
Key considerations when migrating from AWS Middle East region to EU region — from data protection, contractual, and tax perspectives
I am Shiga from Berlin. Recently, I returned to Japan and came back to Germany along with the arrival of the pollen season.
On March 1, 2026, due to escalating tensions in the Middle East, data centers in the AWS Middle East (UAE) Region (ME-CENTRAL-1) and Middle East (Bahrain) Region (ME-SOUTH-1) suffered physical damage. AWS strongly recommends that affected customers migrate to other regions.
This article outlines the often-overlooked issues that service providers for the Middle East, Africa, and Turkey face when migrating to AWS European regions (Milan eu-south-1, Frankfurt eu-central-1, etc.). I'll explain why it's not just about "moving servers" from regulatory, contractual, and tax perspectives.
What Happened?
In the early hours of March 1, 2026 (PST), AWS data centers in the UAE and Bahrain suffered physical damage from drone attacks due to military conflicts in the Middle East region. Structural damage, power outages, and water damage from firefighting efforts have been reported.
AWS officially announced the following response:
- Prioritizing the recovery of tools that support data backup and migration from affected regions
- Recommending that customers execute their DR plans and switch traffic to other regions
- Suggesting alternative regions in the US, Europe, and Asia Pacific
This incident has made real what was previously considered a theoretical risk: cloud infrastructure being exposed to physical geopolitical risks.
Three Key Considerations When Migrating to European Regions
For services targeting the Middle East and Africa including Turkey, Milan (eu-south-1) or Frankfurt (eu-central-1) are reasonable choices from a latency perspective. Milan is particularly noteworthy as most submarine cables from Africa make landfall in Italy. However, placing infrastructure within the EU has legal and practical implications beyond simply relocating servers.
GDPR Scope — Is "It doesn't matter if there are no EU resident users" really true?
The scope of GDPR (General Data Protection Regulation) is determined by the location of data subjects and the targeting of services (Article 3), not the physical storage location of data.
In other words, even if you store data in the Milan region, the conditions for GDPR Article 3(2) to apply are not met if the data subjects are not located within the EU. For services targeting only Middle East and African users, this understanding is generally correct.
However, there are three important points to consider:
Point 1: Risk of EU residents "mixing in"
The assumption that "there are no EU residents among target users" is often a service design premise rather than a technically guaranteed fact. Even for services targeting the MENA (Middle East and North Africa) region, there's a significant possibility that users from these regions who are studying, working, or living in the EU may access the service. Germany has a Muslim community of about 5 million people, mainly of Turkish origin, while France has about 6 million people mainly of North African origin, and it's not uncommon for them to regularly use online services targeting their countries of origin from within the EU.
Unless you implement geo-blocking, you're not technically excluding access from within the EU. In this case, you may unintentionally become subject to GDPR Article 3(2).
Point 2: Strict enforcement stance of the Italian authority (Garante)
Choosing the Milan region means conducting data processing within the jurisdiction of Italy's data protection authority, Garante per la protezione dei dati personali. Garante has been one of the most active enforcement authorities in the EU, including finding GDPR violations in Google Analytics usage in 2022 and temporarily banning ChatGPT in 2023.
Even if GDPR doesn't directly apply, the possibility of inquiries from Garante in case of incidents occurring on EU-based infrastructure cannot be ruled out. It's reasonable from a risk management perspective to establish contact points and procedures for such inquiries in advance.
Point 3: ePrivacy Directive
For web-based services, there's another regulatory axis: the ePrivacy Directive. This operates independently but in conjunction with GDPR and establishes consent requirements for placing cookies on devices. For websites accessible from within the EU, cookie consent management may be required regardless of users' nationality or the service's target region.
Reading this far, you might think "maybe GDPR isn't relevant after all," but what's important is not whether the risk is zero, but how it compares to the cost of responding if the risk materializes. If the cost of preventive measures is relatively low, taking precautionary action is a rational business decision.
Operational Structure Within the EU — Is Just Having Infrastructure There Enough?
When using AWS European regions, the GDPR-compliant Data Processing Addendum (DPA) of Amazon Web Services EMEA SARL (the Luxembourg entity) applies by default, ensuring contractual protection for AWS's data processing.
However, AWS only covers its responsibilities as an infrastructure layer (Processor). Service providers must fulfill their own responsibilities as Controllers - such as making notifications to authorities in case of incidents, responding to data subject inquiries, and determining when to conduct DPIAs.
The practical challenge here is whether businesses without operational touchpoints in the EU can engage in timely dialogue with EU regulatory authorities and users.
Time Zone and Language Barriers
EU data protection authorities strictly enforce notification deadlines (GDPR Article 33: notification to authorities within 72 hours). If an incident occurs during European business hours, offices in Asia or the Middle East may lose the majority of those 72 hours before they even begin to respond on the next business day. Being able to initiate response actions in EU time zones makes a substantial difference to compliance.
GDPR Article 27 — Obligation to Designate an EU Representative
If subject to GDPR Article 3(2) (if the "mixing in" risk materializes), businesses without an establishment in the EU must designate a representative within the EU under GDPR Article 27. Failure to designate an EU representative is itself a separate violation, so if you determine that "the possibility of GDPR application is not zero," preemptively appointing a representative is a cost-effective measure.
Preparation for Future Regulatory Strengthening
With the implementation of the Data Act (Regulation 2023/2854) in the EU, freedom to switch cloud services and data access rights are being strengthened. Discussions on the European Cybersecurity Certification Scheme (EUCS) are also progressing, with certification requirements for cloud services within the EU moving toward stricter standards. While this benefits cloud service users, maintaining EU-based expertise to track such regulatory trends in real-time and assess their impact on your company is effective for long-term risk management.
VAT and Tax Processing
When using AWS regions within the EU, value-added tax (VAT) processing is required.
When businesses outside the EU contract directly with AWS EMEA SARL, the Reverse Charge Mechanism is expected to apply as a B2B transaction, but depending on the usage pattern, EU VAT registration obligations may arise. Particularly when providing services to end-users within the EU (B2C), it may be necessary to comply with the VAT One Stop Shop (OSS) system.
While AWS's own invoicing often completes the VAT processing for AWS usage fees, the tax implications of your own services within the EU need separate consideration. Consulting with partners knowledgeable about EU taxation in advance can prevent unexpected tax risks from emerging later.
Beware of "Reverse Application" of Third Country Transfers
An often-overlooked issue is access from outside the EU to data stored within the EU.
For example, if offices outside the EU remotely access databases placed in the Milan region for management or analysis purposes, this could constitute "data transfer from within the EU to a third country" under GDPR.
Japan has received an adequacy decision from the European Commission, so transfers are legal, but adequacy decisions are conditional on compliance with supplementary rules and don't automatically permit everything. For access from countries without adequacy decisions, such as Turkey or Egypt, separate Standard Contractual Clauses (SCCs) would be required. In either case, records of transfers and documentation of appropriate safeguards are required.
Conclusion: Migration Doesn't End with "Infrastructure Relocation"
This AWS Middle East region incident is the first case where geopolitical risks to cloud infrastructure have materialized. Precisely because the situation is urgent, selecting a migration destination requires a comprehensive judgment that includes regulatory, contractual, and tax perspectives, not just technical latency.
To summarize, issues to consider when migrating to EU regions include:
- GDPR scope verification: Assessment of EU resident user mixing risk, implementation of geo-blocking
- ePrivacy compliance: Cookie consent management for web services accessible from within the EU
- EU operational structure: Initial incident response, authority notification, assessment of EU representative (Art. 27) requirements
- Third country transfers: Transfer records and documentation for remote access from outside the EU (adequacy decisions, SCC requirements)
- VAT processing: EU VAT registration requirements, consideration of simplification through resellers
Classmethod Europe GmbH (CME), based in Berlin, Germany, provides AWS environment construction and operational support, as well as compliance with European regulations such as GDPR and ePrivacy. We cover practical needs for businesses with infrastructure in the EU, including EU representative services, cookie consent management (Cookiebot) implementation support, and initial incident response in EU time zones. Please feel free to contact us for consultation.


