The Legal and Policy Fallout from Data Center Strikes in the Middle East War

On March 1, drone strikes hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain. Iran’s Islamic Revolutionary Guard Corps (IRGC) explicitly claimed responsibility for the attacks, citing the data centers' role in supporting US military and intelligence networks. The consequences for global business, and for the legal frameworks intended to govern this kind of event, are only beginning to surface.

The strikes critically impaired two out of three cloud availability zones in the UAE region (ME-CENTRAL-1) and one availability zone in the Bahrain region (ME-SOUTH-1). Because multiple zones went down simultaneously, standard redundancy models failed. AWS confirmed structural damage, power disruption, fire, and water damage from suppression systems. Outages were reported by Abu Dhabi Commercial Bank, Emirates NBD, First Abu Dhabi Bank, payments platforms Hubpay and Alaan, data cloud company Snowflake, and the massive ride-hailing platform Careem. Recovery, AWS warned, will be prolonged.

This is the first publicly confirmed military attack on a hyperscale cloud provider. Iranian state media asserted the AWS facilities were legitimate targets because the US military is using AI systems hosted on AWS—such as Anthropic’s Claude—for intelligence analysis and war simulations. Google, Microsoft, and Oracle operate data centers in the same region. While Iran also claimed to have targeted Microsoft facilities, Microsoft officially denied any hits or outages. Nevertheless, these hyperscalers are now sitting in an active war zone.

Business exposure runs far wider than most affected companies realize. Many had no meaningful Middle East presence. Their cloud workloads were simply routed through the region, invisible to them until now. Counterintuitively, Amazon's stock rallied approximately 3% following the attack. Financial analysts note that this physical vulnerability will likely force enterprises to abandon single-region deployments, effectively driving up cloud revenues as companies are forced to pay for multi-region disaster recovery and premium resilience services.

This crisis represents the latest evolution of a historical pattern: when novel private sector technology is utilized in part by state or military actors, it inevitably becomes a legitimate target in geopolitical conflicts. The attacks raise new questions about the security of the UAE's growing AI infrastructure ambitions, including the Stargate UAE campus — a 5-gigawatt AI facility in Abu Dhabi being built under a US-UAE partnership announced during President Donald Trump's May 2025 Middle East tour.. Governments are now being forced to urgently reclassify commercial data centers as critical national security infrastructure, right alongside power plants and oil fields.

A century-old precedent: private infrastructure in the crosshairs

The targeting of international communications infrastructure during wartime has deep historical roots. The global digital economy relies heavily on a vast network of submarine cables, which carry approximately 95 percent of international data traffic. These cables frequently fall victim to geopolitical tensions, such as the 2024 severing of three cables in the Red Sea amid conflicts near Yemen, or similar disruptions near Taiwan in 2023 and 2025 and the Norwegian Arctic in 2021.

Navigating liability for such disruptions requires a nuanced understanding of international law. In maritime domains, instruments like the United Nations Convention on the Law of the Sea (UNCLOS) complicate enforcement by restricting jurisdiction primarily to flag states. While the Enrica Lexie arbitration—which stemmed from the killing of two Indian fishermen by Italian military marines aboard an oil tanker—opened a narrow window, suggesting that intentional acts causing damage are not protected as a mere "incident of navigation,” practical enforcement against states remains elusive.

When a sovereign state deliberately destroys private infrastructure during wartime, the historical legal precedent is even bleaker. To understand the legal complexities surrounding the AWS strikes, it is instructive to examine the Cuba Submarine Telegraph Company, Ltd. (Great Britain) v. United States arbitration of 1923.

During the Spanish-American War of 1898, US naval forces deliberately severed submarine telegraph cables operated by a British company to disrupt Spanish military communications. The company sought compensation for its destroyed property. The tribunal ruled in favor of the United States, establishing a pivotal principle: during armed conflicts, actions taken by a state as legitimate acts of war override private property rights without an obligation to compensate affected entities. Because the private telegraph company was contractually required by Spanish concessions to transmit official government correspondence, its operations were deeply intertwined with enemy military interests.

Today, hyperscale data centers host civilian commercial applications alongside sensitive government services, dual-use infrastructure, and defense workloads. Under the century-old Cuba Submarine precedent, any claims by the private sector against state belligerents for damages from the 2026 strikes are highly unlikely to succeed. The cloud has become the modern telegraph cable.

The data localization trap

If operating in the Gulf Cooperation Council (GCC) carries such immense physical risk, why do hyperscalers and enterprises concentrate so much critical infrastructure there? The answer lies in the proliferation of sovereign data localization mandates.

Increasingly, governments require that certain government services and sensitive public sector data be physically hosted within their borders to ensure digital sovereignty. Consequently, data center providers have limited geographic options if they wish to operate in these lucrative markets; they must build physical facilities locally.

This mandate travels aggressively down the supply chain. Other government tenderers, including defense contractors, civil accounting firms, logistics providers, and IT vendors, must also host their data locally to be eligible to bid for government contracts. By intertwining civilian enterprise data with sovereign government workloads in localized server farms, policymakers and tech platforms inadvertently elevate these facilities to high-value military targets.

The liability trap: obligations of result

With claims against state belligerents practically impossible, who bears the financial cost of unfulfilled service-level agreements, lost data, and destroyed infrastructure? Technology service providers typically reach for force majeure clauses, arguing that acts of war are unforeseeable events that absolve them from liability and from refunding clients.

However, regional civil law frameworks place strict boundaries on the use of force majeure during active conflicts. A landmark triad of Dubai Court judgments; Primary, Appeal, and Cassation, issued in 2017 offers definitive guidance on how regional courts allocate risk. Adjudicating a private aviation dispute over a canceled charter flight caused by the sudden closure of Saudi airspace during the 2015 Yemen War, the courts ruled decisively against the service provider.

The courts clarified that providing a contracted service is an "obligation to achieve a result," not merely an "obligation to exercise care." Because the operator failed to deliver the result, they were in breach. Crucially, the courts dismantled the force majeure defense based on foreseeability: entering a contract during an active regional war means that military disruptions are expected operational risks.

The Dubai Court of Cassation anchored its decision on the absolute doctrine of impossibility and automatic rescission. When sovereign military intervention renders execution impossible, the contract is dissolved, and the burden of risk falls entirely on the "debtor of the obligation,” the service provider.

Applied to the 2026 Iran War, this jurisprudence is a stark warning. If a cloud facility is disabled by a strike, regional courts are likely to view the event as a foreseeable risk of operating in a conflict zone. Without bespoke, explicitly drafted military disruption clauses that shift the financial risk onto the client, tech providers will be legally required to absorb upstream sunk costs and refund their clients entirely.

Navigating the fallout: insurance, migration, and risk protocols

Faced with severe liabilities and virtually no recourse against state attackers, private companies must rapidly pivot their operational and defensive strategies.

First, standard commercial property and business interruption insurance policies frequently exclude acts of war. Companies must aggressively scrutinize their insurance coverage and secure specialized war risk policies to ensure they are protected from geopolitical violence, though such policies are complex and heavily contested by underwriters.

Second, the technical and legal reality of data migration presents a severe bottleneck. Moving workloads out of a structurally damaged facility where physical servers are destroyed and power is cut is practically impossible. If a company's disaster recovery backups are localized within the same targeted region due to compliance laws, that data may be permanently lost. Furthermore, cross-border emergency migrations may violate the very laws that forced the localization in the first place.

Finally, these strikes necessitate an overhaul of data center risk assessment protocols. Procurement teams traditionally evaluate a location's risk profile based on power grid stability, tax incentives, and natural disasters. Moving forward, the location and risk profile of a data center must heavily prioritize geopolitical threat vectors, the defensive posture of the host nation, and the dual-use nature of co-tenants within the facility.

Conclusion: the orbital horizon

The unprecedented attacks on AWS facilities in the GCC represent a watershed moment for technology policy, yet they follow a clear historical continuum. As demonstrated over 100 years ago with submarine telegraph cables, novel private sector technology is inevitably attacked when it is utilized for partial military use.

This evolution will not stop at the Earth’s surface. We can expect the same dynamic to be reflected in private space apparatus. The US Federal Communications Commission (FCC) recently approved 7,500 Starlink satellites, while China has applied for 200,000 satellites with the International Telecommunication Union (ITU). As drone and missile technology becomes more closely operated in low Earth orbit, these vast commercial constellations will face the exact same dual-use vulnerabilities as terrestrial data centers.

The militarization of civilian technology is expanding. Whether at the bottom of the sea, in the deserts of the Middle East, or in the vacuum of space, policymakers and the private sector must prepare for a future where commercial infrastructure is a permanent fixture on the battlefield.