A cross-border effort between the United States and United Kingdom to streamline modular data center permitting is producing measurable early results - faster approvals and cleaner project pathways - while revealing significant regulatory and standards divergence that could limit scalability, particularly for edge-cloud deployments.
Background
The parallel permitting push emerged from separate but converging policy decisions on both sides of the Atlantic. In the US, President Trump signed Executive Order 14318 on July 23, 2025, directing federal agencies to streamline environmental and permitting reviews for qualifying data center infrastructure projects. The order explicitly aimed, according to the White House, to facilitate "the rapid and efficient buildout of data center infrastructure," including construction on federal lands.
In the UK, the government has pursued its own accelerated path. In September 2024, the Technology Secretary formally designated data centers as Critical National Infrastructure - the first new CNI classification in nearly a decade. The UK's Planning and Infrastructure Bill followed, overhauling the Nationally Significant Infrastructure Project regime to deliver faster, more predictable decisions. A ministerial statement confirmed the intention to remove the statutory pre-application consultation requirement for NSIPs to cut time and duplication.
Underpinning both efforts is the same demand pressure. According to JLL's 2026 Global Data Center Outlook, nearly 100 GW of new data centers will be added between 2026 and 2030, with the global sector expected to grow at a 14% compound annual growth rate. Modular builds - prefabricated, factory-assembled units deployable in weeks rather than years - have emerged as the primary strategy for meeting that pace. Industry observers note that modular campuses have become the "default strategy for speed-to-market builds" in 2025, according to Datacenters.com.
Details
The pilot's early wins stem from narrowing duplicative review processes: modular units manufactured in one jurisdiction are increasingly accepted under the other's local authority sign-off, reducing the need for full re-certification. In the US, industry sources note that states typically share modular regulations - a unit approved in one state is generally accepted in another - though this does not yet extend systematically across international borders.
The gaps, however, are significant. Cybersecurity compliance stands out as the most immediate friction point. The UK's Cyber Security and Resilience Bill, introduced in November 2025, will require data centers above 1 MW of capacity to align with the National Cyber Security Centre's Cyber Assessment Framework and report significant incidents within 24 hours. In the US, the Department of Defense's final Cybersecurity Maturity Model Certification rule, issued in November 2025, formally tied contract eligibility to demonstrated cybersecurity maturity across three levels, according to Morgan Lewis. The two frameworks share goals but diverge in audit pathways, governance structures, and enforcement mechanisms.
On export controls, the picture is more favorable. The US Bureau of Industry and Security's January 2025 update to the Export Administration Regulations, which introduced controls on advanced computing integrated circuits and AI model weights, includes the United Kingdom on the approved-country list, easing transfer restrictions for qualifying data center hardware. Still, compliance timelines and documentation requirements for validated end users add administrative overhead to cross-border modular deployments.
Standards misalignment adds further complexity. The UK applies the EN 50600 series for data center design and is considering BREEAM certification for green building compliance, while the US relies on UL 2755 for modular data center safety and performance, according to government policy papers. Neither framework currently incorporates a dedicated cross-border modular data center permitting pathway.
The cybersecurity regulatory environment on both sides is tightening simultaneously. The UK's NCSC handled 204 nationally significant cyber incidents in the 12 months to August 2025, up from 89 the previous year, with 18 classified as highly significant. This has accelerated legislative timelines and raised the baseline compliance burden for operators deploying modular infrastructure across jurisdictions.
Outlook
Regulators in both countries are expected to advance their respective frameworks through mid-2026, with the UK's Planning and Infrastructure Bill and Cyber Security and Resilience Bill both progressing through Parliament. The UK government has stated that £45 billion of private investment has been committed to the data center sector since July 2024, sustaining political pressure to resolve bottlenecks. For operators planning cross-border modular deployments - particularly at the edge, where latency requirements demand rapid multi-site rollouts - the pace of standards alignment will be decisive. Without a converged approach to cybersecurity certification and modular type approval, the permitting gains realized so far risk being absorbed by compliance overhead at the operational layer.
