Compare commits


4 Commits

Author SHA1 Message Date
Alexandre Dulaunoy 76820357f5
Merge pull request #17 from ldelavaissiere/master
Update README.md
2022-11-12 12:50:11 +01:00
Laurent de la V 1517e34b78
Update README.md
Proposal to link DORA document from the README
2022-11-12 12:44:15 +01:00
Alexandre Dulaunoy f0817f2fd8
Merge pull request #16 from ldelavaissiere/master
Create information_sharing_dora.md
2022-11-12 12:35:06 +01:00
Laurent de la V f3841a25c7
Create information_sharing_dora.md
Proposal to add an entry on DORA
2022-11-12 12:27:38 +01:00
2 changed files with 72 additions and 0 deletions


@ -0,0 +1,66 @@
# Information sharing enabled by DORA
## Introduction
In light of the cyber threat landscape, European institutions have been working for a number of years on the development of new EU legislation to improve the operational and cyber resilience of the Union's financial sector. On 10<sup>th</sup> November 2022, the European Parliament's plenary session voted the final proposal of **DORA**, a new EU Regulation on **digital operational resilience** for the financial sector. This vote sets DORA to enter into force around early 2023 and into application around early 2025. A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.
DORA will apply to a very wide range of entities, including non-financial sector entities:
- Credit institutions (i.e., banks)
- Payment and electronic money institutions
- Account information service providers
- Investment firms
- Crypto-asset service providers as authorized under MiCA and issuers of asset referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- Critical ICT third-party service providers
## DORA provisions on information sharing
EU co-legislators have dedicated a chapter of DORA to information sharing in an effort to **reinforce the legal grounds** for information sharing arrangements on cyber threat information and intelligence. Under DORA's Art. 40:
**Art. 40(1) - Exchange of cyber threat information and intelligence**
Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence
sharing:
<ol type="a">
<li>aims at enhancing the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats ability to spread, supporting defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages;</li>
<li>takes places within trusted communities of financial entities;</li>
<li>is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.</li>
</ol>
**Art. 40(2) - Information sharing arrangements**
For the purpose of Art. 40(1)(c), the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.
**Art. 40(3) - Notification to competent authorities**
Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once the latter takes effect.
## Relationship between DORA and the NIS2 Directive
As regards the interaction of DORA with the Network and Information Security (NIS) Directive (including its revision), financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS Directive and addresses possible overlaps via a _lex specialis_ exemption.
## References
1. [EUR-Lex: Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52020PC0595)
2. [European Parliament's Legislative Train Schedule; Digital operational resilience for the financial sector](https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-cross-sectoral-financial-services-act-1)
3. [French Presidency of the Council of the European Union; Digital finance: Provisional agreement reached on DORA](https://presidence-francaise.consilium.europa.eu/en/news/digital-finance-provisional-agreement-reached-on-dora/)
4. [Wikipedia article on Regulation (European Union)](https://en.wikipedia.org/wiki/Regulation_(European_Union))
## Contact and Collaboration
If you have any question or suggestion about this topic, feel free to [contact us](https://www.circl.lu/contact/). This document is a collaborative effort where external [contributors can propose changes and improvement](https://github.com/MISP/misp-compliance/tree/master/GDPR) the document.
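Review bot: the contribution link in the closing "Contact and Collaboration" paragraph points at the GDPR directory (`https://github.com/MISP/misp-compliance/tree/master/GDPR`) although this new file lives under `DORA/` (the README hunk links it as `./DORA/information_sharing_dora.md`); point it at the DORA directory, and the sentence also needs a preposition ("can propose changes and improvement to the document"). Two further wording issues in the quoted Art. 40(1) text: "takes places within trusted communities" should read "takes place", and "the cyber threats ability to spread" needs the possessive ("cyber threats' ability"); since this is presented as the Regulation's own wording, check it against the cited source rather than paraphrasing. Finally, the introduction refers to the final proposal voted on 10 November 2022 while reference 1 links the 2020 Commission proposal (CELEX:52020PC0595), so the section should say which text version the "Art. 40" numbering follows, because article numbering can shift between versions of an EU legal text.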


@ -16,6 +16,12 @@ Information sharing communities are enabled using tools like MISP. As a Computer
- [Document in Markdown format](./GDPR/information_sharing_and_cooperation_gdpr.md) | [PDF](./GDPR/information_sharing_and_cooperation_gdpr.pdf)
## Information sharing enabled by DORA
The Digital Operational Resilience Act (DORA) is a new EU legislation aiming at improving the operational and cyber resilience of the Union's financial sector. Set to enter into application in early 2025, DORA will apply to a very wide range of entities, which will benefit from new provisions on information sharing. Those provisions will reinforce the legal grounds for information sharing arrangements on cyber threat information and intelligence.
- [Document in Markdown format](./DORA/information_sharing_dora.md)
## MISP as supporting platform for sharing information, following ISO/IEC 27010:2015
Threat intelligence sharing comes with its own caveats and presents a few challenges. For example, organisations may end up with raw, unevaluated data, which adds an extra burden to the security team of the organisations by increasing the number of events and alerts rather than decreasing them. Moreover, some security vendors loath to share information to avoid losing the competitive edge.
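Review bot: the new "Information sharing enabled by DORA" entry links only the Markdown document, whereas the GDPR entry directly above it offers both "Document in Markdown format" and a PDF; either add a PDF export for the DORA document for consistency with the existing entries, or make the omission deliberate in the PR description. The summary paragraph itself is consistent with the new file's introduction (application expected in early 2025, provisions that reinforce the legal grounds for cyber threat information sharing), so no content change is needed there.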