What is the EU’s Digital Operational Resilience Act? DORA, explained

Financial services companies and their digital technology suppliers are under intense pressure to achieve compliance with strict new rules from the EU that require them to boost their cyber resilience.

By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming law from the European Union known as DORA, or the Digital Operational Resilience Act.

CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.

What is DORA?

DORA requires banks, insurance companies and investment firms to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations.

Such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDOS (distributed denial of service) attack that forces a firm’s website to go offline. 

The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.

Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers.

In the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.

Mike Sleightholme, president of fintech firm Broadridge International, notes that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.

Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.

Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.

These IT providers often deliver “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes.

“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.

Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.

When does the law apply?

DORA entered into force on Jan. 16, 2023, but the rules won’t be enforced by EU member states until Jan. 17, 2025.

The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.

“There’s a lot of focus on third-party risk management” now, Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”

“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.

Many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorized individuals and entities.

The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimize the potential of such data being exposed in a breach or leak.

DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.

What if a firm fails to comply?

For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.

Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high as 1 million euros ($1.1 million).

For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance.

Third-party IT firms deemed “critical” by EU regulators could face fines of up to 5 million euros — or, in the case of an individual manager, a maximum of 500,000 euros.

That’s slightly less severe than a law such as GDPR, under which firms can be fined up to 10 million euros ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.

Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stresses that criminal sanctions may vary from member state to member state depending on how each EU country applies the rules in their respective markets.

DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.

That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect.

Are banks and their suppliers ready?

Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”

“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.

Fredrik Forslund, vice president and general manager of international at data sanitization firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”

On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”

“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.”

Apple iPhone assembly in India won’t cushion China tariffs: Moffett

Leading analyst Craig Moffett suggests any plans to move U.S. iPhone assembly to India are unrealistic.

Moffett, ranked as a top analyst multiple times by Institutional Investor, sent a memo to clients on Friday after the Financial Times reported Apple was aiming to shift production toward India from China by the end of next year.

He’s questioning how a move could bring down costs tied to tariffs because the iPhone components would still be made in China.

“You have a tremendous menu of problems created by tariffs, and moving to India doesn’t solve all the problems. Now granted, it helps to some degree,” the MoffettNathanson partner and senior managing director told CNBC’s “Fast Money” on Friday. “I would question how that’s going to work.”

Moffett contends it’s not so easy to diversify to India — telling clients Apple’s supply chain would still be anchored in China and would likely face resistance.

“The bottom line is a global trade war is a two-front battle, impacting costs and sales. Moving assembly to India might (and we emphasize might) help with the former. The latter may ultimately be the bigger issue,” he wrote to clients.

Moffett cut his Apple price target on Monday to $141 from $184 a share. It implies a 33% drop from Friday’s close. The price target is also the Street low, according to FactSet.

“I don’t think of myself as the biggest Apple bear,” he said. “I think quite highly of Apple. My concern about Apple has been the valuation more than the company.”

Moffett has had a “sell” rating on Apple since Jan. 7. Since then, the company’s shares are down about 14%.

“None of this is because Apple is a bad company. They still have a great balance sheet [and] a great consumer franchise,” he said. “It’s just the reality of there are no good answers when you are a product company, and your products are going to be significantly tariffed, and you’re heading into a market that is likely to have at least some deceleration in consumer demand because of the macro economy.”

Moffett notes Apple also isn’t getting help from its carriers to cushion the blow of tariffs.

“You also have the demand destruction that’s created by potentially higher prices. Remember, you had AT&T, Verizon and T-Mobile all this week come out and say we’re not going to underwrite the additional cost of tariff [on] handsets,” he added. “The consumer is going to have to pay for that. So, you’re going to have some demand destruction that’s going to show up in even longer holding periods and slower upgrade rates — all of which probably trims estimates next year’s consensus.”

According to Moffett, the backlash against Apple in China over U.S. tariffs will also hurt iPhone sales.

“It’s a very real problem,” Moffett said. “Volumes are really going to the Huaweis and the Vivos and the local competitors in China rather than to Apple.”

Apple stock is coming off a winning week — up more than 6%. It comes ahead of the iPhone maker’s quarterly earnings report due next Thursday after the market close.

Warren Buffett’s top stock picks come with 15% income bonus in new ETF

In a year that hasn’t been kind to many big-name stocks, Warren Buffett’s Berkshire Hathaway is standing near the top. Berkshire shares have posted a 17% return year-to-date, while the S&P 500 index is down 6%.

That performance places Berkshire among the top 10% of the U.S. market’s large-cap leaders, and the run has been getting Buffett more attention ahead of next weekend’s annual Berkshire Hathaway shareholder meeting in Omaha, Nebraska. It’s also good timing for the recently launched VistaShares Target 15 Berkshire Select Income ETF (OMAH), which holds the top 20 most heavily weighted stocks in Berkshire Hathaway, as well as shares of Berkshire Hathaway. 

Berkshire is currently the biggest holding in the ETF, at 10.6% of the fund. Other top holdings in the ETF from among the ranks of Berkshire’s biggest bets include Apple, American Express, Kroger, VeriSign, Bank of America, Citigroup, Visa and of course Coca-Cola, a longtime favorite of the man known as the Oracle of Omaha.

“It’s a really well-balanced portfolio chosen by the most successful investor the world has ever seen,” Adam Patti, CEO of VistaShares, said in an appearance this week on CNBC’s “ETF Edge.”

Berkshire’s outperformance of the S&P 500 isn’t limited to 2025. Buffett’s stock has tripled the performance of the market over the past year, and its 185% return over the past five years is more than double the performance of the S&P 500.

Berkshire Hathaway is one of 2025’s top performing stocks.

In addition to this long-term track record of success in the market, Berkshire Hathaway is getting a lot of attention right now for the record amount of cash Buffett is holding as he trimmed stakes in big stocks including Apple, which has proven to be a great strategy. The S&P 500 has experienced extreme short-term volatility since President Donald Trump’s inauguration on January 20. Even after a recent recovery, the S&P is still down 8% since the start of Trump’s second term.

“The market has been momentum driven for many years, the switch has flipped and we’re looking at quality in terms of exposure, and Berkshire Hathaway has performed incredibly well this year, handily outperforming the S&P 500,” said Patti.

Berkshire Hathaway famously doesn’t pay a dividend, with Buffett holding firm over many decades in the belief that he can re-invest cash to create more value for shareholders. In a letter to shareholders in February, Buffett wrote that Berkshire shareholders “can rest assured that we will forever deploy a substantial majority of their money in equities — mostly American equities.”

The lack of a dividend payment has been an issue over the years for some shareholders at Berkshire who do want income from the market, according to Patti, who added that his firm conducted research among investors in designing the ETF. “Who doesn’t want to invest like Buffett, but with income?” he said.

So, in addition to being tied to the performance of Berkshire and the stock picks of Buffett, the VistaShares Target 15 Berkshire Select Income ETF is designed to produce income of 15% annually through a strategy of selling call options and distributing monthly payments of 1.25% to shareholders. This income strategy has become more popular in the ETF space, with more asset managers launching funds to capture income opportunities and more investors adopting the approach amid market volatility.

More Americans buy groceries with buy now, pay later loans

People shop for produce at a Walmart in Rosemead, California, on April 11, 2025. 

Frederic J. Brown | AFP | Getty Images

A growing number of Americans are using buy now, pay later loans to buy groceries, and more people are paying those bills late, according to new Lending Tree data released Friday.

The figures are the latest indicator that some consumers are cracking under the pressure of an uncertain economy and are having trouble affording essentials such as groceries as they contend with persistent inflation, high interest rates and concerns around tariffs.

In a survey conducted April 2-3 of 2,000 U.S. consumers ages 18 to 79, around half reported having used buy now, pay later services. Of those consumers, 25% of respondents said they were using BNPL loans to buy groceries, up from 14% in 2024 and 21% in 2023, the firm said.

Meanwhile, 41% of respondents said they made a late payment on a BNPL loan in the past year, up from 34% in the year prior, the survey found.

Lending Tree’s chief consumer finance analyst, Matt Schulz, said that of those respondents who said they paid a BNPL bill late, most said it was by no more than a week or so.

“A lot of people are struggling and looking for ways to extend their budget,” Schulz said. “Inflation is still a problem. Interest rates are still really high. There’s a lot of uncertainty around tariffs and other economic issues, and it’s all going to add up to a lot of people looking for ways to extend their budget however they can.”

“For an awful lot of people, that’s going to mean leaning on buy now, pay later loans, for better or for worse,” he said. 

He stopped short of calling the results a recession indicator but said conditions are expected to decline further before they get better.  

“I do think it’s going to get worse, at least in the short term,” said Schulz. “I don’t know that there’s a whole lot of reason to expect these numbers to get better in the near term.”

The loans, which allow consumers to split up purchases into several smaller payments, are a popular alternative to credit cards because they often don’t charge interest. But consumers can see high fees if they pay late, and they can run into problems if they stack up multiple loans. In Lending Tree’s survey, 60% of BNPL users said they’ve had multiple loans at once, with nearly a fourth saying they have held three or more at once. 

“It’s just really important for people to be cautious when they use these things, because even though they can be a really good interest-free tool to help you kind of make it from one paycheck to the next, there’s also a lot of risk in mismanaging it,” said Schulz. “So people should tread lightly.” 

Lending Tree’s findings come after Billboard revealed that about 60% of general admission Coachella attendees funded their concert tickets with buy now, pay later loans, sparking a debate on the state of the economy and how consumers are using debt to keep up their lifestyles. A recent announcement from DoorDash that it would begin accepting BNPL financing from Klarna for food deliveries led to widespread mockery and jokes that Americans were struggling so much that they were now being forced to finance cheeseburgers and burritos.

Over the last few years, consumers have held up relatively well, even in the face of persistent inflation and high interest rates, because the job market was strong and wage growth had kept up with inflation — at least for some workers. 

Earlier this year, however, large companies including Walmart and Delta Airlines began warning that the dynamic had begun to shift and they were seeing cracks in demand, which was leading to worse-than-expected sales forecasts. 
