By Marcus Venn | Digital Rule Book | March 2026 TL;DR — Key Points The EU Digital Omnibus Package, proposed 19 November 2025, is the most significant change to EU digital regulation since the AI Act itself. It proposes to simplify GDPR, delay the AI Act's high-risk deadlines by up to 16 months, merge cybersecurity reporting into a single entry point, and modernise cookie rules. For most EU businesses, the Omnibus will reduce compliance burden — but it has not been passed into law yet, and current deadlines still apply. The Digital Omnibus is not a weakening of the AI Act. It is a restructuring of the rollout to align with the actual readiness of the compliance ecosystem. This article explains every major proposal in plain English, so you know what is changing, when, and what it means for your business. DISCLAIMER: This article is for informational purposes only. The Digital Omnibus Package is a legislative proposal subject to amendment and rejection. Information ...
Is Your EU Business Data Safe When Middle East Infrastructure Fails?
By Marcus Venn | Digital Rule Book | March 12, 2026
On Saturday February 28, 2026, dramatic footage began emerging on social media showing something most frequent travellers had never seen: people running through smoke-filled corridors at Dubai International Airport — the world's busiest international aviation hub — as emergency response teams deployed across the terminal.
An Iranian drone had struck one of the airport's concourses. Four staff members were injured. The airport was evacuating.
By the time Sunday's second wave of Iranian strikes arrived, Dubai International Airport had suspended all arrivals and departures 'until further notice.' Emirates — the world's biggest long-haul airline — suspended all flights. Etihad suspended all flights from Abu Dhabi. Qatar Airways suspended all flights from Doha. Bahrain, Kuwait, and Oman closed their airspace. Over 1,800 flights were cancelled. At least 145 aircraft already in the air were diverted to Athens, Istanbul, Rome, and other airports.
For most Europeans, this is a travel disruption story. For European businesses, it is something more significant. Dubai is not just an airport. It is a global hub for digital infrastructure — and some of your business data may be sitting in a data centre within range of Iranian drone strikes right now.
Why Dubai Matters to European Digital Infrastructure
The UAE — and Dubai specifically — has become one of the world's most significant digital infrastructure hubs over the past decade. Its geographic position at the intersection of European, Asian, and African submarine cable routes makes it a natural landing point for undersea internet cables that carry a significant portion of the world's digital traffic.
Major technology companies have built substantial UAE infrastructure specifically because of its role as an East-West digital bridge:
Microsoft Azure operates data centres in the UAE, including its UAE North and UAE South regions in Dubai and Abu Dhabi respectively.
Amazon Web Services launched its first Middle East region in Bahrain in 2019 and has UAE infrastructure serving both regional and transit traffic.
Google Cloud has UAE Points of Presence and uses the region as a content delivery and caching location for European and Asian traffic.
Multiple global submarine cable systems land in the UAE, including the AAE-1, SEA-ME-WE-5, and EIG cables that carry significant European internet traffic.
Dozens of European companies — particularly in finance, logistics, and e-commerce — have UAE-based operations or use UAE-hosted services as part of their global infrastructure.
The GDPR Dimension: What Middle East Disruptions Mean for EU Data Protection
GDPR's Article 32 requires data controllers to implement measures ensuring 'a level of security appropriate to the risk.' Article 25 requires data protection by design and by default. Article 33 requires notification of personal data breaches within 72 hours.
Here is where the Dubai situation creates specific GDPR obligations for EU businesses:
Scenario 1: Your Cloud Provider Has UAE Infrastructure
If you use a cloud service that stores or routes data through UAE infrastructure, and that infrastructure experienced disruption this weekend — even temporary unavailability of services — you have a potential Article 32 obligation to assess whether the disruption constituted a breach of data security. Unavailability of personal data for more than 72 hours is considered a personal data breach under GDPR. You may need to notify your data protection authority.
Scenario 2: Your Email Marketing Provider Uses Gulf Servers
Many US-headquartered email marketing platforms (Mailchimp, Klaviyo, ActiveCampaign) have distributed infrastructure with nodes in the Middle East for performance purposes. If you have EU customers whose email data is processed through Gulf-region infrastructure, check whether your data processing agreement covers this geographic distribution and whether alternative routing is in place.
Scenario 3: Your Business Uses UAE-Based Services
If your business directly uses UAE-hosted services for CRM, payment processing, or customer data storage — common for businesses with UAE or Gulf operations — review your business continuity arrangements. GDPR requires that you have assessed the security and resilience of your data processors. A drone strike shutting down a UAE data centre was probably not in your original risk assessment.
The Data Sovereignty Argument — Why This Crisis Changes the Conversation
The EU has been building a data sovereignty framework for years — the push to keep European data in Europe, or at minimum in jurisdictions with equivalent legal protections. This effort has often been characterised as protectionist or unnecessarily complex. This weekend's events make the strongest possible practical argument for data sovereignty.
Consider: EU businesses whose data was processed through Gulf infrastructure this weekend had no way to predict that Dubai International Airport would be hit by a drone strike and that major cloud providers would be managing business continuity scenarios in active conflict zones. This is not an edge case or a theoretical risk. It happened. It is happening now.
The EU's cloud sovereignty initiatives — including GAIA-X, the EU Data Act, and the push for EU-certified cloud providers — suddenly look less like regulatory imperialism and more like basic risk management. A business whose data lives entirely within EU jurisdiction — in Frankfurt, Amsterdam, or Dublin data centres — is not exposed to Middle East conflict disruption. A business whose data routes through Dubai is exposed, even if that was never an intentional choice.
Practical Steps: Checking and Securing Your Data Geography
Most business owners do not know where their data actually lives. This is the moment to find out. Here is how:
Step 1 — Check your cloud provider's infrastructure page. AWS, Google Cloud, and Microsoft Azure all publish detailed maps of their global infrastructure. Search for 'AWS data centre locations' or '[your provider] infrastructure map.' Identify whether any of your data regions or service endpoints are in the UAE, Bahrain, Qatar, or Kuwait.
Step 2 — Review your data processing agreements. Every GDPR-compliant service should have a DPA that lists the geographic locations where data is processed. Open your DPA with your main providers and check the 'sub-processors' or 'data locations' section. If Gulf countries appear, note it.
Step 3 — Contact your cloud provider directly. Send a brief email to your provider's support or data protection contact: 'Can you confirm whether any personal data I have stored with you is processed through infrastructure located in the UAE, Bahrain, Qatar, or Kuwait? Were any of these locations affected by operational disruptions between February 28 and March 1, 2026?' Document their response.
Step 4 — Assess whether any disruption constituted a GDPR incident. If your provider confirms any service disruption affecting your personal data, consult GDPR Article 33. If the disruption affected the availability, integrity, or confidentiality of personal data, you have 72 hours from becoming aware of the breach to notify your national data protection authority.
Step 5 — Review your business continuity plan. If you do not have a documented plan for what happens to your business data when a major infrastructure provider experiences disruption, write one this week. It does not need to be complex. It needs to answer: where is my data? Who is responsible for it? What happens if it becomes unavailable? Who do I call?
The Bigger Picture: What EU Data Sovereignty Really Means
The EU's data sovereignty agenda has been criticised as ideological — an attempt to protect European cloud providers from American competition under the guise of privacy protection. This characterisation has always been unfair. Data sovereignty is fundamentally about resilience — ensuring that European digital infrastructure cannot be disrupted by events outside European control.
A war in the Middle East is precisely the category of event that EU data sovereignty regulations are designed to insulate European businesses from. When Iranian missiles strike Dubai, European businesses with EU-only data should not feel the impact. European businesses with Gulf-region data dependencies should feel it — and are feeling it this weekend.
The EU Data Act, GAIA-X, the EU Cloud Certification Scheme — these are not just regulatory frameworks. They are the architectural blueprints for a European digital economy that can absorb shocks like the ones occurring right now without catastrophic disruption. The businesses that align with EU data sovereignty principles today are building the resilience that the current crisis demonstrates is essential.
Frequently Asked Questions
Q: Is my business at GDPR risk if my cloud provider's UAE infrastructure was disrupted?
A: Potentially yes, if personal data was affected. The key question is whether the disruption caused unavailability, corruption, or unauthorised access to personal data. If yes, and the disruption lasted more than 72 hours or affected a significant number of records, you may have a GDPR notification obligation. Consult your data protection officer or a GDPR specialist.
Q: Does Dubai airport closure affect data centres as well as flights?
A: The airport closure and data centre operations are separate, though both are in the same conflict zone. Dubai's major data centres have independent power supplies and security and are not located at the airport. However, the same Iranian strikes that hit the airport also hit the Jebel Ali Port area and other Dubai locations. Physical infrastructure damage to telecommunications facilities in the broader UAE conflict zone is possible.
Q: What is GAIA-X and should my business use it?
A: GAIA-X is a European initiative to create a federated, sovereign digital infrastructure ecosystem in Europe. It is not a single cloud provider — it is a framework for EU-compliant cloud services that meet data sovereignty, interoperability, and security standards. For EU businesses concerned about data sovereignty, GAIA-X certified providers are worth evaluating as alternatives to or supplements to US-headquartered cloud services.
Q: How do I know if my data is stored in the EU?
A: Ask your provider explicitly and check your DPA. Under GDPR, your processor must tell you where they process your data. 'EU-based data storage' should be confirmed in writing, not assumed. Some providers offer EU-only data residency as a premium option — this may be worth the additional cost given current events.
Dubai International Airport is one of the world's most extraordinary infrastructure achievements — a city that handles 90 million passengers a year, built in a desert, connecting the world. Watching it go dark this weekend is a reminder that no infrastructure is permanent, no geography is safe, and the digital foundations of the modern economy are more fragile than they appear in normal times.
For EU businesses, the lesson is practical: know where your data lives, understand your GDPR obligations when that data is at risk, and build toward the data sovereignty that the EU's regulatory framework is actively creating. The regulations that sometimes feel like bureaucratic burden exist precisely for moments like this one.