WeVote

Bill

Bill

HB 5849

Businesses: other; cyber-physical security and operational technology protections for data centers; provide for. Creates new act.

2025-2026 Regular Session Introduced by Peter Herzberg and 2 co-sponsors

Michigan data centers must implement a risk-based cybersecurity and resilience program with incident response and disaster recovery plans, plus penalties for noncompliance.

bill electronically reproduced 04/22/2026
0
WeVote Research Nonpartisan
Bill Summary · HB 5849

Summary: HB 5849 (Michigan, 2025-2026)

Purpose and intent

  • The bill would require certain data centers operating within Michigan to implement specified security measures to protect against cyber threats and physical or cyber disruptions.
  • It directs operators to adopt a risk-based cybersecurity and resilience program aligned with recognized frameworks (not mandating a single framework or technology).

Key provisions

Security requirements for data centers

  • Operators must ensure security measures to defend against:
    • Cyberattacks on the data center
    • Physical or cyber disruptions to the data center

Risk-based cybersecurity and resilience program

  • Data center operators must implement a risk-based program to achieve the required security measures.
  • The program should be aligned with nationally recognized cybersecurity frameworks and guidance, including:
    • NIST Cybersecurity Framework
    • Guidance from the Cybersecurity and Infrastructure Security Agency (CISA)
  • The bill explicitly states it does not require compliance with any single framework or technology.

System requirements (as applicable)

Based on size, function, and risk profile, operators must use, where applicable:
- Safety-critical systems capable of defaulting to a safe state
- Redundant cooling and thermal controls
- On-site manual override access
- Segmentation of safety systems from public-facing networks

Required plans

Operators must create and maintain:
- An incident response plan, including:
- Responsible personnel, communication procedures, and notification procedures
- System restoration priorities
- Coordination with emergency responders and utilities
- A disaster recovery plan, including:
- System and data restoration priorities
- Backup, redundancy, or continuity strategies appropriate to the facility
- Periodic testing, review, and updating of the plan

Penalties

  • Civil fines: up to $25,000 for each day of violation
  • Enforcement: Prosecutor of the county or the Michigan Attorney General may bring action to collect fines

Definitions

  • "Critical infrastructure": Systems and assets essential for safe and reliable data center operation (e.g., power supply, cooling, fire suppression, network management).
  • "Data center": A qualified data center as defined in specific Michigan tax code sections (relating to sales and use tax acts).

Affected entities

  • Operators of qualified data centers in Michigan. The bill does not specify exemptions beyond what is defined by “data center” in the cited tax code sections, nor does it detail state agency or local government exemptions beyond general applicability.

Procedural and timeline aspects

  • Introduction and status: Introduced and referred to the Committee on Government Operations on April 22, 2026.
  • Next steps: The bill would move through the usual committee and potential floor actions typical of Michigan legislative process. If enacted, compliance would likely be phased in according to the bill’s text and any subsequent implementing rules.

Practical impact

  • Establishes a comprehensive risk-based security framework for data centers, emphasizing both cyber and physical security.
  • Creates mandated planning, including incident response and disaster recovery, with explicit testing and coordination requirements.
  • Introduces civil penalties for noncompliance, providing a financial incentive for adherence.
  • Encourages use of established national standards and guidance, permitting flexibility in choosing appropriate frameworks or technologies.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.