NYT Analysis: How U.S. Tech Giants in the Gulf Became Military Targets
Infrastructure | Technology Infrastructure in Conflict Zone | March 13, 2026


The New York Times analyzed how US technology infrastructure concentration in the Gulf created a novel military target category with implications for financial institutions.


Key Metrics

US Tech Investment: Now military target category (was: Billions). Civilian investment in conflict zone.

Cloud Providers: All face dual-use risk (was: AWS, Azure, GCP, Oracle). Across all hyperscalers.

Financial Institutions: Hundreds dependent (was: N/A). Direct and indirect dependencies.

Risk Taxonomy: + geopolitical + kinetic + dual-use (was: Technical + cyber + natural). New categories post-March 2026.

The Situation

What's at Risk

Cloud Provider Presence

AWS (Bahrain), Azure (UAE), Google Cloud (Qatar/Saudi planned), Oracle (UAE) — billions in combined investment serving as the Gulf economy's cloud backbone.

Telecommunications

Subsea cable landing stations are critical choke points — their disruption would affect global internet routing.

Financial Dependency

Hundreds of financial institutions across MENA, Africa, and South Asia have direct or indirect dependencies.

Targeting Calculus

Iranian planning explicitly considered technology infrastructure as a target to degrade military capabilities, cause economic damage, demonstrate reach, and create political pressure.

The Challenge

Tech Giants as Military Targets

On March 13, 2026, the NYT analyzed how US technology companies' massive Gulf infrastructure investments (data centers, subsea cables, satellite stations) created a novel military target category. The dual-use nature of this infrastructure — civilian services plus military support — blurred its protections under international humanitarian law (IHL).

The analysis documented specific companies with Gulf presence (AWS, Google, Microsoft, Oracle, Meta), the scale of investments, dual-use concerns, and strategic targeting calculations. For DORA Art. 5-6 risk assessments, this provides the intelligence foundation for evaluating Gulf cloud dependencies.

The NYT also documented diplomatic dimensions — US deterrence efforts, Gulf state security measures, and the contested legal protection of commercial data centers during armed conflict.

The Approach

DORA Risk Assessment for Conflict Zones

Art. 5-6 — Intelligence-Informed Assessment

Institutions should assess strategic targeting rationale, dual-use status, diplomatic protections, and escalation scenarios for their cloud regions.

Art. 28-29 — Conflict Zone Concentration

Concentration risk assessments must include geopolitical risk as a factor. Concentration in Gulf regions that was acceptable before the conflict is no longer acceptable.

Art. 30 — Geopolitical Contract Provisions

Contracts should include enhanced notification, emergency migration support, force majeure specifics, and insurance coordination for military scenarios.

The Results

The New Risk Taxonomy

After March 2026, cloud risk taxonomy must expand beyond technical/cyber/natural disaster to include: geopolitical risks, dual-use risks, kinetic risks, regulatory conflict risks, and insurance gap risks. This extended taxonomy must be reflected across all DORA pillars.

Financial institutions should use open-source intelligence monitoring as an input to their ongoing DORA Art. 6 risk assessment processes.

Lessons Learned

  1. DORA Art. 5-6 must include geopolitical risk analysis informed by open-source intelligence.
  2. DORA Art. 29 must treat geopolitical risk as a dynamic concentration factor.
  3. Cloud risk taxonomy must expand to include geopolitical, dual-use, kinetic, and insurance gap risks.
  4. DORA Art. 30 contracts for conflict zones must include enhanced military activity provisions.
  5. Open-source intelligence monitoring should be a continuous input to DORA Art. 6 risk assessments.

Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.
