Climate Risk in IT Procurement: Assess Data Centre Resilience

In July 2022, London hit 40°C for the first time on record. Google and Oracle data centres overheated and went offline. Two months later, Twitter's Sacramento facility shut down during a Californian heatwave. In early 2025, an AWS availability zone in Northern Virginia failed after a rapid temperature spike, taking Coinbase and other services offline for hours. None of these outages were caused by software bugs, cyberattacks, or hardware failures. The weather caused them.

Standard SLAs rarely cover climate-related disruptions. Most contracts include a force majeure clause that treats extreme weather as unforeseeable. Affected customers had limited recourse. And under current climate trajectories, incidents like these will become more frequent, not less. The question is not whether your cloud provider's facilities face physical climate risk. The question is whether your procurement process accounts for it — and whether your ESG reporting obligations require you to prove that it does.

What This Looks Like in Practice

Scenario A. A mid-sized European company migrates its CRM and ERP to a cloud provider with primary capacity in Northern Virginia. No climate screening is conducted. The SLA guarantees 99.9% uptime. The force majeure clause covers "extreme weather events." In early 2025, a winter storm triggers cascading grid stress in the region. The primary availability zone experiences a four-hour outage. The force majeure clause applies. Zero compensation. Recovery costs exceed the annual contract value. The company's CSRD report later cannot demonstrate climate risk assessment of its digital supply chain.

Scenario B. Same migration, different procurement process. Before signing, the IT team runs a location risk screening using XDI hazard data. They identify elevated heat stress and storm risk at the primary facility. They negotiate geo-redundancy in the Nordic region, add a climate-specific SLA clause treating extreme weather as a foreseeable — not exceptional — risk, and specify quarterly uptime monitoring during heat events. Same contract term. Zero unplanned downtime. And a documented climate risk assessment that feeds directly into CSRD value chain disclosure.

The difference between these scenarios is not technology. It is procurement practice. This article gives you the framework for Scenario B.

What Is Actually at Risk

Cloud services appear intangible. The infrastructure behind them is not. Every cloud contract attaches your operations to specific buildings, specific cooling systems, and specific power grids — all of which are physically located somewhere, and all of which are exposed to climate hazards at that location.

Procurement teams apply geographic risk screening to factories, logistics hubs, and raw material suppliers. They almost never apply it to cloud providers. That asymmetry is closing fast. S&P Global's research confirms that all sectors face at least moderate direct exposure to physical climate hazards by 2030, with additional indirect exposure flowing through their value chains. The IT sector is not exempt. Companies that have migrated core operations to cloud providers without assessing the physical resilience of those providers are carrying undisclosed supply chain climate risk.

The two incidents that best illustrate the financial consequence: the 2022 London heatwave outages affected customers whose SLAs provided no compensation for heat-driven cooling failure, and the 2023 Slovenia floods — though affecting automotive suppliers rather than data centres — produced an estimated 150,000 fewer cars globally from a single localised climate event. A comparable cluster failure in a concentrated digital infrastructure hub would cascade identically across digital value chains.

One thing to remember: A cloud contract is a physical asset risk agreement. Treat it like one.

The Geographic Hazard Map

A 2025 XDI analysis of 8,868 data centres worldwide found that between 20 and 64 per cent of facilities in major hubs — including Hamburg, New Jersey, Tokyo, Bangkok, and Hong Kong — are projected to be highly vulnerable to physical damage by 2050. Three hazard types drive most of the risk.

Extreme heat overwhelms cooling systems. The World Economic Forum estimates climate hazards could raise cumulative data centre running costs by USD 3.3 trillion by 2055. Flooding threatens foundations, cabling, and power systems; coastal and riverine exposure is already material in European hubs like Hamburg and the Netherlands. Water scarcity constrains cooling capacity directly: water-cooled facilities in drought-prone regions face operational curtailment or escalating access costs, a risk that is materialising faster in Southern Europe and parts of Asia-Pacific than most procurement teams realise. For a more detailed treatment of water risk in supply chain assessments, see the linked analysis.

Sources: XDI 2025 Global Data Centre Physical Climate Risk Report; World Economic Forum; Ramboll

What IT Buyers Must Do: RFPs, SLAs, and Architecture

Adding a climate risk dimension to cloud and colocation procurement does not require a sustainability team. It requires the right questions — and the right contractual provisions to enforce the answers.

Questions to Add to Your Next Cloud RFP

• Location risk profile: Which climate zones host the facilities serving your workloads? What flood zone, heat stress, and water availability classifications apply to each site?
• Cooling technology: Is the facility air-cooled, water-cooled (evaporative or chiller), or liquid-cooled (direct-to-chip or immersion)? What are the rated upper operating temperature limits? Do those limits exceed the local 1-in-100-year heat event projection for 2040?
• Backup power: What generator capacity covers peak facility demand? What is the minimum documented fuel storage duration? Has this been tested under real extreme weather conditions — not only scheduled maintenance?
• Water dependency: What is the annual Water Usage Effectiveness (WUE)? What contingency arrangements exist for drought scenarios or water allocation restrictions?
• Business continuity testing: When was the last full failover test? Do DR scenarios include climate-triggered disruptions, or only cybersecurity and hardware failure events?

SLA Clauses Worth Negotiating

Standard SLAs define uptime but carve out extreme weather as force majeure. That framing is no longer defensible: climate hazards are documented, projected, and foreseeable. Forward-looking buyers are negotiating three specific additions.

First, climate-specific uptime provisions that treat extreme weather as a foreseeable operational risk, removing it from the force majeure exemption. Second, transparency obligations requiring providers to disclose the physical climate risk assessment for facilities serving the customer. Third, geo-redundancy guarantees specifying that failover capacity is located in a materially different climate zone — not merely a different building in the same flood-prone metropolitan area.

That last point is frequently overlooked. Two data centres on opposite sides of Hamburg are not a climate-resilient redundancy architecture. They share the same storm surge and flooding exposure. Effective climate geo-redundancy means different hazard profiles, not just different postcodes.

Architecture: Edge and Hybrid as Structural Risk Mitigation

Edge computing distributes workloads to smaller, geographically dispersed facilities closer to end users. This reduces concentration risk by design. Hybrid multi-cloud strategies — combining private or on-premise infrastructure with multiple public cloud providers — enable geographic redundancy: if one provider's northern Virginia facility is compromised, workloads continue from facilities in the Nordics or Central Europe. For a broader treatment of how supply chain transparency shapes competitive positioning, including digital supply chains, the linked analysis is relevant.

One thing to remember: The right questions in an RFP cost nothing. An unplanned outage during a heat event — with no contractual recourse — costs considerably more.

The Regulatory Dimension: CSRD, EU Taxonomy, IFRS S2

If the operational and financial case for climate-resilient IT procurement is not sufficient, the regulatory case will be. Three frameworks create direct, auditable obligations — and all three are already in force or implementation.

CSRD and ESRS E1 require companies in scope to assess physical climate risks across their value chains. Cloud and SaaS providers are Scope 3 suppliers. Their physical climate vulnerability is a material exposure that must be assessed and disclosed — not assumed away. If your organisation uses a Scope 3 Quick Check to prioritise material emission and risk categories, digital infrastructure should appear on the assessment list for any cloud-intensive operation. Auditors are beginning to ask whether digital supply chains were included in ESRS E1 climate risk assessments, or treated as exempt. The answer needs to be documented. For a full treatment of how double materiality analysis identifies value chain exposures, including digital infrastructure, see the linked methodology guide. See also our overview of ESG and sustainability compliance obligations in 2025–2026.

The EU Taxonomy's Do No Significant Harm (DNSH) principle requires that taxonomy-aligned activities demonstrate climate change adaptation assessments covering physical and transitional risks. Procurement decisions that ignore facility-level hazard profiles cannot be straightforwardly taxonomy-compliant for any company seeking to classify digital activities as environmentally sustainable.

IFRS S2 requires scenario-based physical risk disclosures under both moderate (RCP 4.5) and high-emission (RCP 8.5) pathways. In practical terms: your cloud provider's cooling system needs to be rated for not just today's temperatures, but the 1-in-100-year heat event projected for that facility's location under RCP 8.5 by 2040. Understanding how to apply RCP and SSP data in a corporate climate risk assessment is the methodological starting point. The full climate risk analysis methodology, including EU-CORDEX regional data at 11.5 km resolution for European facility assessments, is documented in the linked service page.

Investor pressure adds a fourth dimension. European climate VCs are shifting towards infrastructure investments with embedded physical resilience, and ESG due diligence processes at VC and PE level now routinely include IT infrastructure climate resilience as a diligence dimension.

Assessment Checklist for Procurement Teams

This framework is designed to be used alongside standard vendor assessments, CSRD materiality analyses, and the free Climate Risk Quick Check for value chain exposure mapping.

Provider Location: Climate Vulnerability Scoring

Facility Resilience: Combined Checklist

• Cooling technology confirmed: air / water-chiller / liquid cooling (direct-to-chip or immersion). Rated upper limit exceeds local 1-in-100-year heat projection under RCP 8.5. N+1 redundancy minimum; N+2 for mission-critical workloads.
• Generator capacity covers 100% of peak demand. Fuel storage minimum 72 hours documented; 7+ days preferred. Full-load test completed within 12 months.
• RTO and RPO defined for climate-triggered scenarios specifically — not only cybersecurity or hardware failure events.
• Geo-redundant failover confirmed as operational. Secondary site in a materially different climate exposure profile — verified against hazard data, not assumed on the basis of physical distance.
• Renewable energy integration confirmed for primary and secondary sites. High renewable shares reduce fossil fuel price exposure and grid-access risk during emergency rationing.

Three Priorities for Forward-Looking IT Buyers

The organisations that build climate resilience into their digital procurement now will avoid forced renegotiations later — when risk is priced into insurance premiums, SLA terms, and investor due diligence. These are the organisations positioned to turn climate risk into competitive advantage, not just a compliance burden.

1. Map geographic exposure deliberately. The Nordic region and parts of Central Europe currently offer better long-term physical risk profiles than Asia-Pacific mega-hubs or coastal US metro areas. EuroStack — the EU initiative building federated, distributed digital infrastructure — addresses this directly, enabling providers to share capacity across different climate exposure zones. For enterprises under CSRD, geographic workload diversification is increasingly a disclosure-relevant infrastructure decision.

2. Require real-time environmental monitoring. Well-managed facilities track temperature, humidity, and power metrics continuously. Enterprise customers should specify this as a contractual service requirement. It enables proactive SLA invocation during extreme weather — before an outage, not after. It also provides the audit trail that regulators and insurers are beginning to request. Monitoring capability is one of the key tools for managing hidden climate risks in digital supply chains.

3. Integrate climate clauses before the next renewal. Build climate risk disclosure obligations, adaptation milestones, and explicit extreme-weather SLA protocols into multi-year contracts with cloud and SaaS providers. Generic force majeure clauses are not adequate for a risk that is foreseeable, rising in frequency, and now subject to regulatory disclosure requirements. The time to negotiate these clauses is before renewal — not after the next outage. For climate VC investors, the same framework applies at portfolio level: the IT infrastructure resilience of portfolio companies is a risk dimension that belongs in the ESG scoring model.

Frequently Asked Questions

What is physical climate risk for data centres, and how is it different from cybersecurity risk?

Physical climate risk refers to the direct exposure of data centre infrastructure — buildings, cooling systems, power connections — to climate hazards such as extreme heat, flooding, water scarcity, and severe storms. Unlike cybersecurity risk, it results in outages caused by environmental conditions, not code or actors. Standard IT resilience frameworks and most SLAs treat climate-related disruptions as exceptional. That treatment is becoming untenable as climate hazard frequency increases.

Does CSRD require organisations to assess their cloud provider's physical climate resilience?

Yes. Under ESRS E1, companies subject to CSRD must conduct climate risk and vulnerability assessments covering their value chains. Cloud and SaaS providers are Scope 3 suppliers. Their physical climate vulnerability is a material exposure that must be assessed and disclosed. The EU Taxonomy's DNSH criteria for climate change adaptation add a further obligation for taxonomy-aligned activities. Auditors are increasingly checking whether digital supply chains were included in value chain climate risk assessments, or assumed away.

What makes geo-redundancy effective for climate risk — and when is it just superficial?

Geo-redundancy means distributing workloads across geographically separated facilities so that a failure at one site does not affect operations. It is superficial when the redundant sites share the same hazard exposure — two facilities in the same metropolitan flood zone, for instance. Effective climate geo-redundancy requires secondary sites in materially different climate exposure profiles: different climate zones, different hazard types, verified against physical hazard datasets rather than assumed on the basis of distance.

How does the shift to liquid cooling relate to climate resilience?

Liquid cooling — direct-to-chip and immersion cooling — operates efficiently at higher ambient temperatures and with lower dependence on large volumes of chilled air or evaporated water than traditional HVAC systems. Facilities equipped with liquid cooling are more resilient during heatwaves and less exposed to water scarcity constraints. The market is projected to nearly quadruple to USD 29.5 billion by 2033. That growth rate reflects an industry-wide acknowledgement that legacy air-cooled infrastructure is structurally underequipped for a warmer climate — and it means cooling technology roadmap is now a legitimate procurement-level resilience indicator.

What data sources should IT procurement teams use for data centre location risk assessment?

Four datasets cover most of the relevant hazard dimensions: XDI's 2025 Global Data Centre Physical Climate Risk Report for facility-level hazard exposure across 8,868 sites; WRI's Aqueduct tool for water risk by watershed; the Copernicus Climate Data Store for temperature projections at regional resolution; and NERC or ENTSO-E data for grid reliability. For CSRD-compliant European physical risk assessments, EU-CORDEX regional projections at 11.5 km resolution provide the methodological foundation used in our climate risk analysis engagements.