Health and safety, CDM governance and construction-phase risk are now central to deliverability, resilience and licence to operate, writes Shane Moore.
The EMEA data centre market is growing faster than the surrounding infrastructure. For the teams actually building these facilities, that pressure is creating a delivery-risk story that has very little to do with megawatts — and everything to do with governance.
Consider a scenario that H&S advisers on major data centre programmes will recognise. Six weeks before a facility is due to go live, the commissioning process stalls. Not because of a transformer failure or a planning objection — but because a fire compartmentation sign-off cannot be completed.
The relevant documentation, produced across three subcontractor chains in multiple languages, has not been properly collated, reviewed, or approved. The developer faces a six-week programme delay.
In a market where pre-leasing commitments are now common in major European hubs and vacancy rates in several Tier 1 markets remain historically low, a six-week slip does not simply hurt margin. It can constitute a breach of a lease agreement, a reputational event, and a margin crisis simultaneously.
Failure is not hypothetical
The scenario I’ve given here is a composite of real events, but it’s important to stress that the failure mode it describes is not hypothetical. It is a recognised pattern on large, complex construction programmes delivered under schedule pressure.
JLL’s EMEA Data Centre Report describes development pipelines across the region continuing to expand while the gap between demand and available powered land widens in established markets. Vacancy across several major European corridors has remained tight relative to historical norms.
Pre-leasing has become an increasingly common commercial structure, particularly for hyperscale and AI-capable capacity. And in some of the most constrained markets, developers are managing grid connection processes that extend well beyond the construction programme itself — a constraint with direct consequences for build sequencing and programme risk that reach far beyond energy procurement.
In this environment, every element of a build programme that underperforms creates a cascade of risk. Health and safety and CDM governance — long treated as a compliance overhead — have become among the most operationally significant disciplines on major data centre programmes.
What follows is a practical account of where that risk is concentrated, and what getting it right actually requires.
1. CDM governance and dutyholder management
In the UK, the Construction (Design and Management) Regulations 2015 provide the legal framework for managing risk on construction projects. Across Europe, comparable regulatory frameworks exist with varying structures, and while the specific dutyholder terminology differs between jurisdictions, the underlying principle is consistent: accountability for construction-phase risk must be allocated clearly before work begins, not negotiated after something goes wrong.
Under CDM 2015, the Client bears primary responsibility for ensuring that suitable management arrangements are in place, that dutyholder appointments — Principal Designer, Principal Contractor — are made early, and that those appointees have the time, resources, and information they need.
On a hyperscale data centre build, that allocation is genuinely complex. Projects can involve dozens of specialist subcontractors, multiple Principal Contractors across different phases, international design teams, and procurement structures that did not exist when the regulatory frameworks were written.
The most common failure is not ignorance of the rules; it is ambiguity about who holds which duty at which point in the programme. That ambiguity tends to surface at the worst possible moment: an HSE inspection, a near-miss investigation, or a handover audit that cannot produce a clean compliance trail from design intent to delivered facility.
The value of a specialist CDM adviser is most visible precisely here — not in producing documentation after the fact, but in maintaining a live, structured picture of dutyholder accountability through every phase of a programme, and ensuring that accountability is demonstrable when it matters.
In the UK context, that means keeping the CDM compliance trail clean across the Principal Designer and Principal Contractor appointments from inception to handover. For pan-European programmes operating across multiple regulatory environments, it means building an equivalent discipline into the project governance structure from the outset, even where the precise legal framework differs.
That is a distinct function from day-to-day site H&S management, and on complex programmes it requires dedicated resources to sustain it.
2. Construction-phase health and safety management
If CDM governance is the architecture of risk management, construction-phase H&S is its daily practice. On a large data centre build, that practice operates under conditions that amplify normal construction risk: sites are large and long-duration; they involve high-voltage electrical infrastructure, heavy lifts, large-scale mechanical plant, and the simultaneous or closely sequenced work of dozens of specialist vendors.
Many programmes run extended shifts to meet aggressive go-live dates. Workforce numbers can peak in the hundreds, with significant turnover between phases.
According to HSE statistics, work-related ill health and injury led to an estimated 40.1 million working days lost across Great Britain in 2023/24, with the annual cost of workplace injury and new cases of work-related ill health estimated at £22.9 billion.
Those figures represent the aggregate of individual projects in which active site management was insufficiently robust. The data centre sector is building more, faster, and at greater technical complexity than at any previous point. That does not reduce the exposure; it compounds it.
RAMS, inductions, permits to work, traffic management, lifting plans, temporary works coordination, welfare provision, and structured subcontractor monitoring are not administrative burdens on these projects. They are the primary mechanism through which schedule certainty is maintained.
A recordable incident triggers an investigation that pauses work. A serious injury can trigger an HSE intervention that halts a site entirely — at a point in the programme when the pressure to deliver is already at its highest.
Active H&S management is not a back-office function on a data centre build. It is one of the most direct levers available to a project director trying to protect their programme.
3. Workforce competence, compliance and documentation
Data centre projects draw on a specialised and increasingly stretched labour pool. Electrical engineers with high-voltage experience, MEP specialists familiar with large-scale cooling systems, and commissioning teams who understand the interface between temporary and permanent power are all in demand across multiple major programmes simultaneously.
Labour scarcity not only creates cost pressure, but it also creates competence risk when the deployment of workers whose skills, qualifications, or direct experience do not fully match the tasks they are being asked to perform, often without the project leadership being aware of it.
The documentation of competence is where many projects create their own vulnerability. Training records that are incomplete, inductions conducted at pace without genuine verification of understanding, language and accessibility barriers that are not identified or addressed, accreditation records held by the subcontractor but never reviewed at programme level — these are routine findings on complex builds.
When something goes wrong and regulators investigate, the central question is not only what happened but whether the project can demonstrate that the relevant workers were competent, properly inducted, and operating within a controlled system. The inability to answer that question clearly is a regulatory and legal exposure in its own right.
Competence assurance on a data centre programme is not a subcontractor obligation that can be delegated and filed. It requires central oversight, regular review, and documentation that is maintained — and accessible — throughout the project lifecycle.
Practically, this means checking accreditation records rather than accepting them at face value; running inductions that verify understanding rather than record attendance; and maintaining a programme-level view of who is on site, doing what, under what level of supervision. The resulting paper trail is not administrative overhead; it is the evidence that protects the project when something goes wrong.
4. Fire safety and the separation of critical rooms
Fire safety in a data centre is a design and construction issue before it becomes an operational one. The decisions made at the early design stage have direct consequences for both the safety of people on site and the resilience of the facility once it is live.
Where are critical monitoring and security rooms located relative to the main hall? How is fire compartmentation achieved across a building that may span tens of thousands of square metres? How are emergency access routes maintained during and after construction?
Many high-specification data centre fire strategies are designed with critical operational rooms achieving up to two hours of fire resistance separation from the main facility — a level referenced in guidance from bodies including FM Global and NFPA, and commonly required by insurers and clients operating to demanding availability standards.
The precise requirement will depend on the facility classification, design philosophy, applicable local regulations, and the specific terms of the client and insurer. What is consistent is the principle: where a fire strategy requires meaningful separation of critical areas, achieving that separation is a construction-phase obligation, not a condition to be assessed at handover.
The role of H&S oversight here extends beyond protecting people during construction. It includes protecting the client’s ability to demonstrate that the fire strategy documented at design was actually delivered. Facilities that cannot produce a clear evidence trail from design intent to constructed reality face significant challenges at handover.
Those challenges are most damaging when occupiers have contractual obligations around uptime and resilience from day one of operation.
5. Electrical safety and high-density power systems
The power requirements of AI-capable data centres are transforming the electrical infrastructure of major construction programmes. High-density rack deployments, more complex UPS architectures, larger battery installations, and the interface between utility supply and on-site generation all create elevated risk during installation, testing, and commissioning, the phases when energisation sequences are most complex and when the boundary between temporary and permanent systems is hardest to manage cleanly.
The scale of electrical infrastructure on a modern hyperscale build places these projects at the demanding end of construction electrical risk. Permit-to-work systems, lockout/tagout discipline, isolation procedures, and the clear delineation of energised and de-energised zones are essential control measures on these projects.
The specific challenge on data centre builds is that commissioning activity frequently runs in parallel with fit-out work in adjacent areas, under intense schedule pressure, and with a mix of specialist contractors who may not share equivalent familiarity with the site’s electrical control systems. Safe installation and testing protocols need to be agreed, communicated, and enforced before commissioning begins, not developed on the fly as energisation progresses.
Operational transition risk deserves particular attention here. The handover from construction to live operations — with integrated systems testing, live-environment permitting, and the overlap between contractor and operations teams — is consistently identified as one of the highest-risk phases in the project lifecycle.
It is also the phase most likely to be compressed when the programme is running late. Getting the electrical safety framework right before that phase begins is significantly cheaper than managing the consequences of getting it wrong during it.
6. Liquid cooling and MEP risk
Direct-to-chip and immersion liquid cooling systems are a growing and increasingly important part of the data centre construction landscape, particularly for AI-capable facilities with higher power densities.
The transition is not yet universal — a significant proportion of new builds continue to use air-cooling or hybrid approaches — but the direction of travel is clear, and the construction and commissioning risk profile of liquid-cooled facilities differs materially from what most site teams have previously managed.
Closed-loop systems at rack level change construction sequencing, commissioning methodology, the interface between building services and IT infrastructure, and the maintenance assumptions that facility teams will carry for the life of the building.
The H&S implications are specific: leakage control during installation and testing, pressure testing of pipework systems in partially occupied or live-adjacent facilities, the management of dielectric and other specialised fluids in environments that also contain high-voltage electrical infrastructure, and the careful sequencing of commissioning activities to avoid cross-contamination between systems.
These are manageable challenges, but they require pre-construction planning, clear method statements, and site supervision by people who understand the technology, not just the general construction process.
Projects that treat liquid cooling as a variant of the MEP packages they have managed on previous air-cooled facilities are likely to discover the differences at commissioning, when the cost of corrections is highest, and the opportunity to plan around the risks has passed.
The construction-phase H&S framework needs to reflect the specific risk profile of these systems from the earliest stages of site mobilisation.
7. Physical perimeter and hostile threat resilience
The physical security of data centre facilities is increasingly embedded in design standards rather than addressed as a post-construction requirement. For facilities that handle critical national infrastructure or operate under the most demanding client specifications, design options may include hardened structural elements, enhanced perimeter access control, vehicle barrier systems, and surveillance integration.
The extent of such measures varies significantly depending on the facility’s risk profile, client requirements, and applicable national security guidance. They are not uniform expectations across the sector.
The construction phase creates a specific challenge regardless of the security specification: sites that will eventually operate as controlled-access environments are temporarily open to the full range of hazards associated with large construction programmes, including vehicle movements, contractor access, material deliveries, and a workforce that changes week to week.
Maintaining meaningful access controls during construction, while also managing the operational requirements of a complex build site, requires risk assessment and emergency response planning that is built into the construction programme from the outset.
For the H&S and CDM team, the relevant discipline is design-for-security: ensuring that the security measures embedded in the architectural design are understood by the construction management team, that their installation sequencing is coordinated with the wider programme, and that evidence of their delivery is captured in the project’s construction-phase record.
8. Grid and utility coordination
Power availability is the defining constraint on European data centre development in the current cycle. In some of the most constrained markets — parts of the UK, Ireland, Germany, and the Netherlands among them — developers are working with grid connection timelines that extend several years beyond the construction programme itself.
That constraint reshapes how builds are sequenced, how temporary and permanent power systems interact, and how commissioning activities are planned in relation to connection milestones that the construction team cannot control.
For construction-phase H&S, the practical consequence is a heightened risk of compressed timelines and improvised sequencing decisions as connection dates slip or accelerate. Temporary power on large sites is a significant safety risk in its own right: generator installations, temporary distribution networks, and the progressive energisation of permanent systems all require careful planning, clear ownership, and regular review as the programme evolves.
When that planning is treated as a logistics question rather than a safety-critical activity, the gap between intended and actual site conditions tends to widen, and the risks within that gap remain invisible until they are not.
The most effective approach is to bring grid and utility coordination within the scope of the construction-phase H&S plan rather than managing it as a separate workstream. The safety-critical dependencies across utilities, contractors, and commissioning teams are too closely interconnected to be managed in silos, and the consequences of a sequencing failure at the power interface are too significant to be treated as someone else’s problem.
9. Community impact and licence to operate
Data centre developments are generating community scrutiny across European markets at a level not previously seen in this sector. The primary concerns — power consumption, water use, impact on local grid infrastructure — are mostly operational and planning-stage issues.
But the construction phase contributes its own friction: noise, dust, HGV movements, extended working hours, and the physical scale of sites that can dominate local areas for two or three years.
Poor construction site practice not only generates complaints, it creates conditions for planning interventions, enforcement actions, and local opposition that can complicate future phases of a development programme or affect a developer’s ability to secure consent at adjacent sites.
There is a direct connection between good site H&S practice and community relations that is rarely made explicit. The controls that protect workers from noise, dust, and vehicle hazards are the same controls that reduce impact on neighbouring businesses and residents.
Traffic management plans designed to protect on-site pedestrians and cyclists also govern the HGV routing that residents object to. Welfare facilities that support workforce wellbeing also signal to the local community that the developer takes its responsibilities seriously.
Managing that connection consciously — and demonstrating it — is increasingly part of the licence to operate that developers need to maintain across their portfolios, particularly as data centre development moves into secondary and emerging markets where community relationships are less established.
10. Workforce wellbeing, fatigue and the cost of pressure
According to HSE statistics published in 2025, work-related stress, depression, and anxiety accounted for approximately 52 per cent of all work-related ill health in Great Britain. The figures reflect the aggregate of all sectors, but the conditions that drive them — long hours, high-pressure delivery environments, complex multi-contractor hierarchies, and schedule compression — are directly present in major data centre construction programmes.
The practical controls available at programme level are specific: fatigue-aware shift planning, adequate supervision ratios, clear escalation routes for workers raising concerns, and the disciplined protection of time for toolbox talks and briefings even when the programme is under pressure.
The response most commonly deployed — workforce surveys, EAP programmes, wellness app subscriptions — is not commensurate with the structural drivers of the problem.
Fatigue on an extended data centre programme is not a personal resilience issue; it is a programme management issue. When supervision ratios are too thin, when workers lack a visible route to raise concerns without fear of consequence, when the pressure of a commissioning deadline overrides the time required for a proper handover briefing, the conditions for incidents are created at the organisational level.
The H&S adviser embedded in the programme — rather than parachuted in after an event — is the practical mechanism for identifying those conditions before they produce a consequence.
The HSE’s estimated 40.1 million working days lost across Great Britain in 2023/24, with a cost approaching £22.9 billion, are not abstract headline figures. They represent the cumulative consequences of programmes in which the pressure was allowed to exceed the capacity of the people managing and executing them.
For developers and contractors delivering critical national infrastructure under public and regulatory scrutiny, the human and commercial costs of that model increasingly reinforce one another.
What’s next?
The European data centre sector is expanding at pace during a period in which the regulatory, insurance, and stakeholder environment governing construction is tightening. In the UK, the Health and Safety at Work etc. Act 1974 mandates that employers protect their workforce so far as is reasonably practicable — a standard whose application to the scale and complexity of modern hyperscale construction is being tested in ways the original legislation did not anticipate.
Across European jurisdictions, comparable duties exist within different legal frameworks, but the direction of travel is consistent. Insurers are asking harder questions about construction governance before they write cover. Occupiers under tight SLAs are scrutinising the project record at handover with a level of care that was less common in previous market cycles.
The 10 issues described here cover different territory. CDM governance is about legal accountability.
Construction-phase H&S is about live-site control. Competence assurance is about the documentation that proves people were qualified to do what they did.
Fire, electrical, and liquid-cooling risks are the specific technical hazards that distinguish data centre construction from other complex build programmes.
Security, grid coordination, community impact, and workforce wellbeing concern the systemic pressures that accumulate when a programme is under stress.
An embedded H&S and CDM capability addresses all of these: not as a compliance function that runs alongside delivery, but as a discipline woven into the programme at every stage, giving developers, contractors, insurers, and occupiers confidence in what has been built and how.
The projects being scoped and designed now will be built in 2026 and 2027 in a market with less tolerance for delivery failures than in any previous cycle. Developers and contractors who have that governance infrastructure in place — and who can demonstrate it — will be in a materially different position from those who are constructing it under pressure after something has already gone wrong.
H&S governance is not one of the 10 risks described here. It is the discipline through which all of them are managed.
- Shane Moore is CEO of QSC Safety Consultants, a Derby-based firm that has spent more than 30 years helping blue-chip industrial and manufacturing clients manage workplace and building safety across high-risk plants and complex estates.
