chesky - stock.adobe.com
Can data sovereignty become a liability in war?
The recent Middle East conflict shows the contradictions inherent in modern data systems and the need to focus less on who controls data and more on how to protect the infrastructure
Modern societies do not just use data. They depend on it. Banking systems, hospitals, logistics networks, and governments all rely on continuous access to digital infrastructure. Yet recent attacks on datacentres in the Middle East point to a growing vulnerability. The systems that sustain everyday life are not only digital, but physical, and increasingly exposed to conflict.
Policy debates have largely focused on who controls data. Advocates of data sovereignty argue that keeping data within national borders strengthens legal authority and reduces reliance on foreign actors. Others emphasise the advantages of globally-distributed cloud infrastructure, including efficiency, scalability, and redundancy.
But both approaches overlook a more fundamental issue. In conflict, control over data matters less than whether it remains accessible at all. Data sovereignty, on its own, does not guarantee protection.
In fact, it can create new vulnerabilities. When critical systems – financial services, healthcare records, government databases – are concentrated within national borders, they may become single points of failure. In a conflict scenario, targeted disruption could disable essential services. Keeping data “at home” may strengthen legal control, but it can also make it easier to disrupt.
Sovereign a bunched target; cloud beyond national control
At the same time, reliance on global cloud providers introduces a different kind of risk.
Infrastructure operated by companies such as Amazon or Microsoft offers resilience through distribution, but it places critical data beyond full national control. During crises, access to data stored across jurisdictions may be shaped by foreign laws, corporate decisions, or geopolitical pressures. What appears resilient in technical terms may prove uncertain in political ones.
Both models are largely optimised for peacetime. They prioritise efficiency, scale, and control, but not resilience under conditions of disruption.
A more useful starting point is to shift the focus from control to resilience. The question is not simply where data is stored or who governs it, but whether systems can continue to function when infrastructure is degraded, fragmented, or under attack.
Read more about data sovereignty
- Is cloud data sovereignty all just a case of ‘Trust me, bro’? Hyperscaler cloud is inherently global. Does that make data sovereignty unattainable – especially given the powers US courts hold? We grilled the hyperscalers in an attempt to find out.
- Breaking the stranglehold: Responses to data sovereignty risk. We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.
Many systems are “dual use”
One proposed approach is to separate military and civilian data systems. This aligns with long-standing principles under the Geneva Conventions, which seek to limit harm to civilian infrastructure. Clear separation could, in theory, reduce the likelihood that civilian datacentres are treated as legitimate targets.
However, this distinction is difficult to sustain in practice. Digital systems are deeply interconnected. Civilian infrastructure supports logistics, communication, and other functions with military relevance. Many systems are therefore “dual use”, making them difficult to classify and potentially vulnerable regardless of formal designation.
There is also a legal gap. Existing international humanitarian law was developed in a context where infrastructure could be more clearly categorised as civilian or military. Datacentres do not fit easily into this framework, particularly when they are privately operated and globally integrated.
As a result, the systems that underpin hospitals, financial networks, and public services occupy a grey zone – essential to civilian life, but not clearly protected as such. The rise of AI will only deepen this ambiguity. Systems that power everyday services – routing deliveries, managing traffic, analysing data – can be repurposed in real time for military logistics or strategic decision-making.
A hybrid approach for developing countries?
These challenges are especially pronounced for smaller and developing countries. In many such contexts, digital systems are already constrained by limited infrastructure and institutional capacity. Full data localisation may be impractical, while complete reliance on external providers creates exposure to external disruptions. Here, resilience is less about asserting control over data location and more about ensuring continuity under stress.
A more feasible approach is diversification: maintaining limited domestic capacity for essential services, while securing reliable backup arrangements across trusted partners. In this context, sovereignty is not defined solely by where data resides, but by whether access can be maintained when it is most needed.
Private technology companies also play a central role. As operators of critical infrastructure, they are increasingly part of national resilience. This raises questions about their responsibilities in ensuring continuity, transparency, and equitable access during crises, particularly when their operations span multiple jurisdictions.
A source of strength; a source of weakness
From a technical perspective, strengthening resilience requires rethinking system design. While the internet was originally built with redundancy in mind, contemporary cloud architectures often prioritise efficiency and centralisation. Highly interconnected systems can amplify failures rather than contain them.
Building resilience means distributing infrastructure across diverse locations, reducing hidden dependencies, and enabling systems to operate in degraded conditions when necessary.
The implications extend beyond data policy. As dependence on digital systems grows, decisions about data storage, infrastructure providers, and jurisdictional control increasingly intersect with foreign policy, trade, and security strategy.
Data governance is no longer only about regulation – it is part of how states manage risk. When the internet first developed, security and privacy were treated as secondary concerns, addressed gradually as new risks emerged. A similar lag is now visible in how we govern data infrastructure in conflict.
Data systems are now as critical – and as vulnerable – as physical supply chains. The central question is no longer simply who controls data, but whether societies can still function when access to it is disrupted. In the end, data that cannot be accessed is data that cannot be governed.
Read more on Datacentre disaster recovery and security
-
![]()
AI-driven surveillance growth reshapes data infrastructure in UAE
By: Andrea Benito
-
![]()
Data residency becomes the GCC’s next AI battleground
By: Andrea Benito
-
![]()
The illusion of digital sovereignty and the reality of control
-
![]()
Middle East CIOs move from cloud-first to sovereign-first in a high-risk digital era
By: Andrea Benito
