Article 40 Digital Operational Resilience Act (DORA), Information-Sharing Arrangements On Cyber Threat Information And Intelligence

Article 40 of the Digital Operational Resilience Act (DORA) addresses the crucial aspect of cyber threat information and intelligence sharing among financial entities. As cyber threats become increasingly sophisticated, collaborative efforts in sharing cyber threat information can significantly enhance the digital operational resilience of financial institutions. This article outlines the framework for such exchanges, emphasizing the importance of trusted environments and stringent safeguards to protect sensitive data. Here’s a breakdown of the key provisions under Article 40.

Exchange of Cyber Threat Information

Financial entities are authorized to exchange a wide range of cyber threat information with each other. This includes:

Goals of Information Sharing

The main objectives are to:

• Enhance Digital Operational Resilience: Sharing information aims to bolster the digital resilience of financial entities by raising awareness about potential cyber threats. This includes reducing the spread of threats and improving defensive capabilities, threat detection techniques, and strategies for mitigation, response, and recovery.

• Trusted Communities: Information must be shared within trusted communities of financial entities to ensure that all participants are reliable and have established trust.

• Protected Sharing Arrangements: The sharing must occur through arrangements that protect the sensitive nature of the information. These arrangements should adhere to rules of conduct that ensure business confidentiality, personal data protection, and compliance with competition policies.

Information-Sensitive Protection

The information-sharing arrangements must be designed to safeguard the sensitive nature of the exchanged information. This includes:

• Rules of Conduct: Ensuring that all participants comply with confidentiality and data protection guidelines.

• Competition Policy: Following regulations related to fair competition.

Conditions and Involvement of Public Authorities

For effective information sharing, the arrangements must define:

Participation Conditions

The arrangements should set out specific conditions for participation. This includes:

• Public Authority Involvement: When applicable, the details on how public authorities are involved should be clear. This includes defining their role and how they will interact with the information-sharing process.

Operational Elements

Operational details should be provided, including:

• Dedicated IT Platforms: The use of specialized IT platforms for secure information sharing.

Notification to Competent Authorities

Financial entities have a responsibility to keep competent authorities informed about their participation in information-sharing arrangements. This includes:

• Membership Notification

Entities must notify the relevant authorities once their membership in an information-sharing arrangement is validated.

• Cessation Notification

If an entity decides to cease its participation, it must inform the authorities of this change as soon as it takes effect.

Article 40 of the Digital Operational Resilience Act (DORA) sets forth a robust framework for the exchange of cyber threat information among financial entities. This article aims to bolster the digital operational resilience of financial institutions by promoting collaborative efforts within trusted communities. The exchange of cyber threat information, including indicators of compromise, tactics, techniques, and procedures, is designed to improve awareness of cyber threats and enhance defensive capabilities. The goal is to limit the spread of threats, strengthen threat detection techniques, and support mitigation strategies and recovery efforts.

The information-sharing arrangements under Article 40 must ensure the protection of sensitive data. These arrangements are governed by rules of conduct that uphold business confidentiality, safeguard personal data, and comply with competition policies. Clear conditions for participation and the involvement of public authorities, where applicable, are essential. Financial entities must notify competent authorities of their participation or cessation in these arrangements to ensure regulatory oversight.

By adhering to these guidelines, financial entities can more effectively manage and mitigate cyber threats while maintaining compliance with regulatory requirements. This collaborative approach enhances the overall resilience of the financial sector against evolving cyber threats.