What Happened
On Monday 28th April 2025, a massive power outage struck Spain and Portugal, plunging millions across the Iberian Peninsula into darkness and disrupting critical infrastructure. The blackout, described as the worst in the region’s history, began around 12:30 pm local time in Spain (11:30 am in Portugal), and featured a total collapse of the electrical system.
Spain’s National Cybersecurity Office suggested potential cyber involvement; however, electricity providers and EU officials, including the President of the European Council, found no evidence of a deliberate attack. Notably, two pro-Russian hacker groups, Dark Storm Team and NoName057, claimed responsibility, but their statements remain unverified. Spain’s High Court has launched an investigation into potential cyber-sabotage, which remains ongoing.
Economic ‘Shut Down’
The economic fallout from the Iberian blackout was severe, disrupting businesses, transportation, and financial services across Spain and Portugal, which have a combined population of approximately 60 million. The outage halted operations at major refineries, closed retailers like Lidl and IKEA, and stopped production at industrial sites.
Financial services were particularly hard-hit, with ATMs and card payment systems offline, preventing cash withdrawals and transactions. Investment bank RBC estimated the economic cost at €2.25 billion to €4.5 billion, reflecting losses from disrupted commerce, manufacturing and services.
According to Cloudflare Radar, internet traffic dropped by 37% in Spain and 30% in Portugal. This severely impacted online banking, digital services and payment processors, which struggled to maintain operations without power, and it highlighted vulnerabilities in digital infrastructure.
Recovery and Restoration
Full restoration took approximately 11 hours, from 12:30 pm on 28 April to 11:30 pm, as power plants had to be restarted and reconnected to the electrical grid. The Iberian recovery was aided by interconnections with France and Morocco, which supplied emergency power, though the initial disconnection from France complicated efforts.
Internet connectivity and financial services gradually recovered as power returned, with banks resuming online operations by Tuesday morning.
Resilience and Preparation
Firms within the financial services sector, particularly regulated firms, must adopt robust measures to prepare for and mitigate the impact of large-scale power outages. The Iberian blackout exposed vulnerabilities in digital and operational infrastructure, rendering ATMs, payment systems, and online services inoperative.
To strengthen operational resilience, firms should consider:
- Installing uninterruptible power supplies (UPS) and backup generators to keep critical systems such as servers and transaction platforms online during outages;
- Adopting cloud-based disaster recovery solutions to ensure the rapid restoration of digital services;
- Distributing data centres across multiple geographic regions to reduce reliance on a single energy grid;
- Conducting regular stress testing of IT systems and business continuity plans under blackout conditions to uncover hidden vulnerabilities;
- Diversifying energy sources for data centres, including solar or battery backups, to offset grid instability;
- Training staff in crisis protocols, including manual transaction processing, to maintain continuity when digital systems fail;
- Engaging cybersecurity experts to monitor and defend against potential cyberattacks, a risk highlighted by the unverified claims of responsibility made after the blackout;
- Maintaining a robust risk management framework in compliance with FCA requirements, ensuring preparedness for regulatory scrutiny;
- Establishing emergency response protocols, including collaboration with local authorities and energy providers, to prioritise power restoration for essential services.
Investing in these measures not only protects operations but also safeguards customer trust and regulatory standing.
Could This Happen in the UK?
While the likelihood of a blackout of similar scale in the UK is relatively low, it is not implausible. The UK’s energy grid is interconnected with Europe, and similar vulnerabilities exist. The UK experienced a significant outage in August 2019, affecting 1 million people for 45 minutes due to a lightning strike and generator failures, indicating potential weaknesses.
Cyberattack risks are also on the rise. The National Cyber Security Centre’s Annual Review 2024 reported a 60% year-on-year increase in serious cyber incidents, with 1,957 reports and 89 deemed nationally significant. April 2025 saw notable breaches affecting UK retailers including Marks & Spencer and Co-op.
Firms should remain proactive by:
- Conducting regular grid failure simulations;
- Investing in intrusion detection systems and cyber defences;
- Maintaining off-grid power capabilities for essential operations;
- Aligning with National Grid contingency plans and the FCA’s operational resilience framework (PS21/3);
- Complying with FCA Handbook provisions such as SYSC 15A, which outlines rules on operational resilience for important business services;
- Reporting on risks through submissions like the REP018 Operational and Security Risk Report, under SUP 16.14.
It is worth noting that the FCA deadline for full compliance with PS21/3, 31st March 2025, marked the end of a three-year transitional period. By now, firms should have in place a robust operational resilience framework. By prioritising redundancy, training, and regulatory engagement, firms can mitigate the risk of a large-scale disruption and maintain continuity.
How Complyport Can Help
Complyport offers tailored compliance and resilience services to help firms address operational risks, meet regulatory expectations, and strengthen continuity planning. Our offerings include:
- Operational Resilience Assessments: to identify and fortify critical services;
- IT and Cybersecurity Audits: to uncover and mitigate digital vulnerabilities;
- REP018 Reporting Support: to help meet FCA operational risk submission requirements;
- SOC 2 Audit Preparation: to verify service organisation control standards;
- DORA (Digital Operational Resilience Act) Implementation Reviews: for EU-regulated entities.
Book a meeting with one of our Subject Matter Experts to ensure you remain compliant and well-positioned in the evolving UK regulatory landscape.