Home Content Hub Why having a Plan B is more important than ever

Why having a Plan B is more important than ever.

17 March 2026 6 min read Blog Post
Table of Contents
  1. The moment of truth
  2. The day the cloud became a battlefield
  3. The European reality: Data centres in the crosshairs
  4. The true cost: Reputational and financial damage
  5. What Plan B should look like now
  6. Don't wait for the next major incident to find out your Plan B doesn't work

The March 2026 drone strikes on AWS data centres redefined business continuity – and European enterprises must pay attention.

The moment of truth

In the early hours of March 1, 2026, the rules of digital warfare changed when drones struck multiple AWS data centres in the UAE and Bahrain. These weren't random acts of sabotage – they were a deliberate strategy in the escalating Middle East conflict. For the first time in history, a major hyperscaler was taken offline by military action.

For years, Business Continuity and Disaster Recovery (BCDR) planning was often viewed as a costly IT compliance tick box, and a safeguard against accidental outages or natural disasters. But recent events have delivered a stark reality check: data centres are now military targets, and hope is not a strategy.

In this article, we look at the BCDR lessons from this and other recent incidents – and how enterprises should adapt their strategies to mitigate operational, financial and reputational risks.

The day the cloud became a battlefield

When Iranian-aligned media published lists of "legitimate targets" including American tech infrastructure, few expected the physical destruction that followed. But the drones hit precisely: in the UAE, 2 facilities were directly struck, and in Bahrain, a strike near a facility caused structural damage, disrupted power and triggered fire suppression systems that caused further water damage to critical hardware.

The immediate impact was devastating. Amazon confirmed recovery would be "prolonged" due to the physical damage, and services across the region went dark. Banking apps crashed, payment platforms froze and an estimated 300,000+ companies saw operations grind to a halt. AWS advised customers to "migrate those workloads to alternate AWS Regions".

This incident proved that in 2026, geopolitical risk is a physical threat to supply chains. If your business runs on the cloud, you need to have a Plan (B)CDR that works.

The European reality: Data centres in the crosshairs

Although the March 2026 strikes changed the rules in the Middle East, the blueprint for targeting critical infrastructure was already drawn in Europe weeks before – when an arson attack on Berlin's power grid plunged 45,000 households and 2,200 businesses into darkness for 5 days. For companies in the affected area, productivity ground to a halt, data centre dependencies were exposed and digital supply chains were disrupted. As the Berlin mayor noted, the attack caused "enormous damage".

This isn’t an isolated incident. According to Boston Consulting Group, Europe's data infrastructure remains worryingly fragile. In parts of Central and Eastern Europe, over 80% of international traffic travels through just 1 or 2 connectors. Damage to a single node could disconnect an entire country from digital services. Subsea cables are particularly exposed: at the start of 2026, 6 cables in the Baltic Sea suffered damage in 6 days.

The threats are multiplying from physical attacks, sabotage, cyber warfare and even protest actions against AI infrastructure. Beazley, the global insurer, predicts that 2026 will see the first major business suffer significant failure triggered by an outage from a cyberattack. As Tim Turner from Beazley warned: "Data centres, already critical infrastructure...are increasingly prime targets for protest and disruption".

The true cost: Reputational and financial damage

When critical business infrastructure fails, the damage extends far beyond the organisation’s IT teams.

A prolonged outage triggers a cascade of crises:

  • Financial services disruption
    Even brief outages to systems like SEPA, TARGET2 and SWIFT can delay settlements, create liquidity mismatches and trigger damaging market swings. A 1-day outage could block €25-30 billion in wholesale payments.
  • Reputational carnage
    When core business services go dark, customers lose trust. Banking apps crashing, payment platforms freezing and merchants unable to process transactions creates headlines that erode years of brand building. As Beazley noted: "A single outage can ripple far beyond the confines of IT teams, hitting revenue, reputation and resilience in real-time – and for a long time".
  • Customer exodus
    In a competitive market, customers have choices. If your business can’t serve them during a crisis, they’ll find someone that can. The AWS strikes affected 300,000+ businesses whose operations stopped through no fault of their own.
  • Regulatory and legal exposure
    Boards that fail to manage these risks face potential shareholder lawsuits over poor preparation and weak response plans.

What Plan B should look like now

A BCDR plan in 2026 must evolve far beyond backing up data to a secondary server. The AWS crisis offers 3 essential lessons for building resilience in an era where data centres are military targets:

1. Geographic redundancy is mandatory
When the drones struck, AWS' own guidance to customers was unambiguous: move workloads to other regions. If your disaster recovery site sits in the same geographic zone as your primary site (or depends on the same infrastructure), you don’t have a Plan B, you have a single point of failure.

For European businesses, this means diversifying across cloud providers or regions that are geopolitically stable and physically distant from conflict zones. Redundancy must be strategic, not symbolic.

2. Assume prolonged outage
Historically, cloud outages lasted hours, but the drone attack on AWS data centres involved rebuilding physical structures. Your BCDR strategy must now account for restoration taking days or weeks. Can your business survive that long without access to core systems? Boston Consulting Group's analysis paints a stark picture: a 1-week data outage would stall €200 billion in transactions, overwhelm emergency services and force hospitals to return to paper charts. The assumption must shift from "When will services return" to "How do we operate until they do".

3. Classify what truly matters (then place it intelligently)

The strikes disrupted everything from ride-hailing apps to national banks. A robust BCDR plan begins with rigorous data classification: What systems are truly mission-critical? Can you operate in degraded "manual mode" while your core infrastructure is down?

This naturally raises the strategic question: where should different business data types or workloads reside? Not everything belongs in the public cloud.

For business-critical assets, intellectual information property, sensitive customer data and critical national infrastructure, organisations are increasingly turning to hybrid, private or sovereign cloud solutions.

These cloud-native architectures offer:

  • Data sovereignty: Keeping data within national borders ensures GDPR compliance and meets security requirements.
  • Isolation from global conflicts: Sovereign clouds provide separation from geopolitical tensions targeting multinational hyperscalers.
  • Operational independence: Private infrastructure eliminates sole reliance on providers whose assets may become military targets.

The March 2026 attacks exposed the limits of public cloud resilience. A modern BCDR strategy builds a diversified portfolio, combining public cloud agility with the insulation of sovereign and private infrastructure. The question is no longer just what data matters most, but where it’s safest.

Don't wait for the next major incident to find out your Plan B doesn't work

Treat the attack on AWS as a harbinger, not an anomaly. If your enterprise relies on cloud infrastructure – or if you have customers depending on your digital services – you’re exposed.

The path forward isn't about perfection from Day 1, but about purposeful progress.

We recommend a 5-step approach that starts with establishing a common understanding and assessing your maturity and then proceeds with blueprinting, solutioning, implementation and validation. Importantly, BCDR isn’t “one and done” – it also requires ongoing maintenance and evolution based on changing threats and enterprise requirements, to ensure you remain in control.

At Nordcloud, we specialise in building resilient, multi-region, hybrid and sovereign cloud architectures that keep your business running when the unexpected happens.

Whether you need to assess your current business continuity risk, implement a robust disaster recovery strategy or migrate to safer shores, we're here to help.

Contact us

Alexander de JonghSenior Cloud Advisor
Related topics
BlogDigital SovereigntySecuritySovereign CloudTransformation Strategy
Related content
Share

Related content.

Get the Digital Sovereignty Roadmap
Guide • 1 min read

Get the Digital Sovereignty Roadmap

From uncertainty to control – a best-practice approach to planning your sovereignty journey.

More details
Sovereign cloud: Should you consider it (and for what use cases)?
Blog • 6 min read

Sovereign cloud: Should you consider it (and for what use cases)?

Sovereign cloud is a fast-moving area in light of the current policy environment. Get tips on when to consider it in your hybrid decision making.

More details
Hybrid cloud: How to balance risk, compliance and innovation
Blog • 6 min read

Hybrid cloud: How to balance risk, compliance and innovation

Get tips on developing a hybrid cloud approach that reduces risk, supports compliance and drives innovation.

More details
Resilience by design
Infographic • 1 min read

Resilience by design

This infographic sets out the case for integrating business continuity and disaster recovery.

More details
Scroll to top