Policybazaar UAE Seeks Data Hosting Exemption After AWS Drone-Strike Outage

{getToc} $title={Table of Contents}

Policybazaar UAE races to recover after AWS strike, seeking flexible data-hosting approvals.

Drone strikes on 2 March 2026 damaged two AWS data centres in the UAE and one in Bahrain, impairing two of three availability zones in the me-central-1 region.
Policybazaar UAE reported 60-70% of operations restored by 6 March 2026, with full recovery expected within 48 hours subject to AWS progress.
The company is seeking CBUAE approval to temporarily host insurance data outside the UAE to improve disaster recovery resilience.
The Insurance Brokers Regulation 2024 mandates that personal insurance data be stored in the UAE and backed up within the country for at least ten years.
The Regulation prohibits outsourcing insurance broker activities to external parties outside the UAE without prior CBUAE non-objection.
The incident exposes concentration risk for Gulf fintechs and brokers relying on single-region AWS infrastructure.

CBUAE Outsourcing Controls and Cloud Resilience Collide

The AWS drone-strike outage of 2 March 2026 has placed the UAE's data residency framework under the spotlight, forcing digital insurance brokers to confront a direct tension between operational resilience and CBUAE Insurance Brokers Regulation 2024 requirements. Policybazaar UAE, the UAE arm of India's major online insurance marketplace, disclosed that its operations were among those disrupted when drone strikes damaged two AWS data centres in the UAE and one facility in Bahrain. With two of three availability zones in the AWS me-central-1 region impaired, the company activated business continuity plans while simultaneously seeking regulatory approval to temporarily migrate data offshore.

The episode arrives as digital insurers and brokers in the Gulf assess their exposure to single-region cloud concentration risk. Under the Insurance Brokers Regulation 2024, which came into effect on 15 February 2025, UAE-licensed brokers must store personal data within the UAE and maintain a secure backup within the country. Policybazaar UAE's request for a time-limited exemption - to host data outside the UAE purely for disaster recovery - will test how the CBUAE applies proportionality under a framework designed before geopolitical conflict compromised regional cloud infrastructure.

What Happened: The AWS Outage on 2 March 2026

On 2 March 2026, Amazon Web Services (AWS) confirmed that drone strikes had damaged three of its facilities in the Middle East - two data centres in the UAE and one in Bahrain. The attacks caused fires and activated sprinkler systems, impairing equipment across multiple availability zones. AWS stated that the strikes occurred against the backdrop of escalating regional tensions following military operations involving Iran and subsequent retaliatory activity across the Gulf.

With two of three availability zones in the me-central-1 UAE region impaired, AWS acknowledged that services including Amazon S3 storage and DynamoDB faced high failure rates for data ingest and egress. AWS strongly advised customers to back up data and migrate workloads to alternate regions outside the Middle East. The company warned that recovery would be gradual, given the physical nature of the infrastructure damage involved.

Regional financial institutions felt the impact immediately. Abu Dhabi Commercial Bank reported that its platforms and mobile application were inaccessible due to a regional IT disruption. Payment and mobility services including Careem, Alaan, and Hubpay also suffered outages linked to the AWS issues, according to Reuters.

Policybazaar UAE: Recovery Status

Policybazaar UAE confirmed to Reuters that the AWS incidents in the UAE and Bahrain had disrupted its local infrastructure and customer-facing systems. By 6 March 2026, approximately 60-70% of its UAE operations had been restored, and the company expected full recovery within 48 hours. Progress remained contingent on AWS stabilising regional services alongside Policybazaar UAE's own remediation efforts.

The company said it was working closely with AWS to reroute workloads and rebuild affected components, while activating manual workarounds to maintain service for customers and insurance partners. Policybazaar UAE also indicated its intention to temporarily migrate insurance-related data and workloads to AWS regions outside the Middle East to improve resilience against further regional infrastructure disruption.

The Data Residency Constraint

The temporary offshore migration plan requires regulatory approval. Policybazaar UAE told Reuters that it was in discussions with the CBUAE and expressed confidence that a time-limited non-objection or exemption would be granted. The CBUAE currently mandates that insurance-related personal data must be stored locally, which directly restricts the ability of digital brokers to fail over to foreign data centres during emergencies.

Under the Insurance Brokers Regulation 2024, brokers must store personal data in the UAE and keep a secure backup at a separate location within the country, retaining records for at least ten years. The Regulation also explicitly prohibits brokers from outsourcing activities outside the UAE to external parties without prior CBUAE non-objection - a requirement that applies directly to any proposal to host data abroad, even on a temporary basis.

Insurance Brokers Regulation 2024: ICT and Resilience Obligations

The Insurance Brokers Regulation 2024, which came into force on 15 February 2025, sets out detailed obligations for information and communications technology (ICT) governance across all UAE-licensed insurance brokers. Brokers must implement electronic systems adequate to support all brokerage activities and maintain cyber incident response and management plans. The Regulation requires brokers to apply risk governance processes covering cyber security risks - including scenarios such as large-scale cloud outages and physical infrastructure attacks.

On outsourcing, the Regulation introduces a structured regime requiring brokers to obtain CBUAE non-objection before outsourcing material business activities. Submissions must cover risk assessment, materiality analysis, due diligence, and internal approvals. Any cloud or electronic systems used must comply with CBUAE laws and permit audit, access, and supervisory oversight.

The CBUAE has signalled a proportionate, objectives-based approach to enforcement, taking into account each broker's size and business model. Industry commentary notes that this proportionality principle may be relevant as the regulator considers Policybazaar UAE's request for a temporary exemption from data residency requirements.

Implications for Digital Brokers and Cloud Architecture

The incident exposes a concentration risk for fintechs, insurers, and brokers in the Gulf that have built their platforms on single-region AWS infrastructure. AWS itself acknowledged that services such as S3 are designed to withstand the loss of one availability zone, not multiple zones simultaneously - prompting calls for customers to adopt multi-region and multi-cloud strategies. For Gulf-based financial services firms, the advice to re-architect workloads now carries additional urgency given the regional security environment.

However, any re-architecture must be reconciled with CBUAE's strict onshore data residency rules and outsourcing prohibitions. Brokers may need to seek targeted exemptions or design models - such as maintaining encrypted data replicas offshore solely for disaster recovery - that satisfy both resilience and regulatory requirements. The outcome of Policybazaar UAE's discussions with the CBUAE may set a practical precedent for how the sector approaches this challenge.

The CBUAE has previously demonstrated its willingness to act against brokers with weak compliance frameworks, including ICT and cyber security controls. Policybazaar UAE's proactive engagement with both AWS and the regulator will be closely watched as an early test of how digital brokers navigate the tension between operational resilience and regulatory compliance under the UAE's evolving framework.

What Clients are Asking their Advisors

What are the CBUAE data storage rules for UAE insurance brokers?

Under the Insurance Brokers Regulation 2024, UAE-licensed insurance brokers must store all personal data within the UAE and maintain a secure backup at a separate location inside the country, with records retained for at least ten years. Any cloud or electronic systems used must comply with CBUAE laws and remain accessible to the regulator for audit and oversight. These requirements apply to all onshore brokers and cannot be waived without formal regulatory approval.

How can a UAE insurance broker get approval to host data outside the UAE temporarily?

A broker must seek a formal non-objection or time-limited exemption from the CBUAE before migrating insurance-related data to a foreign cloud region. The Regulation requires prior regulatory approval for material outsourcing arrangements, even temporary ones, with submissions covering risk assessment, due diligence, and internal approvals. The CBUAE applies proportionality and may accommodate case-by-case requests where its regulatory objectives - including data access and audit rights - are still met.

Was the AWS outage on 2 March 2026 different from a typical cloud failure?

Yes - the outage was caused by physical drone strikes that simultaneously damaged two of three availability zones in the AWS me-central-1 UAE region, rather than a software or hardware fault within a single zone. AWS acknowledges that its redundancy architecture is designed to survive the loss of one zone, not multiple zones at once. The physical and geopolitical nature of the attack represents a risk scenario that most business continuity plans do not explicitly address.

What should UAE insurance brokers do now to reduce cloud outage risk?

Brokers should review whether their business continuity and disaster recovery plans explicitly address multi-zone and multi-region failures, including scenarios involving physical infrastructure damage. Any plans to use offshore cloud regions for failover should be assessed against the Insurance Brokers Regulation 2024 data residency and outsourcing rules, with CBUAE approval sought in advance. Proactive engagement with the regulator before a crisis is likely to be viewed more favourably than reactive requests during one.