Complying with DORA: digital transaction choreography enhances financial resilience

The DORA Regulation (Digital Operational Resilience Act) has been created with the aim of strengthening the digital operational resilience of financial firms, ensuring they can continue their critical operations even in the face of technological disruptions or cyberattacks.

T

his regulation requires financial entities to proactively manage the risks associated with technology, establishing rigorous controls over information systems and the external providers of technological services they rely on. 

DORA encourages the emergence of bold strategies that provide the confidence the financial sector needs. It is here that we must discuss secure transaction choreography. Transaction choreographers enable the seamless and secure coordination and monitoring of multiple technological operations, reducing the risk of failures and improving responses to potential incidents. These solutions are essential to ensure that companies can meet the strict demands of DORA, safeguarding operational continuity and the integrity of their digital transactions. 

Benefits of transaction choreography for DORA compliance 

• In real time. A transaction choreographer ensures that operations are executed in a coordinated and supervised manner in real time. This is essential to prevent operational failures and protect the integrity of transactions against cyber threats. Choreographers constantly monitor transaction flows, detecting and correcting any anomalies or deviations that could jeopardise the security of the operation. This significantly reduces exposure to attacks such as identity theft or unauthorised intervention, which is crucial for meeting the operational resilience requirements set forth by DORA.
• Risk reduction. Operational risk management is a central pillar of DORA, and choreographers facilitate this process by ensuring that all parties involved in a transaction operate synchronously. Human or technological errors that could compromise operations are minimised thanks to the choreographer’s ability to manage multiple technology providers and coordinate their actions. This results in greater stability and confidence in transactions, as the risk of failures due to coordination errors between systems is eliminated.
• Traceability and continuous monitoring. Another key aspect for DORA compliance is the ability to provide a complete and auditable record of all transactions. Choreographers enable detailed tracking of each operation, offering traceability that is essential for internal and external audits. This level of transparency is critical for demonstrating regulatory compliance and allows companies to respond swiftly to any requests for transaction reviews from regulatory authorities.
• Improvement in operational resilience. Operational resilience is the primary objective of DORA, and secure digital transaction choreographers directly contribute to achieving it. These systems ensure that transactions can continue without interruption, even in the face of technical issues or external attacks. If a technology provider experiences an outage, the choreographer can redirect operations to other systems or providers, ensuring continuity of service. This enhances the ability of companies to remain operational in the face of any contingency, thereby fulfilling one of the most important aspects of the DORA regulation. 

Relationships with technology service providers according to DORA 

DORA specifically addresses how financial entities should manage their relationships with external technology service providers in Article 6.9. 

Financial firms may, but are not required to, develop a strategy that utilises multiple technology providers. This means they can work with different companies that supply technological services, but they must do the following: 

• Have a comprehensive overview: They must have a strategy that encompasses all the providers they work with, meaning they should have a holistic view of all the involved technology providers.
• Demonstrate key dependencies: They must identify and explain which are the most important providers they rely on for their technological operations.
• Justify the combination of providers: The company must explain why they chose that particular mix of technology providers. This means they should provide clear reasons for selecting certain providers and how this helps improve their digital resilience. 

This is important for managing the risks that may arise from relying too heavily on one or a few technology providers, ensuring that if one fails, the company’s operations are not severely affected. 

A digital transaction choreographer with a well-defined Service Level Agreement acts as a crucial facilitator to ensure that relationships with multiple providers are managed efficiently and in a coordinated manner. The Agreement should set clear expectations regarding performance, availability, and response times for each provider, allowing the company to maintain complete control over the behaviour of each player within its digital ecosystem. 

If a provider fails to meet its obligations, the choreography system can swiftly escalate the issue and redirect operations to another available provider. This minimises interruptions and ensures operational resilience, as required by DORA. 

Management of technology provider risks 

According to the obligations established in DORA, financial entities must develop a clear risk management strategy regarding their external technology providers, especially when these services are critical or important to their operations. 

One fundamental aspect of risk management is identifying which technological functions provided by third parties are critical or important for the operation. For example, a digital onboarding solution can be considered critical, as it is essential for the security and operability of the company. A digital transaction choreographer can help manage such critical solutions by ensuring that the onboarding process is carried out securely and in a coordinated manner, maintaining control over transactions and avoiding vulnerabilities that may arise from relying on multiple providers. 

By having the choreographer manage the flow of these interactions, the company can ensure that user authentication and identity verification are carried out smoothly, even when multiple technology providers are used. 

Within the risk management strategy, DORA suggests that financial entities consider the use of alternative or backup providers to ensure service continuity in the event that the primary provider fails. For example, if a company relies on a provider for optical character recognition (OCR) or digital signatures, the choreographer can activate a backup provider in case of a failure. This ensures that transactions continue seamlessly, without impacting end users or the company’s operations. 

If one of the external providers supporting critical functions, as mentioned above, experiences an outage, the choreographer can automatically redirect transactions to a backup provider without interrupting operations or compromising data security. 

Contractual compliance according to DORA  

The DORA regulation requires financial entities to have a clear plan for managing contracts with their technology providers, ensuring they can terminate these contracts in the event of critical failures without affecting service continuity. The digital transaction choreographer offers key advantages, as it can play a crucial role in contingency planning and provider diversification. 

One of the requirements of DORA is that financial entities must have exit strategies that allow them to disengage from a provider in cases of non-compliance or serious security issues, without interrupting critical functions. A choreographer can serve as a planned alternative operator within these contingency plans, ensuring that transactions and critical services can continue smoothly, even when the primary provider fails or is withdrawn. 

In the event that a provider fails to meet the Service Level Agreements or presents failures that jeopardise the availability or integrity of data, the choreographer can redirect operations to other previously integrated systems or providers. 

Provider diversification is a key strategy for reducing risks and avoiding dependence on a single technology service provider, as mandated by DORA. For instance, in the case of video identification solutions, the choreographer can integrate and manage multiple providers, ensuring that if one fails, critical transactions can still be carried out without interruptions. 

This approach justifies the use of multiple providers for critical functions such as video identification, offering greater flexibility and protection against potential operational failures. By diversifying providers, financial entities reduce the likelihood of a single point of failure, aligning with DORA’s requirements to ensure the continuity and quality of critical services. 

Financial entities that implement choreographic solutions will be better equipped to face challenges, including compliance with new regulations like DORA, strengthening their resilience against disruptions or threats and providing more comprehensive and reliable services to the public. 

Find out how TrustCloud helps you to comply with DORA