Most conversations about cloud resilience stop at the network edge. Region failover. Multi-AZ. Cross-region replication. These are the things in your DR runbook. What is not in your runbook is this: what happens when the chips that replace failed hardware cannot be manufactured because the gas that powers the fabs is not flowing? That is not a theoretical scenario. It is happening right now, and your cloud provider's SLA was not designed to cover it.

This edition examines the force majeure clauses nobody reads, the supply chain dependencies nobody maps, and the new cloud risk model that European enterprises need to adopt — before their providers do it for them.

TL;DR
  • Every major cloud provider's SLA includes a force majeure clause that explicitly excludes liability for wars, acts of terrorism, and government actions — the exact events now disrupting service

  • The Strait of Hormuz closure threatens the helium, LNG, and bromine supply chains that TSMC, Samsung, and SK hynix depend on to manufacture the chips inside your cloud servers

  • DORA Article 28 requires financial entities to assess concentration risk in their ICT service provider relationships — and most have not mapped supply chain dependencies below the provider level

  • European enterprises that map their full dependency chain now — from SLA to silicon — will be the ones still negotiating from a position of strength when the next contract renewal comes

The Brief

Your Force Majeure Clause Is a Get-Out-of-Jail-Free Card for Your Provider

Open your cloud contract. Find the force majeure section. Every major hyperscaler — AWS, Azure, Google Cloud — includes language that releases them from SLA commitments during events including (but not limited to) wars, hostilities, acts of terrorism, government actions, epidemics, and natural disasters. The March 1 drone strikes and the Hormuz Strait closure qualify under multiple categories simultaneously.

What this means in practice: your 99.99% uptime guarantee does not apply during exactly the kind of events that are now occurring. Credit-based SLAs — where your compensation for downtime is service credits, not actual damages — become worthless when the provider can invoke force majeure. You are not buying resilience. You are buying a promise that expires precisely when you need it most.

The uncomfortable follow-up question: when was the last time your legal team reviewed these clauses with your architecture team present?

Do now: Pull the force majeure section from every cloud contract your organisation holds. Share it with your enterprise architecture team. Ask: "Which of our production workloads are protected by nothing more than this clause right now?"

The Hormuz Chokepoint Is a Semiconductor Problem, Not Just an Oil Problem

The Strait of Hormuz carries approximately 20% of global oil shipments. But the semiconductor angle is where European enterprise leaders should be paying attention. Qatar supplies 30% of the world's helium — a gas with no substitute in chip fabrication, used to cool silicon wafers during manufacturing. South Korea imported 64.7% of its helium from Qatar in 2025. SK hynix, the world's second-largest memory chip manufacturer, is already being forced to diversify suppliers.

TSMC — which manufactures over 90% of the world's most advanced semiconductors — consumes 9% of Taiwan's total electricity. Taiwan imports 33.7% of its liquefied natural gas through the Strait of Hormuz via Qatar. The industry is facing what analysts describe as a "two-to-three month minimum" recovery window once helium production restarts, followed by four to six months before the supply chain normalises.

Your cloud provider does not manufacture its own servers. It buys them from companies that buy chips from fabs that depend on energy and materials flowing through a strait that has been closed for two weeks. This is a dependency chain that no cloud SLA maps, no DR runbook tests, and no procurement team audits.

Do now: Ask your cloud account team: "What is your hardware refresh timeline if the current supply chain disruption extends beyond 90 days? What is your buffer stock?"

DORA Says You Should Have Mapped This Already

The Digital Operational Resilience Act is not just about cyber resilience. Article 28 requires financial entities to assess and manage ICT third-party concentration risk. Article 29 obliges them to maintain registers of all outsourcing arrangements with ICT service providers, including risk assessments that cover "the degree of substitutability of the ICT services." The European Supervisory Authorities have published Regulatory Technical Standards that specifically require institutions to consider supply chain dependencies within their critical ICT service provider relationships.

Most financial institutions have mapped their direct cloud provider relationships. Very few have mapped the supply chain beneath those providers — the semiconductor manufacturers, the energy suppliers, the logistics networks that keep cloud infrastructure physically operational. The Hormuz disruption is the first real-world test of whether concentration risk assessments extend deep enough.

If you are a regulated financial entity and your DORA concentration risk register does not include the hardware supply chain dependencies of your cloud providers, you have a gap. Not a theoretical gap — a gap that a regulator reviewing your operational resilience framework could identify today.

Do now: Review your DORA ICT third-party risk register. For each critical cloud provider, add a row documenting their primary hardware suppliers and the geographic concentration of those suppliers' manufacturing and logistics.

The EU Chips Act Cannot Save You Yet

The European Chips Act, adopted in September 2023, targets €43 billion in public and private investment to bring semiconductor manufacturing capacity to Europe. Intel's Magdeburg fab, TSMC's potential Dresden facility, and GlobalFoundries' expansion in Dresden are the headline projects. The problem: none of these facilities will be producing at scale before 2028 at the earliest.

For the next two years, European enterprises remain fully dependent on semiconductor supply chains running through East Asia and the Middle East. The EU Chips Act addresses the long-term structural dependency, but it provides zero short-term resilience against the supply disruption currently unfolding. European chip production as a share of global output stands at roughly 8-10% — a number the Act aims to raise to 20% by 2030. That is an aspiration, not a buffer.

The strategic takeaway for enterprise leaders is this: do not confuse the existence of a policy response with the existence of actual supply chain resilience. The EU Chips Act is a decade-long project. The Hormuz closure is a now problem.

Do now: In your next board risk update, distinguish between near-term supply chain exposure (fully dependent on current routes) and long-term mitigation (EU Chips Act timeline). Do not let the existence of a plan mask the absence of current protection.

Insurance Markets Are Already Repricing Cloud Risk

Before March 1, cyber insurance policies for cloud-dependent enterprises were priced primarily around data breach, ransomware, and business interruption from software failures. Kinetic attacks on cloud infrastructure were not a standard underwriting scenario. That is changing. Lloyd's of London introduced war exclusion clauses for cyber policies in 2023, and insurers are now actively reassessing whether cloud infrastructure in conflict-adjacent regions triggers those exclusions.

For enterprise risk teams, the question is no longer "are we insured against a cloud outage?" but "does our insurance cover an outage caused by a military conflict that disrupts our provider's supply chain?" The answer, for most policies written before March 2026, is probably no.

Do now: Share this edition's analysis with your risk and insurance teams. Ask your broker: "Does our cyber/business interruption policy cover losses from a cloud provider outage caused by a geopolitical event that triggers the provider's force majeure clause?"

Data Sovereignty Is Now a Supply Chain Conversation

The European sovereignty debate has focused on jurisdiction — where data sits, which government can access it, whether the CLOUD Act reaches into Frankfurt. The Hormuz disruption adds a physical dimension: it does not matter where your data is stored if the infrastructure it runs on cannot be maintained because replacement hardware is stuck in a broken supply chain.

European sovereign cloud providers — Hetzner, Scaleway, STACKIT, OVHcloud — face the same semiconductor dependency as the hyperscalers. The difference is scale: hyperscalers operate buffer inventories measured in months or quarters of server capacity. Smaller European providers may have weeks. Sovereignty without supply chain resilience is an incomplete proposition.

The organisations that will navigate this best are those treating sovereignty as a multi-layered risk question: jurisdictional sovereignty (who can access the data), operational sovereignty (who controls the infrastructure), and supply chain sovereignty (where the hardware comes from and how reliably it arrives).

Do now: Add "supply chain resilience" as a weighted criterion in your cloud provider evaluation framework, alongside data residency, compliance certifications, and pricing. Ask every provider — hyperscaler and sovereign — about their hardware inventory buffer and diversification of component suppliers.

Builder Spotlight

Exein — Firmware Security for the Hardware Nobody Audits

Profiling teams building for the European AI reality.

The company: Exein, Rome, Italy

What they do: Runtime firmware security platform that protects IoT and embedded devices — including the BMC (Baseboard Management Controller) firmware inside data centre servers

Why now: When the supply chain discussion extends to server hardware, firmware integrity becomes the invisible attack surface that connects physical supply chain risk to cybersecurity risk.

Exein was founded in Rome in 2018 with a focus that seemed niche at the time: securing the firmware layer that sits below the operating system in embedded devices and server hardware. Every server in every cloud data centre runs BMC firmware that manages hardware operations independently of the main OS. This firmware is a well-documented attack vector — and when servers are manufactured across global supply chains with limited visibility into component provenance, the risk compounds.

The company raised a €7 million Series A in 2024, backed by United Ventures and 360 Capital. Their runtime protection agent, Pulsar, monitors firmware behaviour in real time and flags anomalous execution patterns that could indicate supply chain compromise. In a world where enterprises are now being asked to map their cloud provider's hardware supply chain dependencies, the question "who manufactured this server, and what firmware is it running?" takes on new operational urgency.

For enterprise teams doing the supply chain mapping we recommended in The Brief and Deep Dive, Exein represents the kind of security layer that sits at the intersection of hardware provenance, firmware integrity, and operational resilience. If your DORA assessment asks "can we verify the integrity of the hardware running our critical workloads?", Exein is building the tooling to answer that question.

Learn more: exein.io

Deep Dive

The New Cloud Risk Model

The cloud industry has operated on a risk model optimised for the failures it has already experienced: power outages, network partitions, software bugs, and natural disasters. The March 1 drone strikes and the Hormuz Strait closure are forcing a recalibration. The new risk model must account for three layers of dependency that traditional cloud risk assessments largely ignore.

Layer 1: The Contract Layer — What Your SLA Actually Promises

Cloud SLAs are structured as credit-based compensation mechanisms. If your provider fails to meet its uptime guarantee, you receive service credits — typically a percentage of your monthly bill, capped at the amount you paid. For a €500,000 annual cloud spend, a month of total downtime might entitle you to €40,000 in credits. Not cash. Credits against future bills with the same provider whose infrastructure just failed.

Force majeure clauses sit above this structure like an override switch. When triggered, the credit mechanism itself is suspended. The provider's obligation to meet the SLA is paused for the duration of the qualifying event — and the definition of "qualifying event" is broad enough to encompass every scenario currently playing out in the Middle East.

This is not a design flaw. It is the design. Cloud providers are infrastructure operators, not insurers. They cannot and do not guarantee availability against state-level military actions. The problem is not that force majeure clauses exist — it is that most enterprise buyers have never modelled what happens to their operations when these clauses activate.

So what? Stop treating your cloud SLA as a guarantee of availability. It is a financial credit mechanism with a kill switch. Model your actual exposure: if your primary provider invokes force majeure for 30, 60, or 90 days, what is your business impact? That number — not the SLA percentage — is your real risk metric.

Layer 2: The Physical Layer — Silicon, Helium, and Chokepoints

A cloud region is not an abstraction. It is a building full of servers, each containing processors, memory, storage devices, and networking equipment manufactured in specific factories, from specific materials, shipped along specific routes. When any link in that chain breaks, the provider's ability to maintain, expand, or repair its infrastructure degrades.

The Hormuz closure has exposed three critical material dependencies:

Helium. No viable substitute exists for cooling silicon wafers during semiconductor fabrication. Qatar produces roughly 30% of global supply. South Korea — home to Samsung and SK hynix, which together produce the majority of the world's memory chips — imported 64.7% of its helium from Qatar in 2025. SK hynix has already been forced to begin emergency supplier diversification. Tom's Hardware reports the industry faces a "minimum two-to-three month" shutdown of helium production, with four to six months before the supply chain normalises.

LNG. Taiwan imports 33.7% of its liquefied natural gas through the Strait of Hormuz. TSMC consumes 9% of Taiwan's total electricity. Energy price spikes directly translate into higher chip production costs — costs that eventually flow through to server pricing and, ultimately, to cloud service rates. CNBC reports that memory chip prices have already begun to rise.

Bromine. Used in flame retardants essential for printed circuit boards and server chassis. Israel and Jordan are major producers, and supply routes intersect with the current conflict zone. TrendForce has flagged bromine supply disruption as an emerging risk for DRAM production.

So what? Your cloud provider's infrastructure resilience is downstream of a semiconductor supply chain that currently has three chokepoints under stress simultaneously. Ask your provider about their hardware buffer inventory. If they cannot give you a straight answer, that is your answer.

Layer 3: The Regulatory Layer — What Supervisors Will Ask

European financial regulators have spent three years building an oversight framework for cloud concentration risk. DORA's Regulatory Technical Standards on ICT third-party risk management require institutions to maintain a detailed register of outsourcing arrangements, assess substitutability, and conduct scenario testing. The ESAs' guidance on cloud outsourcing specifically references the need to assess "operational dependencies that may not be immediately visible."

The Hormuz disruption is the first event that tests whether these frameworks extend deep enough. A regulator reviewing a financial institution's operational resilience framework could reasonably ask: "You have mapped your cloud provider concentration. Have you mapped the concentration risk within your cloud provider's own supply chain? Do you know where the servers in your primary cloud region are manufactured? Do you know what materials are required, and which shipping routes they travel?"

Most institutions cannot answer these questions today. The organisations that begin building this visibility now will be ahead of the regulatory curve. Those that wait for explicit supervisory guidance will be scrambling to comply after the next incident triggers enforcement attention.

So what? Start building a supply chain risk layer into your DORA concentration risk assessment. You do not need to map every bolt in every server. You need to know: who makes the hardware, where are the fabs, and what chokepoints sit between those fabs and your cloud region. This is the information that will distinguish a passing operational resilience assessment from a failing one.

Next Steps

  1. This week: Pull the force majeure clauses from every cloud contract you hold. Circulate them to your architecture, risk, and legal teams. If nobody in the room has read them before, that is your finding.

  2. This month: Request a supply chain briefing from each critical cloud provider. Ask specifically: hardware refresh timelines, buffer inventory levels, and semiconductor supplier diversification. Document the answers — or the refusal to answer.

  3. This quarter: Add supply chain dependency mapping to your DORA concentration risk register. For each critical cloud provider, document: primary hardware vendors, fab locations, key material dependencies, and shipping route exposure. Treat it as a living document, updated quarterly.

This Week in Tech

Qatar Helium Shutdown Puts Chip Supply on a Two-Week Clock

Qatar's helium production facilities have been taken offline as a consequence of the Hormuz Strait closure, removing approximately 30% of global helium supply from the market. SK hynix, the world's second-largest memory chip manufacturer, has been forced to begin emergency diversification of helium suppliers after relying on Qatar for the majority of its supply. Industry analysts estimate a minimum two-to-three month production shutdown, with four to six months before the helium supply chain returns to normal. Memory chip prices are already rising in response.

Why it matters: Helium has no viable substitute in semiconductor manufacturing. Every server in every cloud data centre contains memory chips that required helium to produce. If the supply disruption extends beyond current estimates, hardware refresh cycles across the industry will lengthen — and cloud capacity expansion will slow.

Anthropic Sues the Trump Administration Over Pentagon Blacklisting

Anthropic filed two federal lawsuits against the Trump administration after the Pentagon designated the company a "supply chain risk," effectively blacklisting Claude from all defence contractor work. The trigger: CEO Dario Amodei's refusal to allow Claude to be used for autonomous weapons or domestic surveillance. The lawsuits allege First Amendment violations. The #QuitGPT movement saw 2.5 million users leave ChatGPT after OpenAI signed its Pentagon deployment contract, pushing Claude to number one on the US App Store.

Why it matters: The AI industry is splitting along an ethical fault line. For European enterprises evaluating AI providers, the question of who controls model deployment policies — and under what political pressure — is now a procurement consideration. Anthropic's principled stance aligns more closely with European values on AI governance, but the US government's ability to designate companies as supply chain risks creates jurisdictional uncertainty for any enterprise relying on American AI providers.

Oracle Plans 20,000-30,000 Layoffs to Fund AI Data Centre Expansion

Oracle is reportedly cutting up to 30,000 jobs to free $8-10 billion for AI data centre expansion, driven by commitments including a $156 billion OpenAI deal requiring 3 million GPUs over five years. US banks have pulled back from financing, doubling Oracle's borrowing costs. The company is considering selling Cerner and plans $45-50 billion in debt and equity raises this year.

Why it matters: The AI infrastructure arms race is consuming companies from the inside. If your organisation runs Oracle workloads — particularly Cerner in healthcare — watch for service quality degradation as restructuring hits engineering and support teams. Oracle's financing difficulties also signal broader market scepticism about the sustainability of current AI infrastructure investment levels.

Next Steps

What to read now?

  1. "The Ongoing Strait of Hormuz Blockage Will Impact the Semiconductor and AI Industries" — Tom's Hardware. The most comprehensive breakdown of the helium, aluminium, and LNG supply chain risks the Hormuz closure creates for chip manufacturing. Required reading for anyone who thinks cloud resilience is purely a software problem.

  2. "The Iran War Is Also Now a Semiconductor Problem" — Carnegie Endowment. Carnegie maps the energy-semiconductor nexus between Iran, South Korea, and Taiwan. The best analysis of why the conflict's second-order effects on chip production may outlast the conflict itself.

  3. "Iran Conflict Threatens Global Chip Supply Chain, Risks Higher Costs for TSMC" — Bloomberg. Bloomberg's latest on how the chokepoint crisis is beginning to affect TSMC's cost structure and the downstream implications for every company that depends on advanced semiconductors — which is every company.

  4. "Middle East Energy Turmoil Raises Chip Risks, Spotlight on TSMC Power Use and Bromine for DRAM" — TrendForce. TrendForce adds bromine to the list of at-risk materials — critical for flame retardants in circuit boards. The supply chain dependencies run deeper than most analyses acknowledge.

That’s it for this week.

The supply chain risk model we've outlined in this edition is something I'm building into a structured assessment framework. If your organisation is re-evaluating its cloud resilience posture post-Hormuz, reply to this email — I'm running tabletop exercises for enterprise architecture teams that map exactly these dependency chains.

Until next Thursday, João

OnAbout.AI delivers strategic AI analysis to enterprise technology leaders. European governance lens. Vendor-agnostic. Actionable.
