DIGITAL OPERATIONAL RESILIENCE ACT

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and started to apply on 17 January 2025.

DORA aims to strengthen the information and communication technology (ICT) security of financial entities to make sure that the financial sector in Europe is able to stay resilient in the event of a severe operational digital disruption. DORA brings harmonisation of the rules relating to digital operational resilience for the financial sector applying to 21 different types of financial entities, including securitisation repositories.

What does DORA mean for European DataWarehouse?

As a securitisation repository, European DataWarehouse is listed amongst the subject to the DORA requirements. Primarily this means that European DataWarehouse risk management framework needs to adhere to the standards set by DORA in the following areas:

  • ICT risk management;
  • Digital operational resilience testing;
  • ICT third-party risk management;
  • ICT-related incidents.

How does European DataWarehouse comply with DORA?

European DataWarehouse’s ICT governance and risk management framework meets the DORA requirements through:

  1. An appropriate governance structure, policies, procedures, and IT processes in line with DORA requirements;
  2. An adequate ICT risk management framework;
  3. Proper contractual arrangements in place with ICT third-party service providers and a suitable ICT third-party risk management framework;
  4. Internal ICT resilience and security awareness-raising programmes.

As a customer of European DataWarehouse, is my contract affected by DORA?

The steps to be taken depends on the type of services that you have engaged with European DataWarehouse. 

If you are a data owner or a data provider reporting securitisation transactions, as well as a data user accessing securitisation information, you do not need to take any action. European DataWarehouse, as a securitisation repository, will comply with the DORA requirements and will be directly supervised by ESMA in this matter. Please see question 2999 – DORA030:

“[…] In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21). […]”

If you are a data owner or data provider reporting other types of deals (e.g., covered bonds, pools of additional credit claims, portfolios of non-performing loans, etc.) the contract with European DataWarehouse will be affected. Please contact us at DORAcompliance@eurodw.eu

If you have agreed with European DataWarehouse any customised services, please contact us at  DORAcompliance@eurodw.eu for further guidance.

For further information regarding European DataWarehouse’s compliance with DORA, including EDW policies, please contact us below