Missile Defense for Data Centers? The New Physical Security Reality After the Gulf Strikes
Missile Defense for Data Centers? The New Physical Security Reality After the Gulf Strikes
The question sounds absurd until you remember what happened on March 20, 2026. Three AWS data center facilities in Bahrain were struck during Iranian retaliatory operations against U.S. military assets. The facilities were not the intended targets — but in a country smaller than Rhode Island that hosts both the U.S. Navy's Fifth Fleet and a major cloud provider's regional infrastructure, the distinction between military and civilian targets becomes academic under a barrage of ballistic missiles.
The strikes have forced a question that no one in the data center industry wanted to ask: what level of physical security is appropriate when your facility is located in a region where military conflict is possible?
The Physical Security Baseline: What Data Centers Were Designed to Withstand
Commercial data center design standards — primarily Uptime Institute's Tier classification and the TIA-942 standard — focus on reliability against environmental and operational threats: power failures, cooling system breakdowns, flooding, fire, and seismic events. The highest standard, Tier IV, guarantees 99.995% uptime through fully redundant infrastructure with fault tolerance.
None of these standards contemplate military attack.
| Threat Category | Tier IV Design Response | Effectiveness Against Military Strike |
|---|---|---|
| Power failure | 2N redundant power, 96-hour fuel reserve | Irrelevant if facility destroyed |
| Cooling failure | 2N redundant cooling | Irrelevant if facility destroyed |
| Fire | VESDA detection, FM-200/Novec suppression | Ineffective against missile-caused fires |
| Flooding | Elevated equipment, water sensors | Not designed for blast-caused flooding |
| Earthquake | Seismic isolation, structural reinforcement | Partial protection against blast effects |
| Physical intrusion | Mantrap, biometric, guards, CCTV | Not designed for military penetration |
| Electromagnetic pulse | Faraday cage (rare, optional) | Partial protection at short range |
| Missile strike | Not addressed | Zero protection |
Chris McGuire, former National Security Council director, told The Guardian that the fundamental issue is not hardening but proximity: "You cannot harden a commercial data center against a modern missile. What you can do is not build them next to military installations. The colocation of military and commercial infrastructure in the Gulf was a policy failure, not an engineering failure."
The Dual-Use Dilemma: An Unsolvable Problem?
Sam Winter-Levy of the Carnegie Endowment for International Peace has written extensively about the weaponization of dual-use infrastructure. His analysis, published on Carnegie's website, argues that "the convergence of military and civilian digital infrastructure in small states creates targeting problems that international humanitarian law has not yet resolved."
The dual-use problem in the Gulf is particularly acute because of the region's geography. Gulf states are small — Bahrain is 780 km², roughly the size of a medium European city — and their modern infrastructure is concentrated in narrow corridors. Physical separation between military bases and commercial data centers would require one or the other to relocate, which neither economic incentives nor defense strategy encourage.
For international humanitarian law (IHL), the principle of distinction requires attackers to distinguish between military and civilian objects. But when military command-and-control systems are collocated with or routed through commercial cloud infrastructure — which intelligence reports suggest was partially the case in Bahrain — the legal calculus becomes murky.
What Physical Hardening Can and Cannot Do
In the wake of the strikes, several data center operators and industry groups have proposed enhanced physical security measures. These range from the practical to the fanciful.
Measures with some defensive value:
- Underground construction: Facilities built 30+ meters underground can withstand conventional munitions. Norway's Green Mountain DC1 (inside a former NATO ammunition bunker) and Sweden's Pionen (former nuclear shelter) demonstrate the model. Cost premium: 200-400% over surface construction.
- Geographic dispersal: Rather than concentrating capacity in a single campus, distributing micro-data centers across a wider area reduces the impact of any single strike. This trades operational efficiency for resilience.
- Blast-resistant perimeter walls: Reinforced concrete walls (300mm+) with anti-fragmentation measures can protect against blast effects from near-miss detonations at 200+ meters. Ineffective against direct hits.
- EMP shielding: Faraday cage construction protects electronics from electromagnetic pulse effects, which can extend well beyond the blast radius. Relevant for facilities near but not at the impact point.
Measures that are impractical or performative:
- Anti-missile defense systems: Commercial data centers cannot operate their own missile defense. This is a military capability that requires sovereign authority, massive investment, and integration with national defense networks.
- Relocatable data centers: Container-based mobile data centers exist for military and disaster response use, but they cannot replicate the capacity, connectivity, or cooling efficiency of permanent facilities.
| Hardening Measure | Cost Premium | Protection Level | Practical for Financial Infrastructure |
|---|---|---|---|
| Underground construction | 200-400% | High (conventional munitions) | Yes, for critical national infrastructure |
| Geographic dispersal | 30-50% | Medium (reduces single-point failure) | Yes, aligns with DORA concentration risk |
| Blast-resistant perimeter | 15-25% | Low (near-miss only) | Yes, reasonable risk reduction |
| EMP shielding | 10-20% | Medium (EMP effects only) | Yes, for critical processing facilities |
| Anti-missile defense | Not feasible | High (theoretical) | No — sovereign military capability |
DORA's Physical Security Requirements: Article 11 and Beyond
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses physical security primarily through Article 11, which requires financial entities to implement "ICT business continuity policy" including response and recovery plans for "severe business disruption." The regulation also requires consideration of "physical security" within the broader ICT risk management framework under Article 9.
However, DORA's physical security provisions were drafted with threats like facility flooding, fire, and unauthorized physical access in mind — not military strikes. The Gulf crisis exposes a gap between the regulation's physical security assumptions and the actual threat landscape in certain regions.
What DORA Requires vs. What the Gulf Demands
The practical implication is that DORA-regulated entities operating in or dependent on infrastructure in conflict-adjacent regions must go beyond the regulation's explicit requirements. A compliant business continuity plan that assumes cloud regions are always recoverable within hours is not adequate when the recovery scenario involves a destroyed facility in an active war zone.
The ESAs' Likely Response
The European Banking Authority has not yet issued specific guidance on physical military threats to ICT infrastructure. However, the EBA's existing regulatory technical standards on ICT risk management include provisions for "extreme but plausible" scenarios in business impact analysis.
Following the Gulf strikes, we expect the ESAs to:
- Issue a statement clarifying that physical destruction of cloud infrastructure falls within the scope of "severe business disruption" under Article 11.
- Update concentration risk assessment criteria to include physical security posture of cloud provider facilities in assessed regions.
- Require enhanced testing scenarios that include permanent loss of a cloud region, not just temporary outage.
Practical Recommendations for Financial Institutions
For DORA-regulated entities, the physical security question is not about building bunkers — it is about making informed decisions about where to place critical workloads and how to recover when a facility is permanently lost.
First, map your physical exposure. Identify every cloud region and data center that hosts your workloads. For each, assess the proximity to military installations, the geopolitical stability of the host country, and the physical security posture of the facility. This goes beyond standard third-party due diligence but is now a practical necessity.
Second, design for permanent loss. Traditional disaster recovery assumes that the primary site will eventually recover. Military strikes may result in permanent facility destruction. Your DR architecture must support indefinite operation from secondary sites without manual intervention that requires access to the destroyed facility.
Third, test with realistic scenarios. Your resilience testing programme should include a scenario where an entire cloud region is permanently unavailable with zero notice. This is not a hypothetical — it is exactly what happened on March 20.
Fourth, reassess your geographic strategy. If your critical workloads are in regions with military installations nearby, consider migration. The India data center ecosystem and European sovereign cloud options offer alternatives with lower kinetic threat profiles.
| Action | Priority | DORA Article | Timeline |
|---|---|---|---|
| Physical exposure mapping | Critical | Art. 9, Art. 28 | Immediate (0-30 days) |
| DR for permanent facility loss | Critical | Art. 11, Art. 12 | 0-90 days |
| Kinetic threat testing scenarios | High | Art. 24, Art. 26 | Next test cycle |
| Geographic strategy review | High | Art. 29 | 0-180 days |
| CTPP physical security assessment | Medium | Art. 31 | Next oversight cycle |
Conclusion
The physical security of data centers has entered a new era. The Gulf strikes have demonstrated that commercial cloud infrastructure can be destroyed by military action, and the industry's response cannot be to build bunkers around every facility. Instead, the response must be architectural: design systems that can survive the permanent loss of any single facility, region, or even country.
For DORA-regulated entities, this means that operational resilience is no longer just about surviving cyberattacks and service outages. It is about surviving the full spectrum of physical threats that modern geopolitics can produce. The institutions that recognized this before March 20, 2026, were prepared. The ones that did not are learning the lesson now.
The age of assuming data centers are protected by their civilian status is over. The only protection that matters is the ability to function without them.
Voir aussi: Data Centers Are Now Military Targets | U.S. Tech Giants in the Gulf | Multi-AZ Assumptions Shattered
Resume en francais
Apres les frappes sur trois installations AWS a Bahrein, l'industrie des centres de donnees fait face a une question fondamentale : quel niveau de securite physique est approprie quand les installations sont situees dans des zones de conflit potentiel ? Chris McGuire, ancien directeur du NSC, affirme que le probleme n'est pas le durcissement mais la proximite avec les installations militaires. Sam Winter-Levy de Carnegie met en garde contre la convergence des infrastructures militaires et civiles. Les normes actuelles (Tier IV, TIA-942) ne prennent pas en compte les attaques militaires. Les mesures de durcissement pratiques — construction souterraine, dispersion geographique, protection anti-EMP — offrent une protection partielle mais a un cout de 200-400%. Pour les entites DORA, la reponse n'est pas de construire des bunkers mais de concevoir des architectures capables de survivre a la perte permanente de n'importe quelle installation. Les Articles 9, 11 et 12 de DORA couvrent la securite physique mais doivent etre reinterpretes a la lumiere des menaces cinetiques.