On 1 March 2026, Iranian drone strikes physically damaged three Amazon Web Services data centres — two in the United Arab Emirates and one in Bahrain. The attacks caused service outages across banking, payments, delivery platforms and enterprise software throughout the region. Iran’s Islamic Revolutionary Guard Corps claimed responsibility, stating the strikes targeted these facilities for their role in supporting military and intelligence operations.
This was not a cyber attack. It was a kinetic strike on cloud infrastructure. And it has fundamentally changed the risk calculus for every investor, operator and enterprise customer with a stake in Gulf-based digital infrastructure.
Prior to this conflict, the Gulf was on track to become one of the world’s most important hubs for AI and cloud computing. More than $300 billion in planned data centre, chip and AI investments were in the pipeline. OpenAI’s Stargate campus in the UAE, Microsoft’s $15 billion UAE commitment, and builds from Google, Oracle and numerous other hyperscalers were all premised on a single assumption: that the region was stable enough to host critical digital infrastructure at scale. That assumption is no longer viable without serious qualification.
The New Risk Category
Analysts at the Center for Strategic and International Studies have noted that data centres may now be considered legitimate military targets in modern armed conflict. This is a paradigm shift. Until March 2026, the threat model for data centres was overwhelmingly cyber — state-sponsored groups exploiting software vulnerabilities, ransomware, denial-of-service attacks. The physical security conversation centred on natural disasters, power resilience and cooling. Nobody was stress-testing for drone strikes.
The implications ripple far beyond the three facilities that were hit. If data centres are military targets, then every geopolitical risk assessment for digital infrastructure needs to be rewritten. Site selection, insurance, business continuity planning, contractual force majeure provisions, and — critically — the investment theses underpinning billions of dollars of committed capital all need to be revisited.
The Dual Chokepoint Problem
The physical strikes are only half the story. Seventeen submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia and Africa. With Iran’s closure of the Strait of Hormuz and renewed Houthi attacks in the Red Sea, both critical data chokepoints are now in active conflict zones simultaneously. Both physical and data corridors compromised at the same time — an unprecedented situation.
For any business dependent on low-latency connectivity between Europe and Asia — which includes financial services, SaaS platforms, e-commerce and media — this represents a material operational risk. Rerouting data traffic adds latency, reduces capacity, and introduces single points of failure on alternative paths that were never designed to carry this volume.
What This Means for TMT Investors
For PE and VC funds with cloud-dependent portfolio companies: Verify disaster recovery and multi-region replication arrangements for any portfolio company with infrastructure hosted in Gulf cloud regions. If any portfolio company provides SaaS products to customers in the Middle East, model the revenue impact of sustained outages — not as a tail risk, but as a scenario that has now actually occurred. Check whether customer contracts contain force majeure provisions that cover military action, and whether your portfolio company or its cloud provider bears the risk.
For TMT-focused funds evaluating AI infrastructure investments: The thesis that the Gulf would become the next frontier for AI compute needs fundamental reassessment. The capital, energy availability and sovereign ambition remain — but the security risk is now priced differently. Expect a shift in where the next wave of capacity gets built. Northern Europe, India, Southeast Asia and secondary US locations are the likely beneficiaries. Deals premised on Gulf-based capacity expansion should have geopolitical scenario analysis in the first section of the investment committee paper, not buried in an appendix.
For acquirers of data centre and digital infrastructure assets: Valuation multiples for Gulf-based assets will compress until the security environment stabilises. Conversely, assets in politically stable jurisdictions with reliable power and connectivity are repricing upward. If you are evaluating data centre acquisitions, the diligence scope now needs to include physical security hardening costs, war risk insurance availability and pricing, and contractual exposure to sovereign data localisation mandates.
For enterprise technology buyers and CIOs: Multi-cloud and multi-region redundancy has moved from best practice to operational imperative. Any enterprise with critical workloads in a single Gulf cloud region needs an immediate migration or replication plan. The cost of redundancy is now demonstrably lower than the cost of a sustained outage caused by military action.
The Investment Implications
The Gulf’s $300 billion AI infrastructure ambition is not dead. Strategic capital with sovereign backing will continue to flow. But the risk-adjusted return expectations for private capital in the region have changed materially, and the insurance, security and redundancy costs that were previously theoretical are now real line items.
The firms and investors that move first to reweight their digital infrastructure exposure — building optionality into site selection, demanding multi-region architectures from cloud providers, and pricing physical security risk into acquisition models — will be better positioned than those waiting for the situation to resolve itself.
The cloud was never as abstract as the name suggested. It runs on buildings, with addresses, connected by cables that pass through some of the most contested waters on earth. This conflict has made that tangible in a way that no risk committee presentation ever could.
Aethon Ventures provides management consulting to PE/VC funds, mid-market businesses and corporate development teams across Growth, Profitability, M&A and Transformation. London-based with consulting partnerships in India and Malaysia.
If this resonates, we should talk.