The Digital Operational Resilience Act (DORA) came into force on 17 January 2025. It applies to EU financial institutions and to ICT service providers that support them. DORA requires that digital resilience must extend to every point that staff or contractors use to access systems, including connections from outside central IT.
That includes the uncontrolled network edge, the environments IT does not control such as homes, hotels, serviced offices and client sites. These are precisely where risks lie and where DORA’s requirements are often overlooked.
What DORA Requires and What It Misses at the Edge
DORA focuses on operational resilience, including:
- ICT risk management
- Secure network access
- Incident reporting and recovery
- Third-party ICT risk controls
- Network segmentation and resilience testing
These requirements are built on sound security principles. However, they assume organisations control the edge environments, which is rarely the case. Staff logging in from home or from neighbourhood hot desks are using networks beyond IT’s direct oversight, creating weak entry points.
The Uncontrolled Network Edge Under the DORA Lens
DORA emphasises risk control and resilience for all parts of digital operations. But a compromised home router, a misconfigured Wi-Fi in a serviced office or a spoofed hotel hotspot can undermine everything, even if devices use endpoint protection or VPNs.
The uncontrolled network edge is the point where resilient design often breaks down in practice. These networks are unmanaged, frequently outdated and easily exploited. They become the starting point for incidents that DORA is intended to prevent.
Real-World Examples of Risk
The dangers of ignoring the uncontrolled edge are easy to imagine:
- Home access: A finance manager logs into company systems from their kitchen table while their teenager streams games. The home router has not been updated in years, and the child’s laptop is already infected with malware. Company traffic now shares a pathway with compromised devices.
- Hotel Wi-Fi: A project manager travelling for work checks dashboards from their hotel room. The hotel’s router is shared by hundreds of guests and has never been patched. Attackers monitoring the same network can exploit flaws before traffic even reaches the VPN tunnel.
- Serviced office: A solicitor uses a shared office connection to access sensitive case files. The router is managed by the provider, not the law firm, and has weak security settings. An attacker scanning the internet for exposed routers can gain access remotely.
- Client site: A consultant logs into internal systems while visiting a client. The company has no oversight of that network, yet its own sensitive systems are being accessed through it.
In each case, DORA’s principles of risk management, resilience and control are undermined because the uncontrolled network edge has not been addressed.
How Loxada Delivers Compliance in Practice
Loxada turns theoretical compliance into practical defence. We provide managed routers that create a secure on-ramp, addressing all the key concerns that DORA raises:
- A dedicated, hardened device replaces unknown local networks
- All configurations and firmware are centrally enforced and automatically updated
- Business traffic is isolated from local devices, even if the local network is compromised
- Access can be revoked instantly via subscription controls
This means organisations can demonstrate resilience, network access control, segmentation and third-party management, even when staff operate from the uncontrolled edge.
Making DORA Real for SMEs and Non-EU Firms
For smaller firms or those with partial EU presence, compliance can feel overwhelming. Yet DORA is not optional. Accessing or serving EU financial entities brings it into scope.
Loxada’s out-of-the-box solution delivers secure, centrally managed edge access without complex internal infrastructure changes. It simplifies implementation of:
- Risk assessments across remote access
- Secure access policies without costly rollouts
- Resilience in case of technology or infrastructure failure
This approach allows businesses to comply in a scalable and proportionate way, turning DORA from a regulatory burden into a strength.
Why This Matters
Attackers increasingly target weak points at the edge. Outdated home routers, misconfigured serviced office equipment and hotel Wi-Fi hotspots are easy to find and exploit. Once compromised, attackers can move laterally into company systems and cause significant disruption.
Agencies such as the NSA, GCHQ and CISA have issued repeated warnings about the risks of insecure edge devices. Their advice is clear: bring the edge under central management with hardened, automatically updated infrastructure.
By following this approach, organisations meet both the letter and the spirit of DORA.
The Bottom Line
DORA demands operational resilience across the entire ICT perimeter, including access points outside IT’s direct control. The uncontrolled network edge is often where security fails first.
Loxada brings that edge under control. Our managed routers create secure, centrally managed on-ramps from wherever staff connect. That ensures you not only comply with DORA but enforce it, making every connection secure, auditable and resilient.
In a financial sector where regulation is increasing and threats are constant, turning the uncontrolled edge into a controlled entry point is not just good practice. It is now essential for compliance, resilience and long-term trust.