On 30 September, a piece of US legislation that most people outside the datacentre industry have never heard of is due to quietly expire. The Federal Data Center Enhancement Act sets minimum standards for federal datacentres, that cover uptime, power reliability, resilience and – crucially – protection against physical intrusion. When it sunsets, there is no replacement waiting. The floor simply disappears.
It is tempting to read that as a narrow, US, governmental problem. I would argue it is the opposite. The timing tells you everything. We are removing a baseline for physically securing datacentres at the precise moment AI is driving the largest and fastest infrastructure buildout the sector has ever seen.
That combination should concern anyone who operates, finances or depends on a datacentre, wherever in the world they sit.
To be precise about scope, the Act only ever bound US federal datacentres and the contractors that run them for government, never commercial operators. That is exactly why its lapse matters as a signal rather than a local rule change. When even the government’s own floor is allowed to disappear, the baseline everyone else benchmarks against tends to go with it.
The first reaction I usually hear is that other rules will catch it, FISMA and the NIST control catalogue still apply, after all. And they do, up to a point. But the Enhancement Act was the operational mandate, the thing that forced datacentre-specific implementation and assessment. Take it away and agencies are left with significant discretion over how, and whether, they apply physical protections. FISMA provides the principle. The Enhancement Act provided the practice. Principles without a mechanism to enforce them have a way of being interpreted generously.
We have seen this film before. The Act’s predecessor – the Federal Data Center Enhancement Act (FDCEA) – lapsed in 2022 and took years to bring back, even with bipartisan support and an obvious case for renewal.
The risk here is not a single dramatic repeal that makes headlines. It is administrative drift, a requirement that quietly fails to return because nothing forces the issue. That is how security baselines erode: not with a decision, but with the absence of one.
The obvious worry, that established operators will strip out physical security because a statute lapsed, isn’t where the real exposure lies. Their existing facilities, their existing contracts and their own risk appetite keep that spending in place. The exposure is in the new builds.
The AI-era expansions going up right now are specced and procured at extraordinary speed. Most of that capacity is private, built by hyperscalers and developers the federal mandate never bound. That is exactly why its loss matters. It was the one enforceable floor in the system, and once the public benchmark goes there is nothing firm left for the private builds to be measured against. Remove the mandatory assessment framework and physical security becomes something that can be quietly scoped down during procurement to hit a budget or a timeline, with no compliance flag and no formal alert. The gap does not open in the datacentres we already have. It opens in the ones we are racing to build.
This is why the story matters well beyond US federal infrastructure. Every market is in the middle of the same race. The pressure to build AI capacity fast, and the temptation to treat physical security as a flexible line item, are universal. A regulatory sunset in Washington is simply the clearest illustration of a risk that already exists in every fast-moving build. Physical security is the easiest thing to quietly defer, and the hardest to retrofit once the concrete is poured.
There is a deeper contradiction worth naming, too. Governments increasingly classify datacentres as critical national infrastructure, and rightly so. Pulling their security baseline at the same time runs in two directions at once. You cannot call something critical and simultaneously make its protection optional.
The answer is not simply more regulation, although a sensible renewal would help. It is for operators to stop treating physical security as a compliance obligation that rises and falls with the statute book, and start treating it as core design.
The consistent lesson from securing large-scale critical facilities is that physical security cannot be a set of disconnected tools: a camera here, an access reader there, bolted on at the end of a project timeline. It has to be designed as one integrated system from the start, where access control, video, identity and alarms work together and an anomaly anywhere triggers a coordinated response.
The lapse of a law should not be the thing that decides whether that happens. For an asset we all agree is critical, to get its protection right should not require a mandate. But it would help if we stopped quietly removing the ones we already have.
Kumar Sokka is CEO of Acre Security, a global physical security provider

