Europe’s AI boom is building a new kind of critical infrastructure – and it runs on electricity, explains Ian Hirst, Partner, Cyber Threat Services, Talan.
Every time someone asks a generative AI model to summarise a contract or draft code, an invisible industrial process begins.
GPUs spin, cooling systems surge and power flows into windowless halls far removed from glossy “AI” marketing posters. Those halls are data centres; the physical factory floor of Europe’s digital economy.
As AI demand accelerates, Europe must treat data centres not as “just IT,” but as critical infrastructure whose failure would ripple across healthcare, finance, transport, government and public safety.
The uncomfortable truth is that AI does not only raise questions about data.
It raises questions about power, and about adversaries who understand that disruption is often achieved not only by stealing information, but by undermining availability.
AI demand collides with physics, not just policy
Europe is now living through the consequences of a simple equation: More AI capability requires more compute; more compute requires more electricity; electricity arrives through grids never designed for dense clusters of hyperscale demand.
The European Commission has highlighted how data centre electricity use is rising and how difficult it is to connect new capacity to constrained grids, with EU consumption estimated at ~70 TWh in 2024, rising toward ~115 TWh by 2030 [1].
The International Energy Agency (IEA) notes that while data centres are not the largest drivers of electricity growth, their geographically concentrated demand creates significant grid integration challenges [2].
This is no longer theoretical. Reuters reported that Belgium’s grid operator is considering reforms including flexible connections and capacity allocation as data-centre electricity requests surge alongside AI expansion [3].
So, Europe faces a dual resilience challenge: Protect data centres as digital assets and protect the energy system that keeps them alive.
Why data centres now sit in the same category as power and water
The UK has made the direction of travel explicit.
In September 2024, the UK government announced that data centres would be designated as critical national infrastructure (CNI), citing the impact of outages, cyber-attacks and adverse events on services like the NHS.
That recognition is being translated into regulation through the Cyber Security and Resilience (Network and Information Systems) Bill, which brings data centres into scope as essential services with proportionate security measures and incident reporting duties. Thresholds are based on Rated IT Load (RITL), broadly ≥1MW for many data centres (and ≥10MW for certain enterprise sites).
At EU level, the NIS2 framework establishes a unified cybersecurity regime across critical sectors and strengthens regulatory expectations for entities underpinning the digital economy.
The strategic implication is straightforward: Data centres are no longer “supporting infrastructure;” they are part of national and regional operating capacity.
The threat landscape is converging on digital infrastructure
Talan threat intelligence over the last 18 months shows a clear trend: Financially motivated crime, hacktivism and state-aligned operations increasingly overlap in techniques, tooling and target choice, with digital infrastructure firmly within the blast radius.
ENISA’s Threat Landscape 2025 summarises the EU picture starkly: Ransomware remains a core threat, phishing dominates as an intrusion vector and vulnerability exploitation is rapidly weaponised.
Digital infrastructure remains a strategic target for espionage.
Ransomware and state-aligned threat groups are explicit about their intent.
AI is also shifting attacker economics. ENISA describes AI as “a defining element” of the threat landscape, including AI-supported social engineering and synthetic content. Microsoft’s Digital Defence Report 2025 similarly describes nation-state actors adopting AI to scale operations.
For data centres, that convergence matters because the attack surface is broad: Cloud control planes, identity systems and supply chain dependencies; remote management tooling and MSP access paths; physical facilities tech (BMS, access control, CCTV, generator/UPS monitoring) and the grid interface itself.
Talan’s threat research reinforces how often intrusions hinge on compromised cloud assets and credentials, allowing a single foothold to cascade across platforms and suppliers.
The power grid is part of the security boundary
If the last decade was about protecting “data at rest and in transit,” the next will focus on protecting compute in context, including dependency on electricity. Load Altering Attacks (LAAs) illustrate this risk.
These attacks manipulate demand patterns at scale using internet-controllable devices, creating instability and market disruption. The UK’s Cyber Security and Resilience Bill acknowledges this risk by proposing to mandate “load control”, capturing controllers with potential influence over 300MW or more of electrical load to reduce cyber-enabled grid disruption.
For data centres, this matters because the grid is becoming dynamic: AI clusters drive spiky, dense demand; operators explore flexibility contracts and on-site generation and “smart” demand-side response becomes a balancing tool.
That flexibility is valuable, but it creates a cyber-physical failure mode: Attackers do not need to “hack the grid” if they can compromise the systems that steer load.
What “treat data centres as critical infrastructure” must mean in practice
If Europe is serious, resilience cannot be a label. It must become an engineering and governance discipline spanning data, facilities and grid:
- Make availability a first-class security objective – architect for isolation and recovery: Immutable backups, tested restoration, crisis communications and operational “degraded mode” plans aligned to systemic dependencies
- Treat identity and supplier access as your soft underbelly – harden identity, restrict privileges and assume compromise in MSP tooling
- Bring facilities and OT into the same risk model as cloud – segment and monitor physical access systems, BMS, DCIM, generators and UPS. A “data centre breach” often manifests through environmental or physical control
- Coordinate with grid operators as a security partner – cyber-resilience needs joint exercises, clear communications, shared telemetry expectations and pre-agreed responses to abnormal load behaviour
- Regulate with precision – thresholds, reporting, accountability. The UK approach is instructive: Define thresholds (RITL), set proportionate duties, mandate incident reporting and assign named regulators.
The strategic bottom line for Europe
AI is accelerating Europe’s reliance on a small number of physical nodes where compute, data and power converge. Those nodes are attractive to criminals seeking leverage, hacktivists seeking visibility and hostile states seeking strategic options. Treating data centres as critical infrastructure is not alarmism.
It is acknowledging reality: In an AI-powered economy, the data centre is the factory and the grid is the supply chain. Protecting one without the other creates fragility in practice.
References
- [1] European Commission, Directorate-General for Energy, In focus: Data centres – an energy-hungry challenge, News article, 17 November 2025. States that, based on International Energy Agency estimates, EU data centre energy use was 70 TWh in 2024 and is expected to rise to 115 TWh by 2030
- [2] International Energy Agency (IEA), Energy and AI, IEA, Paris, published 10 April 2025 (CC BY 4.0). Core report setting out the energy-AI demand outlook and modelling assumptions used across the IEA’s analysis
- [3] Alban Kacher, “Belgium mulls energy limits for power-hungry data centres as AI demand surges,” Reuters, 22 October 2025. Reports that Belgium’s grid operator Elia said data centre capacity requests had increased nine-fold since 2022, with reserved capacity for 2034 already at more than double the 8 TWh foreseen in national grid development plans, prompting consideration of capacity allocation limits and flexible connections
