When Drones Hit the Cloud: Iran's Strikes on AWS Data Centers and the DORA Reckoning for Gulf Finance
The Day the Cloud Got Hit
The tech industry talks about "the cloud" as though it were something abstract and untouchable. But the cloud runs on data centers, those data centers have a physical address, and on March 1, 2026, that address was hit by Iranian drones.
Three data centers operated by Amazon Web Services — two in the United Arab Emirates and one in Bahrain — were struck by Iranian drones or missiles during the broader Iran-U.S. military escalation. The attacks forced the facilities offline and led to service outages affecting banking, payments, delivery apps, and enterprise software across the Gulf region.
This was not a software bug. Not a configuration error. Not a cooling system failure. This was the first deliberate military strike on cloud infrastructure in history.
For the 22,000 EU financial entities governed by the Digital Operational Resilience Act — and for every financial institution that runs workloads on hyperscale cloud providers — the implications are profound. DORA's framers wrote Article 29 on concentration risk, Article 28(8) on exit strategies, and Articles 31-44 on Critical Third-Party Provider oversight because they understood that systemic dependence on a small number of technology providers creates systemic risk. They just didn't anticipate that the risk would manifest as a drone strike.
What Happened: Timeline and Impact
According to reporting by Fortune, the Financial Times, and regional news coverage, the sequence of events unfolded as follows:
| Date | Event | Financial Services Impact |
|---|---|---|
| March 1, 2026 | Iranian drones/missiles strike two AWS data centers in UAE and one in Bahrain | Facilities forced offline immediately |
| Hours 1-4 | Banking and payment systems across Gulf begin failing | ATMs, POS terminals, mobile banking disrupted region-wide |
| Hours 4-12 | Enterprise software outages cascade across sectors | Logistics, delivery, government services, trading platforms impacted |
| March 1+ | Iran's Fars News Agency claims Bahrain facility targeted for military/intelligence role | Dual-use nature of commercial cloud infrastructure confirmed publicly |
| Following week | Iran closes Strait of Hormuz; Houthi threats resurface in Red Sea | 17 submarine cables carrying EU-Asia-Africa data traffic at risk |
Iran's Fars News Agency stated on Telegram that the Bahrain facility had been deliberately targeted "to identify the role of these centers in supporting the enemy's military and intelligence activities." AWS declined to comment. The U.S. military uses AWS to run some workloads, including running Anthropic's AI model Claude for intelligence functions — making commercial cloud infrastructure a legitimate military target in Iran's calculus.
Figure 1: Attack cascade — from drone strikes to DORA regulatory implications
The Dual-Use Problem DORA Didn't Name
DORA's concentration risk provisions in Art. 29 address commercial dependency — the risk that financial entities rely too heavily on too few technology providers. What the regulation did not explicitly address is the dual-use problem: commercial cloud infrastructure that simultaneously serves financial institutions and military operations becomes a military target.
The Pentagon's Joint Warfighting Cloud Capability and its Joint All-Domain Command and Control networks run on the same commercial infrastructure that serves banks and ride-hailing apps. Several news organizations reported that the U.S. military used Anthropic's AI model Claude — running on AWS — for intelligence assessments, target identification, and battle simulations during the Iran strikes themselves.
As Zachary Kallenborn, a PhD researcher at King's College London who co-authored a study on globally critical infrastructure in the journal Risk Analysis, told Fortune:
"If data centers become critical hubs for transiting military information, we can expect them to be increasingly targeted by both cyber and physical attacks."
He added that in conversations with senior officials around the world, "basically no one is thinking about these risks in a systematic way."
This is precisely the gap DORA was designed to close — at least on the commercial side.
DORA Article 29: Concentration Risk Proven Kinetically
Art. 29 of DORA requires financial entities to assess whether ICT third-party arrangements create concentration risk. The assessment criteria in Art. 29(2) map directly to the Gulf strikes:
| Art. 29(2) Criterion | Pre-Strike Compliance Assessment | Post-Strike Reality |
|---|---|---|
| (a) Non-substitutability | "AWS has high market share but alternatives exist" | No operational failover when facilities physically destroyed |
| (b) Multiple arrangements with same provider | "We use AWS for multiple services" | All services — compute, storage, networking, AI — lost simultaneously |
| (c) Systemic concentration across entities | "Other banks also use AWS" | Entire regional banking system disrupted in parallel |
| (d) Geographic concentration | "Multi-AZ deployment covers UAE + Bahrain" | Both countries struck in single coordinated military operation |
The pre-strike assessment would have checked every box on a compliance form. The post-strike reality exposed every assumption as insufficient.
Physical Security: The Gap in DORA's Framework
DORA's ICT risk management framework (Art. 5-16) addresses cyber threats, software failures, and third-party dependencies. It does not explicitly address physical military attacks on ICT infrastructure.
Data centers have long maintained physical security — fences, access controls, cameras — aimed at preventing ground-level espionage or sabotage. But as Sam Winter-Levy, a fellow at the Carnegie Endowment for International Peace, told the Financial Times:
"If you knock out some of the chillers you can take them fully offline."
The exposed infrastructure — cooling units, diesel generators, gas turbines — can be disabled without a direct hit on the server halls. Data centers are sprawling, visible complexes.
Chris McGuire, who worked on technology policy at the National Security Council under the Biden administration, told the Guardian:
"If you're actually going to double down on the Middle East, maybe it means missile defense on data centers."
This represents a new category of operational resilience risk:
| Risk Category | Current DORA Coverage | Post-Strike Assessment |
|---|---|---|
| Cyberattack | Comprehensive (Art. 5-16, 17-23, 24-27) | Unchanged |
| Software failure | Comprehensive (Art. 7, 11, 12) | Unchanged |
| Third-party technical failure | Comprehensive (Art. 28-44) | Validated |
| Natural disaster | Implicit (Art. 11 business continuity) | Needs strengthening |
| Military/kinetic strike | Not explicitly addressed | Critical gap — new threat category |
| Geopolitical supply chain disruption | Implicit (Art. 29 concentration) | Needs explicit treatment |
| Submarine cable severance | Not addressed | Must enter Art. 8 asset registers |
The Submarine Cable Dimension
The physical infrastructure risk extends beyond data centers. Seventeen submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. With Iran's closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea, both critical data chokepoints are now in active conflict zones simultaneously.
Doug Madory, director of internet analysis at network intelligence firm Kentik, told Rest of World:
"Closing both choke points simultaneously would be a globally disruptive event. I'm not aware of that ever happening."
For financial institutions, submarine cable disruption means cross-border payment settlement delays (SWIFT and correspondent banking depend on these cables), cloud replication failure between regions, and disaster recovery site unreachability. Art. 8 of DORA requires financial entities to identify all ICT assets supporting business functions — most institutions' Art. 8 registers do not extend to submarine cable routing or geopolitical exposure of their connectivity dependencies.
DORA's CTPP Framework: Validated by Violence
AWS was designated a Critical Third-Party Provider under DORA in November 2025, along with 18 other providers. The designation gives the European Supervisory Authorities direct oversight powers under Art. 31-44.
The Iranian strikes validate the CTPP framework's fundamental thesis: when 15 companies represent 62% of the global technology market, their physical infrastructure is systemically important and warrants regulatory oversight.
But the framework's current scope — focused on cyber resilience and operational processes — must now expand to include physical resilience of CTPP facilities and geopolitical risk assessment of their geographic footprint.
Figure 3: The dual-use problem — military and commercial workloads share physical infrastructure
Exit Strategy Credibility: Art. 28(8) After the Strikes
Art. 28(8) requires documented exit strategies for every ICT third-party arrangement supporting critical or important functions. Post-strikes, the credibility bar has changed fundamentally:
- Multi-region within a single provider is not sufficient. Deploying across UAE + Bahrain AWS regions was best practice. Both were struck in the same military operation. Multi-region within a single provider's geographic cluster provides zero protection against coordinated physical attacks.
- Multi-cloud becomes operationally mandatory. Genuine diversification requires workloads running on independent providers with physically separate infrastructure in geographically uncorrelated locations.
- Data sovereignty creates exit barriers. Gulf financial regulations require data residency within the GCC. If all GCC-located cloud facilities of a single provider are destroyed, data sovereignty and business continuity requirements directly conflict.
- Recovery timelines must account for physical destruction. A technical outage resolves in hours. Physical facility destruction requires weeks or months. RTO targets must reflect this new reality.
The Gulf AI Hub Ambitions: Disrupted
The strikes land at a particularly fraught moment for the Gulf's ambitions to become a global hub for artificial intelligence. President Trump's Gulf tour in May 2025 generated over $2 trillion in investment pledges, including the planned Stargate UAE campus in Abu Dhabi — what would be the largest AI facility outside the United States. Amazon committed $5 billion to an AI hub in Saudi Arabia.
Winter-Levy warned that physical attacks on data centers "are only going to become more common moving forward as AI becomes more and more significant." He called the strikes "a harbinger of what's to come" and warned that such attacks would not be limited to the Middle East.
Immediate Actions for DORA-Regulated Entities
| Priority | Action | DORA Reference |
|---|---|---|
| Critical | Reassess geographic concentration of all cloud workloads against geopolitical risk | Art. 29 |
| Critical | Validate exit strategies assume physical facility destruction, not just technical outage | Art. 28(8) |
| Critical | Test DR/BC plans against multi-facility physical loss scenarios — see our testing programme roadmap | Art. 11, Art. 25 |
| High | Update ICT asset registers with physical infrastructure: data center locations, submarine cable routes, conflict zone proximity | Art. 8 |
| High | Assess dual-use exposure — does your cloud provider serve military clients in your hosting region? | Art. 29 |
| High | Review CTPP oversight and engage with ESA consultations on physical resilience requirements | Art. 31-44 |
| Medium | Update board reporting to include geopolitical infrastructure risk as standing agenda item | Art. 14 |
| Medium | Evaluate submarine cable dependencies for cross-border operations | Art. 8 |
Key Takeaways
- Cloud infrastructure is now a military target. The Iranian strikes on AWS data centers in the UAE and Bahrain are the first deliberate military attack on cloud infrastructure in history — but experts warn they won't be the last.
- DORA's concentration risk framework (Art. 29) was validated — but needs expansion. The regulation correctly identified systemic dependence on few providers as a risk. It did not anticipate kinetic military attacks as the threat vector.
- Multi-region deployment within a single provider's geographic cluster provides no protection against coordinated military strikes. Genuine multi-cloud and multi-geography diversification is now a non-negotiable resilience requirement.
- The dual-use nature of commercial cloud — serving both civilian financial services and military operations — creates a new category of concentration risk that DORA's next revision must address explicitly.
- Physical infrastructure mapping must enter the Art. 8 asset register. Data center locations, submarine cable routes, and their proximity to conflict zones are now first-order operational resilience factors.
- Exit strategies (Art. 28(8)) must be tested against facility destruction scenarios, not just technical failures. Recovery timelines of hours become weeks when infrastructure is physically destroyed.
- Board directors (Art. 14) need to understand that cloud provider selection is now a geopolitical strategic decision, not just a technology procurement choice.
The cloud is not abstract. It has an address. And that address can be hit by a drone.
Sources: Fortune (Jeremy Kahn, "Iran's attacks on Amazon data centers in UAE, Bahrain signal a new kind of war," March 9, 2026), Financial Times, Rest of World, The Guardian, Risk Analysis journal (Kallenborn et al., "Globally Critical Infrastructure"), Carnegie Endowment for International Peace, EBA CTPP designation, SecurityScorecard, AWS status communications, Iran Fars News Agency.
Quand les drones frappent le cloud
Le 1er mars 2026, des drones et missiles iraniens ont frappe trois centres de donnees operes par Amazon Web Services — deux aux Emirats arabes unis et un a Bahrein. C'etait la premiere frappe militaire deliberee sur une infrastructure cloud de l'histoire. Les attaques ont force la mise hors service des installations, entrainant des pannes bancaires, de paiement et de logiciels d'entreprise a travers le Golfe.
L'agence de presse iranienne Fars a declare que l'installation de Bahrein avait ete deliberement ciblee pour "identifier le role de ces centres dans le soutien aux activites militaires et de renseignement de l'ennemi." L'armee americaine utilise AWS pour certaines charges de travail, y compris le modele d'IA Claude d'Anthropic pour des fonctions de renseignement — faisant de l'infrastructure cloud commerciale une cible militaire legitime dans le calcul iranien.
Pour les entites financieres europeennes regies par DORA, les implications sont sismiques. L'article 29 sur le risque de concentration, l'article 28(8) sur les strategies de sortie, et les articles 31-44 sur la surveillance des prestataires tiers critiques s'averent plus prescients que quiconque ne l'avait imagine — mais le cadre doit maintenant s'etendre pour inclure le risque militaire cinetique et l'evaluation geopolitique.
Les conclusions cles : le deploiement multi-region au sein d'un meme fournisseur ne protege pas contre les frappes militaires coordonnees. La nature double usage du cloud commercial — servant a la fois les services financiers civils et les operations militaires — cree une nouvelle categorie de risque de concentration. Les strategies de sortie doivent etre testees contre des scenarios de destruction d'installations. Et la cartographie des infrastructures physiques — centres de donnees, cables sous-marins, leur proximite avec les zones de conflit — doit entrer dans le registre d'actifs de l'article 8.
Le cloud n'est pas abstrait. Il a une adresse. Et cette adresse peut etre frappee par un drone.