Finance

What is the EU’s Digital Operational Resilience Act? DORA, explained

Published

8 months ago

August 8, 2024

Traffic_analyzer | Digitalvision Vectors | Getty Images

Financial services companies and their digital technology suppliers are under intense pressure to achieve compliance with strict new rules from the EU that require them to boost their cyber resilience.

By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming law from the European Union known as DORA, or the Digital Operational Resilience Act.

CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.

What is DORA?

DORA requires banks, insurance companies and investment to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations.

Such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDOS (distributed denial of service) attack that forces a firm’s website to go offline.

The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.

Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers.

In the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.

Mike Sleightholme, president of fintech firm Broadridge International, notes that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.

CrowdStrike global outage shows companies aren't ready: Hitachi Vantara

Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.

Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.

These IT providers often deliver “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes.

“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.

Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.

When does the law apply?

DORA entered into force on Jan. 16, 2023, but the rules won’t be enforced by EU member states until Jan. 17, 2025.

The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.

“There’s a lot of focus on third-party risk management” now, Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”

“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.

Many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorized individuals and entities.

The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimize the potential of such data being exposed in a breach or leak.

DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.

What if a firm fails to comply?

For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.

Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high a 1 million euros ($1.1 million).

For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance.

Third-party IT firms deemed “critical” by EU regulators could face fines of up to 5 million euros — or, in the case of an individual manager, a maximum of 500,000 euros.

Seeing complete disconnect between EU and U.S. bank regulation, says analyst

That’s slightly less severe than a law such as GDPR, under which firms can be fined up to 10 million euros ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.

Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stresses that criminal sanctions may vary from member state to member state depending on how each EU country applies the rules in their respective markets.

DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.

That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect.

Are banks and their suppliers ready?

Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”

“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.

Fredrik Forslund vice president and general manager of international at data sanitization firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”

On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”

“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.”

Finance

China’s response to U.S. tariffs will likely focus on stimulus, trade

Published

2 hours ago

April 3, 2025

Business Finance News

Chinese national flags flutter on boats near shipping containers at the Yangshan Port outside Shanghai, China, February 7, 2025.

Go Nakamura | Reuters

BEIJING — China’s reaction to new U.S. tariffs will likely focus on domestic stimulus and strengthening ties with trading partners, according to analysts based in Greater China.

Hours after U.S. President Donald Trump announced additional 34% tariffs on China, the Chinese Ministry of Commerce called on the U.S. to cancel the tariffs, and vowed unspecified countermeasures. The sweeping U.S. policy also slapped new duties on the European Union and major Asian countries.

Chinese exports to the U.S. this year had already been hit by 20% in additional tariffs, raising the total rate on shipments from China to 54%, among the highest levied by the Trump administration. The effective rate for individual product lines can vary.

But, as has been the case, the closing line of the Chinese statement was a call to negotiate.

“I think the focus of China’s response in the near term won’t be retaliatory tariffs or such measures,” said Bruce Pang, adjunct associate professor at CUHK Business School. That’s according to a CNBC translation of the Chinese-language statement.

Instead, Pang expects China to focus on improving its own economy by diversifying export destinations and products, as well as doubling down on its priority of boosting domestic consumption.

Watch for cascading tariffs as tariffs reroute trade within Asia, says economist

China, the world’s second-largest economy, has since September stepped up stimulus efforts by expanding the fiscal deficit, increasing a consumption trade-in subsidy program and calling for a halt in the real estate slump. Notably, Chinese President Xi Jinping held a rare meeting with tech entrepreneurs including Alibaba founder Jack Ma in February, in a show of support for the private sector.

The policy reversal — from regulatory tightening in recent years — reflects how Beijing has been “anticipating the coming slowdown or even crash in exports,” Macquarie’s Chief China Economist Larry Hu said in a report, ahead of Trump’s latest tariff announcement. He pointed out that the pandemic-induced export boom of 2021 enabled Beijing to “launch a massive regulatory campaign.”

“My view stays the same,” Hu said in an email Thursday. “Beijing will use domestic stimulus to offset the impact of tariffs, so that they could still achieve the growth target of ‘around 5%.'”

Instead of retaliatory tariffs, Hu also expects Beijing will focus on still using blacklists, export controls on critical minerals and probes into foreign companies in China. Hu also anticipates China will keep the yuan strong against the U.S. dollar and resist calls from retailers to cut prices — as a way to push inflationary pressure onto the U.S.

China’s top leaders in early March announced they would pursue a target of around 5% growth in gross domestic product this year, a task they emphasized would require “very arduous work” to achieve. The finance ministry also hinted it could increase fiscal support if needed.

About 20% of China’s economy relies on exports, according to Goldman Sachs. They previously estimated that new U.S. tariffs of around 60% on China would lower real GDP by around 2 percentage points. The firm still maintains a full-year forecast of 4.5% GDP growth.

Changing global trade

What’s different from the impact of tariffs under Trump’s first term is that China is not the only target, but one of a swath of countries facing hefty levies on their exports to the U.S. Some of these countries, such as Vietnam and Thailand, had served as alternate routes for Chinese goods to reach the U.S.

At the Chinese export hub of Yiwu on Thursday, businesses seemed nonchalant about the impact of the new U.S. tariffs, due to a perception their overseas competitors wouldn’t gain an advantage, said Cameron Johnson, a Shanghai-based senior partner at consulting firm Tidalwave Solutions.

He pointed out that previously, the U.S. had focused its trade measures on forcing companies to remove China from their supply chains and go to other countries. But Chinese manufacturers had expanded overseas alongside that diversification, he said.

“The reality is this [new U.S. tariff policy] essentially gives most of Asia and Africa to China, and the U.S. is not prepared,” Johnson said. He expects China won’t make things unnecessarily difficult for U.S. businesses operating in the country and instead will try harder to build other trade relationships.

Since Trump’s first four-year term ended in early 2021, China has increased its trade with Southeast Asia so much that the region is now Beijing’s largest trading partner, followed by the European Union and then the U.S.

The 10 member states of the Association of Southeast Asian Nations (ASEAN) joined China, Japan, South Korea, Australia and New Zealand in forming the world’s largest free trade bloc — the Regional Comprehensive Economic Partnership (RCEP) — which came into being in early 2022. The U.S. and India are not members of the RCEP.

“RCEP member countries will naturally deepen trade ties with one another,” Yue Su, principal economist, China, at the Economist Intelligence Unit, said in a note Thursday.

“This is also partly because China’s economy is likely to remain the most — or at least among the most—stable in relative terms, given the government’s strong commitment to its growth targets and its readiness to deploy fiscal policy measures when needed,” she said.

Uncertainties remain

The extent to which all countries will be slapped with tariffs this week remains uncertain as Trump is widely expected to use the duties as a negotiating tactic, especially with China.

He said last week the U.S. could lower its tariffs on China to help close a deal for Beijing-based ByteDance to sell TikTok’s U.S. operations.

But the level of new tariffs on China was worse than many investors expected.

“Unlike some of the optimistic market forecasts, we do not expect a US-China bilateral grand bargain,” Ting Lu, chief China economist at Nomura, said in a note Thursday.

“We expect tensions between these two mega economies to worsen significantly,” he said, “especially as China has been making large strides in high-tech sectors, including AI and robotics.”