Assessment of occupational risks in data centers: regulatory issues and legal responsibilities

Introduction

The rapid expansion of the digital economy has propelled data centers to the heart of national critical infrastructure. These facilities, which host and process considerable volumes of data, present specific technical features and occupational risks that require a particularly rigorous risk assessment approach. According to the Interop survey, 52% of data center management workers have experienced at least one human accident, and 14% report four or more accidents, revealing the scale of the safety challenges in this sector.

Faced with constantly evolving regulations and the emergence of new technologies, business leaders, human resources managers, and prevention officers must master the specifics of risk assessment in these complex technical environments. This article examines the regulatory foundations, specific risks, applicable classifications, and legal responsibilities inherent in data center operations.

I. Regulatory and normative framework for data centers

1.1. General obligations of the Labor Code

Article L. 4121-1 of the French Labor Code imposes a general safety obligation on the employer: "The employer shall take the necessary measures to ensure the safety and protect the physical and mental health of workers." This obligation is specifically expressed in the context of data centers through several provisions:

Risk assessment : Article R. 4121-1 requires the transcription of the results of the risk assessment in a single document, particularly critical in data centers given the diversity and complexity of the risks present.

Training and information : Article L. 4141-1 requires the employer to organize practical and appropriate training in security matters, including the risks specific to the technical environments of data centers.

Personal protective equipment : Article R. 4321-1 et seq. governs the provision of PPE adapted to the electrical, chemical and physical risks present in these installations.

1.2. Specific features of the Construction and Housing Code

The Construction and Housing Code (CCH) applies differently depending on whether the data center is built specifically or integrated into an existing building:

Specific constructions : Article R. 111-2 of the CCH requires compliance with fire safety regulations, which are particularly critical in data centers given the significant heat loads and specialized extinguishing systems.

Integration into existing buildings : Articles R. 143-2 et seq. govern changes in use, often necessary when installing a data center in a building not initially designed for this purpose.

Accessibility and evacuation : The provisions relating to accessibility (articles R. 111-19 et seq.) must be adapted to the specific security constraints of data centers.

1.3. Standard EN 50600 and technical references

EN 50600 is a European standard for data centers that uses a holistic approach to provide comprehensive specifications for the planning, construction, and operation of data centers. It defines four main parts:

EN 50600-1 : General concepts and requirements for data centers

EN 50600-2 : Building infrastructure (mechanical and electrical)

EN 50600-3 : Planning and installation of telecommunications infrastructure

EN 50600-4 : Environmental monitoring and infrastructure control

This standard is in line with the obligations of the Labor Code by specifying the technical requirements necessary to comply with the employer's general safety obligation.

II. Classification of data centers and differentiated obligations

2.1. Classification by size and regulatory impact

Regulatory obligations vary significantly depending on the size and capacity of the installations:

Micro data centers (< 40 kW) : Generally not subject to ICPE regimes, these installations are subject only to the common law of the Labor Code. The risk assessment must nevertheless cover specific electrical, thermal, and fire risks.

Corporate data centers (40 kW - 1 MW) : These installations may be subject to the ICPE declaration regime according to section 2910 (combustion) if their thermal power exceeds 2 MW. The risk assessment must integrate the specific obligations of this classification.

Hyperscale data centers (> 1 MW) : Depending on the size and nature of the elements installed for a Data Center project, it is important to check whether this new installation falls into the category of installations classified under the ICPE. These installations are generally subject to ICPE authorization and may fall under the Seveso III directive.

2.2. ICPE regime and risk assessment

Section 2910 : Combustion (emergency generator sets)

• Declaration: thermal power between 2 and 20 MW

• Authorization: thermal power > 20 MW

  
  

Section 1432 : Storage of accumulators (backup batteries)

• Declaration: lead equivalent mass between 50 kg and 250 tonnes

• Authorization: lead equivalent mass > 250 tonnes

  
  

Impact on risk assessment : The ICPE regime requires specific hazard studies and internal operating plans (POI) which must be integrated into the overall assessment of professional risks.

2.3. Seveso III Directive and dangerous substances

Data centers may be affected by the Seveso III directive if they store hazardous substances above regulatory thresholds:

Lead batteries : Low threshold 250 tonnes, high threshold 2,500 tonnes (section P5c) Extinguishing gas (FM-200, Novec 1230) : Classification according to stored quantities Diesel fuel from generator sets : Threshold according to section P2 (flammable liquids)

The application of this directive imposes reinforced obligations in terms of prevention of major accidents and assessment of risks to the environment and populations.

III. Risks specific to data centers

3.1. Electrical risks: specific features and prevention

Data centers present specific electrical risks linked to their technical characteristics:

High voltage and high power : Installations may include high voltage (HV) and very high voltage (VHV) equipment, requiring specific electrical authorizations (H1, H2, HC).

Continuity of service : The obligation to maintain electrical continuity limits the possibilities of lockout, imposing procedures for working under voltage or in the vicinity.

Redundant systems : The presence of multiple power sources (network, inverters, generators) complicates logging procedures and increases the risk of error.

Storage batteries : The BR electrical authorization allows its holder to consign part of an installation for his own account or for an operator under his orders. The large storage capacities (several MWh) present risks of explosion, fire and gas release.

3.2. Fire risks: technical specificities

High fire load : The density of electronic equipment generates high fire loads, accelerating the spread of fire.

Automatic extinguishing systems : Extinguishing gases (Argonite, FM-200, Novec 1230) present asphyxiation risks and require specific evacuation procedures.

Continuity of service : The obligation to maintain critical services limits the firefighters' intervention possibilities, requiring adapted intervention protocols.

Propagation through cable trays : The high density of cabling facilitates the spread of fire and toxic fumes.

3.3. Chemical risks: batteries and refrigerants

Battery Electrolyte : Lead-acid batteries contain concentrated sulfuric acid, which poses a chemical burn and splash hazard.

Gas emissions : Overcharging or malfunctioning batteries can generate releases of hydrogen (risk of explosion) and hydrogen sulfide (toxicity).

Refrigerants : Cooling systems use refrigerants (R134a, R410A, NH3) which present risks of toxicity and asphyxiation.

Maintenance products : Solvents and degreasers used for equipment maintenance present specific chemical risks.

3.4. Ergonomic and organizational risks

Handling : Installation and maintenance of servers (up to 40 kg per unit) exposes you to musculoskeletal disorders.

Constrained spaces : Movement in narrow technical aisles and work under floors presents risks of falls and entrapment.

Thermal environment : Temperature variations between hot and cold zones (differences of 15-20°C) expose you to the risk of thermal shock.

Noise : The noise level of ventilation systems (often > 85 dB(A)) requires hearing protection and limits communications, particularly in data centers that host GPUs.

IV. Emerging risks linked to new technologies

4.1. Liquid cooling and associated risks

The move towards higher power densities leads to the development of liquid cooling:

Leakage risks : Liquid cooling circuits in contact with electrical equipment present risks of electrocution and short circuit.

Pressure and Temperature : Total immersion systems require special dielectric fluids that present new chemical hazards.

Complex maintenance : Interventions on these systems require multiple skills (electricity, plumbing, chemistry) and specific protective equipment.

4.2. Embedded artificial intelligence and physical cybersecurity

The integration of AI systems into data center management generates new risks:

False positives/negatives : Automated systems can generate false alarms or mask real dangers, disrupting emergency procedures.

Physical cybersecurity : Computer attacks can compromise physical security systems (access control, fire suppression, ventilation).

Predictive maintenance : Reliance on predictive maintenance algorithms can lead to underestimating certain risks not detected by sensors.

4.3. Large-scale energy storage

The development of high-capacity Li-ion battery storage introduces new risks:

Thermal runaway : Li-ion batteries can experience thermal runaway, which is difficult to control and generates toxic gases.

Specific suppression systems : These risks require suitable extinguishing systems (water with additives, aerosols) which are different from traditional systems.

Recycling and end of life : The management of waste from used Li-ion batteries presents specific environmental and safety risks.

V. Psychosocial risks specific to data centers

5.1. Work environment constraints

Noise : In today's highly available and high-continuity data center environments, even the slightest outage has a cost and often has consequences for the company's image. The constant noise from cooling systems (fans, refrigeration units) causes auditory fatigue and limits social interaction.

Artificial light : Permanent, artificial lighting disrupts circadian rhythms, especially for night shifts.

Confined spaces : Working in technical environments without access to the outside world can generate phobias and anxiety.

Controlled temperature and humidity : Constant air conditioning can cause breathing problems and a feeling of being trapped.

5.2. Work organization and time constraints

On-call duty and permanence : 24/7, 365 days/year continuity of service imposes permanent on-call constraints generating stress and fatigue.

Time pressure : Emergency interventions to maintain service availability create constant pressure on teams.

Professional isolation : Often solitary work, especially on night shifts, can lead to social and professional isolation.

High responsibility : The awareness that their actions can affect millions of users generates significant professional stress.

5.3. Training and technological development

Rapid obsolescence of skills : Constant technological evolution requires intensive ongoing training, which is a source of stress for some employees.

Versatility required : The need to master various technical fields (electricity, IT, air conditioning, security) can generate a feeling of incompetence.

Permanent certification : The obligation to maintain numerous certifications (electrical qualifications, CACES, safety training) adds an additional mental burden

.

VI. Maintenance and intervention by external companies

6.1. Prevention plan: specific obligations

The intervention of external companies in data centers requires particular attention given the risks of interference:

Article R. 4512-6 of the French Labor Code : The approach to preventing interference risks must be implemented before the intervention of the external company. This obligation is particularly critical in data centers where multiple risks coexist.

Analysis of interference risks : The prevention plan must identify the specific risks resulting from coactivity in a constrained technical environment:

• Electrical risks amplified by the simultaneous presence of several workers

• Risks of service interruption due to lack of knowledge of procedures

• Chemical risks associated with the simultaneous use of incompatible products

  
  

Coordination measures : The plan must define the coordination arrangements between the user company and external companies, including:

• The procedures for consignment and deconsignment

• Emergency communication means

• Data center-specific evacuation protocols

  
  

6.2. Electrical qualifications and specialist training

Required qualifications : Electrical qualification (B1V, B2V), height certifications are often required for data center work. Qualification levels must be adapted to the voltages present:

• Low voltage (LV): B1, B2, BR, BC qualifications

• High voltage (HV): H1, H2, HR, HC qualifications depending on the installations

• 
  

Additional training : Beyond regulatory authorizations, specific training is necessary:

• Data Center Emergency and Evacuation Procedures

• Handling of automatic extinguishing systems

• Safety protocols for batteries and storage systems

• Confined Space Work Procedures

6.3. Confined spaces and working at height

Identification of confined spaces : Data centers contain many confined spaces requiring specific procedures:

• Technical subfloors with cooling air circulation

• Technical battery rooms with risks of gas release

• Technical ducts and cable passages

• 
  

Intervention procedures : Article R. 4412-27 of the Labor Code imposes specific measures for working in confined spaces:

• Permanent surveillance from outside

• Specific means of communication

• Appropriate respiratory protection equipment

• Rescue and evacuation procedures

• 
  

Working at height : Work on cable trays, lighting and ventilation systems requires personal fall protection equipment and CACES PEMP.

VII. Legal liability and case law

7.1. Criminal liability in the event of an accident

The criminal liability of the manager may be incurred in the event of an accident in a data center according to several qualifications:

Homicide or unintentional injuries (articles 221-6 and 222-19 of the Criminal Code): In the event of a fatal accident or one with injuries resulting from a failure to assess risks or implement preventive measures.

Deliberate endangerment (Article 223-1 of the Criminal Code): Failure to assess risks specific to data centers may constitute exposure of others to an immediate risk of death or serious disability.

Failure to comply with safety obligations : Violations of the provisions of the Labor Code regarding risk assessment constitute class 5 offenses.

7.2. Inexcusable fault of the employer

The employer's inexcusable fault corresponds to the latter's failure to meet its obligation of safety of result, in particular revealed by an accident at work or an occupational disease. The employer should have been aware of a danger and did not take the necessary measures to prevent it.

In the context of data centers, inexcusable fault can be found in several situations:

Failure to assess electrical risks : Failure to consider risks associated with high voltages and redundant systems.

Insufficient training : Lack of training of staff in the specificities of data centers (emergency procedures, handling of extinguishing systems).

Poor maintenance : Lack of preventive maintenance of critical equipment (batteries, cooling systems, electrical equipment).

7.3. Recent developments in case law

The 2018 ruling marked a turning point in the enforcement of industrial misconduct. Case law confirms the heavy liability of employers in fatal accidents. The judges reiterated that awareness of the danger is sufficient to establish inexcusable negligence.

This development in case law particularly impacts data centers where:

Technical complexity is no excuse : Lack of awareness of specific risks does not exempt the employer from liability.

The training obligation is reinforced : Judges are increasingly demanding regarding the quality and adaptation of training to real risks.

Subcontracting does not exempt : The delegation of certain activities to external companies does not exempt the employer from its obligation to assess and coordinate risks.

VIII. Practical recommendations for risk assessment

8.1. Specific evaluation methodology

Zone-based approach : The assessment should be structured by functional zones:

• IT production areas (server rooms)

• Technical areas (power supplies, cooling)

• Storage areas (batteries, fuels)

• Reception and administrative areas

  
  

Analysis of workstations : Each workstation must be subject to a specific analysis:

• Maintenance technician (multi-risk exposure)

• Supervision operator (psychosocial risks)

• Security Officer (Emergency Response Risks)

• Administrative staff (environmental risks)

  
  

Taking into account degraded situations : The assessment must integrate emergency and breakdown situations:

• Emergency power supply interventions

• Evacuation in case of activation of extinguishing systems

• Work in security lighting

  
  

8.2. Monitoring tools and indicators

Specific security indicators :

• Frequency rate of electrical accidents

• Number of emergency interventions

• Average duration of noise exposure

• Number of false extinguishing alarms

  
  

Traceability of authorizations : Implementation of a system for monitoring electrical authorizations, CACES and specialized training with renewal alerts.

Periodic audit : Organization of regular internal and external audits covering:

• Compliance of installations with EN 50600 standards

• Effectiveness of emergency procedures

• Adaptation of training to technological developments

  
  

8.3. Action plan and continuous improvement

Prioritization of actions : Use of criticality matrices adapted to the specificities of data centers:

• Probability of occurrence × Severity × Impact on service continuity

• Taking into account the response times of external emergency services

• Assessment of domino effects (power failure → cooling failure → overheating)

  
  

Technological monitoring : Organization of permanent monitoring on:

• Evolution of cooling and storage technologies

• New sector-specific security benchmarks

• Feedback on accidents in the sector

  
  

Continuing education : Implementation of adapted training programs:

• Enhanced initial training for new arrivals

• Periodic refresher on technological developments

• Regular practical exercises in evacuation and emergency response

IX. Prospects for regulatory developments

9.1. Impact of the European directive on energy efficiency

The European directive 2018/2002 on energy efficiency impacts data centers through the obligation to recover fatal heat, generating new risks:

Heat recovery systems : Installation of hot water circuits presenting risks of leakage and scalding.

Cogeneration : Development of combined electricity-heat production systems presenting specific industrial risks.

Thermal storage : Use of phase change materials presenting new chemical risks.

9.2. Evolution of the EN 50600 standard

Energy and environmental sustainability are central elements of the EN 50600 standard. Current revisions incorporate:

Sustainability criteria : Taking into account the life cycle of equipment in risk assessment.

Climate resilience : Adaptation to extreme climate events (heat waves, floods).

Physical cybersecurity : Integration of cyberattack risks on physical infrastructures.

9.3. REACH regulations and chemical substances

The evolution of REACH regulations impacts data centers through:

Restriction on refrigerants : Evolution towards natural fluids (CO₂, NH₃) presenting new risks.

Heavy metal-free batteries : Development of new storage technologies with new risk profiles.

Insulation Materials : Restrictions on certain insulating materials used in electrical equipment.

Conclusion

Risk assessment in data centers poses a major challenge for employers given the multiplicity and specificity of risks present in these complex technical environments. The convergence between the general obligations of the French Labor Code, the specific requirements of the Construction and Housing Code, and technical standards such as EN 50600 requires a rigorous and tailored methodological approach.

The constant technological evolution of the sector, the emergence of new risks linked to liquid cooling and energy storage technologies, as well as the strengthening of case law in matters of employer liability, make it essential for managers and their prevention teams to have a perfect understanding of these issues.

Beyond simple regulatory compliance, an effective risk assessment in data centers helps protect people, contributes to service continuity and can constitute a competitive advantage in a sector where reliability and security are determining criteria for customers.

Faced with the growing complexity of these installations and the considerable economic and legal challenges, support from experts specializing in industrial security and data centers, as well as the implementation of a continuous improvement approach based on sector feedback, appear to be essential investments for any operator wishing to control these emerging risks.

The ongoing digital revolution only amplifies these challenges, making a proactive and anticipatory approach to the prevention of occupational risks in these critical infrastructures of the digital economy more necessary than ever.