Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, whether OpenAI’s UK data storage facilities will be subject to routine government security audits.

Data centres were designated as Critical National Infrastructure (CNI) in September 2024. In recognition of this, the government is expected to introduce proportionate regulatory oversight of this sector. The expected vehicle is the Cyber Security and Resilience Bill (CSRB). This will encapsulate OpenAI operations that use colocation services which are covered by the regulations in the CSRB.

DSIT is actively considering options to further improve the cyber security and resilience of Data Centres, as outlined in the Cyber Security and Resilience Policy Statement that was published on 1 April 2025. This would apply to most UK based data centres, including those used by OpenAI.

Specific questions in relation to contracts between OpenAI and relevant Government Departments are a matter for that Government Department. Departments must carry out cyber security assurance of their critical services through GovAssure, assessing key security outcomes against the National Cyber Security Centre's Cyber Assessment Framework. Government’s Public Procurement Note 014 directs all commercial suppliers holding government OFFICIAL, personnel or citizen data to have a minimum of NCSC’s Cyber Essentials certification.