This bill mandates that operators of data centers implement specific security measures to protect against cyberattacks and physical or cyber disruptions. It requires the establishment of a risk-based cybersecurity and resilience program that aligns with nationally recognized frameworks, such as the NIST cybersecurity framework. Operators must also utilize various safety systems, including safety-critical systems, redundant cooling controls, and manual override access, depending on the data center's size and risk profile. Additionally, they are required to create and maintain incident response and disaster recovery plans that outline personnel responsibilities, communication procedures, and system restoration priorities.

Violations of these requirements can result in civil fines of up to $25,000 per day, enforceable by the county prosecutor or the attorney general. The bill defines "critical infrastructure" as essential systems for the operation of a data center and specifies that a "data center" refers to a qualified data center as defined in existing tax laws. The new legal language emphasizes the importance of cybersecurity and resilience in the operation of data centers, reflecting a growing concern over data security in the digital age.