Indian Data Centre Operator Risk Profile: 2026

Indian data centre capacity has grown from approximately 400 MW IT load in 2018 to approximately 1,150 MW IT load by mid-2025, with announced and under-construction capacity adding a further 2,800 to 3,500 MW IT load through the 2026 to 2030 horizon. The growth reflects the convergence of three forces: regulatory pressure for data localisation, hyperscale public cloud expansion into Indian regions, and enterprise on-premises modernisation.

The MeitY data-localisation framework has been the structural driver. The Digital Personal Data Protection Act, 2023 (DPDP Act) creates the framework for personal data protection with specific provisions affecting cross-border data transfer. The Reserve Bank of India data localisation circular for payment data, the SEBI cloud framework for capital market data, and the IRDAI Information Security Guidelines for insurance data all require categories of regulated data to be stored within India. The proposed Digital India Act is expected to extend the framework further. The cumulative effect is meaningful onshore data residency demand driving local data centre capacity expansion.

Hyperscale operators in India include Amazon Web Services (with the Mumbai region operational since 2016 and Hyderabad region operational from 2022), Microsoft Azure (with the Pune, Mumbai, and Chennai regions operational), and Google Cloud Platform (with the Mumbai region operational from 2017 and Delhi region from 2021). The hyperscale operators have announced cumulative India capacity expansion of 2,500 to 3,500 MW through 2030 with specific multi-billion-dollar investment commitments from each.

Colocation operators include the established Indian players (Yotta with major facilities at Panvel, Greater Noida, and Mumbai; CtrlS with facilities at Mumbai, Hyderabad, Bengaluru, Chennai, and others; STT GDC India formerly Tata Communications IDCs with multi-city footprint; NTT Global Data Centers with Mumbai, Bengaluru, and Chennai facilities; Sify Technologies with metro footprint; Nxtra by Airtel with multiple metros; ESDS and Web Werks with regional positioning), the global colocation players (Equinix with India operations following the GPX acquisition), and the new wave of large investors (Adani Connex the Adani-EdgeConnex joint venture with major facility builds; Reliance Industries through Jio data centres; Mukesh Ambani-backed AdaniConnex the joint venture).

The risk profile for these operators spans several layered exposures that the insurance programme must address: property damage to the physical facility and equipment, business interruption from power, cooling, or connectivity loss, cyber-physical exposure from attacks targeting both IT and operational technology, equipment breakdown from sophisticated cooling and power systems, professional and product liability for downstream customer impact, and the layered exposure from hyperscale customer SLA penalties. This post walks through the risk components, the insurance programme design, the regulatory drivers, and 2026 premium benchmarks per MW IT load.

Data centre property exposure has shifted materially through 2018 to 2026 with the transition from valve-regulated lead-acid (VRLA) batteries to lithium-ion (Li-ion) batteries for uninterruptible power supply (UPS) systems. The Li-ion transition delivers higher energy density, longer life, and smaller footprint, but introduces a different fire risk profile that insurers and operators are still calibrating to.

Li-ion UPS fire characteristics.

Li-ion battery thermal runaway produces high-temperature fires with self-sustaining oxygen release, resistant to conventional fire suppression. Once thermal runaway is initiated in a battery pack, the propagation across adjacent packs occurs over minutes to hours with limited intervention options. The fires produce toxic and corrosive smoke including hydrogen fluoride and other electrolyte decomposition products that contaminate the entire facility including server halls.

The propagation pattern in modern data centre Li-ion UPS installations involves rack-level battery containers with limited inter-rack thermal isolation, with consequent risk of propagation across the full UPS room if initial thermal runaway is not contained. The fire suppression design (typically gaseous suppression including FM-200 or Novec 1230) is calibrated for conventional electrical fires and may have limited effectiveness against Li-ion thermal runaway.

Documented international incidents include the 2018 Singapore data centre Li-ion UPS fire, the 2022 Norfolk Virginia data centre fire with significant property damage, and several smaller incidents through 2023 to 2025. The Indian market has not yet experienced a major Li-ion UPS fire at a hyperscale facility but the industry is preparing for the eventual event.

Risk mitigation practices that affect insurance treatment.

Battery management system sophistication. Active monitoring of individual cell temperatures with thermal runaway prediction algorithms. Discharge to safe state before propagation.

Compartmentalisation. Battery rooms separated from server halls with rated fire walls and dedicated suppression. Inter-cabinet barriers within battery rooms.

Suppression system design. Specific Li-ion-targeted suppression systems including water mist and specialised dry chemical systems supplementing conventional gaseous suppression.

Ventilation and gas evacuation. Dedicated ventilation for toxic gas evacuation during a thermal event, preserving server hall environment for shutdown procedures.

Battery chemistry selection. Lithium iron phosphate (LFP) chemistry has lower thermal runaway risk than lithium nickel manganese cobalt (NMC). Operator selection of chemistry affects insurance terms.

Fire incident insurance response for Li-ion UPS events involves both property damage cover and significant restoration cost. Property damage from a major UPS fire affects the immediate UPS room, the adjacent server halls through smoke contamination, the building envelope through structural damage, and the broader site infrastructure through power and cooling system damage. Restoration cost includes equipment replacement, environmental remediation of toxic gas residue, and the extensive cleaning and testing required before facility restart.

The business interruption component of a Li-ion UPS fire is typically the largest single insurance exposure, exceeding the property damage component by 2 to 5 times for major facilities. The interruption duration ranges from days for localised events with rapid containment to weeks or months for major events requiring extensive restoration. Customer SLA penalties and reputational damage compound the direct BI loss.

The other property exposures beyond Li-ion UPS include conventional electrical fires from server and switchgear failures, cooling system failures (particularly liquid cooling for high-density compute), water damage from cooling system leakage or external water ingress, structural exposure from cyclone, earthquake, and flood depending on facility location, and physical security exposure including theft and vandalism.

Business interruption is the dominant loss category for data centre operators, with power-failure-driven BI the largest component within BI. The Indian grid environment, with documented voltage variability and outage frequency in several major cities, makes the BI exposure particularly important.

Power supply architecture at major Indian data centres typically involves multiple grid feeds, on-site generation backup, UPS battery backup, and in some cases on-site combined heat and power generation. The Tier III and Tier IV data centre designs (under the Uptime Institute classifications) provide redundant power paths with concurrent maintainability. The Tier IV design provides fault tolerance with full redundancy. Most Indian hyperscale and major colocation facilities are Tier III or Tier IV.

Power failure events that have produced Indian data centre BI claims through 2020 to 2025 include grid disturbances during monsoon storms, on-site generator failures during grid outages, UPS battery failures during transition events, and switchgear failures during routine maintenance operations.

The business interruption cover for a data centre operator responds to revenue loss from facility unavailability, with the operative trigger typically the loss of either power, cooling, or connectivity beyond a defined threshold. The cover structure varies by wording.

Standard BI cover. Pays revenue loss for the period the facility is unable to provide contracted services. Calculated as gross profit during BI period plus continuing fixed costs.

SLA penalty extension. Covers contractually-required SLA penalty payments to customers triggered by facility unavailability. Premium loading 15 to 30 percent above base BI.

Customer recapture extension. Covers documented costs to retain customers after a major outage event including incentive payments, service credits, and migration costs.

Reputational harm extension. Covers revenue loss continuing after operational restoration due to customer attrition. Most useful for colocation operators with consumer-facing customer base.

The indemnity period for data centre BI cover typically runs 180 days to 360 days. The longer end is justified for facilities with specialised equipment requiring extended lead times for replacement. The waiting period (deductible in time) typically runs 8 to 24 hours for major operations, with hourly waiting period the standard for hyperscale and large colocation facilities.

SLA exposure pass-through is the wording feature with the most material impact on real claim outcomes. Hyperscale operators typically contract with end customers under SLAs providing service credits for facility unavailability, with credits ranging from 10 to 100 percent of monthly service fees for various unavailability thresholds. Colocation operators provide similar SLAs to enterprise customers and to hyperscale tenant operators.

The SLA credit pass-through to the data centre operator can substantially exceed the direct BI calculation. A 4-hour outage at a major colocation facility serving 50 enterprise customers can produce INR 8 crore to INR 25 crore in SLA credit obligations against direct BI calculation of substantially less. The cover structure for SLA pass-through is increasingly explicit in newer wordings but remains negotiable.

Contingent business interruption from upstream provider failures is a meaningful exposure for data centres dependent on specific power utilities, fibre providers, or cooling utilities. The CBI cover structure (named provider, categorical, wide) determines whether upstream events are covered. For Indian data centres, the dependence on specific state DISCOM power supply, specific submarine cable and fibre backbone providers, and water utilities for cooling all create CBI exposure that the cover must address.

The 2024 to 2025 claim experience on Indian data centre BI cover has been driven by several specific events including grid disturbances affecting Bengaluru and Hyderabad facilities, monsoon-related power events in Mumbai and Chennai, and switchgear failures during routine maintenance at multiple facilities. The cumulative claim activity has informed the 2026 underwriting reset with sharper SLA pass-through wording and clearer CBI structure.

Data centres face a distinctive cyber-physical exposure where attacks targeting the operational technology (OT) infrastructure can produce both data security impact and physical facility impact. The integration of IT and OT systems in modern data centre operations creates attack pathways that conventional cyber and property insurance covers handle imperfectly.

OT systems in a modern data centre include building management systems (BMS), power management systems, cooling management systems, security systems including physical access control, fire detection and suppression systems, and the integration platforms connecting these to the IT operations layer. The OT systems are increasingly network-connected and increasingly accessible from the IT network, with consequent attack surface that purely-OT-air-gapped legacy environments did not present.

Documented attack patterns against data centre OT include ransomware encrypting BMS systems with consequent loss of automated cooling and power management, attacks on physical access control systems enabling unauthorised facility access, attacks on fire suppression systems with consequent risk of false alarm or system disable, and attacks on power management systems with consequent risk of power interruption or equipment damage.

The insurance cover structure for cyber-physical exposure spans cyber insurance and property and BI cover with the boundary between them an active area of wording evolution.

Cyber insurance typically responds to network intrusion, data exfiltration, and operational disruption from cyber attacks. The cover extends to BI from cyber events. However, traditional cyber wordings sometimes exclude property damage from the cyber cover, with consequent gap where a cyber attack produces physical equipment damage.

Property and BI insurance typically covers physical equipment damage and operational interruption regardless of cause. However, traditional property wordings often exclude cyber peril as a category, with consequent gap where the proximate cause of damage is a cyber attack.

The combined cover or gap-bridging structures are emerging in the 2026 Indian market. Several insurers offer dedicated cyber-physical insurance products that bridge the traditional gap, providing cover for property damage and BI arising from cyber attack with consistent wording across the two perils. The cover is meaningful for data centre operators specifically because of their integrated exposure.

The IT operations cyber exposure runs in parallel to the OT exposure. Data centre operators are themselves substantial cyber risk targets: customer data resides in the facility, operational systems must be protected, and any breach has cascading customer impact. The cyber cover for data centre operators typically includes substantial limits for breach response, regulatory notification under DPDP Act and customer contractual obligations, customer notification and recourse, and the direct BI from operational cyber events.

The regulatory exposure under the IRDAI Information Security Guidelines (for data centres serving insurance customers), the RBI cyber framework (for data centres serving banks and financial services), the SEBI cyber and cybersecurity framework, and the CERT-In directives including the 2022 directive requiring 6-hour incident reporting and log retention obligations together create operational and disclosure obligations that the cyber programme must support.

The DPDP Act 2023 implementation through 2025 to 2026 has added specific requirements for personal data breach notification to the Data Protection Board with 72-hour timeline (under draft rules). The notification cost and the consequent enforcement exposure are insurance considerations that the cyber programme must address.

For hyperscale operators serving Indian regulated customers, the layered cyber regulatory environment is particularly complex. The customer's regulatory obligations (RBI for banking, IRDAI for insurance, SEBI for capital markets) flow through to the data centre operator's contractual obligations, with consequent insurance implications that the policy must address.

Data centre equipment damage exposure spans the server and storage equipment itself, the network and connectivity infrastructure, the power distribution and conditioning equipment, the cooling system equipment, and the building automation and security systems. The equipment is high-value, specialised, and in many cases on long lead times for replacement.

Server and storage equipment. The compute and storage equipment is typically customer-owned or in some cases operator-owned. Insurance responsibility varies by operating model. In colocation, customers own the IT equipment with the operator's cover responding to building, power, and cooling. In hyperscale operator-owned facilities, the operator owns the IT equipment with the insurance cover extending to the equipment itself. The valuation and replacement cost question for IT equipment is complex given rapid obsolescence and the customer-data residing on the equipment.

Network and connectivity equipment. Core routers, switches, and connectivity infrastructure are similarly high-value with extended lead times for specialised equipment. The cross-connect infrastructure between cabinets and to external fibre providers carries specific exposure including physical damage from cooling system leaks, fire, or seismic events.

Power distribution and conditioning. The UPS systems discussed earlier, the medium-voltage and low-voltage switchgear, the transformers, the generator systems, and the distribution panels. The equipment is custom-specified for the specific facility power architecture and replacement typically requires substantial lead time for specialised manufacturing.

Cooling system equipment. Conventional data centre cooling uses computer room air conditioning (CRAC) and computer room air handling (CRAH) units with chilled water distribution. High-density compute facilities (particularly those supporting AI training and inference workloads) increasingly use liquid cooling at the cabinet or chip level. The transition to liquid cooling introduces new equipment damage exposure pathways including coolant leaks affecting electronics, pump and manifold failures with potential damage to multiple servers simultaneously, and coolant chemistry-related corrosion issues over time.

Building automation and security. The BMS, the physical access control, the surveillance, and the fire detection equipment. The equipment value is moderate per item but the operational importance for facility continuity is substantial.

Machinery breakdown cover is the specialised insurance product responding to equipment failure from internal causes including electrical short, mechanical failure, vibration, and similar internal events. The cover is critical for data centres given the rotating equipment (chillers, pumps, generators) and the high-value electrical equipment (UPS, switchgear). The standard machinery breakdown wording is typically extended for data centre specifics including loss of stored data implications and customer impact passing through.

Equipment lead times that affect both BI calculation and procurement planning include:

Servers and storage. 6 to 16 weeks for standard configurations, 16 to 28 weeks for specialised high-end systems including AI training clusters.

Network equipment. 12 to 32 weeks for specialised core equipment, shorter for commodity switching.

UPS and switchgear. 16 to 40 weeks for custom-engineered installations, shorter for modular off-the-shelf.

Cooling equipment. 20 to 36 weeks for custom CRAC/CRAH, longer for major chiller installations.

The liquid cooling equipment lead times are particularly extended given the smaller installed base globally and the specialised manufacturing requirements. Operators deploying liquid cooling for AI workloads face equipment damage scenarios with extended restoration timelines that the BI cover indemnity period must accommodate.

The 2026 placement practice for major data centres typically combines property cover for fire, explosion, and natural perils with separate machinery breakdown cover for equipment failure, with consistent BI extension across both perils ensuring no cover gap between cause categories.

Data centre operators face a layered liability exposure spanning direct customer claims for service failures, professional liability for service quality and security failures, product liability for hardware and infrastructure failures, and general liability for the standard facility-operator exposures.

Customer SLA and contractual exposure. Discussed in the BI section above. The contractual penalty pass-through is the largest single liability exposure for most data centre operators.

Professional liability. Claims arising from the operator's failure to provide professional services to the required standard. For hyperscale operators, the cover scope is substantial given the breadth of services and the sophistication of customer expectations. For colocation operators, the cover scope is narrower but still meaningful around physical facility services and managed services.

Product liability. Claims arising from hardware or infrastructure components causing damage to customer equipment or operations. The exposure is limited where customer equipment is customer-owned but expands where operator-provided equipment is involved.

General liability. Standard facility-operator exposure including third-party bodily injury, third-party property damage, and the broader general liability scope.

Cyber liability (overlapping with the cyber-physical discussion above). Liability for data breach affecting customer data, regulatory enforcement, and downstream customer impact.

Errors and omissions in the operational context. Claims arising from operator failures in service delivery including manual errors, procedural failures, and supervision issues.

The customer contractual liability cap is the structural mitigant for most data centre operators. Standard customer contracts typically cap operator liability at 6 to 12 months of fees for the affected service with carve-outs for specific categories (gross negligence, wilful misconduct, certain regulatory violations). The contractual cap operates to limit the operator's exposure to a multiple of fees rather than to consequential damages.

However, the contractual cap does not apply to all categories of claim. Claims arising from gross negligence, wilful misconduct, regulatory non-compliance, or certain other categories typically fall outside the cap. The cover should respond to both within-cap and outside-cap claims with appropriate limit calibration.

The hyperscale customer-specific exposure. Data centres hosting hyperscale tenant operators (where the colocation operator hosts an AWS, Azure, or Google sub-tenant) face cascading exposure: a facility outage affects the hyperscale tenant's service to end customers, with the hyperscale tenant's customer SLA penalties potentially passing through to the colocation operator. The contractual chain and the insurance allocation across the chain requires careful negotiation at the customer contract stage and consistent treatment in the insurance programme.

The liability cover structure typically combines general liability cover with professional indemnity cover, cyber liability cover, and product liability cover where applicable. The total liability programme value for a major Indian data centre operation typically runs INR 500 crore to INR 2,500 crore depending on customer mix, contractual exposure, and the specific liability categories covered.

The 2026 insurance programme design for Indian data centre operators reflects the layered risk profile with multiple covers integrated to provide consistent treatment across the cause categories.

Property and BI programme.

Property cover for the facility building, power and cooling equipment, and where applicable IT equipment. Combined with BI cover for revenue loss from facility unavailability and SLA pass-through. Limits typically INR 1,500 crore to INR 8,000 crore for major facilities reflecting both physical property value and BI exposure.

Machinery breakdown cover for equipment failure from internal causes, integrated with the property programme.

The property programme typically uses bespoke wording reflecting the data centre specifics rather than the standard fire policy wording. Negotiation points include the BI trigger (loss of power, cooling, or connectivity beyond defined thresholds), the indemnity period (180 to 360 days), the waiting period (8 to 24 hours for major operations), the SLA pass-through extension, the customer recapture extension, and the cyber peril carve-back where the wording would otherwise exclude.

Cyber and cyber-physical programme.

Cyber insurance with substantial limits for breach response, BI, regulatory notification, and customer impact. Limits typically INR 200 crore to INR 1,500 crore depending on customer mix and data sensitivity.

Cyber-physical extension or dedicated cyber-physical placement bridging the traditional cover gap between cyber and property.

Liability programme.

General liability with limits INR 200 crore to INR 800 crore. Professional indemnity with limits aligned to service exposure. Product liability where applicable. The total liability programme typically INR 500 crore to INR 2,500 crore as noted.

Engineering and construction insurance for new build and expansion projects. EAR cover for construction phase, hot-and-dry testing extension for commissioning phase, DSU cover for delay in start up. Major hyperscale build projects with INR 5,000 crore to INR 25,000 crore project value carry corresponding EAR programmes.

Premium benchmarks per MW IT load.

The 2026 market practice has converged on per-MW pricing benchmarks for the major covers, allowing operators to benchmark across facilities.

Property and BI combined. INR 12 lakh to INR 35 lakh per MW IT load annually for Tier III and Tier IV facilities with mature design, Li-ion UPS with appropriate mitigations, and clean claim history. Variation reflects facility tier, location-specific perils (cyclone exposure for coastal facilities, seismic for specific zones), and customer mix.

Cyber. INR 4 lakh to INR 15 lakh per MW IT load for cyber programme limits aligned to customer mix and regulatory environment. Higher for facilities hosting financial services and insurance customers given the regulatory exposure pass-through.

Liability programme. INR 3 lakh to INR 10 lakh per MW IT load for the combined liability cover, varying by customer SLA structure and hyperscale tenant exposure.

Machinery breakdown. INR 1.5 lakh to INR 5 lakh per MW IT load typically integrated with the property programme rather than separately quoted.

The per-MW benchmarks provide a useful starting point but actual premium varies by the specific risk profile and the negotiation outcome on wording features. The placement cycle for a major data centre programme typically runs 6 to 14 weeks with broker engagement, market submission, underwriting review including risk engineering survey, and final terms negotiation.

Reinsurance capacity for Indian data centre programmes is currently adequate with international markets (Munich Re, Swiss Re, Hannover Re, AIG, Allianz Commercial, Lloyd's syndicates) actively supporting the segment. The capacity availability has expanded through 2024 to 2026 as the segment has matured. GIFT City IIO structures provide additional capacity at upper layers for the largest placements.