Physical Datacentre Separation as a Reliability Factor in Recovery Architecture
The distance between production systems and recovery infrastructure affects the physical incidents a recovery architecture can withstand. A backup repository, replicated environment, standby platform or disaster recovery site may look adequate in a technical diagram, but its reliability depends partly on where it is located. If the recovery environment sits inside the same building, campus or local infrastructure area as production, it may remain exposed to the fire, heat, flood, power, cooling or access incident that makes production unavailable.
Physical location now deserves closer attention in UK recovery design because datacentre infrastructure supports services that organisations and public bodies cannot easily pause. The UK government designated data centres as Critical National Infrastructure in 2024, and its data centre factsheet links them to services including patient records, email and financial systems. That wider role does not mean every recovery design needs a distant second site. It does mean infrastructure teams need to understand the physical geography behind their recovery assumptions.
The Guy’s and St Thomas’ NHS Foundation Trust incident in July 2022 shows why location needs careful treatment. Two separate datacentres, intended to provide resilience for each other, both suffered failures during a London heatwave, taking down most clinical IT systems across Guy’s, St Thomas’ and Evelina London hospitals. The review later concluded that the relative proximity of the two sites meant an environmental cause such as a heatwave could affect both at the same time. The point is not that dual-site architecture failed as a concept, but that separation has to match the type of incident the organisation expects to withstand.
Local resilience and recovery resilience are related, but they answer different questions. Local resilience concerns the ability of a facility to continue through equipment failure, component loss or routine disruption inside the site. Recoverability concerns whether the organisation still has usable data and a usable recovery environment when the primary location cannot be used. Those placement decisions need to be examined at several levels: the building or campus, the surrounding local area, the location of backup and object storage, the site used for disaster recovery workloads, the UK geography of the design, and the questions infrastructure teams ask when assessing whether the model is fit for purpose.
Removing the Single Building or Campus Exposure
A resilient datacentre can contain dual power feeds, redundant cooling, fire suppression, diverse carriers and strict facilities procedures. Those controls reduce the probability of interruption inside the facility, but the building remains one physical site. A facilities incident can still affect equipment that appears logically separate but is housed in the same room, rack hall, building or campus. Internal redundancy does not remove exposure to site-level events such as fire, water ingress, cooling failure, access restriction or a wider power incident.
Uptime Institute’s Annual Outage Analysis 2025 reported that power remains the leading cause of impactful outages, while IT and networking issues accounted for 23% of impactful outages in 2024. Co-location, hosted private cloud and outsourced infrastructure do not remove dependence on the physical condition of the facility. They may reduce some operational burdens, but the recovery architecture still needs to distinguish between resilience inside one site and recovery from the loss of that site.
In co-location and hosted private infrastructure designs, the assessment should move from general facility resilience to the exact relationship between production and recovery locations. A backup repository in the same datacentre may help with accidental deletion, file corruption or routine restore work. It gives a weaker recovery position if the same power, cooling, fire, access or building incident affects both production and the repository. The same applies to standby infrastructure placed in another room or another hall within the same campus.
The distinction needs to be explicit in design reviews and supplier discussions. “Hosted in a resilient datacentre” is not the same as “recoverable from a physically separate datacentre.” “Dual-site capability” is not enough unless the two sites are outside the same immediate facilities risk. UK organisations using co-location, private cloud or hosted recovery platforms should know whether the second environment survives the loss of the first building, not merely whether the primary facility is well engineered.
Extending Recovery Beyond the Local Area
Building-level separation reduces one category of exposure. It does not automatically address disruption across a wider local area. A second datacentre in the same city can reduce dependence on one building while still depending on overlapping local transport, power, water, access, emergency response and communications conditions. For some workloads that may be acceptable; for others, the chosen distance may need to reflect a wider regional risk scenario.
The UK National Risk Register 2025 describes risks that are relevant to physical infrastructure planning, including storms, high temperatures and heatwaves, coastal flooding, fluvial flooding, surface water flooding, failure of the National Electricity Transmission System and regional electricity network failure. Its heatwave scenario describes an extended period of high temperatures affecting 50 to 70% of the UK population, with maximum temperatures above 35°C and potentially approaching or exceeding 40°C in some places. Its flooding scenarios refer to impacts on roads, railways, hospitals, emergency services, electricity and telecoms.
The North Hyde Substation outage in March 2025 illustrates the type of local infrastructure disruption that can affect operations beyond the failed asset itself. NESO reported that the outage caused the loss of all supplies from North Hyde 275kV substation, affected thousands of customers including Heathrow Airport, and had wider impacts on road, rail, Hillingdon Hospital, homes and businesses. Three data centres also lost power but continued operating through backup generators. For recovery planning, the point is that a disruption in the local power environment can affect transport, access, public services and commercial activity around the recovery or production location, even where individual facilities continue to operate.
Distance should therefore be chosen according to the incident the recovery environment is expected to survive. A second site across town may be enough to handle a building fire, localised access problem or facilities failure. A second site in another region may be more suitable where the concern is heat across a metropolitan area, major flooding, a substation incident, transport restriction or a broader communications problem. The purpose is not maximum distance for its own sake, but a physical location that reduces the right category of exposure without making recovery performance unrealistic.
Placing Backup and Object Storage Away from Production Risk
Backup repository location is a separate recovery design decision from the location of the whole recovery platform. A backup copy does not need to run applications by itself. Its value is that it gives the organisation recoverable data when production data, replicated systems or primary storage are unavailable. For that reason, the physical placement of backup data deserves its own assessment.
A backup copy inside the same datacentre can be useful for fast operational recovery. It may support quick restores after user error, application corruption or local system failure. It is less helpful if the production facility is unavailable because of fire, power loss, cooling failure, water damage or site access restrictions. Offsite backup storage gives the organisation another recovery route when the primary location cannot be used.
NCSC guidance on offline backups says the purpose of an offline backup is to remain unaffected when an incident impacts the live environment, and it notes that cloud storage can provide physical separation from the live environment when used appropriately. The same guidance adds an important limitation: cloud storage used for this purpose also needs to be digitally disconnected when not in use, because it cannot be taken offline simply by unplugging it. NCSC’s ransomware-resistant backup guidance also warns that backup data is not resistant to destructive ransomware by default and needs additional protection.
S3-compatible object storage can support this part of the architecture where the backup or archive workflow supports S3-compatible targets and the storage is placed away from production infrastructure. It is not a substitute for backup policy, access control, restore testing or retention design. Its role here is narrower: it can place recoverable data in a physically different datacentre while remaining accessible to backup software and archive workflows.
This separates data placement from platform placement. An organisation may keep production systems in one environment while sending backup or archive copies to object storage in another UK location. That does not make every workload instantly recoverable, but it changes the position of the recoverable copy. If the production site is inaccessible, the organisation is not relying solely on backup data stored beside the systems it needs to recover.
Locating Disaster Recovery Platforms Outside the Primary Site
Backup storage and disaster recovery platforms serve different roles. Backup storage preserves recoverable data. A disaster recovery platform provides a place where selected systems can be restored, restarted or operated temporarily when the primary environment is unavailable. The physical location of that platform affects whether the organisation can run services during an incident that affects production.
RTO and RPO help explain the difference. RTO, or recovery time objective, means how quickly a service needs to be restored. RPO, or recovery point objective, means how much data loss is acceptable, measured in time. A system with a short RTO may need standby capacity, preconfigured networking and a recovery environment ready to run. A system with a longer RTO may be restored from backup after the most urgent services are back.
Not every workload needs the same recovery model. Payroll, clinical systems, case management, payment processing, customer portals and internal reporting do not normally carry the same recovery priority. Selected systems may need to recover first because they support customer harm reduction, regulatory obligations, patient safety, revenue protection or operational command. Physical separation helps only when the platform chosen for those services remains outside the incident affecting the primary site.
The FCA’s operational resilience policy brings this issue into sharper focus for financial services. Under PS21/3, FCA operational resilience rules came into force on 31 March 2022. In-scope firms then had until 31 March 2025 to ensure they could remain within impact tolerances for each important business service, supported by mapping and testing. The FCA has also emphasised that firms must identify and document the people, processes, technology, facilities and information needed to deliver those services. For DR architecture, that makes the location of the recovery platform part of the evidence base, because “facilities” and “technology” are not abstract categories when a service must continue through a physical disruption.
Giving UK Recovery Architecture a Clearer Physical Geography
Recovery data and backup repositories can hold sensitive information for long periods, so their physical location deserves the same scrutiny as production data. That scrutiny is partly operational and partly governance-related. UK organisations need to know where recovery copies sit, where recovery platforms can run, which legal jurisdictions apply, and which provider teams can support or manage the service. Without that clarity, recovery architecture is harder to explain during supplier assurance, regulatory review or board-level risk discussions.
The ICO’s international transfers guidance covers the rules for transferring personal information to other countries and how to identify restricted transfers under UK GDPR. The NCSC Cloud Security Principles also state that organisations should know where data is stored, processed and managed, which legal jurisdictions apply, and where the service is managed and supported from. These points apply strongly to backup, object storage and DR environments because recovery data often contains copies of the same sensitive records held in production.
UK-based physical separation can therefore support organisations that want recovery infrastructure to remain inside a domestic infrastructure footprint. This may be relevant for financial services, healthcare, legal services, professional services, government-related organisations, MSPs and other sectors where supplier assurance and data location are examined carefully. The architectural value comes from both distance and explainability: where the data sits, where the platform runs, and which UK locations are involved.
When organisations review backup, object storage, co-location or disaster recovery options, the distance between sites should be treated as an architectural detail with operational consequences. A London and Edinburgh model, such as the one described in Extraordinary Data Cloud’s object storage material, gives a concrete example of UK-based separation across more than 330 miles. The point is not to present one distance as universally correct. It is to make physical geography visible enough that infrastructure, risk and governance teams can judge whether the design fits the intended recovery model.
Practical Questions for UK Infrastructure Leaders
A useful review of physical datacentre separation should be specific enough to expose hidden assumptions. The questions should not stop at whether a provider has a resilient facility or whether backup software is configured correctly. They should identify whether recoverable data and recovery platforms are far enough from production to remain usable during the incidents the organisation is planning for.
- Are production and recovery environments in the same building, campus or local area?
- Could one fire, flood, heat event, cooling failure, power incident or site access restriction affect both environments?
- Is the second location far enough away to reduce the physical risks the organisation is trying to address?
- Does the chosen distance still support the required recovery time and recovery point expectations?
- Are backup repositories and object storage physically separate from production?
- Can the disaster recovery platform run selected services if the primary site is unavailable?
- Is the location of recovery data clear enough for governance and supplier assurance reviews?
- Does the recovery architecture stay within the intended UK infrastructure and jurisdictional model?
- Are the most urgent workloads assigned to the recovery location that gives them the right level of physical separation?
- Has the organisation checked whether its second site is genuinely outside the same local or regional risk boundary?
These questions help distinguish between design choices that are often blurred together: a second rack or hall in the same facility, a second datacentre in the same local area, an offsite backup or object storage location, and a separate DR platform able to run selected workloads. Each choice changes the recovery position in a different way. Moving to another rack, another building, another city or another recovery platform does not create the same level of separation. A UK-hosted recovery model is also incomplete unless the organisation can explain the actual locations involved.
Conclusion
Physical datacentre separation improves recovery reliability by reducing the chance that production systems, recoverable data and recovery platforms are affected by the same physical conditions. It does not remove the need for sound backup policy, access control, network design, monitoring, restore testing or operational runbooks. Its contribution is narrower and more concrete: it changes the physical circumstances under which recovery remains possible.
These levels need to be distinguished in the architecture. Building and campus separation address the loss of one immediate site. Local and regional separation address wider disruption across an area or supporting infrastructure. Backup and object storage placement determine where recoverable data sits. Disaster recovery platform location determines where selected workloads can run. UK physical geography helps teams explain how recovery infrastructure fits sovereignty, jurisdiction and supplier assurance expectations.
UK organisations should be able to describe their recovery architecture without vague claims about resilience. They should know where the production environment sits, where backup copies are held, where DR workloads can run, and whether those locations are far enough apart for the incidents under consideration. The most useful test is simple: if the primary environment becomes unusable because of a physical event, the recovery environment should sit outside the conditions that caused that failure.