DORA: Information-Sharing Arrangements
Information-Sharing Arrangements [Art 45]
Rule: Financial entities may voluntarily exchange cyber threat intelligence within trusted communities to enhance digital operational resilience, subject to strict confidentiality, data protection, and competition law safeguards.
Permissible Sharing [Art 45(1)]
Financial entities may exchange:
| Information Type | Examples |
|---|---|
| Indicators of compromise (IoCs) | Malicious IPs, domains, file hashes, signatures |
| Tactics, techniques, procedures (TTPs) | Attack methodologies, threat actor behaviors |
| Cybersecurity alerts | Emerging threat warnings, vulnerability disclosures |
| Configuration tools | Defensive configurations, security settings |
Conditions for Sharing [Art 45(1)]
Sharing must meet ALL three conditions:
(a) Purpose: Enhanced Digital Resilience
Sharing must aim to:
- Raise awareness of cyber threats
- Limit or impede threats’ ability to spread
- Support defense capabilities and threat detection
- Improve mitigation strategies
- Enhance response and recovery capabilities
(b) Trusted Communities
Sharing must occur within trusted communities of financial entities.
Characteristics of trusted communities:
- Known, vetted participants
- Shared understanding of threat landscape
- Mutual benefit from intelligence sharing
- Aligned security posture and maturity
(c) Protective Arrangements
Sharing arrangements must:
| Requirement | Description |
|---|---|
| Protect sensitive information | Safeguards for confidential, competitive, or privileged data |
| Rules of conduct | Governance framework for appropriate use and disclosure |
| Business confidentiality | Protection of commercial information and trade secrets |
| Data protection | Full compliance with GDPR (Regulation (EU) 2016/679) |
| Competition law | Adherence to antitrust and competition policy guidelines |
Arrangement Structure [Art 45(2)]
Information-sharing arrangements must define:
Participation Conditions
- Eligibility criteria — Who can join (entity types, sectors, jurisdictions)
- Onboarding process — Verification, validation, agreements
- Code of conduct — Behavioral standards, acceptable use
Public Authority Involvement (where appropriate)
- Authority roles — Which competent authorities may participate
- Capacity — Observer, contributor, coordinator, regulator
- Information flow — What authorities receive, how they contribute
ICT Third-Party Service Provider Involvement
- Provider eligibility — Critical ICT third-party service providers under DORA Art 31
- Access level — What information they may receive or contribute
- Obligations — Confidentiality, use restrictions, data protection
Operational Elements
- IT platforms — Use of dedicated secure exchange platforms (e.g., STIX/TAXII-based threat intelligence servers)
- Communication protocols — Encryption, authentication, authorization
- Information classification — Labeling schemes (TLP, sensitivity levels)
- Retention and deletion — Data lifecycle management
Notification Obligation [Art 45(3)]
Financial entities must notify competent authorities:
| Event | Timing | Content |
|---|---|---|
| Join arrangement | Upon membership validation | Arrangement name, participants, scope |
| Leave arrangement | When cessation takes effect | Arrangement name, effective date |
Important: Notification is required but participation itself is voluntary.
Practical Implications
What This Enables
✅ Participation in industry ISACs (Information Sharing and Analysis Centers)
✅ Cross-border threat intelligence sharing within the EU financial sector
✅ Collaboration on incident response and threat mitigation
✅ Shared defensive capabilities (e.g., collective blocklists, threat feeds)
What This Prohibits
❌ Sharing customer data or transaction details unless GDPR-compliant
❌ Sharing competitively sensitive business information (pricing, strategy)
❌ Coordination on market conduct or anti-competitive behavior
❌ Sharing without proper confidentiality and data protection safeguards
Integration with Other DORA Provisions
| Provision | Relationship |
|---|---|
| Art 6-16 (ICT risk management) | Threat intelligence feeds inform risk assessments |
| Art 19 (Incident reporting) | Shared incidents (anonymized) improve sector awareness |
| Art 28-30 (Third-party risk) | ICT providers may participate in sharing arrangements |
| Art 49 (Cross-sector exercises) | Information sharing supports coordinated testing |
Comparison with Other Frameworks
| Framework | Sharing Mechanism |
|---|---|
| NIS2 Directive (Art 29-30) | Voluntary cybersecurity information sharing for essential/important entities |
| GDPR (Art 6(1)(f)) | Legitimate interest basis for threat intelligence sharing (subject to balancing test) |
| EU Cybersecurity Act (Regulation 2019/881) | ENISA facilitates information sharing at EU level |
| PSD2 (Directive 2015/2366) | Payment sector-specific information sharing mechanisms |
Compliance Checklist
For financial entities considering information-sharing arrangements:
- Assess whether participation aligns with ICT risk management strategy (Art 6)
- Verify arrangement meets Art 45(1) conditions (purpose, trusted community, protections)
- Review arrangement’s participation conditions and governance (Art 45(2))
- Conduct data protection impact assessment (DPIA) if processing personal data
- Obtain legal advice on competition law compliance
- Prepare notification to competent authority with required details
- Establish internal policies for what information may be shared and received
- Train staff on confidentiality, data protection, and appropriate use of shared intelligence
- Document membership validation date for notification timing
- Monitor ongoing compliance with arrangement’s rules of conduct