On 1 March 2026, at approximately 4:30 in the morning, a drone hit a building in Dubai.
Not metaphorically. Not as a service disruption caused by a misconfigured load balancer or a failed cooling unit. A physical object struck a physical structure, created sparks, started a fire, and forced local authorities to cut power to contain the blaze. A few hours later, a second building in the same region went the same way.
The buildings were Amazon Web Services data centres. Two of the three availability zones serving AWS ME-CENTRAL-1 -- the UAE's primary cloud region -- went dark simultaneously. That is the precise failure mode the redundancy model was never designed to survive. One zone fails, the others carry the load. Two zones fail simultaneously and the third buckles under traffic it was never built to handle alone.
By the time the dust settled, 109 services were disrupted across ME-CENTRAL-1. Two months later, 37 remain so. Amazon has now confirmed that full recovery will take several more months. As consolation, they have suspended billing in the region.
The Burj Al Arab -- the sail-shaped hotel that became the global shorthand for Gulf invulnerability -- had smoke coming off its facade that same morning. The Dubai Media Office confirmed it officially, though Bellingcat's open-source analysis suggested the fire was rather more significant than the official account described, extending some 30 metres across approximately eight floors. The image of that building burning is the image of an assumption failing.
The assumption was that the cloud was somewhere other than a physical structure in a conflict zone.
It wasn't.
What followed was not just an outage. It was a stress test of every architectural decision UAE businesses had made in the preceding decade, and many of them failed it.
The AWS availability zone model is designed around independent failures -- a power fault here, a network partition there, a localised fire contained by suppression systems. The model holds for natural disasters, hardware failures, and most of what an operations team puts in a runbook. It does not hold when the threat actor is aiming at your postcode and two buildings go down in the same barrage.
The organisations that recovered quickly had made their architectural decisions months earlier. Multi-region failover, cross-region replication, tested runbooks with measured recovery times. They were not reacting better during the crisis. They had already engineered for it.
Everyone else was choosing between bad options.
For UAE financial institutions, the options were worse than most.
The Central Bank of the UAE requires licensed financial institutions to maintain their Master System of Record -- all confidential data -- continuously within UAE borders. That is not a guideline. It is a statutory requirement with regulatory teeth. When ME-CENTRAL-1 went dark, the legally compliant failover destination went dark with it. There was no option to route to eu-west-1 in Ireland or us-east-1 in Virginia without breaching data residency law.
The choice was stark: stay dark, or break the law.
There is a profound irony in data residency law designed to protect citizens' financial interests becoming the mechanism that kept banks dark longest. When the law forbids data from crossing a border, it locks the door from the inside while the building is burning.
The CBUAE issued emergency waivers -- short-term notices of non-objection allowing banks to shift data to overseas data centres. The same mechanism, officials noted, that was used during Covid in 2020. First Abu Dhabi Bank, the largest lender in the country, remained severely disrupted even after those waivers landed.
A regulator issuing emergency legal dispensation so that banks can keep functioning is not a resilience story. It is a sovereignty story with the ending missing.
In Abu Dhabi, the Governor of the Central Bank of the UAE witnessed the signing of a partnership agreement between the CBUAE and Core42, a G42 company, to build the world's first sovereign financial cloud services infrastructure. The press release described a centralised, highly secure, dedicated and isolated environment -- built specifically, as one regional outlet noted, "unlike traditional cloud environments that often rely on third-party global providers."
"Finance runs on digital infrastructure; hence it must be sovereign."
Talal Al Kaissi, CEO Core42 · 25 February 2026
He was not wrong. The analysis was correct. The direction was right. The partner was credible. The UAE had identified the dependency, understood the risk, commissioned the solution, and held the ceremony.
Four days later, the dependency they were still living in was hit by drones.
This is the uncomfortable lesson -- and it is not the one most post-incident analyses are drawing.
The story is not that the UAE failed to see this coming. They saw it coming. The story is that seeing it coming and being operationally ready are two different things, separated by an implementation gap. That gap has a duration. And sometimes the timeline runs out before the gap closes.
The implementation gap is where the damage lives. Not in the failure to understand the problem -- Al Kaissi understood it perfectly -- but in the distance between the press release and the migration complete.
That gap cost First Abu Dhabi Bank weeks of disruption. It contributed to a 29% collapse in UAE hotel sector revenue as booking systems, supplier chains and payment infrastructure went dark across a sector already reeling from airspace closures and cancelled flights. It cost thirty-seven AWS services two months of disruption, with several more to come.
Whether the SFCSI's architecture distributes risk across genuinely separated sites -- geographically and jurisdictionally -- is the question its designers will need to answer publicly. A sovereign cloud is not automatically safer than a hyperscaler region. It still has a physical location. Single-region dependency does not become resilient because the flag above the door is the right one. The engineering question is the same regardless of who owns the infrastructure: how many postcodes does your resilience span, and have you tested the path between them?
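That engineering question can be asked of an inventory mechanically. The sketch below is an added example, not anything published by AWS, the CBUAE or Core42: it takes a constructed list of workloads, removes one whole metro, and reports which workloads are left with no residency-compliant site, the stay-dark-or-breach position described earlier, and which failover paths are untested or stale. The workload names, the second in-country site, the metro labels and the 90-day test window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Site:
    region: str        # provider region label
    jurisdiction: str  # country whose law governs data held at the site
    metro: str         # physical failure domain: one barrage can reach all of it

@dataclass(frozen=True)
class Workload:
    name: str
    allowed_jurisdictions: frozenset    # data residency constraint
    sites: tuple                        # where replicas actually exist today
    last_failover_test: Optional[date]  # None means the path was never exercised

def audit(w, lost_metro, today, max_test_age_days=90):
    """Findings for one workload if every site in `lost_metro` goes dark at once."""
    compliant = [s for s in w.sites if s.jurisdiction in w.allowed_jurisdictions]
    survivors = [s for s in compliant if s.metro != lost_metro]
    findings = []
    if len({s.metro for s in compliant}) < 2:
        findings.append("single-postcode")
    if not survivors:
        # A replica outside the permitted jurisdiction still runs: dark, or breach.
        breach = any(s.metro != lost_metro for s in w.sites)
        findings.append("dark-or-breach" if breach else "dark")
    if w.last_failover_test is None:
        findings.append("untested-path")
    elif (today - w.last_failover_test).days > max_test_age_days:
        findings.append("stale-test")
    return findings

# Constructed inventory. AE_SECOND is hypothetical; the page names no such site.
DUBAI = Site("ME-CENTRAL-1", "AE", "dubai")
IRELAND = Site("eu-west-1", "IE", "ireland-metro")
AE_SECOND = Site("example-ae-second-site", "AE", "example-ae-metro-2")
INVENTORY = [
    Workload("bank-system-of-record", frozenset({"AE"}), (DUBAI, IRELAND), None),
    Workload("hotel-booking", frozenset({"AE", "IE"}), (DUBAI, IRELAND), date(2025, 6, 1)),
    Workload("payments-core", frozenset({"AE"}), (DUBAI, AE_SECOND), date(2026, 2, 1)),
]

def report(today=date(2026, 3, 1), lost_metro="dubai"):
    return {w.name: audit(w, lost_metro, today) for w in INVENTORY}
```

Only the workload with a second permitted site in a different metro and a recent test comes back clean; the residency-bound one with an overseas replica is flagged even though a copy of its data is still running.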
The easy response is to treat this as a Middle East story. Exceptional geography, exceptional conflict, not applicable elsewhere.
Run the adjacency test honestly.
Baltic states are NATO members with functioning democracies, advanced digital infrastructure, and a land border with Russia. Estonia's digital government is rightly celebrated. The physical infrastructure beneath it has geography.
Taiwan produces the majority of the world's advanced semiconductors, hosts substantial cloud infrastructure, and faces increasing pressure across the strait. Cyprus is an EU member sitting in the eastern Mediterranean, connected by subsea cables that pass through waters adjacent to Lebanon, Syria and ongoing Turkish tensions. Moldova, Georgia and Armenia all carry varying degrees of hyperscaler dependency alongside borders with active or frozen conflicts that could unfreeze.
And the threat does not require drones. It requires a neighbour whose instability spills -- through sanctions, through airspace closures, through a regional crisis that makes your cloud provider's logistics chain unreliable or their staff decide the posting is not worth it.
Every jurisdiction on that list has its own version of the UAE's assumption. The assumption that the brand is the protection. That stability is the natural condition. That the availability zone model covers the threat.
The UAE thought that too. Until 4:30 in the morning on 1 March 2026.
This is not an argument against cloud infrastructure. It is not sovereignty as ideology. It is sovereignty as engineering -- the recognition that digital infrastructure has physical geography, that physical geography has threat models, and that threat models have timelines.
Sovereignty is not a destination. It is a maintenance schedule. It is not the flag you plant; it is the generator you test every Sunday morning. The certificate on the wall and the press release in the archive mean nothing if the tested failover path does not exist before the incident that requires it.
The question every CTO, every regulator, every finance minister in a jurisdiction adjacent to instability needs to answer honestly is this: what is your implementation gap, and what happens if the timeline runs out before you close it?
Talal Al Kaissi was right.
He just needed more time.
The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy -- with a particular focus on Isle of Man jurisdiction and Crown Dependency issues.