Finance
What is the EU’s Digital Operational Resilience Act? DORA, explained
Traffic_analyzer | Digitalvision Vectors | Getty Images
Financial services companies and their digital technology suppliers are under intense pressure to achieve compliance with strict new rules from the EU that require them to boost their cyber resilience.
By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming law from the European Union known as DORA, or the Digital Operational Resilience Act.
CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.
What is DORA?
DORA requires banks, insurance companies and investment to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations.
Such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDOS (distributed denial of service) attack that forces a firm’s website to go offline.
The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.
Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers.
In the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.
Mike Sleightholme, president of fintech firm Broadridge International, notes that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.
Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.
Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.
These IT providers often deliver “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes.
“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.
Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.
When does the law apply?
DORA entered into force on Jan. 16, 2023, but the rules won’t be enforced by EU member states until Jan. 17, 2025.
The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.
“There’s a lot of focus on third-party risk management” now, Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”
“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.
Many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorized individuals and entities.
The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimize the potential of such data being exposed in a breach or leak.
DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.
What if a firm fails to comply?
For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.
Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high a 1 million euros ($1.1 million).
For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance.
Third-party IT firms deemed “critical” by EU regulators could face fines of up to 5 million euros — or, in the case of an individual manager, a maximum of 500,000 euros.
That’s slightly less severe than a law such as GDPR, under which firms can be fined up to 10 million euros ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.
Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stresses that criminal sanctions may vary from member state to member state depending on how each EU country applies the rules in their respective markets.
DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.
That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect.
Are banks and their suppliers ready?
Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”
“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.
Fredrik Forslund vice president and general manager of international at data sanitization firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”
On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”
“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.”
The Exchange Square Complex, which houses the Hong Kong Stock Exchange, on Feb. 26, 2025.
Bloomberg | Bloomberg | Getty Images
BEIJING — Chinese companies are jumping at a window of opportunity to go public in Hong Kong as global investors start to return to the region, following the news of DeepSeek’s artificial intelligence breakthrough in late January.
It’s a level of excitement that has not been felt for more than three years, despite the overhang of U.S. trade tensions. Initial public offerings are a lucrative way for early investors in startups to exit and reap a return.
“Everyone is working so perfectly together. IPO candidates, the investor and the regulators,” said George Chan, global IPO leader at EY. “All these three parties are working so perfectly at this moment to actually cultivate a healthy Hong Kong IPO market.”
“The U.S. long-term fund has returned. It shows investors are getting more confident [about] China,” he said, adding that post-IPO performance has also been encouraging.
Chinese bubble tea giant Mixue went public on March 3 in a highly oversubscribed Hong Kong listing. And in a sign of more to come, Chinese battery giant Contemporary Amperex Technology (CATL) filed in February for what could be Hong Kong’s largest IPO since 2021, when short-video company Kuaishou listed.
News of China-based DeepSeek’s claims to rival OpenAI’s ChatGPT in reasoning capabilities at a lower cost — despite U.S. restrictions on Chinese access to advanced chips for training AI models — hit global tech stocks in late January, while spurring a rally in China. Hong Kong’s Hang Seng index surged to three-year highs.
Chinese President Xi Jinping also held a rare meeting with tech entrepreneurs in February, and Beijing has signaled greater support for the private sector, after taking a more restrictive stance in recent years.
Six initial public offerings in Hong Kong raised more than 1 billion Hong Kong dollars ($130 million) in the first quarter — a jump from just one listing of that size in the year-ago period — according to KPMG.
In all, the consultancy said, Hong Kong saw 15 IPOs in all of the first quarter which raised 17.7 billion HKD — the best start to a year since 2021.
There’s still a long way to go before recovering to that level. Hong Kong saw 32 IPOs in the first quarter of 2021 that raised a whopping 132.7 billion HKD, according to KPMG.
The Hong Kong stock exchange has adjusted its listing rules in the interim, including ones that support companies already listed in mainland China to offer shares in Hong Kong.
In addition to CATL, other companies listed in mainland China — Hengrui Pharmaceuticals, Mabwell, Haitian Flavoring and Food, Fortior Tech and Sanhua Intelligent Controls — are “actively seeking Hong Kong listings,” said Tiger Brokers, an underwriter of many Chinese companies’ IPOs in the U.S. and Hong Kong.
“Chinese regulators are encouraging companies to list in Hong Kong to broaden financing channels and support the outbound merger and acquisition needs of Chinese enterprises,” the firm said.
Still not out of the woods
Back in the summer of 2021, the fallout over Chinese ride-hailing company Didi’s IPO in the U.S. prompted both countries’ regulators to scrutinize what was then a wave of Chinese companies listing in New York.
The major issues have since been resolved and Beijing has clarified rules for Chinese companies wanting to list outside the mainland. But the Trump administration indicated in its “America First Investment Policy” that it could increase scrutiny on U.S. capital flowing to China, on top of heightened tariffs.
The U.S. and China have yet to indicate when their two leaders might meet in an attempt to forge a deal. A surge of interest in AI and tech are also not yet enough to speed up a recovery in China’s economy.
“At this point in time, all we can see is the good indicators,” EY’s Chan said. But “there could be one single incident happening which could pretty much reverse the trend.”
“Things tend to have a pattern,” he said. “If things can keep on for three months, four months, it will likely continue for the rest of the year.”
Finance
Treasury Secretary Bessent says market woes are more about tech stock sell-off than Trump’s tariffs
Treasury Secretary Scott Bessent speaks to reporters outside the West Wing after doing a television interview on the North Lawn of the White House on March 13, 2025 in Washington, DC.
Andrew Harnik | Getty Images
Treasury Secretary Scott Bessent said Wednesday the sell-off in the stock market is due more to a sharp pullback in the biggest technology stocks instead of the protectionist policies coming from the Trump administration.
“I’m trying to be Secretary of Treasury, not a market commentator. What I would point out is that especially the Nasdaq peaked on DeepSeek day so that’s a Mag 7 problem, not a MAGA problem,” Bessent said on Bloomberg TV Wednesday evening.
Bessent was referring to Chinese AI startup DeepSeek, whose new language models sparked a rout in U.S. technology stocks in late January. The emergence of DeepSeek’s highly competitive and potentially much cheaper models stoked doubts about the billions that the big U.S. tech companies are spending on AI.
The so-called Magnificent 7 stocks — Apple, Amazon, Tesla, Alphabet, Microsoft, Meta and Nvidia — started selling off drastically, pulling the tech-heavy Nasdaq Composite into correction territory. The tech-heavy benchmark is down about 13% from its record high reached on December 16.
However, the secretary downplayed the impact from President Donald Trump’s steep tariffs, which caught many investors off guard and fueled fears of a re-acceleration in inflation, slower economic growth and even a recession. Many investors have blamed the tariff rollout for driving the S&P 500 briefly into correction territory from its record reached in late February. Wall Street defines a correction as a drop of 10% from a recent high.
S&P 500, YTD
Trump signed an aggressive “reciprocal tariff” policy at the White House Wednesday evening, slapping duties of at least 10% and even higher for some countries. The actions sparked a huge sell-off in the stock market overnight, with the S&P 500 futures declining nearly 4% and the blue-chip Dow Jones Industrial Average shedding 1,100 points. The losses will likely but the S&P 500 back into correction territory in Thursday’s session.
“It’s going to be fine if we put the best economic conditions in place,” Bessent said in a separate interview on Fox Wednesday evening. “If you go back and look, the stock market actually peaked on the [DeepSeek] Chinese AI announcement. So a lot of what we have seen has been just an idiosyncratic tech sell-off.”
Trump will ‘buckle under pressure’ if Europe bands together over tariffs: German economy minister
The Trump train slows
How did the U.S. arrive at its tariff figures?
New 2023 K-1 instructions stir the CAMT pot for partnerships and corporations
The Essential Practice of Bank and Credit Card Statement Reconciliation
Are American progressives making themselves sad?
-
Economics7 days agoYoung Americans are losing confidence in economy, and it shows online
-
Personal Finance1 week agoStudent loans could be managed by the Small Business Administration
-
Economics6 days agoPCE inflation February 2025:
-
Economics1 week agoWhite House denials over the Signal snafu ring hollow
-
Accounting6 days agoIRS sets new initiative with banks to uncover fraud
-
Economics7 days agoTexas troopers are in more and more lethal car chases
-
Economics6 days agoConsumer sentiment worsens as inflation fears grow, University of Michigan survey shows
-
Personal Finance1 week agoMillions of student loan borrowers past-due after bills restarted: Fed