Iranian Strikes on Data Centers: A Legal Analysis Under International Law and DORA

The Legal Framework: Dual-Use Infrastructure Under International Humanitarian Law

The legal analyses published in March 2026 examined a question that had been theoretical until the Gulf conflict made it urgent: what is the legal status of commercial data centers under international humanitarian law when those data centers serve both civilian and military functions?

The Dual-Use Dilemma

Under the Geneva Conventions and their Additional Protocols, attacks must distinguish between civilian objects and military objectives. Military objectives are defined as objects which by their nature, location, purpose, or use make an effective contribution to military action, and whose total or partial destruction offers a definite military advantage.

Commercial data centers in the Gulf region increasingly fall into a gray zone. The U.S. Department of Defense's cloud strategy has progressively shifted military workloads onto commercial cloud infrastructure — AWS GovCloud, Microsoft Azure Government, and similar services. When a commercial data center in Bahrain or the UAE hosts both a bank's transaction processing system and a military logistics application, the facility's legal classification under IHL becomes ambiguous.

The Just Security analysis (March 12, 2026) argued that the dual-use nature of data centers creates novel IHL challenges. The principle of proportionality requires that even if a data center qualifies as a military objective, the expected incidental damage to civilian functions (including financial services) must not be excessive in relation to the concrete and direct military advantage anticipated. The destruction of a data center hosting financial institution workloads would cause massive civilian harm — potentially disrupting banking services for millions of customers across multiple countries.

The Financial Sector as Collateral Damage

The Tech Policy Press analysis (March 12, 2026) focused specifically on the financial sector implications. Financial institutions that placed workloads in Gulf region cloud facilities did so for legitimate business reasons — proximity to Middle Eastern markets, data sovereignty compliance, competitive latency for regional operations. None of these institutions anticipated that their cloud infrastructure would be located in a military target zone.

The concentration of financial workloads in conflict-zone data centers creates a novel category of systemic risk. If a military strike destroys or disables a cloud region hosting financial institution workloads, the impact cascades through the global financial system:

• Banks lose access to systems of record for customer accounts
• Payment processing capabilities are disrupted for institutions using the affected region
• Data recovery depends on cross-region replication — if replication was configured
• Regulatory reporting and audit trail continuity may be compromised

The Kennedys Law Insurance Analysis

The Kennedys Law analysis (March 17, 2026) examined the insurance and contractual dimensions. Standard cyber insurance policies typically exclude acts of war from coverage. If a data center is destroyed by a military strike, the financial institution's cyber insurance may not cover the resulting losses. This creates an insurance gap: the very scenario most likely to cause catastrophic data loss (military destruction of infrastructure) is the scenario least likely to be covered by standard insurance products.

Cloud service agreements also typically include force majeure clauses that exclude liability for events beyond the provider's control — and military strikes are the paradigmatic force majeure event. A financial institution whose data is destroyed when a military strike hits its cloud provider's data center may find that neither its insurance nor its cloud provider's contractual obligations provide any compensation.

When Bombs Meet Bytes

In March 2026, the escalation of military conflict between the United States and Iran introduced a scenario that no financial regulatory framework had been designed to address: the deliberate military targeting of civilian data center infrastructure in the Persian Gulf region. Legal analyses published by Just Security (March 12), Tech Policy Press (March 12), and Kennedys Law (March 17) examined the international law implications of this unprecedented convergence of kinetic warfare and digital infrastructure.

The Gulf region had become, over the preceding decade, one of the world's fastest-growing data center markets. Major cloud providers including AWS, Microsoft Azure, Google Cloud, and Oracle had established or were building significant data center presence in the UAE, Bahrain, Saudi Arabia, and Qatar. These facilities served not only the local market but also provided cloud capacity for institutions in Europe, Africa, and South Asia. The concentration of cloud infrastructure in a region that was now an active conflict zone created a novel category of operational resilience risk.

The legal analysis was sobering. Under international humanitarian law (IHL), data centers that serve dual-use purposes — supporting both civilian and military operations — could potentially be classified as legitimate military targets. The U.S. military's increasing use of commercial cloud infrastructure for intelligence, logistics, and communications functions blurred the traditional distinction between civilian and military targets. If a commercial data center in Bahrain hosts both financial institution workloads and military logistics applications, its legal status under IHL becomes ambiguous.

For financial institutions operating under DORA, this analysis introduced a risk category that existing frameworks do not explicitly address: the risk of physical destruction of cloud infrastructure due to armed conflict. DORA's third-party risk management framework (Art. 28-44) addresses vendor failures, service disruptions, and concentration risk — but the underlying assumption is that infrastructure failures are accidental or caused by cyber incidents, not that data centers might be deliberately destroyed by military action.

The Gulf data center scenario is not hypothetical. AWS officially confirmed disruptions to its Bahrain region, and multiple reports documented drone and missile activity near data center facilities. The question for financial institutions was immediate and practical: if your cloud workloads are in a region experiencing military conflict, what does your business continuity plan say?

DORA in the Context of Armed Conflict

The Gulf data center scenario tests DORA's framework against an extreme but now demonstrably real threat: the physical destruction of cloud infrastructure due to armed conflict. While DORA was not designed for wartime scenarios, its requirements provide a framework for managing the risks that arise when financial infrastructure is located in or depends on facilities in conflict zones.

Art. 5-6 — ICT Risk Management and Geopolitical Risk

DORA Art. 6(8) requires financial entities to consider the "evolving cyber threat landscape" in their risk assessments. The Gulf conflict expands this requirement beyond cyber threats to include kinetic threats — the physical destruction of infrastructure by military action. For financial institutions with cloud workloads in the Gulf region, the geopolitical risk assessment must now include the probability and impact of military strikes on data center facilities.

This is not a marginal risk. The Gulf region experienced active military operations including drone strikes, missile attacks, and naval operations within miles of major data center facilities. The probability of direct or indirect damage to data center infrastructure was not zero — and DORA's risk management framework requires institutions to assess and manage non-zero risks proportionate to their potential impact.

Art. 11 — Business Continuity for Infrastructure Destruction

DORA Art. 11 business continuity plans typically assume that infrastructure failures are temporary — systems crash, services degrade, but the underlying physical infrastructure remains intact and can be recovered. Military destruction of a data center creates a fundamentally different scenario: the infrastructure is permanently destroyed, data that was not replicated to other regions is lost, and recovery depends entirely on pre-configured cross-region redundancy.

Business continuity plans for financial institutions with Gulf region exposure must include:

• Cross-region data replication ensuring that all critical data is replicated to regions outside the conflict zone in near-real-time
• Workload portability ensuring that applications can be rapidly redeployed to alternative regions without manual reconfiguration
• Data sovereignty compliance ensuring that cross-region replication does not violate data localization requirements in the originating jurisdiction
• Recovery time objectives calibrated for total region loss, not just individual service failure

Art. 28-30 — Cloud Provider Contracts and Force Majeure

The Gulf scenario exposes a critical gap in standard cloud service agreements. Force majeure clauses in cloud contracts typically exclude the provider from liability for service disruptions caused by "acts of war, hostilities, terrorism, or government actions." If a cloud provider's data center is destroyed by a military strike, the financial institution has no contractual remedy against the provider.

DORA Art. 30 specifies key contractual provisions that must be included in agreements with ICT third-party service providers. For cloud services deployed in or near conflict zones, additional contractual provisions should address:

• Cross-region replication guarantees — contractual commitments to replicate critical data to regions outside the conflict zone
• Emergency migration support — provider obligations to assist with rapid workload migration if geopolitical conditions deteriorate
• Force majeure notification — early warning obligations when the provider's facilities are located in or near areas experiencing military activity
• Insurance coordination — clarity on which party's insurance covers losses from military action

Art. 24 — Resilience Testing for Extreme Scenarios

DORA Art. 24 requires financial entities to maintain a resilience testing programme covering "a range of scenarios." Total loss of a cloud region due to military destruction is an extreme scenario, but it is now a documented possibility. Financial institutions should include total region loss in their resilience testing, verifying that cross-region failover works, data integrity is maintained, and recovery times meet critical service requirements.

The New Geography of Digital Risk

The Gulf data center legal analysis fundamentally reshapes how financial institutions must think about geographic risk in cloud infrastructure. The traditional cloud risk calculus — latency, data sovereignty, cost — must now include geopolitical stability as a first-order consideration.

Geographic Risk as ICT Risk

Before the Gulf conflict, data center location decisions for financial institutions were driven primarily by regulatory data sovereignty requirements, network latency to end users, provider pricing and availability, and disaster recovery considerations (avoiding co-location of primary and backup in the same natural disaster zone). The Gulf conflict adds a fifth dimension: geopolitical stability. Data centers located in or near regions experiencing military conflict carry a category of risk that no amount of technical redundancy can fully mitigate. A data center with 99.999% uptime history becomes a single point of failure when it is located in a military target zone.

For DORA compliance, this means that ICT risk assessments for cloud services must include a geopolitical risk evaluation of each cloud region used. This evaluation should consider the region's political stability, its proximity to active or potential conflict zones, the presence of military facilities or dual-use infrastructure in the vicinity, and the legal status of data center facilities under international humanitarian law.

The Insurance Gap

The intersection of war exclusion clauses in cyber insurance and force majeure clauses in cloud contracts creates a coverage gap that leaves financial institutions exposed. If a data center is destroyed by military action, the institution's losses from service disruption, data loss, and recovery costs may be uninsured and uncompensated. Standard insurance products were not designed for this scenario, and the insurance market has not yet developed products that adequately address it.

Financial institutions should review their insurance portfolio to understand the war exclusion gap and explore whether specialized coverage — war risk insurance, political violence insurance — can be adapted to cover digital infrastructure losses. They should also negotiate cloud contract provisions that allocate risk more equitably for conflict zone deployments.

Recommendations for Financial Institutions

Audit cloud region geopolitical risk. Conduct a systematic review of all cloud regions hosting financial institution workloads, assessing each region's geopolitical risk profile including proximity to conflict zones, presence of military infrastructure, and political stability trajectory.

Ensure cross-region replication for conflict-exposed regions. All critical data and workloads hosted in regions with elevated geopolitical risk must have real-time or near-real-time replication to regions in politically stable jurisdictions. Replication must be verified regularly.

Develop cloud region evacuation playbooks. Pre-plan the migration of workloads from conflict-zone cloud regions to alternative regions, including data migration procedures, DNS failover, application reconfiguration, and customer communication. Test these playbooks annually.

Review insurance coverage for military scenarios. Assess whether existing cyber and business interruption insurance covers losses from military destruction of cloud infrastructure. Explore specialized products where gaps exist.

Engage with cloud providers on conflict zone policies. Request cloud providers to provide transparency about their conflict zone policies — including early warning procedures, cross-region migration support, and liability allocation for losses caused by military action affecting their facilities.

The Broader Implications

The Gulf data center scenario marks a new era in operational resilience planning. The assumption that cloud infrastructure operates in a peaceful, stable environment — subject only to technical failures, cyber incidents, and natural disasters — is no longer valid. Financial institutions must incorporate geopolitical risk into their cloud strategy, their business continuity planning, and their DORA compliance frameworks. The map of digital risk now includes the map of geopolitical risk.