The infrastructure decisions Western allies make this summer will shape the next decade of alliance defence.
When Nato leaders meet in Ankara next Tuesday and Wednesday (7-8 July), the agenda will be dominated by Iran and Ukraine.
But AI is another timely issue for trust across the Alliance. In June, the US government ordered Anthropic, a leading American AI company, to restrict foreign access to its most capable models overnight, citing national security concerns.
It sends a clear message to Nato that Washington will treat its most powerful AI models as national security assets. Frontier general-purpose models have become indispensable to state-of-the-art cyberdefence, and Nato has started to embed AI at the core of command through a decision-support tool for commanders.
Without access to frontier models, Nato countries face a widening asymmetry in cyberdefence and broader defence intelligence capabilities across the alliance.
Only a handful of countries, perhaps only the US, will ever build AI models that remain at the frontier of most domains.
China cannot keep pace under hardened US export controls on the most advanced chips, and France’s Mistral, Europe’s most serious contender, is likely to remain a follower behind the frontier, also constrained by compute and capital.

How to secure access to the best models for defence and security becomes a fundamental question for Nato allies. The G7 has already negotiated a ‘trusted partners’ deal to guarantee like-minded countries access to US frontier models.
But access is only part of the story.
Running one of these models means sending sensitive government workloads to wherever it is served. European governments demand their data stay on home soil, and the proposed Cloud and AI Development Act hardens this by pushing for Europe’s most sensitive workloads to run only on European-operated infrastructure.
The US will make the same demand in reverse, insisting its top models run on infrastructure it can control. Even without that constraint, developers themselves need top-tier security to protect their model weights, the most sensitive intellectual property of the models, from theft.
Five security levels
RAND ranks AI security on five levels. The top level is meant to stop even a nation-state from stealing a model. This requires a facility built for security from day one, including strong physical protection, staff screening, and trusted supply chains. No developer will serve its best model from a data centre that cannot meet such a high bar.
So any ally that wants to host frontier models, whether American or a future European-built equivalent, needs a dedicated high-security site, national or shared across the alliance.
These sites are expensive to build and to certify.
Most allied members do not have such infrastructure. Nato runs air-gapped cloud for classified work, and Canada and others are building sovereign data centre capacity, but these are likely to stay too small even to serve the most computationally intensive frontier models, let alone build them.

Europe’s public-private AI gigafactories, albeit delayed, could be big enough to train models just behind the frontier, but their security classifications are not set yet. Whether access to the best models creates an asymmetry in defence, and what infrastructure it depends on, is a question that brings Nato allies to the table as allies.
Then there is the cost.
At the Hague summit, allies agreed to spend five percent of GDP, 3.5 percent on core defence and 1.5 percent on critical infrastructure and resilience. It is straightforward to argue that public money should not fund what private capital will build anyway. Global data-centre investment is on track to pass $1 trillion [€873bn] in 2026, more than any government could match.
Markets cannot deliver
Governments are needed for the resilience that the market underdelivers.
Data centres are mostly not built to withstand hostile attack, and the Iranian drones that struck Amazon’s sites in the Gulf showed that threat is no longer hypothetical. Cybersecurity incidents are also rising, and they tend to target data centres’ power and cooling systems and their interface with the grid.
Grid resilience has traditionally been a state responsibility, and if allies pursue shared, multi-country projects, that responsibility extends to protecting them.
Nato should coordinate resilience and defence investment where needed, particularly for jointly operated facilities, and adopt common best-in-class security standards.
Most data centres can be classified cleanly by who uses them. But a hardened site for a frontier model brings ambiguity.
It is expensive, may sit half-idle, and looks more like a commercial asset doing a defence job, so who controls it will matter as much as who pays.
It looks like it belongs to the 3.5 percent core defence budget, but allies may not agree, and the civilian-defence line is not as clean as the budget split assumes.
The busy agenda in Ankara might not settle this. But the choices allies make now will shape Nato’s shared resilience and defence infrastructure for the decade ahead.
This is a question to settle together, as allies, not by each capital alone.



