Article 45, Information-Sharing Arrangements On Cyber Threat Information And Intelligence, Digital Operational Resilience Act (DORA)

Overview

1. Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing:

(a) aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;

(b) takes places within trusted communities of financial entities;

(c) is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data in accordance with Regulation (EU) 2016/679 and guidelines on competition policy.

2. For the purpose of paragraph 1, point (c), the information-sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which they may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.

3. Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once it takes effect.

Summary Of Article 45

Article 45 of the Digital Operational Resilience Act (DORA) focuses on establishing information-sharing arrangements for cyber threat intelligence among financial entities. These arrangements allow entities to exchange critical cyber threat data, including indicators of compromise and cybersecurity alerts. The primary goal is to enhance the operational resilience of financial institutions, support defense capabilities, and improve threat detection and mitigation strategies.

The article emphasizes the importance of these exchanges happening within trusted communities to protect sensitive information. It also stipulates that the sharing process must respect business confidentiality, personal data protection laws, and competition policy. Information-sharing frameworks must define participation conditions, detail the involvement of public authorities and ICT third-party service providers, and specify the use of secure IT platforms for these exchanges.

Additionally, financial entities must notify competent authorities upon joining or leaving these information-sharing arrangements. This ensures that authorities maintain an accurate record of participating institutions, enhancing the overall security landscape.