When the Cloud burns: What Iran’s AWS strikes mean for African fintech

On the morning of April 2, 2026, millions of Nigerians sending money, paying bills, and checking balances had no reason to look toward the Gulf. Yet their transactions often travelled through global cloud infrastructure that, weeks earlier, had come under direct attack.

On March 1, 2026, Iranian Shahed drones struck two AWS data centres in the United Arab Emirates and damaged a third facility in Bahrain. Additional disruptions followed, including a reported strike on a telecoms facility in Bahrain’s Hamala district on April 1 that affected critical AWS infrastructure, such as a Direct Connect node. Within roughly one month, AWS facilities in the Middle East experienced significant disruption on multiple occasions, with several incidents concentrated in Bahrain.

The confirmed casualties were Gulf-based. Emirates NBD and Abu Dhabi Commercial Bank reported banking platform and mobile app outages. Payment companies Alaan and Hubpay went down. Careem experienced service failures. Pakistan’s SadaPay went fully offline, its entire application knocked out because its backbone ran on the same AWS Bahrain facility.

AWS waived all usage charges for its Middle East region for the entire month of March 2026, an unprecedented move that underlined the scale of the disruption. As of early April, some disruption lingered, prompting workload migrations.

African fintech entities did not report confirmed outages from the strikes. But that is not the story. The story is what these attacks revealed about where African digital infrastructure actually lives and what happens when the server has an address a drone can find.

The 0.6% problem

Africa accounts for just 0.6% of global data centre capacity despite surging digital adoption. Nigeria’s 109 million internet users rely heavily on cloud infrastructure hosted in Europe, the United States, and South Africa. Fintech leaders such as Flutterwave and Paystack process billions of naira through systems outside Nigeria’s jurisdiction, exposing the country to geopolitical risks that could disrupt financial services, commerce, and national stability.

Flutterwave is a documented AWS customer, with a published case study on Amazon’s own platform. AWS is the dominant cloud platform across Nigerian fintech, with Paystack, Kuda, and PiggyVest all running infrastructure on it.

The AWS Africa (Cape Town) region, launched in 2020, is the only full AWS infrastructure region on the continent. While the company has invested heavily in South Africa (15.6 billion rand already deployed, with another 30.4 billion rand pledged through 2029), no additional full-scale AWS regions have been announced elsewhere in Africa. Nigeria and Kenya host edge locations and Local Zones, but these offer limited redundancy compared to a complete region.

What that means is structural. When Nigerian fintech entities route workloads through AWS, they are frequently passing through Cape Town at best and through European or US regions at worst. The Iran strikes exposed a deeper flaw in multi-availability zone assumptions.

AWS regions are built with at least three physically separate availability zones, designed to withstand power outages, natural disasters, and infrastructure failures. The design had never been tested in a conflict zone. In the Gulf, drones hit multiple availability zones within the same region simultaneously, because the conflict zone covered the entire geographic area those zones were spread across.

A popular assumption among engineers had been that it would take a meteor strike to knock out an entire AWS region. The Gulf events tested (and in parts exposed) the limits of that model in ways engineers had rarely anticipated outside extreme natural disasters.

The fintech startups in the 2023 AWS FinTech Africa Accelerator cohort built on AWS from day one. The 25 startups, 11 of them Nigerian, received up to $25,000 in AWS credits as part of their entry into the programme, essentially entering the market with their infrastructure decisions already made before they had revenue.

For a seed-stage startup, AWS credits are a subsidy that shapes every architectural decision that follows. Diversifying away from AWS later is expensive and technically disruptive, which means the dependency tends to deepen as these companies grow.

The question nobody wants to answer

The Iran strikes also forced cloud architects to confront a compliance problem that sits underneath the availability problem. Moving workloads to other regions during a crisis might restore services, but it can move sensitive data outside national borders in the process, creating immediate regulatory exposure under the Nigeria Data Protection Act and Kenya’s Data Protection Act. The architecture of resilience and the requirements of data sovereignty pull in opposite directions.

NITDA Director-General Kashifu Inuwa Abdullahi has repeatedly emphasised the need to localise critical data infrastructure, pointing to the Nigeria Data Protection Act and ongoing data centre expansion as the policy framework driving this. The architecture of Nigerian fintech, however, has not followed that policy direction.

The gap between what regulators say and where the actual servers sit remains wide, and no regulator in Nigeria or Kenya has issued guidance on cloud infrastructure diversification in the context of geopolitical conflict risk.

The broader connectivity picture makes this harder to ignore. 17 submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. With Iran’s closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea, both critical data choke points now sit in active conflict zones simultaneously.

The 2024 cuts to WACS, ACE, MainOne, EASSy, and Seacom demonstrated how quickly connectivity across West, East, and Southern Africa can collapse, leaving millions offline and critical services impaired. That was a maintenance incident. The Gulf scenario is a war.

If the scenario that played out in Bahrain in March and April happened to the Cape Town region, what would Nigerian fintech look like the next morning?

No major Nigerian fintech has publicly disclosed a multi-cloud or sovereign-cloud contingency plan. No payments regulator has asked them to. The cloud, as engineers like to say, is just someone else’s computer.

In 2026, that computer is in a war zone, and the continent building its financial future on top of AWS has not yet decided what it will do about that.

The post When the Cloud burns: What Iran’s AWS strikes mean for African fintech first appeared on Technext.