Within hours of U.S. and Israeli strikes launching Operation Epic Fury on February 28, 2026, eight countries had closed their airspace simultaneously. The Gulf mega-hubs (Dubai, Doha, Abu Dhabi) – the very backbone of East-West long-haul travel were dark, struck, or suspended. Tens of thousands of travellers were stranded mid-journey with no clear path forward.
For those who have spent careers building corporate travel risk programmes, it wasn’t just a geopolitical crisis. It was a report card. And a lot of organisations didn’t pass.
A Hole in the Sky
The scale of the aviation collapse was staggering and it happened fast.
At least eight states declared airspace closures within hours of the opening strikes. Emirates dropped to roughly 60% of pre-war flight activity. Etihad cancelled over 450 flights in the first weeks of March, operating at just ~15% of normal capacity. Qatar Airways sent widebody aircraft into storage in Spain as Hamad International Airport suspended most passenger operations. Lufthansa Group’s suspensions to most Gulf destinations now stretch to October 2026.
Globally, airlines including Air France, British Airways, KLM, Cathay Pacific, Japan Airlines, Turkish Airlines, and dozens more suspended or rerouted regional services. When that bridge between Europe and Asia collapsed, the traffic funnelled into narrow northern and southern corridors, creating cascading congestion, crew mispositionings, and knock-on delays from Bali to Birmingham.
One aviation security director described it well: “An aircraft that’s currently sitting in London — in the system the airline might have anticipated that being in Singapore or Brisbane. You could be anywhere around the world, and you will likely be affected.”
There were stranded travellers in Indonesia, Kenya, and Germany that morning. None of them were anywhere near the Middle East.
As of May 2026, EASA’s Conflict Zone Information Bulletin continues to warn operators away from the airspace of Bahrain, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Qatar, UAE, Oman, and Saudi Arabia — with only narrow high-altitude exceptions. The sky is still not fully open.
Hormuz Chokepoint: When the Sea Stopped Moving
Aviation gets the headlines. But what happened on the water may define the long-term corporate risk story of this conflict.
On March 2, IRGC officials confirmed the Strait of Hormuz was closed. The International Energy Agency called it the largest oil supply disruption in market history — bigger than the 1970s shocks.
Before the conflict, roughly 3,000 vessels transited Hormuz monthly. By April, just 191 crossings were recorded — about 5% of the pre-war average. Brent crude surged past $126 per barrel at its peak. U.S. gasoline prices climbed over 50%. Major shipping lines — Maersk, CMA CGM, Hapag-Lloyd — suspended transits entirely. The Houthis reopened Red Sea hostilities on March 28, forcing Suez Canal traffic around the Cape of Good Hope and adding weeks to shipping times.
For corporate risk managers, the implications go far beyond “ships can’t get through.”
Think about what this means for your people on the ground in the Gulf. Energy sector employees watching their employer’s supply chain seize up. Procurement teams unable to move goods. Expat workers at offshore facilities cut off from resupply lines, watching fuel prices spike, with colleagues asking whether their company had a plan — and discovering, in some cases, that the answer was no.
The Pentagon has said mine-clearing operations in Hormuz could take six months after the conflict ends. As one insurance CEO put it: “If the situation changes by the hour, the risk becomes almost impossible to price responsibly.” Routine Hormuz transit is unlikely to resume for the remainder of 2026.
Hub Dependency Is a Single Point of Failure
We built our global travel programmes around Gulf mega-hubs because they were efficient, well-connected, and cost-effective. That logic still holds until the moment it catastrophically doesn’t.
Dubai International and Zayed International were directly struck by Iranian attacks. A drone strike near Dubai International hit fuel storage, caused a large fire, and forced a temporary suspension with at least 65 diversions in a single day. Hamad International in Doha was targeted multiple times, with missile intercepts occurring over the airfield injuring passengers.
What went wrong: Organisations that had no alternative routing protocols scrambled to rebook thousands of travellers through already-congested alternate hubs in Cairo, Riyadh, and Larnaca. Travel managers were fielding calls with no pre-approved alternatives, no pre-negotiated agreements with alternate carriers, and no clear decision authority. Days were lost. In some cases, critical business travel — medical teams, crisis responders, executives — was delayed by a week or more.
The fix: Map every itinerary that touches a Gulf hub. Build pre-approved alternate routings. Test them before the next crisis.
Travel Advisories Needs to Updated
Foreign embassies began issuing departure advisories for Iran as early as February 23 — five days before the strikes. The U.S. Pentagon had quietly evacuated several regional bases in the days prior, citing exposure to Iranian short-range missiles. The signals were not subtle.
What went wrong: Most corporate travel risk programmes are built around government advisory levels. Level 3. Level 4. The problem is those designations are political, slow-moving, and almost always trailing events. Organisations monitoring only official advisories were five days behind. By the time alerts escalated, their travellers were already in terminals that were about to close.
The fix: Focus on investing in real-time geopolitical intelligence. Monitoring negotiation breakdowns, military movement reporting, and diplomatic signal tracking will help massively.
Airspace Risk Is a Duty of Care Issue
Partial closures, temporary reopenings, and narrow exemption corridors create dangerous grey zones. Some commercial flights continued operating near active missile and drone intercept areas in the early days of the conflict. A ballistic missile launched from Iran on March 4 was intercepted over southern Turkey by NATO air defences — on a flight path that commercial aircraft had been using.
What went wrong: Some organisations had no policy for “airspace risk” as a category distinct from “destination risk.” Their approach was binary: if the destination wasn’t under a high-level advisory, the flight was approved. The routing through conflict-adjacent airspace was invisible to their risk framework.
The fix: Organisations need explicit go/no-go criteria for routing — not just destination. Real-time airspace intelligence feeds, like those provided by Safe Airspace and NOTAM monitoring services, should be standard inputs to travel approval workflows, not optional extras.
Maritime Risk Has Been the Blind Spot
Most of the corporate duty-of-care are built around aviation. This conflict demonstrated that maritime disruption can strand employees just as effectively, and with far less playbook to draw from.
What went wrong: Over 15,000 passengers were stranded on at least six major cruise ships in the Persian Gulf as the strait closed beneath them. Energy sector employees at offshore facilities watched resupply timelines stretch from days to weeks. Companies with staff in Bahrain, Kuwait, and UAE port cities had no maritime evacuation protocol, no alternative supply agreements, and no communication to employees about what the plan was.
The psychological dimension matters here. Employees who feel forgotten — who can see the news, who can’t get answers from HR — don’t just feel scared. They lose trust. And that trust is very hard to rebuild after the crisis passes.
Cyber Warfare Are Now a Travel Risk Issue
Electronic warfare during this conflict disrupted GPS and AIS signals affecting over 1,100 ships in the Gulf region. Iran’s internet connectivity dropped to 1-4% of normal levels for over 60 hours. Employees relying on standard mapping, navigation apps, or digital communication tools in conflict-adjacent zones found them unreliable or spoofed.
What went wrong: Travellers and logistics operators who had no backup navigation or communication protocols — no satellite phone, no offline maps, no pre-agreed check-in cadence – went dark. For ground-level employees in Kuwait, Bahrain, or UAE during the most intense periods, basic digital infrastructure could not be relied upon.
Cyber resilience is no longer purely an IT function. It belongs in the travel risk brief.
What Good Looked Like
Not every organisation struggled. The ones that handled this well had several things in common.
They had Pre-approved Alternate Routing Matrices
When Gulf hubs closed, their travel managers didn’t start from scratch. They executed. Approved alternates through Istanbul, Nairobi, and Mumbai were already in the system.
They Were Monitoring, Not Waiting
The best-prepared security teams had been tracking the pre-conflict intelligence for weeks. When the strikes came, they had already proactively communicated with all travellers in the region, issued voluntary departure guidance, and pre-positioned emergency contacts. They weren’t reacting to the news. They were ahead of it.
They Communicated With Their people Like Humans, Not Policy Documents
The organisations that retained employee trust during this crisis were the ones whose people heard from someone — a real person, a direct manager, a security professional — not just an auto-generated advisory email. A simple message: “We know what’s happening. Here’s what we’re doing. Here’s how to reach us. You are not forgotten.” That goes a very long way at 2am in a closed terminal.
They had already tested their crisis protocols. They’d run tabletops. They knew where their playbook broke down. They had decision trees for “what if Dubai closes?” already stress-tested before it was a live question.
The gap between these organisations and the ones that struggled wasn’t budget. It was preparation culture.
Insurance, Legal Exposure, and What “Duty of Care” Actually Means Now
If the crisis clarified one thing legally, it’s this: duty of care is not a soft HR concept. It is an enforceable employer obligation and this conflict created real exposure.
Employers who sent people into the region in the days before February 28 without acting on the available intelligence signals are now having difficult conversations with legal counsel. The question being asked in boardrooms is: “What did we know, and when did we know it?” That is not a comfortable question when the answer is “enough, and early enough.”
War risk exclusions in standard travel insurance policies created significant gaps for employees stranded in conflict zones. Organisations that had not explicitly reviewed their war risk riders, emergency medical evacuation coverage, and political evacuation provisions found themselves navigating coverage disputes while also managing traumatised travellers. Some found their policies excluded not just active conflict zones but any airspace designated as conflict-adjacent by EASA — meaning their coverage voided precisely when it was most needed.
The legal principle is simple: if a reasonable employer would have known the risk and taken steps to mitigate it, and you didn’t, you are exposed. “We were monitoring government advisories” is a weaker defence than it used to be especially when the intelligence was publicly available five days earlier.
Review your policies now. With your legal team. Before the next event.
What’s Still Unresolved — May 2026
A fragile U.S.-Iran ceasefire agreed on April 7-8 has not restored normalcy. Talks collapsed on April 12-13. The Strait of Hormuz remains effectively closed to most commercial shipping. About 800+ vessels remain in the Persian Gulf. Pentagon officials have testified that mine-clearing could take six months after the conflict ends and the conflict has not ended.
EASA’s Conflict Zone Information Bulletin covering eleven Middle Eastern countries’ airspace remains in force and has been repeatedly extended. Lufthansa’s Gulf suspensions run to October. Most international carriers have not returned to Gulf hubs.
For travel risk managers: the operational environment is still live. The risk assessment needs to be updated continuously as the situation has changed rapidly.
