The Digital Operational Resilience Act has applied since 17 January 2025. Anyone who has read it will recognise the register. It sets out requirements for ICT risk management, operational resilience, third-party risk and incident reporting in the measured, principle-based language the EU uses when it wants to fix an outcome and leave the method to the firm.
That leaves a practical question unanswered on the page: what does DORA mean for the finance manager logging in from a spare room, or the solicitor working from a serviced office? The Act does not obviously say. This has led many organisations to assume DORA is silent on the home network, the hotel and the coworking space, the places staff actually connect from. It is an understandable assumption, and it is incorrect. Those environments are addressed. The detail simply sits one layer below the Act, where the binding obligations live.
The detail is one floor down
DORA is the top layer. Beneath it sits a set of binding technical standards, and the relevant one here is Commission Delegated Regulation (EU) 2024/1774, the regulatory technical standard on ICT risk management tools, methods, processes and policies. It is not guidance. It is directly applicable law, and it is considerably more specific than the Act above it.
Most readers stop at the Act. That is where the misreading begins. To understand what a financial entity has to be able to demonstrate about the network edge, the technical standard is the document that matters, and it names the edge explicitly. In two places.
Teleworking is a named obligation
Article 11 of the standard requires firms to implement measures to ensure that teleworking and the use of private endpoint devices do not adversely affect their ICT security. A parallel provision in the simplified framework, which applies to smaller firms, appears at Article 35 in almost identical terms. This is not confined to large institutions. It applies across the sector, and it is framed as an outcome the firm has to be able to evidence.
Domestic networks are named as well
Article 13 covers network security, and it is the most directly relevant provision in the standard. Among other requirements, it calls for the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks and wireless networks. The employee’s home broadband is named, in an EU regulation, as somewhere the firm’s obligations continue to apply.
The same article goes further. It requires network access controls that prevent and detect connections from unauthorised devices, or from any endpoint that does not meet the firm’s security requirements. It requires a secure configuration baseline for network components. It requires the ability to isolate affected devices. None of this assumes the firm controls the network the device is connected to, and all of it applies whether that device is in the office or on a kitchen table.
So the position is not that DORA overlooks the edge. Read in full, DORA legislates the edge, one layer down, in a document most organisations never open.
What this looks like in practice
The obligations are abstract. The situations they describe are not.
- Home access. A finance manager signs into internal systems from home while other devices on the same network stream, game and browse. The router has not been updated in years, and an infected laptop may already be on the network. The firm’s traffic now shares a path with unknown devices, on infrastructure the firm has never seen.
- Serviced office. A solicitor works from a shared building’s connection, managed by the building rather than the firm, configured to whatever standard the building chose. The firm carries an obligation to secure the connection and has no ability to touch the equipment carrying it.
- Hotel Wi-Fi. A manager reviews dashboards over a hotel network shared with hundreds of other guests and maintained by no one in particular. Every other device on that network sits inside the same boundary.
In each case, a VPN client secures the traffic and does nothing about the network beneath it. Endpoint protection secures the device and not the environment it connects through. Both are necessary. Neither addresses what Article 13 is concerned with, which is the network itself.
What smaller firms are often told incorrectly
Two myths tend to circulate. The first is that DORA lands on every small firm at full weight. The second is that it does not apply at all to firms outside the EU. Both are worth correcting, because the accurate position is more useful than either.
DORA is proportionate. The smallest firms, microenterprises and various small intermediaries, are either out of scope or fall under a lighter, simplified framework. That framework is genuinely lighter, but it does not drop the edge. The teleworking obligation appears in the simplified version, at Article 35, in almost the same words as the full framework. A small firm does not avoid the home-network question. It meets it with less surrounding machinery.
On the non-EU point: DORA applies to the financial entities it lists. Where the position becomes more involved is in the supply chain. An ICT provider serving EU financial entities is reached by DORA through the contracts those entities are now obliged to hold with their providers, rather than by being directly in scope. That is a real and manageable effect, but it is a contractual mechanism rather than a border, and it is worth understanding which of the two applies before a customer’s compliance team sets it out.
Where Loxada fits, and where it does not
Loxada is a managed secure router system. Each device runs Loxada’s own firmware and creates a known, controlled network wherever it is deployed, logically separated from the local network around it. The device is centrally managed, its firmware is kept current automatically, and it can be revoked centrally if it is lost or a user leaves. In effect, it converts a home network the firm cannot see into a managed connection the firm can.
Measured against the technical standard, that speaks directly to several requirements: the teleworking measures in Articles 11 and 35, the encryption and unauthorised-device controls in Article 13, and the firmware and patching expectations that a consumer router bought by an employee cannot meet. It converts a dependency the firm cannot contract with, audit or update into one it can.
Loxada is not a route to DORA compliance. There is no such thing, no certification to point to, and any claim otherwise should be treated with caution. DORA also covers incident reporting, resilience testing, business continuity and third-party risk management, none of which a router has visibility of. Loxada addresses one layer, the network staff connect through, and is built to sit alongside identity, endpoint and VPN tooling rather than replace any of it.
Agencies including the NSA, CISA and GCHQ have increasingly highlighted edge devices and unmanaged infrastructure as a priority area. The technical standards beneath DORA point, in their own more procedural way, at the same exposure. Where staff connect to sensitive systems from networks the organisation cannot see, that is now a documented obligation rather than an oversight, and it is worth knowing precisely what the standard asks before deciding how to answer it.