Six Months into DORA: How Regulatory Obligations Support Operational Resilience
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and began to apply on 17 January 2025.
For the first time, all provisions addressing digital risk in the financial sector are set out in a single, consistent legislative framework. This closes gaps, removes inconsistencies, and introduces targeted rules in areas such as ICT risk management, incident reporting, operational resilience testing, and the monitoring of ICT third-party risk.
DORA also acknowledges the potential impact of ICT incidents, making clear that a lack of operational resilience can threaten the soundness of financial entities.
As a designated securitisation repository, European DataWarehouse (EDW) is listed amongst the financial entities subject to DORA requirements. Accordingly, EDW’s risk management framework adheres to the standards set in DORA with regard to ICT risk management, digital operational resilience testing, third-party risk management and ICT-related incidents.
The following section outlines four key areas where DORA’s requirements shape EDW’s operations as a market infrastructure.
1. Structured Incident Handling
DORA sets common standards for classifying and reporting ICT-related incidents to supervisors. In practice, this means any major ICT-related incidents affecting EDW’s services are handled under a formal process with specific timelines for assessment, communication, and resolution.
2. Supervised Governance
EDW’s DORA obligations sit alongside existing supervisory requirements under the Securitisation Regulation delegated acts. EDW’s ICT risk and security management frameworks (including policies, processes, methods, and tools) have been adapted to DORA requirements and are directly supervised by the European Securities and Markets Authority (ESMA).
3. Third-Party Risk Controls
DORA requires regulated entities to manage ICT risks linked to third-party providers. This means that any external service providers critical to EDW operations are subject to specific contractual provisions and ongoing performance monitoring.
4. Regular Testing of Resilience
Operational resilience testing is at the core of DORA. This means that EDW systems are periodically assessed to confirm they can continue operating as intended, even in challenging scenarios.
DORA aims to bring consistency and resilience to the digital infrastructure underpinning the EU financial system.
EDW’s compliance with DORA reflects its existing obligations as a registered securitisation repository. It doesn’t represent a shift in direction, but rather a continuation of practices that have long prioritised transparency, resilience, and regulatory alignment.
For further information regarding European DataWarehouse’s compliance with DORA, including EDW policies, please contact us below.