NIS2: Information Sharing
Cybersecurity Information-Sharing Arrangements [Art 29]
Rule: Member States must enable essential and important entities to voluntarily exchange cybersecurity threat intelligence within trusted communities, with ENISA support for establishing such arrangements.
Permissible Voluntary Sharing [Art 29(1)]
Member States shall ensure that essential and important entities (and, where relevant, entities outside the Directive's scope) can voluntarily exchange:
| Information Type | Examples |
|---|---|
| Cyber threats | Ongoing attacks, threat campaigns, malware families |
| Near misses | Attempted attacks, close calls, security incidents narrowly avoided |
| Vulnerabilities | CVEs, zero-days, misconfigurations, weaknesses |
| Techniques and procedures | Attack methodologies, TTPs, exploitation techniques |
| Indicators of compromise (IoCs) | Malicious IPs, domains, file hashes, behavioral signatures |
| Adversarial tactics | Threat actor strategies, campaign patterns, targeting behaviors |
| Threat-actor-specific information | Attribution data, adversary profiles, APT groups |
| Cybersecurity alerts | Warnings from vendors, CSIRTs, national authorities |
| Configuration recommendations | Defensive tool settings, hardening guidelines, detection rules |
Trusted Communities [Art 29(2)]
Information exchange takes place within communities of:
- Essential and important entities (core membership)
- Their suppliers (where relevant to supply chain security)
- Their service providers (where relevant to service delivery security)
Implementation via arrangements:
- Governed arrangements (not ad hoc sharing)
- Respect for sensitive nature of shared information
- Confidentiality and trust requirements
Member State Facilitation [Art 29(3)]
Member States shall facilitate establishment of sharing arrangements by:
- Providing guidance on legal and operational aspects
- Supporting coordination and trust-building
- Enabling cross-sector and cross-border participation
- Removing regulatory barriers to information sharing
Arrangement Specifications [Art 29(3)]
Arrangements may specify operational elements:
| Element | Description |
|---|---|
| Dedicated ICT platforms | Secure portals, threat intelligence platforms (TIP), MISP, STIX/TAXII |
| Automation tools | Automated indicator feeds, machine-readable threat intelligence |
| Content scope | What types of information are shared, sensitivity classification |
| Conditions | Eligibility, confidentiality, use restrictions, data protection |
ENISA Role [Art 29(5)]
ENISA shall assist establishment of arrangements by:
- Exchanging best practices — Documenting successful models across Member States
- Providing guidance — Technical and legal guidance on operationalizing sharing
Data Protection and Confidentiality [Art 29(4)]
Arrangements must respect:
- GDPR compliance — Personal data protection under Regulation (EU) 2016/679
- Confidentiality — Business-sensitive information protection
- Need-to-know — Information distributed only to relevant participants
- Handling markings — TLP (Traffic Light Protocol) or similar classification
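The two operational elements above that a platform actually enforces are content scope (what an arrangement admits) and handling markings with need-to-know distribution. The following is an added example, not part of the NIS2 text and not the code of MISP or any other real platform: it applies TLP 2.0 labels as published by FIRST to decide which community members an indicator may be fanned out to on submission, and whether a recipient may later forward it. All organisation and community names, the content-scope list and the sample indicators are constructed for the demo.

```python
"""Added example (not from the NIS2 text or any real sharing platform): release
control for indicators exchanged inside a trusted community. It enforces the
arrangement's content scope and TLP 2.0 handling markings so that need-to-know
is applied before an indicator is fanned out or forwarded. All organisation and
community names below are constructed for the demo."""
from dataclasses import dataclass

# TLP 2.0 labels as published by FIRST; any other marking is rejected (fail closed).
TLP_LABELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")


@dataclass(frozen=True)
class Subscriber:
    org: str
    communities: frozenset            # arrangements this org participates in
    clients: frozenset = frozenset()  # orgs it counts as its own clients (TLP:AMBER)


@dataclass(frozen=True)
class Indicator:
    value: str                        # e.g. a domain or file hash (constructed)
    ioc_type: str                     # "domain", "sha256", ...
    tlp: str                          # handling marking set by the originator
    source_org: str
    community: str                    # arrangement it was submitted into
    named_recipients: frozenset = frozenset()  # orgs the originator designated


def validate(ind: Indicator, allowed_types: frozenset) -> bool:
    """Ingest checks: marking must be known, IoC type must be within content scope."""
    if ind.tlp not in TLP_LABELS:
        raise ValueError(f"unknown TLP marking {ind.tlp!r}; refusing to distribute")
    if ind.ioc_type not in allowed_types:
        raise ValueError(f"{ind.ioc_type!r} is outside the arrangement's content scope")
    return True


def initial_recipients(ind: Indicator, subscribers) -> set:
    """Orgs the platform may automatically deliver a newly submitted indicator to."""
    out = set()
    for s in subscribers:
        if s.org == ind.source_org:
            continue                          # originator already holds it
        in_community = ind.community in s.communities
        if ind.tlp == "CLEAR":
            out.add(s.org)                    # no restriction on disclosure
        elif ind.tlp == "GREEN" and in_community:
            out.add(s.org)                    # whole community: peers and partners
        elif ind.tlp in ("AMBER", "AMBER+STRICT"):
            if in_community and s.org in ind.named_recipients:
                out.add(s.org)                # limited disclosure: designated orgs only
        # RED: named individuals only, never an automated fan-out
    return out


def may_forward(ind: Indicator, holder: Subscriber, target: Subscriber) -> bool:
    """May `holder`, which legitimately received `ind`, pass it on to `target`?"""
    if ind.tlp == "CLEAR":
        return True
    if ind.tlp == "GREEN":
        return ind.community in target.communities
    if ind.tlp == "AMBER":
        return target.org == holder.org or target.org in holder.clients
    if ind.tlp == "AMBER+STRICT":
        return target.org == holder.org       # stays inside the holder's organisation
    return False                              # RED (or unknown): no onward sharing


def demo() -> dict:
    """Constructed community: two grid operators, a meter vendor and a hospital."""
    grid_a = Subscriber("grid-operator-a", frozenset({"energy-isac"}), frozenset({"meter-vendor-x"}))
    grid_b = Subscriber("grid-operator-b", frozenset({"energy-isac"}))
    vendor = Subscriber("meter-vendor-x", frozenset({"energy-isac"}))
    hosp = Subscriber("hospital-c", frozenset({"health-isac"}))
    members = [grid_a, grid_b, vendor, hosp]
    scope = frozenset({"domain", "sha256", "ipv4"})   # the arrangement's content scope

    # Sample indicators (constructed values: reserved TLD and documentation IP range).
    green = Indicator("c2.invalid", "domain", "GREEN", "grid-operator-b", "energy-isac")
    amber = Indicator("0" * 64, "sha256", "AMBER", "grid-operator-b", "energy-isac",
                      frozenset({"grid-operator-a"}))
    red = Indicator("203.0.113.7", "ipv4", "RED", "grid-operator-b", "energy-isac")
    for ind in (green, amber, red):
        validate(ind, scope)
    return {
        "green_fanout": initial_recipients(green, members),
        "amber_fanout": initial_recipients(amber, members),
        "red_fanout": initial_recipients(red, members),
        "amber_to_client": may_forward(amber, grid_a, vendor),
        "amber_to_outsider": may_forward(amber, grid_a, hosp),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The design choice worth noting is that unknown markings are rejected at ingest rather than treated as unrestricted, and that TLP:RED never enters automated distribution at all; both are the fail-closed behaviour an arrangement's confidentiality conditions call for.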
Voluntary Notification to Authorities [Art 30]
Rule: In addition to mandatory incident reporting (Art 23), entities may voluntarily notify CSIRTs or competent authorities of relevant information.
Voluntary Notifications [Art 30(1)]
Beyond their mandatory notifications, entities may submit:
- Early-stage threats or suspicious activity
- Near misses that didn’t meet significant incident threshold
- Threat intelligence relevant to sector
- Vulnerabilities discovered in products or services
- Best practices and lessons learned
Processing [Art 30(2)]
Procedure
Voluntary notifications are processed in the same way as Art 23 incident reports:
- Acknowledged by CSIRT or competent authority
- Analyzed for threat patterns
- May trigger coordination or advisories
Prioritization
Member States may prioritize mandatory notifications over voluntary ones:
- Significant incidents (Art 23) get first attention
- Voluntary notifications processed when capacity allows
- No penalty for providing voluntary information
Information Sharing with SPOCs
CSIRTs and competent authorities shall inform single points of contact (SPOCs) about voluntary notifications:
- When necessary for coordination or cross-border awareness
- With confidentiality and appropriate protection of notifying entity’s information
- Balancing transparency with trust in voluntary reporting
Practical Implications
Why Voluntary Notification Matters
✅ Builds early warning capability for emerging threats
✅ Reduces stigma around reporting by offering a low-stakes channel
✅ Enables sharing of intelligence that falls below the incident threshold
✅ Improves sector-wide threat visibility
Protections for Notifiers
✅ No additional compliance burden (same procedure as Art 23)
✅ Confidentiality protections maintained
✅ Prioritization ensures mandatory obligations are met first
✅ No expectation of immediate action on voluntary notifications
Comparison: NIS2 vs. DORA Information Sharing
| Aspect | NIS2 (Art 29-30) | DORA (Art 45) |
|---|---|---|
| Scope | Essential & important entities (18 sectors) | Financial entities only |
| Mandatory? | Voluntary (must be enabled) | Voluntary (may participate) |
| Communities | Essential/important + suppliers/providers | Trusted financial communities |
| State role | Member States facilitate arrangements | Minimal state role |
| ENISA role | Assist, guidance | No ENISA involvement |
| Notification | To CSIRTs/authorities (Art 30) | To competent authorities (participation only) |
| Legal basis | Directive (transposed to national law) | Regulation (directly applicable) |
Compliance Checklist
For essential and important entities considering information-sharing arrangements:
Article 29 (Sharing Arrangements)
- Identify relevant communities (sector ISACs, regional forums, vendor groups)
- Assess arrangement’s governance (eligibility, confidentiality, data protection)
- Verify arrangement complies with GDPR for any personal data sharing
- Establish internal policies on what information may be shared and received
- Train relevant staff on confidentiality, classification (TLP), and appropriate use
- Document participation for audit trail and governance records
- Monitor ongoing compliance with arrangement’s terms and conditions
Article 30 (Voluntary Notification)
- Establish internal process for voluntary notifications to CSIRT/authority
- Define criteria for what should be voluntarily notified (near misses, early threats, trends)
- Designate point of contact for voluntary notification submissions
- Document voluntary notifications internally for lessons learned
- Do not delay mandatory notifications (Art 23) in favor of voluntary reporting
- Understand no obligation to act on voluntary notifications immediately