India's Data Center Boom: How the Gulf Strikes Accelerated South Asia's Cloud Ambitions

The Migration Wave: Scale, Speed, and Challenges

The migration of cloud workloads from Gulf to Indian regions unfolded rapidly in March 2026, creating both opportunities and risks for the financial sector.

Scale of Migration

Industry reports indicated that cloud workload migration requests to Indian regions increased by 300-400% in the two weeks following the first confirmed disruptions to Gulf data center facilities. Major cloud providers expedited capacity expansion in their Indian regions, with AWS reportedly accelerating the deployment of additional server capacity in Mumbai and Hyderabad, and Microsoft fast-tracking planned Azure expansion in Pune and Chennai.

Financial institutions led this migration wave. Banks, insurers, and payment processors with Gulf operations were among the first to initiate migrations, driven by the immediate operational impact of the AWS Bahrain disruption and the risk committee imperative to reduce exposure to conflict-zone infrastructure. The migration included not just primary workloads but also disaster recovery infrastructure — institutions that had used Gulf regions as DR sites for their Asian or African operations redirected DR to Indian regions.

Capacity Constraints

The rapid influx of workloads tested Indian data center capacity limits. While India had been investing heavily in data center infrastructure — with planned capacity additions of several gigawatts over the 2024-2028 period — the sudden demand surge created localized capacity constraints. Power allocation, cooling capacity, and network interconnection bandwidth were the primary bottlenecks. Some institutions reported multi-week waiting times for provisioning new cloud infrastructure in the most popular Indian regions.

Regulatory Navigation

The migration required institutions to navigate a complex regulatory landscape. India's data protection framework (Digital Personal Data Protection Act 2023) imposes requirements on cross-border data transfers that institutions must comply with when migrating workloads from other jurisdictions. Additionally, some GCC data sovereignty regulations prohibit the transfer of certain categories of financial data outside the Gulf region — creating a potential conflict between the regulatory requirement to keep data in the Gulf and the operational imperative to move it to a safer location.

For DORA-subject institutions, this regulatory complexity affected the speed and scope of migration. Institutions had to balance compliance with multiple data sovereignty regimes while executing urgent workload migrations — a challenge that pre-incident planning had not always anticipated.

The New Concentration Risk

Perhaps the most significant risk created by the migration was the formation of a new concentration of financial workloads in Indian cloud regions. If hundreds of financial institutions simultaneously converge on AWS Mumbai and Azure Central India, those regions become critical infrastructure for a significant portion of Middle Eastern and South Asian financial services. A failure in these Indian regions would then cascade through the same institutions that migrated from the Gulf — potentially creating a worse concentration risk than the one they were fleeing.

DORA Art. 29's requirement for ongoing concentration risk assessment applies here: institutions must continuously monitor whether their migration decisions are creating new concentrations that require their own mitigations.

The Great Cloud Migration

The Gulf military strikes of March 2026 triggered an unprecedented acceleration in the migration of cloud workloads away from Middle Eastern data center regions toward perceived safer alternatives. India, with its growing data center infrastructure, favorable regulatory environment, and geographic proximity to both the Middle East and Southeast Asia, emerged as the primary destination for this migration.

Multiple reports from March 2026 documented the phenomenon. Financial institutions that had placed workloads in Gulf region cloud facilities — AWS Bahrain, Azure UAE, Oracle Cloud Abu Dhabi — began evaluating and executing migrations to Indian cloud regions (AWS Mumbai ap-south-1, Azure Central India, Google Cloud Mumbai). The migration was driven not by a single regulatory mandate but by risk committee decisions at individual institutions, each independently concluding that the geopolitical risk of Gulf region cloud deployment had become unacceptable.

The scale of the migration created its own challenges. India's data center capacity, while growing rapidly, was not dimensioned for a sudden influx of workloads from the Gulf region. Leading data center operators (Adani Group, Reliance Jio, NTT India, STT GDC) reported surge demand for colocation space and cloud interconnection capacity. Power and cooling infrastructure — already stretched in some Indian data center markets — faced additional pressure.

For DORA compliance, the India data center boom illustrates a secondary effect of geopolitical risk on cloud infrastructure: the migration of workloads from disrupted regions creates concentration risk in destination regions. If hundreds of financial institutions simultaneously migrate from Gulf to India, the Indian cloud regions themselves become a new concentration risk that must be assessed under DORA Art. 29. The solution to one concentration risk can create another.

The migration also tested data sovereignty frameworks. Financial institutions moving workloads from the Gulf to India had to navigate Indian data localization requirements, cross-border data transfer regulations, and the interaction between GCC data sovereignty rules (which may require data to remain in the Gulf) and the operational imperative to move workloads to a safer region.

DORA and the Geography of Cloud Resilience

The India data center boom following the Gulf strikes provides critical lessons for DORA's treatment of cloud geography, concentration risk dynamics, and the interaction between geopolitical events and cloud infrastructure planning.

Art. 29 — Dynamic Concentration Risk

The India migration demonstrates that concentration risk is dynamic, not static. An institution's concentration risk profile changes not only when it adds or removes vendors but when external events cause coordinated migration across the sector. DORA Art. 29's ongoing concentration risk assessment must account for herd behavior — the tendency of financial institutions to simultaneously migrate toward or away from specific cloud regions in response to shared threat perceptions.

This creates a paradox: the individually rational decision to migrate from a disrupted region creates a collectively irrational outcome when hundreds of institutions make the same decision simultaneously. The destination region becomes the new concentration risk. Effective DORA compliance requires institutions to consider not just their own concentration but the sector's aggregate concentration in each cloud region.

Art. 28 — Multi-Region Cloud Strategy

The Gulf-to-India migration validates the importance of multi-region cloud strategies for DORA Art. 28 compliance. Institutions that had pre-established presence in multiple cloud regions across different geopolitical zones were able to execute smooth migrations. Institutions attempting to establish new cloud region presence under crisis conditions faced delays, capacity constraints, and regulatory complexity.

DORA Art. 28's third-party risk management framework should drive institutions to pre-establish cloud presence in multiple geopolitically diverse regions as a standing resilience measure — not as a crisis response. The time to establish a cloud region presence is before you need it, not during a geopolitical emergency.

Art. 6(8) — Geopolitical Risk as ICT Risk

The India data center boom reinforces the lesson from the AWS Bahrain disruption: DORA Art. 6(8)'s requirement to consider the broader risk landscape means that geopolitical risk assessment must be integrated into cloud strategy. Financial institutions should classify cloud regions by geopolitical risk tier, implement workload placement policies that distribute critical workloads across geopolitically diverse regions, and maintain migration playbooks for rapid workload redistribution when geopolitical conditions change.

Data Sovereignty Harmonization

The regulatory complexity of the Gulf-to-India migration highlights the need for international data sovereignty harmonization — or at least mutual recognition frameworks — that allow emergency cross-border data movement during physical infrastructure threats. Without such frameworks, financial institutions face impossible choices between compliance and resilience during crises.

Reshaping the Global Cloud Map

The Gulf-to-India cloud migration of March 2026 is reshaping the global geography of financial services cloud infrastructure, with implications that extend well beyond the immediate crisis.

India's Data Center Ascent

India is emerging as a Tier-1 cloud destination for global financial services. The combination of geopolitical stability (relative to the Gulf), regulatory modernization (Digital Personal Data Protection Act 2023), growing data center capacity (projected 2+ GW by 2028), and network connectivity improvements positions India as a credible alternative to Gulf regions for Middle Eastern, African, and South Asian financial institution workloads.

However, India's ascent creates its own risks. The rapid concentration of financial workloads in Indian cloud regions creates the same systemic dependency that DORA is designed to address. If Indian data center infrastructure becomes as concentrated as Gulf infrastructure was, a future disruption — whether from natural disaster, political instability, or infrastructure failure — would cascade through the same institutions that sought safety in migration.

The Multi-Region Imperative

The fundamental lesson is that no single cloud region — regardless of its perceived stability — should be the sole host for critical financial workloads. The principle of geographic diversification that applies to physical infrastructure applies equally to cloud infrastructure. Financial institutions should distribute workloads across geopolitically diverse regions, maintain failover capability across at least two geographically distant regions, and regularly reassess the geopolitical risk profile of every cloud region in their portfolio.

Implications for DORA Compliance

Financial institutions should update their DORA Art. 29 concentration risk assessments to reflect post-migration workload distribution, ensuring that the migration from Gulf to India has not created a new single-point-of-failure dependency. They should review cloud contracts to ensure that DORA Art. 30 exit strategy provisions cover the scenario of geopolitical deterioration in the destination region, not just the origin region. And they should include the India migration experience in their DORA Art. 24 resilience testing scenarios — verifying that their migration playbooks work and that destination region capacity is sufficient.