U.S. Tech Giants in the Gulf: From Trillion-Dollar Investments to Drone Targets
U.S. Tech Giants in the Gulf: From Trillion-Dollar Investments to Drone Targets
On March 13, 2026, the New York Times published an investigation titled "U.S. Tech Giants Flocked to the Persian Gulf. Now They Are Targets." The piece detailed how the largest technology companies in the world had concentrated extraordinary capital and infrastructure in a region that was, almost overnight, transformed from a growth market into an active conflict zone.
The numbers are staggering. Over $2 trillion in combined investment pledges had been made by U.S. technology companies to Gulf states in the three years preceding the conflict. These investments were not speculative — they represented physical infrastructure: data centers, AI training clusters, submarine cable landing stations, and edge computing nodes that served as the digital backbone for financial institutions across the Middle East, North Africa, and South Asia.
For DORA-regulated entities, the NYT investigation reads like a case study in exactly the kind of concentration risk that Articles 28-30 were designed to prevent.
The Investment Map: $2 Trillion in the Crosshairs
The scale of U.S. tech investment in the Gulf is difficult to overstate. What began as data center expansion to serve growing regional markets evolved into a geopolitically entangled web of AI infrastructure, government partnerships, and defense-adjacent computing.
| Company | Investment | Location | Status Post-Conflict |
|---|---|---|---|
| Microsoft/OpenAI | Stargate AI project | UAE (Abu Dhabi) | Operations suspended; staff evacuated |
| Amazon | $5B AI hub | Saudi Arabia (Riyadh/Jeddah) | Construction halted; existing ops limited |
| Cloud region + subsea cable | Qatar, Oman | Operational but degraded connectivity | |
| Oracle | Cloud regions | Saudi Arabia, UAE | Partially operational; latency issues |
| Meta | AI training cluster | UAE | Evacuated; equipment status unknown |
The Stargate project alone — a joint venture between Microsoft, OpenAI, and UAE sovereign wealth interests — represented the single largest AI infrastructure investment outside the United States. Its physical location in the UAE placed it within the operational theater of the Iran conflict.
Amazon's $5 billion Saudi AI hub, announced with great fanfare as a cornerstone of Vision 2030, was still under construction when the conflict escalated. But Amazon's existing Bahrain infrastructure (the me-south-1 region) was directly impacted by the March 20 strikes.
Why the Gulf? The Gravitational Pull of Sovereign Capital
Understanding why U.S. tech companies concentrated so heavily in the Gulf requires understanding the economic incentives that made the region irresistible.
Gulf sovereign wealth funds offered three things that no other market could match simultaneously: massive capital (with minimal return timeline pressure), regulatory flexibility (particularly around AI ethics and data governance), and strategic geographic position (as a hub between Europe, Africa, and Asia).
For cloud providers, the Gulf offered something equally compelling: a customer base of financial institutions, oil companies, and government agencies that were rapidly digitalizing and had limited alternatives to hyperscale cloud services.
The problem — now visible in hindsight — is that these economic incentives aligned with geographic factors that also made the region militarily significant. The U.S. Fifth Fleet in Bahrain, Al Udeid Air Base in Qatar, and Al Dhafra Air Base in the UAE created a military overlay on top of commercial infrastructure that made separation impossible during conflict.
DORA's Third-Party Risk Framework: Tested Under Fire
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) established a comprehensive framework for managing ICT third-party risk. The Gulf crisis is testing every element of that framework simultaneously.
Concentration Risk Assessment (Article 29)
DORA Article 29 requires financial entities to identify and assess concentration risk in their ICT third-party arrangements. The standard interpretation focuses on provider-level concentration: how many institutions depend on AWS, Azure, or Google Cloud.
The Gulf crisis reveals a deeper layer: investment-driven geographic concentration. When cloud providers follow sovereign capital into a specific region, they create a gravitational effect that pulls financial institutions into the same geographic dependency. A European bank that chose AWS's Bahrain region for Middle East operations did not consciously choose to place its data near a military target — but that is exactly what happened.
Critical Third-Party Provider Oversight (Articles 31-44)
The ESAs' oversight framework for critical third-party providers (CTPPs) was designed to ensure that systemically important cloud providers maintain adequate resilience. The Gulf strikes raise a fundamental question: does "adequate resilience" include the ability to survive kinetic military attack?
The answer, practically speaking, is no. No commercial data center is designed to withstand missile strikes. But DORA's framework does require CTPPs to have business continuity arrangements, and it requires financial entities to have exit strategies that can be executed when a CTPP can no longer deliver services.
| DORA Requirement | Pre-Crisis Compliance | Post-Crisis Gap |
|---|---|---|
| Art. 28: Exit strategies | Documented but untested | Activated under duress; many found inadequate |
| Art. 29: Concentration risk | Provider-focused only | Geographic + geopolitical dimensions ignored |
| Art. 30: Key contractual provisions | SLA-focused | No provisions for force majeure via military conflict |
| Art. 31-44: CTPP oversight | Focused on cyber resilience | Physical resilience of infrastructure unaddressed |
The Subcontracting Chain Problem
One of the less visible risks exposed by the Gulf crisis is the depth of the subcontracting chain. A European financial institution might have a direct contract with AWS for its European region, but that region's availability can depend on subsystems — DNS, certificate management, control plane operations — that route through or depend on infrastructure in other regions, including the Gulf.
DORA's provisions on subcontracting require visibility into the ICT supply chain. The Gulf crisis has demonstrated that this visibility must extend to the physical geography of every link in the chain.
The Insurance Question
An underexplored dimension of the Gulf tech concentration is insurance. Commercial property insurance policies for data centers typically exclude acts of war. Cyber insurance policies cover digital attacks, not physical destruction.
This creates a coverage gap that no financial institution planned for: the physical destruction of a cloud provider's infrastructure during a military conflict may not be covered by any standard insurance product. The financial exposure — not just to service disruption but to the permanent loss of data that was not replicated outside the conflict zone — is potentially enormous.
For DORA-regulated entities, this intersects with the regulation's requirements around ICT risk management. Risk assessments that did not account for the war exclusion in their cloud provider's insurance coverage are, in retrospect, incomplete.
Lessons for the DORA Community
The Gulf tech investment crisis offers several concrete lessons for financial institutions navigating DORA compliance.
First, geographic diversification is not optional. The convenience of placing Middle East operations in Gulf cloud regions must be weighed against the geopolitical risk of those regions. The emerging alternative — India's data center ecosystem — offers geographic separation from the Gulf conflict while maintaining reasonable latency to Middle East markets.
Second, exit strategies must be tested, not just documented. DORA Article 28's exit strategy requirement is only meaningful if the exit can be executed under crisis conditions. A plan that requires 90 days of orderly migration is useless when the data center is destroyed in an afternoon. Financial institutions should maintain warm standby environments in geographically independent regions that can absorb production traffic within hours, not months.
Third, concentration risk assessment must include geopolitical analysis. The Herfindahl-Hirschman Index (HHI) for cloud concentration is a useful tool, but it measures provider concentration, not geographic or geopolitical concentration. Institutions need a multi-dimensional concentration risk model that incorporates military presence, cable route dependency, and sovereign alignment risk.
Fourth, the register of information must be living, not static. DORA's register of information requirement exists precisely so that institutions can answer the question "what is our exposure?" within hours of a crisis. Those that treated the register as a compliance checkbox discovered its value the hard way.
| Lesson | DORA Article | Practical Action |
|---|---|---|
| Geographic diversification | Art. 29 | Mandate cross-continental redundancy for critical workloads |
| Tested exit strategies | Art. 28 | Quarterly failover exercises to independent regions |
| Geopolitical risk in concentration assessment | Art. 29 | Add military proximity and cable route analysis to HHI |
| Living register of information | Art. 28 | Real-time dependency mapping with automated alerting |
What Comes Next
The $2 trillion question is whether U.S. tech companies will maintain their Gulf investments after the conflict ends. The infrastructure is physically present (where it survived), the sovereign relationships are deep, and the economic incentives have not disappeared.
But the risk calculus has permanently changed. Every future investment decision in the Gulf will carry the asterisk of March 2026. And for DORA-regulated entities that depend on this infrastructure, the message from the European supervisory authorities is likely to be unambiguous: you cannot outsource geographic risk assessment to your cloud provider.
The ESMA strategic priorities already identified digital resilience as a key supervisory focus. The Gulf crisis will accelerate that focus and, almost certainly, lead to enhanced concentration risk guidance that explicitly addresses the kind of geopolitical entanglement that turned trillion-dollar investments into drone targets.
Voir aussi: Data Centers Are Now Military Targets | Submarine Cables Through the Strait of Hormuz | Multi-AZ Assumptions Shattered
Resume en francais
Avant le conflit americano-iranien de 2026, les geants technologiques americains avaient engage plus de 2 000 milliards de dollars d'investissements dans les Etats du Golfe. Le projet Stargate de Microsoft aux EAU, le hub IA de 5 milliards d'Amazon en Arabie saoudite et les regions cloud de Google au Qatar representaient une concentration massive d'infrastructure numerique dans une zone qui est devenue un theatre de conflit actif. L'enquete du New York Times du 13 mars 2026 a revele comment ces investissements, attires par le capital souverain et la flexibilite reglementaire, ont cree une vulnerabilite systemique pour les institutions financieres du monde entier. Pour les entites reglementees par DORA, la crise impose une reevaluation complete du risque de concentration (Art. 29), des strategies de sortie (Art. 28) et de la surveillance des tiers critiques (Art. 31-44), en integrant desormais l'analyse geopolitique et militaire dans le cadre de gestion des risques ICT.