A clear and up-to-date definition of which infrastructure areas qualify as a data centre is of equal importance to companies and public authorities. This is because it often has an impact on management decisions (e.g. in the context of IT investments) and the interpretation of normative specifications. Practical criteria are required that enable relevant infrastructure areas to be identified and classified as data centres in a comprehensible and reliable way.

In view of the changing IT landscape, the definitions of data centres and server rooms from the early years of the IT-Grundschutz are no longer up to date and are increasingly losing their practical applicability. In addition, the DIN EN 50600 standard has come progressively into force since 2014 as the "data centre standard" and has established a new framework with which the old definition from the IT-Grundschutz is no longer consistent. A fundamental characteristic of the new data centre standard is (in DIN EN 50600-1 under No. 3.1.9) that it contains a very broad definition of the term data centre and is deliberately based on functionality rather than design or size. The standard thus removes the need to make a distinction between a data centre and server room.
The Federal Government's IT consolidation project provided another reason to revise the definition of a data centre. As part of this project, the BSI was commissioned by the Budget Committee of the German Bundestag with the analysis of existing data centres in the Federal Administration. The BSI was also commissioned with the development of a minimum standard pursuant to Section 8 (1) of the BSIG to regulate the application of the HA-Benchmark Compact 3.0 for the federal agencies. The minimum standard was published by the BSI on 26 May 2017.

Both of these commissions made it necessary to revise and redraft the definitions from the mid-1990s of data centre and server room. As part of this process, the previous approach of making a distinction between the definition of a data centre and server room depending on safeguards applied, organisational forms or operating size has been dropped. The new definition is solely based on the significance of the IT structure for the fulfilment of tasks of the organisation using the IT structure and thus corresponds to the methodology according to DIN EN 50600.

Data centre definition

1. If an organisation using IT has only one central area of IT operations, this, together with the required support areas, must generally always be treated as a data centre according to the protection needs.
   The term "area of IT operations" refers to rooms in which hardware is installed and operated to provide services and data. In addition to the area of IT operations, the data centre comprises all other technical support areas (power supply, supply of cold air, extinguishing technology, security technology, etc) that facilitate the correct operation and security of the area of IT operations.
2. If the organisation's IT operations are distributed over several areas within a building or the premises and these areas are connected among each other and to the IT users by internal LAN connections, the functionally most significant of these areas (at minimum) must be treated as a data centre. In addition, areas whose correct operation is crucial for 50% or more of the users or from which 50% or more of the services and data (proportionate to all areas) are provided must be treated as a data centre.
3. If the organisation using the IT is located at several physically separate sites and these are connected to each other by connections other than internal LAN connections, each of the sites must be considered and treated separately according to (1).
4. An area of IT operations in which IT required for critical business processes (processes whose disruption or failure would significantly impair the fulfilment of an organisation's primary tasks) is located must always be treated as a data centre, independent of the size or the proportion specified in number (2).
5. Areas of IT operations from which services for third parties are performed must always be treated as a data centre. Here, it is irrelevant whether these services are subject to fees.
6. If there is a substantial interest to treat an IT operations area together with its support areas as a server room contrary to the above regulations, reasons must be provided together with the resulting reduction of IT security safeguards on the basis of a risk analysis.

The minimum standard mentioned above already uses this new definition in a simplified form. As such, federal authorities can already use the new approach in the implementation of the minimum standard.