Strengthen Digital Operational Resilience Across Your Financial Organisation

By Uma Anand

What is DORA?

The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — is the EU's dedicated framework for ICT risk management in the financial sector. Unlike NIS2, DORA is a Regulation, not a Directive. This means it applies directly and uniformly across all EU Member States without the need for national transposition.

DORA has been in full force since 17 January 2025 and covers virtually every regulated financial entity operating in the EU, as well as the ICT third-party service providers that support them. In 2026, regulators have moved from a guidance posture to active enforcement — financial entities are now expected to demonstrate real, evidence-based operational resilience, not just documented policies.

DORA's central goal is to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks and system failures, while maintaining continuity of critical financial services.


DORA vs. NIS2: Understanding the Relationship

Both DORA and NIS2 address cybersecurity, but they serve different purposes and audiences.

NIS2 (Network and Information Systems Directive): Broad EU cybersecurity directive covering 18 essential and important sectors, including finance. Transposed into national law by each Member State.

DORA (Digital Operational Resilience Act): A sector-specific regulation focused exclusively on the financial industry. It goes deeper than NIS2 on ICT resilience, third-party risk, and resilience testing. Critically, where an organisation is subject to both DORA and NIS2, DORA takes precedence for financial sector obligations.


Who Does DORA Apply To?

DORA covers a broad range of financial entities and their ICT providers:

Financial Entities:

  • Banks and credit institutions
  • Payment and electronic money institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Pension funds and occupational pension institutions
  • Crypto-asset service providers
  • Central securities depositories and trading venues
  • Credit rating agencies
  • Crowdfunding and data reporting service providers

ICT Third-Party Service Providers:

  • Cloud service providers, data centres, and software providers classified as Critical Third-Party Providers (CTPPs) — 19 providers including AWS, Microsoft, and Google Cloud were designated in November 2025.

DORA's Five Pillars

DORA is built around five core requirements:

  • ICT Risk Management — Establish and maintain a robust ICT risk management framework, with regular assessments and clear governance accountability at senior management level.
  • ICT Incident Management, Classification and Reporting — Detect, classify, and report major ICT incidents to regulators within strict timeframes: 4-hour initial notification, 24-hour intermediate report, and a 1-month final report.
  • Digital Operational Resilience Testing — Conduct regular testing of ICT systems, including vulnerability assessments and, for significant institutions, Threat-Led Penetration Testing (TLPT).
  • ICT Third-Party Risk Management — Maintain a Register of Information covering all ICT third-party arrangements, assess concentration risk, and ensure contracts include DORA-mandated clauses.
  • Information and Intelligence Sharing — Participate in threat intelligence sharing arrangements to strengthen sector-wide resilience.

How 42Gears Can Help You Achieve DORA Compliance

Mobile devices are central to financial services operations — from remote banking staff accessing sensitive customer data to field teams using mobile payment systems. DORA's ICT risk management obligations extend to every device that touches your financial infrastructure. Here is how 42Gears and SureMDM map to DORA's requirements.

DORA Requirement: ICT Risk Management
42Gears Capability: Comprehensive Asset Management & Policy Enforcement
Key Functionalities: Maintain an up-to-date inventory of ICT assets and implement appropriate security controls. Gain a centralised, real-time view of all managed devices, applications, and users. Enforce security baselines such as encryption and screen lock policies to reduce ICT risk exposure across the mobile estate.

DORA Requirement: ICT Risk Management
42Gears Capability: Enforce MFA during Enrolment
Key Functionalities: Implement strong access controls and authentication to protect ICT systems. Protect administrator and user accounts with multi-factor authentication, reducing the risk of credential-based compromise across managed devices, directly supporting DORA's access control requirements.

DORA Requirement: ICT Risk Management
42Gears Capability: Enforced Encryption Policies
Key Functionalities: Enforce encryption of data at rest and in transit. Enforce full-device encryption across managed devices to protect sensitive financial data. This supports DORA's requirement to protect ICT assets with appropriate technical measures.

DORA Requirement: ICT Incident Management
42Gears Capability: Incident Response & Remote Management
Key Functionalities: Detect ICT-related incidents on systems and devices and support containment. Utilise remote wipe, lock, and locate capabilities to immediately contain compromised devices. Real-time compliance dashboards provide early visibility of device-level anomalies to support your incident classification workflow.

DORA Requirement: ICT Risk Management
42Gears Capability: Robust Reporting & Compliance Visibility
Key Functionalities: Maintain policies and evaluate the effectiveness of cybersecurity controls. Leverage compliance and audit reporting to demonstrate that security policies are applied and effective across the device fleet, providing auditable evidence for regulatory inspections.

DORA Requirement: ICT Risk Management
42Gears Capability: 42Gears Academy
Key Functionalities: Ensure staff with access to critical systems are trained in cybersecurity. Training courses and certifications covering secure device deployment and cybersecurity best practices, supporting DORA's requirement for ongoing staff training and awareness in ICT risk management.

DORA Requirement: ICT Risk Management
42Gears Capability: Compliance & Access Control Policies
Key Functionalities: Control access to sensitive data and systems. Enforce granular data access controls on managed devices. Supports DORA's requirement to limit access to critical ICT functions to authorised personnel only.

What DORA Requires Beyond MDM

DORA is a comprehensive regulation, whereas SureMDM addresses only the device and endpoint layer. A complete DORA compliance programme will also require:

  • ICT Third-Party Risk Management: The Register of Information covering all ICT third-party arrangements must be maintained in the ESA-specified format and submitted annually. This is a contractual and governance obligation — not an MDM function.
  • Digital Operational Resilience Testing (TLPT): Threat-Led Penetration Testing for significant entities must be conducted by qualified external testers. MDM supports the overall security posture but does not fulfil this requirement.
  • Formal Incident Reporting to Regulators: The 4-hour, 24-hour, and 1-month reporting chain to competent authorities requires a dedicated incident management process and tooling. MDM can surface device-level incidents but the reporting process itself is a separate organisational obligation.
  • Business Continuity and Recovery Testing: DORA requires tested recovery plans with defined RTO and RPO objectives. Backup and recovery tooling is required alongside MDM.

DORA Minimum ICT Risk Management Measures

DORA mandates that financial entities implement the following ICT risk management controls, among others:

  • An ICT risk management framework, approved and overseen by senior management.
  • Continuous identification, classification, and documentation of ICT assets.
  • Continuous monitoring of ICT systems and identification of vulnerabilities.
  • ICT-related incident management, classification, and reporting procedures.
  • Business continuity plans and ICT disaster recovery plans with tested RTO/RPO objectives.
  • A Register of Information covering all ICT third-party arrangements.
  • Digital operational resilience testing, including TLPT for significant entities.
  • Multi-factor authentication and access control for systems holding critical or sensitive financial data.
  • Data encryption at rest and in transit.
  • ICT security training and awareness programmes for all relevant staff.

Conclusion

DORA enforcement is active and regulators in 2026 expect demonstrable, evidence-based compliance — not just documented intentions. SureMDM gives financial organisations a robust, auditable layer of ICT risk management across their mobile device estate: enforced encryption, access controls, real-time compliance visibility, and rapid incident containment capabilities, all aligned with DORA's core technical requirements.

Disclaimer: Achieving DORA compliance requires implementing a comprehensive set of ICT risk management, incident reporting, resilience testing, and third-party risk controls. Mobile Device Management (MDM) solutions address the device and endpoint layer and support several DORA requirements, but a complete DORA compliance programme will require additional solutions and governance processes. This document is for informational purposes only and does not constitute legal or regulatory advice. Organisations should seek qualified legal and compliance counsel for DORA implementation guidance.

Uma Anand – Content Author
Published on May 19, 2026
