On March 1, 2026, an unidentified object (ahem) struck an AWS availability zone — a cluster of data centers — in the United Arab Emirates, setting it on fire. The fire department cut power. A second availability zone in the same region also lost power. Across the border, a Bahrain availability zone in a separate AWS region also went down. AWS advised customers to route traffic to other regions, but for many of them, the law doesn't allow it.[1]

The cloud founding abstraction is that infrastructure is someone else’s problem. On Sunday, that abstraction met a war. Infrastructure turned out to have a street address, and someone hit it.

This is not a story about resilience engineering. AWS is built for this — multiple availability zones, cross-region replication, automated failover. The engineering works. The problem is legal, and it’s structural.

The UAE’s data protection framework — Federal Decree-Law No. 45 of 2021, reinforced by sector-specific mandates for banking and healthcare — requires certain categories of data to remain within UAE borders.[2] Saudi Arabia’s NDMO framework imposes similar constraints. Bahrain’s PDPL does the same. These laws exist for defensible reasons: sovereignty, regulatory oversight, and protection from foreign legal reach. But they share an unstated assumption — that the border is a wall. That keeping data inside your territory protects it.

The AWS strike reveals what happens when the border becomes a cage. Abu Dhabi Commercial Bank, one of the UAE’s largest financial institutions, confirmed its platforms and mobile app went down in the disruption — one of many institutions that discovered their infrastructure had a single point of failure.[3] If UAE banking data must remain in the UAE, and every UAE availability zone is degraded or offline, the multi-region redundancy that AWS engineered is legally blocked from activating. The failover exists. The law prevents it from firing. Data residency requirements designed to protect sovereign data become the mechanism that traps it in the blast radius.[4]

The Snowball Precedent

Ukraine learned this lesson four years ago and acted on it — at the last possible moment.

Before February 2022, Ukrainian law required government data to be stored on servers physically located in Ukraine. A week before the Russian invasion, parliament passed emergency legislation lifting the restriction.[5] On the day of the invasion, AWS met Ukrainian officials at the embassy in London and sketched a migration plan on the spot. By Saturday — 48 hours later — AWS Snowball devices — ruggedized hardware built to move terabytes offline — had been flown from Dublin through Poland into Ukraine.[6]

What followed was the first emergency digital evacuation of a nation-state under active military attack. Population registries, land ownership records, tax data, education records — the bureaucratic DNA of a country — moved to AWS regions beyond the reach of Russian artillery. PrivatBank, which serves 40% of Ukraine’s population, migrated 270 applications and approximately 4 petabytes of client data from 3,500 in-country servers in under 45 days.[7] By mid-2022, more than 10 petabytes — 10 million gigabytes — of sovereign data had left Ukrainian territory.[8]

Ukraine’s Vice Prime Minister Mykhailo Fedorov put it plainly: “Russian missiles can’t destroy the cloud.”[9]

He was right. But the cloud is only indestructible when data is allowed to leave.

Operation Fish, 1940

Fedorov’s logic — get the asset out before the missiles arrive — would have been instantly recognizable to a central banker in 1940. As the Wehrmacht swept through Western Europe, treasuries faced a version of the same calculation. The asset was gold, not data. The threat was tanks, not missiles. The logic was identical: physical possession of the sovereign asset matters more than legal title when the threat is kinetic.

Britain shipped as much as 1,500 metric tons of gold to Canada in an operation codenamed Fish — through U-boat-infested waters, the bullion referred to as “margarine.”[10] Norway, Belgium, Poland, and France moved their reserves to the United States and Canada. The countries that got their gold out preserved their financial capacity to fight. Belgium entrusted 200 tons to France, which surrendered it to the German Reichsbank under Vichy pressure.[11] The gold that stayed within reach of the advancing army was lost.

Ukraine’s registries are its gold. The UAE’s banking and healthcare data is its gold. The difference is that data, unlike gold, can exist in two places at once, which makes it harder to justify the legal prohibition on cross-border replication when the vault is under fire. The question data residency frameworks don’t answer — and yesterday forced into the open — is what happens when the vault itself is the vulnerability.

The Structural Finding

The standard response will be a better multi-region architecture, more availability zones, and improved physical hardening. Those are engineering problems with engineering solutions, and they’ll be addressed. The structural problem is different.

Data residency regulations across the Gulf — and across much of the world — are designed for a threat model that assumes the border protects what’s inside it. They were built for a world where the risks to data were legal (foreign government access, CLOUD Act compulsion, GDPR transfer violations) rather than physical. Could regulators issue emergency waivers? In theory. Ukraine needed a parliamentary vote under wartime pressure to create its exception, and the time between a missile strike and data loss is measured in hours, not legislative sessions. Ukraine proved that when the physical threat materializes, sovereignty requires the opposite of residency — it requires the ability to get data out, fast, to wherever is safe.

No Gulf state has a Ukrainian-style emergency migration law on the books — though reports indicate that both Saudi Arabia and the UAE have begun exploring “digital embassy” frameworks that would allow critical systems to be shifted to allied countries within minutes of a disruption.[12] As of yesterday, “exploring” may no longer be fast enough.

Sometimes the only way to save sovereign data is to surrender sovereignty over it.

Notes

[1] AWS Health Dashboard status updates, March 1-2, 2026; Reuters, “Amazon’s AWS Reports Power, Connectivity Issues in Bahrain, UAE Amid Iran Strikes,” March 2, 2026; Bloomberg, “Amazon Web Services Suffers Outage After ‘Objects’ Hit UAE Data Center,” March 2, 2026.

[2] UAE Federal Decree-Law No. 45 of 2021 (PDPL); UAE Central Bank Consumer Protection Standards (2021) requiring in-country banking data residency; Health ICT Law mandating electronic health data remain within UAE borders. Note: the PDPL’s scope is complex — it does not directly regulate government, health, or banking/credit data, which fall under sector-specific regimes with their own localization requirements. Free zones (DIFC, ADGM) maintain separate data protection frameworks. See Baker McKenzie, “Data Localization and Regulation of Non-Personal Data: UAE,” 2025, for a concise mapping.

[3] Abu Dhabi Commercial Bank (ADCB) confirmed via public statement that its platforms and mobile app were unavailable due to a “region-wide IT disruption,” March 2, 2026. ADCB did not directly attribute the outage to AWS, but the timing aligns with the ME-CENTRAL-1 disruption. Reuters, March 2, 2026.

[4] As of March 2, all three availability zones in ME-CENTRAL-1 were affected: mec1-az2 (struck by objects, power cut), mec1-az3 (separate power issue), and mec1-az1 (EC2 API errors and instance launch failures). AWS confirmed that launching new instances was not possible across the region and advised customers to activate disaster recovery plans and fail over to other AWS regions. Nearly 60 services were degraded or disrupted. The data residency trap applies specifically to the subset of data subject to strict localization mandates — healthcare records, certain banking data, government data classified as sensitive/secret/confidential — that cannot legally replicate to regions outside the UAE even when in-country infrastructure is compromised. TahawulTech, March 2, 2026; Data Center Knowledge, March 2, 2026; AWS Health Dashboard status updates.

[5] Ukrainian parliament legislation, approximately one week before the February 24, 2022 invasion, permitting government and private sector data to migrate to cloud infrastructure outside Ukraine. The urgency of the legislation — passed as Russian forces massed at the border — underscores that the prior residency requirement was recognized as a threat, not a protection, under kinetic conditions.

[6] Liam Maxwell, AWS Director of Government Digital Transformation, speaking at AWS re:Invent 2022. AWS, “Safeguarding Ukraine’s Data to Preserve Its Present and Build Its Future,” June 2022. Note: AWS is an interested party in this narrative. The operational timeline (embassy meeting Thursday, Snowballs in Poland Saturday, in Ukraine Sunday) is corroborated by Ukrainian government officials but sourced primarily from AWS and Ukrainian government statements at AWS events.

[7] Mariusz Kaczmarek, Head of IT, PrivatBank, via LinkedIn and AWS re:Invent 2023 remarks. PrivatBank serves approximately 20 million customers (40% of Ukraine’s population). The 45-day migration timeline is from Kaczmarek’s public statements.

[8] AWS, “Safeguarding Ukraine’s Data,” June 2022; updated figures from AWS re:Invent 2023 (Liam Maxwell): 161 state registries, 356 organizations, 15 petabytes. These are AWS-reported figures. Note: Estonia began backing up government data to a “data embassy” in Luxembourg in 2017 — a deliberate sovereign data replication outside national borders. Ukraine’s evacuation was distinct in scale, speed, and the presence of active kinetic threat.

[9] Mykhailo Fedorov, Vice Prime Minister and Minister of Digital Transformation of Ukraine, AWS re:Invent 2022.

[10] Operation Fish, July 1940. The convoy of July 5 alone carried $1.7 billion (approximately $39 billion in 2025 dollars). The entire operation moved an estimated 1,500 metric tons of gold and securities without a single ship lost to U-boats.

[11] Belgium evacuated roughly 400 tons to the UK, US, and Canada before the invasion. The remaining 200 tons, entrusted to the Banque de France, were transported to Dakar, then returned across the Sahara under Vichy and surrendered to the Reichsbank under pressure from Pierre Laval. The Banque Nationale de Belgique’s directors refused to sign the receipt. See National Bank of Belgium Museum, “Belgian Gold in the Hands of Foreigners.”

[12] Semafor, “Gulf AI Infrastructure Faces Its First Stress Test Amid Iran Strikes,” March 2, 2026, citing Jesse Marks, CEO of Rihla Research & Advisory. The “digital embassy” concept — contracts permitting rapid cross-border migration of critical systems — parallels Ukraine’s emergency legislation but through commercial rather than legislative mechanisms. Whether commercial frameworks can move as fast as a parliamentary emergency vote remains untested.