
DORA the Recorder: How EU Regulations are Making Unified Recording an Imperative for Financial Institutions


For many European financial institutions, March 2026 proved to be a particularly challenging month. Amid rising prices and global trade instability, the month also heralded the deadline for the Register of Information submission, a vital requirement of the Digital Operational Resilience Act, or DORA.

DORA requires EU-based financial institutions to submit a full and accurate accounting of every third-party ICT provider, including mobile operators and telecoms partners used to connect teams and employees around the world, to strengthen the EU’s resilience in the face of rising cybercrime.

The legislation is notable for its scope: the directive recognizes the interlaced network of stakeholders that contribute to the European financial sector's digital capabilities, and extends its sights accordingly. While previous measures like MiFID target distinct financial institutions and banks, the DORA purview includes all third-party ICT providers like cloud storage providers, software, and data centers. This makes DORA a global concern, regulating networks across the globe, from traditional investment funds to crypto platforms and crowdfunding services.

DORA compliance for financial services

DORA assesses organizations’ preparedness for external compliance threats, including cyberattacks. As the number of wireless and IoT devices deployed by companies continues to grow, so does their potential attack surface, a reality reflected in the rising rate of cyberattacks on businesses. DORA provides a basic framework for EU companies to codify their cybersecurity strategy and gain unified oversight of every third-party actor within their network.

In a deeply interconnected market like the EU, a cyberattack on any one financial body has a ripple effect, endangering the data of clients, customers, and supply chain partners. DORA is a means to improve the overall resilience of the EU trading bloc, establishing clear benchmarks and prioritising collective pooling of knowledge and resources.

Over a year after DORA came into force, cracks are beginning to show. A recent McKinsey report reveals that fewer than a third of affected companies were confident of meeting the reporting deadline. This reinforces a July 2025 report from Veeam, in which 96% of financial institutions stated they were falling behind on DORA compliance.

Instead of consolidating cybersecurity and streamlining internal operations, DORA has exposed a growing rift between financial institutions and regulators, and emphasized the dangers of stratified, piecemeal internal recording and compliance practices.

Of the surveyed companies, 46% identified the same specific regulation as the most challenging aspect of DORA compliance: the Register of Information, or ROI.

The ROI is the element of DORA that compels financial institutions to disclose the details of all third-party ICT products and providers. This year’s deadline of March 31 left many institutions rushing to account for globally-dispersed contracts across multiple suppliers and service providers.

Assembling these lists is a significant administrative effort, requiring collaboration between procurement, legal, security, and financial departments, as well as external cooperation from third parties themselves.

The widespread failure to meet DORA deadlines indicates the scale of the challenge ahead – and the need for fundamental changes in these firms’ approaches to compliance and recording.

The compliance challenge: coverage as well as capture

2026 has also seen the EU’s MiFID III communication recording directive expanded to cover “omnichannel mobile recording”. Financial bodies are now required to extend their voice, email, and SMS mobile recording capabilities to include instant messaging and video. While this reflects the increasing multi-channel nature of modern business communications, it places additional strain on compliance departments racing to fulfil their DORA requirements.

Institutions now operate across SMS, WhatsApp, Microsoft Teams, Zoom, and other collaboration tools. These channels create regulatory fragmentation, where communications fall outside existing recording architectures, directly conflicting with DORA’s requirements for holistic ICT risk management, incident traceability, and third-party oversight.

By adopting more circumspect strategies and digital-first surveillance tools, companies can turn these regulatory requirements into a competitive advantage, building transparent, resilient digital security that can adapt to evolving threats.

The cost of non-compliance

While significant investments are usually required to meet DORA and MiFID deadlines, the cost of non-compliance is likely much greater, from an ethical, security, and financial perspective.

Regulators have the power to impose fines of up to 2% of global annual turnover or €10m ($11.6m) for non-compliance. The third-party suppliers are also liable – under DORA, these companies can be fined up to 1% of their annual turnover for every day of non-compliance past the deadline. Contracts can be cancelled and licences revoked by DORA regulators in extreme cases.

Financial organizations are investing heavily in mitigating this risk – in the same Deloitte survey, most companies allocated between two and five million Euros annually to ensuring DORA compliance, while it’s now common practice to operate dedicated sub-teams within compliance departments that focus purely on DORA.

DORA and the expanded MiFID III are encouraging organizations to reconsider their wider compliance and cybersecurity strategy and explore a more holistic approach.

Accenture identified “continuous engagement to risk control and monitoring through defined processes” as a defining trait of DORA. This long-term aspect is why flexible, multi-channel recording processes are so vital: DORA will continue to evolve, and so compliance departments must, too.

Key to streamlining DORA readiness and easing the workload on compliance teams is a unified mobile recording approach that operates across multiple communication channels and geographic coverage zones, ideally without requiring separate contracts across multiple connectivity providers and recording services.

How in-network recording solves the issue at the root

Most current mobile recording strategies operate as either:

  • App-based recording: Mobile recording carried out via third-party software installed on user devices.

  • In-network: Recording takes place within the network infrastructure, rather than being tied to a device or app.

While app-based solutions gained popularity for their simplicity of installation and use, peaking during the COVID-19 lockdowns, they remain susceptible to human intervention. By removing the process from the device level, in-network recording provides a safer, more reliable way to capture every mobile communication, across all channels, with minimal user input or effort.

Just as eSIMs have bolstered corporate communications safety by eliminating the risk of SIM loss or theft, in-network recording removes human error (or intention) from the equation. It further recognizes the growing trend of multi-device ownership, with employee mobile communications taking place across smartphones, laptops, tablets, and even wearables – many of which lack the OS requirements to run app-based recording services.

The 1GLOBAL in-network recording architecture captures communications at the network layer, ensuring:

  • Complete capture of SMS, voice, and OTT messaging

  • Elimination of user-side tampering or bypass

  • Consistent policy enforcement across geographies and devices

This directly aligns with DORA’s emphasis on resilience, control, and verifiable auditability of ICT systems.

Why is an in-network recording solution now necessary?

An in-network service allows companies to bridge legacy compliance practices with modern collaboration tools. The reality of modern business is that communication channels vary among regions, device types, and individual employee preferences.

Instant-messaging apps like Microsoft Teams, Slack, and WhatsApp Business have become staples of corporate communication. International organizations also have to account for internal mobile communications among employees, as well as third-party clients and partners.

In the era of DORA and MiFID III, a multi-vendor approach to connectivity is no longer sustainable. A single-pane-of-glass solution like 1GLOBAL replaces these fragmented agreements with one single compliance layer covering all mobile communication channels:

  • Native telecom channels (SMS and voice recording compliance)

  • OTT apps (WhatsApp)

  • Enterprise collaboration platforms (Zoom and Microsoft Teams compliance recording)

1GLOBAL Message+

Message+ is a feature of 1GLOBAL Compliance that directly addresses the omnichannel nature of modern business communications. The service brings all WhatsApp and Microsoft Teams communications together within the Teams app, giving employees a single hub for all instant business messaging and devices.

For employers, it lessens the risk of compliance breaches while enhancing productivity and employee satisfaction.

A unified solution addresses the global realities of the financial market. In an increasingly globalized economy, a growing number of firms are bound to separate, overlapping compliance regulations across regions and jurisdictions. Standards like MiFID II, Dodd-Frank, FDCPA, HIPAA, and GDPR are continually evolving to address technological advancements. Companies bound by these requirements risk incurring millions in administrative costs and exposing themselves, their customers, and the public to the consequences of compliance breaches that are not properly accounted for.

A worldwide partner like 1GLOBAL recognizes this reality and delivers a globally compliant recording service across 190+ countries. In the short term, this drastically reduces administrative workload and lessens the risk of fines or breaches. Long-term, it provides companies with a strategic advantage: once they know their compliance practices are globally valid, firms are free to explore expansion opportunities in new regions and react to market trends, wherever they are.

Building regulatory-compliant messaging platforms

Simplifying recording and compliance services at the administrative level was always a useful practice within financial institutions: DORA has now made this a necessity. Some firms are currently required to account for thousands of contracts, spread across markets and regions.

1GLOBAL Compliance automatically records and saves all employee mobile communications, across all devices, in all countries, to a single cloud platform. This centralized recording and accounting service not only curbs bureaucratic overheads but also helps firms and their external partners to avoid penalties under the new legislation.

Simplifying regulation with unified communications compliance

Continuous improvement and reappraisal are key requirements for DORA compliance. Unlike earlier frameworks, DORA is not a static benchmark: it’s a continually-evolving framework that requires organizations to consistently show current resilience capabilities as well as future-focused strategies.

Again, in-network recording provides the solution. Forward-looking firms recognize that new regulations aren’t just box-ticking exercises, but fundamental opportunities to reshape their compliance practices and develop simple, secure, and scalable recording practices, bolstered by state-of-the-art services like 1GLOBAL Compliance.

The future

By demanding ongoing cooperation from financial institutions, DORA helps to instil sustainable, future-focused digital resilience practices that can adapt to the changing nature of cyberattacks. Information security teams are already preparing for the potential cybersecurity risks posed by developments like quantum computing and artificial intelligence. AI is now being used to both implement and counter cyberattacks, while a recent IBM report found that ungoverned AI cybersecurity systems are “more likely to be breached and more costly when they are.”

Fulfilling future DORA conditions while adjusting to these possible futures requires an equally flexible partner service.

1GLOBAL Compliance is a fully in-network recording solution that captures every interaction, across devices and regions, and securely stores them in the cloud. This digital-first approach is why 8 of the world’s 10 largest banks use 1GLOBAL Compliance services to meet their regulatory obligations. Find out how your company can partner with 1GLOBAL by contacting our team today.

About 1GLOBAL

1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.

It delivers comprehensive communication solutions that encompass Voice, Data & SMS - all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.


1GLOBAL is a trading name of 1GLOBAL Holdings B.V.