The 2025 Iberian Blackout: DORA's First Real-World Stress Test

What Happened to Financial Services

The impact on the financial system was immediate and comprehensive. When the power went out, so did the entire digital payment infrastructure.

According to data published by the European Central Bank in its June 2025 Economic Bulletin, card payment spending dropped 41-42% in the affected areas compared to unaffected regions. National e-commerce spending collapsed by approximately 54%. These are not estimates or projections — they are observed transaction data from one of the world's most digitized payment ecosystems going offline in the middle of a business day.

ATMs went dark. Point-of-sale terminals became inert plastic. Mobile banking applications could not connect to servers. Card networks lost connectivity to their authorization systems. Bizum — Spain's dominant peer-to-peer payment platform, deeply integrated into daily commerce — was completely inoperable. In a country where digital payments had become the default mode of transaction, every digital channel failed simultaneously.

The only payment method that continued to function was cash. The ECB, in its subsequent analysis, described physical currency as "a spare tire for the payment system" — a characterization that carries significant weight coming from the institution responsible for euro monetary policy. A pre-existing ECB survey had found that 39% of Spaniards kept cash reserves at home, a habit that proved prescient.

The recovery timeline revealed the depth of the dependency. By approximately 3:30 PM local time — roughly three hours after the blackout began — national and cross-border payment systems resumed operation. However, full restoration of POS terminals and ATM networks did not occur until the following morning, meaning that for an entire business afternoon and evening, millions of consumers and businesses operated in a cash-only economy.

The economic toll was substantial. GDP losses were estimated at EUR 400 million to EUR 1.6 billion for the direct impact period, with broader economic consequences — including supply chain disruptions, productivity losses, and business interruption costs — pushing the total estimated impact to EUR 2-3 billion.

The Three-Month Test

On January 17, 2025, the Digital Operational Resilience Act became applicable across the European Union. Financial institutions had spent two years preparing: mapping ICT dependencies, drafting business continuity plans, establishing incident reporting procedures, and building resilience testing programmes. The regulatory framework was in place. The question was whether the preparation was sufficient.

Three months and eleven days later, on April 28, 2025, the answer arrived — not as a cyberattack, not as a software failure, but as a physical infrastructure collapse on a continental scale. At approximately 12:33 PM local time, a cascading voltage surge ripped through the Iberian power grid. Within five seconds, 15 GW of generating capacity disconnected — roughly 60% of Spain's electricity demand at that moment. The grid, unable to absorb the oscillations, collapsed. Spain and Portugal went dark.

60 million people lost power simultaneously. The blackout lasted approximately ten hours, with Portugal achieving full restoration by the early hours of April 29. The cause, as identified by the ENTSO-E investigation and subsequent expert analysis, was a combination of technical, structural, and managerial factors: oscillations that the grid's protection systems could not dampen, gaps in voltage and reactive power control, and a cascade of rapid generator disconnections that overwhelmed the system's ability to self-correct.

This was not a scenario that appeared in most financial institutions' ICT risk registers. Power grids are treated as utilities — reliable, invisible, and someone else's problem. The Iberian blackout demonstrated that this assumption is a critical vulnerability, and that DORA's requirements for identifying and managing dependencies on physical infrastructure are not theoretical exercises.

The event was, in effect, the first real-world stress test of DORA's operational resilience requirements — and it tested dimensions that many institutions had not prioritized.

What DORA Would Have Required

The Iberian blackout maps directly onto multiple DORA articles, exposing gaps that the regulation was explicitly designed to prevent.

Pillar I: ICT Risk Management Framework (Art. 5-6, 9, 11-12)

Art. 5-6 — ICT risk management framework: DORA requires financial entities to identify, classify, and manage all ICT risks. Power dependency is an ICT risk — without electricity, no ICT system operates. The question for every affected institution is whether their ICT risk register explicitly identified total power grid failure as a scenario, or whether it was implicitly assumed away as "someone else's infrastructure."

Art. 9 — Protection and prevention: DORA mandates that financial entities implement measures to ensure the resilience and continuity of ICT systems. This includes redundancy and backup power for critical systems. Were backup generators in place at data centers and payment processing facilities? Were they tested under load? Did they cover the full scope of payment processing infrastructure, or only core servers while network equipment and external connectivity went unprotected?

Art. 11 — Response and recovery: Business continuity plans must cover the scenario of external infrastructure failure. The blackout was not an ICT incident in the traditional sense — it was a physical infrastructure event that rendered ICT systems inoperable. Recovery plans that assume power availability as a given are incomplete under DORA.

Art. 12 — Backup policies and restoration procedures: Backup power is not just about data protection — it is about service continuity. The fact that payment system restoration required until the following morning suggests that backup and restoration procedures were either inadequate for a total power loss scenario or had not been tested under realistic conditions.

Pillar II: Incident Management and Reporting (Art. 17-19)

Art. 17-19 — Incident classification and NCA notification: A blackout affecting the entire payment infrastructure of two EU member states is, by any reasonable classification, a major ICT-related incident. Financial institutions were required to classify this event, determine its severity, and notify their national competent authorities within the prescribed timelines. The question is whether institutions had pre-defined classification criteria for infrastructure-level events, or whether the novelty of the scenario created delays in the reporting chain.

Pillar III: Digital Operational Resilience Testing (Art. 24-25)

Art. 24-25 — Resilience testing programme: This is perhaps the most pointed lesson of the blackout. DORA requires financial entities to maintain a resilience testing programme that covers a range of scenarios, including severe but plausible events. A total power loss affecting an entire country is not hypothetical — it happened. It should now appear in every financial institution's resilience testing programme in the EU, and the question for supervisors is whether it was there before April 28, 2025.

Resilience testing that covers only cyber incidents, software failures, and cloud provider outages is incomplete. The Iberian blackout demonstrates that physical infrastructure scenarios — power loss, telecommunications failure, cascading utility collapse — must be tested with the same rigor as digital scenarios.

Pillar IV: Third-Party Risk Management (Art. 28-29)

Art. 28-29 — ICT third-party risk and concentration: The power grid and telecommunications infrastructure are, functionally, ICT third-party dependencies. Every bank in the Iberian Peninsula depended on the same electrical grid. Every digital payment provider depended on the same telecommunications infrastructure. This is concentration risk in its purest form.

Unlike cloud service providers, where diversification is at least theoretically possible, the power grid is a natural monopoly. Financial institutions cannot diversify their electricity supplier in the way they might diversify cloud regions. This raises a fundamental question for DORA implementation: how should concentration risk frameworks address dependencies on monopolistic infrastructure providers? The regulation's exit strategy requirements (Art. 28) and substitutability assessments (Art. 29) need adaptation for infrastructure dependencies where substitution is not commercially feasible.

The Concentration Risk Question

The Iberian blackout raises what may be the most challenging structural question for DORA implementation: how do you manage concentration risk when the dependency is a natural monopoly?

Every bank in Spain depended on the same power grid operated by Red Electrica (now Redeia). Every bank in Portugal depended on the same grid operated by REN. Every digital payment provider depended on the same telecommunications infrastructure. There was no alternative supplier to switch to, no multi-provider strategy to invoke, no exit plan that could be activated during the event.

This is fundamentally different from cloud concentration risk, where an institution can theoretically distribute workloads across AWS, Azure, and GCP. Power grid infrastructure admits no such diversification at the delivery point. An institution can install backup generators, deploy UPS systems, and contract for redundant feeds — but all of these are compensating controls for the same underlying single-point-of-failure dependency.

DORA Art. 29 requires financial entities to assess concentration risk and evaluate substitutability. For power and telecommunications infrastructure, the honest answer to the substitutability question is "no" — these are not substitutable in any commercially meaningful timeframe. This does not mean the risk is unmanageable, but it does mean that the management strategy must focus on compensating controls (backup power, geographic distribution, degraded-mode operations) rather than supplier diversification.

The blackout also exposed a second-order concentration risk: the concentration of payment processing capability in digital channels. When every payment method except cash depends on the same electrical and telecommunications infrastructure, the failure of that infrastructure creates a systemic payment crisis — not because any individual institution failed, but because the entire ecosystem shared the same physical dependency.

Lessons for Financial Institutions

Resilience testing must include non-cyber scenarios. The dominant resilience testing paradigm in financial services focuses on cyber incidents, software failures, and cloud outages. The Iberian blackout demonstrates that physical infrastructure failure — power, telecommunications, physical site access — can be equally or more disruptive. Every institution's resilience testing programme under DORA Art. 24-25 should include a total power loss scenario, tested under realistic conditions including duration and geographic scope.

Cash infrastructure remains a critical backup. The ECB's characterization of cash as "a spare tire for the payment system" should inform institutions' business continuity planning. Maintaining functional cash distribution and acceptance capability is not nostalgia — it is resilience. The 39% of Spaniards who kept cash reserves at home were, in resilience terms, better prepared than many financial institutions.

Recovery time objectives must account for external infrastructure dependencies. RTOs that assume power availability are not RTOs — they are aspirations. Realistic recovery planning must include scenarios where external infrastructure is unavailable for 10+ hours and where recovery depends on third parties (grid operators, telecom providers) whose timelines the institution cannot control.

Geographic distribution of processing reduces single-point-of-failure risk. Institutions with payment processing distributed across multiple geographic regions — including regions outside the affected power grid — would have maintained partial service capability. Geographic redundancy is not just about disaster recovery for local events; it is about resilience against regional infrastructure failure.

The three-month gap between DORA application and this event highlights the urgency of implementation. DORA became applicable on January 17, 2025. The blackout struck on April 28, 2025. For any institution that treated DORA compliance as a paper exercise to be completed gradually, this event was a stark reminder that operational resilience is not a compliance checkbox — it is the ability to maintain critical services when reality deviates from expectations. The regulation's requirements are not theoretical; they are the minimum standard for surviving events that will occur.