Beyond the Server Room: Why Data Centers Must Embrace Industrial-Grade Safety and Compliance

As the global demand for digital infrastructure accelerates—driven by artificial intelligence (AI), cloud computing, and global connectivity—the data center industry finds itself at a crossroads as it is outpacing the ability of utilities, regulators, and zones to keep up. Growth is explosive, technology is evolving, and the stakes have never been higher. Still, amid this progress, one truth remains: no matter how advanced the systems are, resilience depends on people, preparation, and compliance. The shift toward AI-scale data centers is reshaping the industrial landscape. While these facilities may not be typical industrial facilities like refineries, marine terminals, or oil depots, they share many of the same environmental, safety, and regulatory challenges.

The laws and lessons that have guided the energy sector for decades are more relevant now than ever. When we talk about data center readiness, most think of cybersecurity, backup power, and network redundancy. Yet some of the most significant risks are not digital—they’re physical and environmental. A data center houses thousands of servers, complex electrical systems, and large-scale mechanical infrastructure. Backup generators store vast amounts of diesel fuel, and cooling systems manage millions of gallons of water. Each of these components introduces potential risks: fire, spills, leaks, or environmental contamination. In the energy, oil and gas, and chemical industries, these risks are managed through decades of regulation and routine drills. Data centers must adopt a similar mindset.

This article provides a high-level overview of many of the regulations and considerations this emerging sector must address as growth continues. While not every item applies to all situations and not every requirement is covered here, it provides insight into how these operations must manage risks similar to those long managed by the established energy sector. Operations, technology, and assets may evolve rapidly, but the foundational laws and regulatory expectations of our country remain constant.

Overview of Core Compliance Concerns

The industrial world has long operated under the strict oversight of environmental laws like the Clean Air Act ("CAA"), Clean Water Act ("CWA"), and the Oil Pollution Act of 1990 (OPA90). Increasingly, these same guidelines are beginning to apply to data centers.

Air Permitting: As data centers scale to meet AI demand, these same frameworks are beginning to apply. Backup generators—the lifeline of uptime—are also major sources of emissions. Whether your facility operates ten or a hundred units, you may trigger federal and state air permitting requirements under the CAA. Key programs include New Source Review ("NSR") Permits, Title V Operating Permits, and NESHAP/RICE Rules (National Emission Standards for Hazardous Air Pollutants ("NESHAP") for Reciprocating Internal Combustion Engines (RICE)), which govern emissions and maintenance. Permitting timelines can delay construction, if not planned early. Engage with regulators during design, not after the first concrete pour. Air permits in particular can be very long processes before approvals are granted.

Water Permitting: AI data centers are water-intensive operations. Cooling towers, chillers, and process systems can trigger multiple layers of CWA permitting from water withdrawal and stormwater management to discharges under NPDES (National Pollutant Discharge Elimination System) regulations. Common missteps include underestimating cooling water withdrawal limits, stormwater construction and operational permits, wastewater discharge requirements, and local water use restrictions. Delays in water permitting can stall commissioning and invite costly retrofits. Proactive engagement and clear documentation are key to keeping projects on schedule.

SPCC Compliance: Under the CWA, facilities storing 1,320 gallons or more of oil or diesel must maintain a Spill Prevention, Control, and Countermeasure ("SPCC") Plan. For data centers, this typically covers diesel tanks for backup generators, oil-filled operational equipment such as transformers and switchgear, and lubricants and hydraulic systems. SPCC compliance isn’t optional or after-the-fact. Plans must be developed by a qualified professional, reviewed regularly, and integrated into facility training and operations. A single overlooked valve or missing containment measure can lead to fines, shutdowns, or environmental damage.

Security: Physical security compliance is a critical component of data center resilience. Facilities should adhere to applicable Department of Homeland Security ("DHS") guidance, implement robust access control, video surveillance, and visitor management programs, and maintain secure perimeters with audited entry points aligned to NIST (National Institute of Standards and Technology) 800-53 PE (Physical-and-Environmental-Protection) controls. Emergency procedures, including evacuation and shelter-in-place drills, must be tested regularly to ensure staff readiness and rapid, coordinated response during incidents.

Health and Safety: Beyond environmental and security, companies must maintain compliance with OSHA (Occupational Safety and Health Administration) 29 CFR Part 1910 for general industry safety, conduct fire suppression system testing in accordance with NFPA (National Fire Protection Association) 75 and 76, implement programs for addressing heat exposure, noise control, and ergonomic risks, and provide annual EHS (Environment, Health & Safety) training along with thorough incident documentation.

Other Regulatory Considerations: Lastly, companies must monitor energy efficiency and, in many cases, manage hazardous materials and refrigerants in compliance with EPA (Environmental Protection Agency) Section 608. They should maintain thorough documentation for state-level environmental permits and sustainability reporting and address any potential waste generation in accordance with RCRA (Resource Conservation and Recovery Act) requirements.

Drills and Exercises: Routine exercises should extend well beyond fire alarms, cyber-attacks, and technology failures. Regular drills should also include disaster recovery scenarios, environmental and safety drills, and operational readiness testing. These exercises empower teams, refine procedures, and expose small but critical gaps—like mislabeled valves, misplaced spill kits, generic or flawed response plans/operating procedures, or communication breakdowns. These small details often determine the difference between a controlled incident and a major emergency.

In oil and gas, routine drills, documented plans, and strict permitting are ingrained by decades of regulation and culture. Data centers, by contrast, are a younger industry built on speed, efficiency, and innovation. As the physical footprint grows, however, the operational and environmental risks mirror those of traditional heavy industry.

Innovation Meets Responsibility

The challenge is clear—how do we retain the agility of a tech enterprise while adopting the rigor of an industrial operator? Every facility, whether a hyperscale AI hub or an edge deployment, must view itself not just as a digital node, but as a complex, high-energy industrial operation. The same diligence that keeps refineries safe must apply to generator yards, chiller plants, and electrical rooms. As this sector expands, we cannot afford to separate innovation from responsibility. Conduct real-world drills, integrate environmental permitting into design timelines, maintain active SPCC, air, and water compliance plans and programs, and share lessons learned across the industry.

Preparedness isn’t built during a crisis—it’s built before one. Data centers may not be refineries or marine terminals, but they are now part of the same essential infrastructure ecosystem. With that comes the same duty: to protect people, the environment, and the continuity of the systems that power modern life.

It is imperative that, as this sector continues to grow, owners and operators establish programs that reflect the rigor of long-standing industrial compliance systems. These programs should ensure robust recordkeeping, training, preparedness, and operational oversight—extending well beyond cybersecurity and IT concerns. By doing so, organizations can mitigate compliance risks, safeguard personnel, protect the environment, and prevent costly incidents before they occur.

Note: Photo above is New Albany Data enter in central Ohio.

About the Author

John K. Carroll III 

John K. Carroll III, Managing Director – Compliance Services, Witt O’Brien’s, part of Ambipar, is an environmental and emergency preparedness professional specializing in compliance and risk management for critical infrastructure, including data centers, energy, and industrial facilities.