17 Submarine Cables, One Strait: How the Hormuz Closure Threatens Global Financial Data
17 Submarine Cables, One Strait: How the Hormuz Closure Threatens Global Financial Data
When Iran closed the Strait of Hormuz to commercial traffic in March 2026, the immediate global reaction focused on oil. Within hours, crude prices surged above $120 per barrel. But beneath the surface — literally — a less visible but equally critical disruption was unfolding.
Seventeen submarine cables carry data through or near the Strait of Hormuz and the broader Persian Gulf region. These cables form a significant portion of the data backbone connecting Europe to the Middle East, South Asia, and East Asia. Their disruption affects not just internet traffic but the financial transaction networks, market data feeds, and interbank communication systems that the global financial system depends on.
For DORA-regulated entities, the cable disruption is a masterclass in a risk category that almost no one had properly modeled: physical infrastructure chokepoint concentration.
The Submarine Cable Map: Understanding the Chokepoint
The Persian Gulf and its approaches — the Strait of Hormuz to the east, the Red Sea and Bab-el-Mandeb to the west — represent the most concentrated corridor of submarine cable infrastructure in the world outside of the transatlantic routes.
Doug Madory, Director of Internet Analysis at Kentik, documented the real-time impact on his monitoring systems: "We observed immediate traffic rerouting as cable segments in the Gulf became inaccessible. The redundancy that operators assumed existed was based on cables that shared the same geographic chokepoint."
As Rest of World reported, the Houthi threats to Red Sea cables in 2024 had already demonstrated the vulnerability of this corridor. The 2026 Hormuz closure escalated that vulnerability from theoretical to operational.
Quantifying the Impact on Financial Data
The submarine cables through the Gulf region carry several categories of financially critical data:
| Data Category | Typical Cable Route | Impact of Disruption |
|---|---|---|
| SWIFT interbank messaging | EU-Asia via Gulf cables | Latency increase 40-200ms; some routing failures |
| Market data feeds (Bloomberg, Refinitiv) | Multi-path but Gulf-dependent segments | Delayed quotes for Gulf, South Asian markets |
| Payment processing (Visa, Mastercard) | Redundant but Gulf routes preferred | Increased settlement latency |
| Cloud provider backbone (AWS, Azure, GCP) | Direct Gulf cables for ME regions | Complete loss of Gulf cloud region connectivity |
| Regulatory reporting data | National authority connections | Cross-border reporting delays |
The latency impact alone is significant. Financial institutions that relied on Gulf cable routes for low-latency connections to Asian markets experienced immediate degradation. High-frequency trading operations, while not directly DORA-regulated, provide a canary-in-the-coal-mine indicator: several firms reported that their Gulf-routed connections became unusable within hours of the closure.
For DORA-regulated entities, the more concerning impact is on transaction processing and regulatory reporting. DORA Article 19 requires incident reporting within tight timeframes. When the communication infrastructure itself is disrupted, meeting those timeframes becomes exponentially harder.
The Red Sea Precedent: Lessons Unlearned
The 2024 Houthi campaign against commercial shipping in the Red Sea included threats — some apparently acted upon — against submarine cables. That crisis should have been a wake-up call for the financial sector's dependence on geographically concentrated cable infrastructure.
The cable systems most exposed pass through a corridor stretching from the Suez Canal through the Red Sea to the Gulf of Aden, then either east through the Arabian Sea (toward India and beyond) or northeast through the Strait of Hormuz into the Persian Gulf.
| Cable System | Route | Capacity | Gulf Exposure |
|---|---|---|---|
| Europe India Gateway (EIG) | UK to India via Mediterranean, Red Sea | 3.84 Tbps | Full Red Sea transit |
| SEA-ME-WE 5 | Singapore to France via Red Sea | 24 Tbps | Full Red Sea and Gulf approach |
| AAE-1 | East Asia to France via Red Sea | 40 Tbps | Full Red Sea transit |
| FALCON | Multiple Gulf states interconnect | 5.12 Tbps | Entirely within Gulf; Hormuz dependent |
| Gulf Bridge International | Qatar to Oman | 100 Gbps | Strait of Hormuz transit |
| IMEWE | India to France via Gulf and Red Sea | 3.84 Tbps | Gulf and Red Sea double exposure |
The 2024 Red Sea threats prompted some cable operators to explore alternative routing. But submarine cable construction takes 2-4 years from planning to operation. No alternative routes were operational by the time the 2026 Hormuz closure occurred.
DORA's Blind Spot: Physical Infrastructure Dependencies
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is primarily designed around ICT service provider risk. Its third-party risk framework focuses on cloud providers, software vendors, and managed service providers. Physical infrastructure providers — submarine cable operators, internet exchange points, DNS root servers — receive less explicit treatment.
This is not a regulatory failure but a gap in the threat model that the Gulf crisis has exposed. When Article 11 requires financial entities to implement business continuity policies and ICT response and recovery plans, it assumes that the underlying physical infrastructure is available. The Hormuz closure challenges that assumption.
The Data Routing Governance Gap
Most DORA-regulated entities have no visibility into — or contractual control over — how their data is physically routed between endpoints. A European bank sending a SWIFT message to a correspondent in Mumbai cannot specify which submarine cable carries that message. The routing is determined by the telecommunications operators and internet backbone providers, based on cost, capacity, and availability — not on the bank's risk appetite.
This creates a governance gap that DORA does not explicitly address. Article 28 requires contractual provisions for ICT third-party services, but the bank's contract is with its ISP or cloud provider, not with the submarine cable operator two layers below.
What the ESAs Must Address
The European Banking Authority and ESMA will need to address the physical infrastructure layer in their next round of regulatory technical standards. Several specific areas require attention:
- Cable route dependency mapping: Financial entities should be required to identify, at minimum, the primary and secondary cable routes used by their critical ICT services. This is analogous to the register of information requirement but extended to physical infrastructure.
- Geographic chokepoint assessment: The concentration risk framework should explicitly include physical infrastructure chokepoints — straits, landing stations, internet exchange points — as a dimension of concentration risk.
- Alternative routing requirements: For systemically important financial institutions, regulators should consider requiring demonstrable alternative data routing that avoids identified chokepoints.
Mitigation Strategies for Financial Institutions
The immediate mitigation options for financial institutions affected by the Hormuz closure are limited but not zero.
Satellite-Based Alternatives
Low-earth orbit (LEO) satellite constellations — primarily Starlink and OneWeb — offer an alternative to submarine cables for some traffic. However, satellite links have higher latency (20-40ms for LEO vs. 5-10ms for cable), lower bandwidth, and are not currently certified for the volume of financial transaction data that cable routes carry.
For disaster recovery and emergency communication, satellite links provide a viable backup. For production-grade financial transaction processing, they are not yet a substitute.
Overland Routes
Data traffic between Europe and Asia can be routed overland through Central Asia (the "Digital Silk Road") or via the Arctic cable routes that are being developed. These routes avoid the Gulf chokepoint entirely but are either incomplete or have limited capacity.
The ENISA has identified submarine cable resilience as a strategic priority for the EU, and the Gulf crisis will accelerate investment in alternative routing infrastructure.
Diversified Cloud Architecture
The most practical near-term mitigation is architectural: design systems that can function across multiple cloud regions connected by different cable routes. An active-active deployment across eu-west (Ireland), ap-south (Mumbai via overland/satellite), and us-east (Virginia via transatlantic cable) provides cable route diversity that no single region can offer.
| Mitigation Strategy | Timeline | Effectiveness | DORA Alignment |
|---|---|---|---|
| Satellite backup links | Immediate (weeks) | Limited bandwidth; emergency use | Art. 11 BCP requirement |
| Cloud region diversification | Medium (months) | High for cross-continental redundancy | Art. 29 concentration risk |
| Overland cable investment | Long (years) | High but requires state-level action | Art. 11 ICT response planning |
| Arctic cable routes | Long (years) | Complete Gulf bypass | Strategic infrastructure |
The Broader Lesson: Physical Geography Still Matters
The submarine cable crisis underscores a truth that the cloud computing revolution has obscured: physical geography still matters. Data does not float in a cloud — it travels through cables, across seabeds, through straits that can be closed by military action.
For DORA-regulated entities, this means that operational resilience planning must incorporate physical geography as a first-class risk dimension. The assessment of ICT risk must go beyond software, vendors, and cyber threats to include the physical infrastructure that connects all of them.
The 17 cables through the Strait of Hormuz are not a DORA compliance issue in isolation. They are a systemic risk to the global financial system's digital infrastructure. The fact that this risk was invisible to most institutions until the Strait closed is itself a finding — one that regulators, institutions, and infrastructure providers must address before the next chokepoint is tested.
Voir aussi: Data Centers Are Now Military Targets | U.S. Tech Giants in the Gulf | India as Plan B
Resume en francais
Dix-sept cables sous-marins transportent des donnees a travers ou a proximite du detroit d'Ormuz et du Golfe persique. Lorsque l'Iran a ferme le detroit en mars 2026, ce n'est pas seulement le commerce petrolier qui a ete perturbe — les flux de donnees financieres entre l'Europe, le Moyen-Orient et l'Asie ont ete severement affectes. Doug Madory de Kentik a documente le reroutage en temps reel du trafic alors que les segments de cables devenaient inaccessibles. L'impact touche la messagerie SWIFT, les flux de donnees de marche, le traitement des paiements et la connectivite des regions cloud. DORA presente un angle mort sur les dependances d'infrastructure physique : les entites financieres n'ont ni visibilite ni controle contractuel sur le routage physique de leurs donnees. Les strategies d'attenuation comprennent les liaisons satellite de secours, la diversification des regions cloud et l'investissement dans des routes cables alternatives. La lecon fondamentale est que la geographie physique reste un facteur de risque de premier ordre pour la resilience operationnelle.