexity of the regulatory environment surrounding data centers, contractual provisions to distribute regulatory risk between operators, hyperscalers, co-location, and enterprise tenants are heavily negotiated.

  • Parties should avoid agreeing to overly broad provisions on regulatory compliance and understand the exact role of each party in the relationship.
  • Separate provisions for different regulatory requirements are becoming commonplace, with the relevant detail set out in the contractual schedules.
  • Offtakers are increasingly scrutinizing general obligations to comply with the policies of a hyperscaler. Master services agreements can often be amended unilaterally.
  • Mutual assistance obligations are similarly in focus, with parties inserting tables into contracts that detail, for each category of compliance, individual responsibilities, joint responsibilities, and which party provides assistance on specific support tasks. 
  • Contractual wording on regulatory change is adapting to detail how costs will be apportioned and how remediation budgets will be approved.
  • Likewise, parties are avoiding overly broad indemnification obligations and termination rights, insisting on clear language to apportion responsibilities for communicating with regulatory bodies.
  • Contractual mechanisms, in addition to strengthened governance and due diligence, can serve to address particular environmental, climate, and social risks.  

Related capabilities