US Data Center Security and Sustainability Law Set to Expire as AI Boom Strains Infrastructure

A federal law that sets security and sustainability requirements for US data centers is set to expire within months, with no replacement legislation introduced. The law, which has governed facility standards since its passage, covers physical security, energy efficiency, and environmental reporting for data centers that handle federal or critical infrastructure data.

The expiration comes as US data center capacity is projected to grow by over 40% by 2027, driven largely by AI workloads, according to industry estimates. Without the law, operators lose a unified federal baseline, creating a patchwork of state-level rules that could slow new builds and raise compliance costs.

What the Law Covers and Who It Affects

The law applies to data centers that serve federal agencies or are designated as critical infrastructure. It mandates:

• Physical security standards including access controls, surveillance, and perimeter monitoring.
• Energy efficiency benchmarks tied to Power Usage Effectiveness (PUE) targets.
• Annual sustainability reporting on water usage, carbon emissions, and renewable energy procurement.
• Cybersecurity requirements for network segmentation and incident response plans.

Major operators including Equinix, Digital Realty, and QTS Realty Trust have aligned their facilities with the law's requirements. Smaller colocation providers and edge data center operators would face the most disruption if the law lapses, as they rely on federal standards to guide their security investments.

Implications for AI Infrastructure and State Regulation

The law's expiration coincides with a surge in AI data center construction. Northern Virginia, the world's largest data center market, has seen over 3 gigawatts of new capacity announced since 2023. Without federal standards, states like Virginia, Oregon, and Arizona are drafting their own rules, creating a compliance burden for operators that span multiple states.

Industry groups including the Uptime Institute and the Data Center Coalition have urged Congress to renew the law or pass a replacement. The Uptime Institute's 2024 survey found that 68% of data center operators consider federal security standards critical to their risk management. A lapse could also affect federal contracts, as agencies may require compliance with the expiring law as a condition of doing business.

What comes next is uncertain. The current Congress has not scheduled hearings on a replacement bill. If the law expires, the Federal Trade Commission and state attorneys general could step in to enforce security and sustainability claims under existing consumer protection laws, but that would be a slower, less predictable process. Operators are advised to maintain their current compliance programs voluntarily, but without a federal mandate, enforcement will vary widely.