12.8.5 — Financial Sector Sovereign Continuity — maturity: live

Stock Exchange Disaster Recovery

Providing satellite-based emergency connectivity and synchronised timing to restore exchange matching engines and settlement systems when terrestrial infrastructure fails.

Auto-drafted reference page — content reviewed for shape, individual references not yet link-checked.

A national stock exchange is a single point of systemic risk. When a submarine cable severs, a power grid collapses, or a cyberattack severs the exchange's terrestrial backbone, the cascade is immediate: order books freeze, clearing houses lose connectivity, and investor confidence craters within minutes. Regulatory frameworks in the EU, UK, and APAC now mandate defined recovery time objectives (RTOs) of two hours or less for trading venues, but almost every existing disaster recovery plan still assumes terrestrial fallback links that share the same physical vulnerabilities as the primary path.

A sovereign satellite layer closes that vulnerability cleanly. A small constellation of LEO communications microsatellites, paired with a GNSS-disciplined timing signal, gives the exchange an out-of-band path that no terrestrial event can sever simultaneously. The matching engine at the primary data centre connects to the recovery site over a dedicated VSAT or direct inter-satellite link; atomic-clock-derived timestamps keep trade sequencing legally defensible even when the primary NTP chain is down. Payload throughput of 200–500 Mbps per beam is sufficient for equities and derivatives order-flow even at peak volatility.

The operational outcome is a measurable and auditable RTO. Regulators receive a credible continuity certificate backed by live telemetry rather than a paper promise. The exchange avoids the reputational and legal exposure of a prolonged halt, and the central bank retains the ability to intervene in markets during a crisis—the exact moment sovereign control over the communications layer matters most.

What matters

EU MiFID II and IOSCO Principles for Financial Market Infrastructures require trading venues to demonstrate sub-two-hour recovery capability with documented, tested fallback paths.
A shared terrestrial dark-fibre failover route between primary and DR sites fails under the same regional disaster that triggers the outage in the first place.
Satellite-derived timing must be traceable to UTC within 100 nanoseconds for legally valid trade timestamps under MiFID II RTS 25; a sovereign GNSS or timing payload delivers this without dependency on a foreign provider.
Foreign-owned satellite capacity can be deprioritised, rate-limited, or suspended under the operator's terms of service during a geopolitical event—precisely when domestic markets need it most.

Sovereignty score: 9/10 — A nation that cannot independently restore its own stock exchange during a terrestrial crisis has surrendered macroeconomic stabilisation authority at the moment it is most needed.

Foreign satellite operators can deprioritise or suspend capacity under contractual force-majeure or government direction during the exact geopolitical stress event that may have triggered the domestic market crisis.
Regulatory mandates (MiFID II, IOSCO PFMI) require exchanges to demonstrate sovereign-grade continuity; outsourcing the recovery path to a commercial provider creates an auditable compliance gap and an uninsurable liability.
Timing signals derived from a foreign GNSS constellation or a third-party NTP chain can be degraded or spoofed, invalidating the legal timestamp record for every trade executed during the recovery window.
Central banks and finance ministries require secure, out-of-band command channels to trading venues during a crisis; a sovereign satellite layer provides that channel without routing through infrastructure potentially compromised by the same incident.

Reference architecture

Payload: Ka-band phased-array communications payload, 200–500 Mbps aggregate throughput per beam, plus GNSS-disciplined timing beacon traceable to UTC within 100 ns; inter-satellite optical link (ISL) capability for mesh continuity without ground-station dependency
Bus class: ESPA-class microsat, 150–200 kg, 800W total power, 600W available to payload; radiation-hardened power conditioning to support continuous high-duty-cycle comms
Orbit: LEO sun-synchronous at 550–600 km; 6-satellite walker constellation providing guaranteed simultaneous dual-satellite visibility over the sovereign territory for link redundancy; 90-minute orbital period, sub-5-minute contact gaps bridged by ISL mesh
Ground segment: Hardened national teleport co-located with the central bank data centre (Ka-band, 2.4 m dish, N+1 redundancy); secondary teleport at geographically separated exchange DR site; SatNOGS-compatible S-band TT&C backup; air-gapped TT&C for command integrity
Software & data
Latency
Cost band
Lead time

References

IOSCO Principles for Financial Market Infrastructures (PFMI) — Business Continuity — IOSCO PFMI Principle 17 requires systemically important financial market infrastructures to set a recovery time objective of two hours for critical functions and to be capable of same-day recovery. The principles explicitly require that business continuity plans account for wide-scale disasters affecting primary and secondary sites simultaneously.
European Securities and Markets Authority — MiFID II RTS 25: Clock Synchronisation — ESMA's RTS 25 mandates that trading venues and their members synchronise business clocks to UTC with granularity and accuracy requirements as tight as 100 microseconds for high-frequency gateways. Traceability to a national or international time standard is legally required for audit purposes.
Bank for International Settlements — Guidance on Cyber Resilience for Financial Market Infrastructures — The BIS CPMI-IOSCO guidance instructs financial market infrastructures to identify and address single points of failure in their communication and technology infrastructure, including dependencies on shared external networks. It specifically calls out the risk of correlated failures across primary and secondary sites.
ITU-T Recommendation G.8272 — Timing Characteristics of Primary Reference Time Clocks — ITU-T G.8272 specifies the performance requirements for primary reference time clocks traceable to UTC, the international standard underpinning financial trade timestamping. Satellite-disciplined clocks compliant with this recommendation provide the legal traceability chain required by MiFID II RTS 25 even during terrestrial network outages.
World Federation of Exchanges — Exchange Resilience and Business Continuity Survey — The WFE survey of member exchanges found that the majority rely on terrestrial fibre or leased-line circuits as their primary disaster recovery path, with fewer than 20% maintaining an independent satellite fallback. The report identifies correlated infrastructure risk as the leading unaddressed continuity gap.