# Information sharing enabled by DORA

## Introduction

In light of the cyber threat landscape, European institutions have been working for a number of years on the development of new EU legislation to improve the operational and cyber resilience of the Union's financial sector. On 27<sup>th</sup> December 2022, the Official Journal of the European Union published the final text for **DORA**, a new EU Regulation on **digital operational resilience** for the financial sector _(Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector)_. This publication sets DORA to enter into application on 17<sup>th</sup> January 2025. A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.

DORA will apply to a very wide range of entities, including non-financial sector entities:

- Credit institutions (i.e., banks)
- Payment and electronic money institutions
- Account information service providers
- Investment firms
- Crypto-asset service providers as authorized under MiCA and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- Critical ICT third-party service providers

## DORA provisions on information sharing

EU co-legislators have dedicated a chapter of DORA to information sharing in an effort to **reinforce the legal grounds** for information sharing arrangements on cyber threat information and intelligence. Under DORA's Art. 45:

**Art. 45(1) - Exchange of cyber threat information and intelligence**

Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence
sharing:

<ol type="a">
  <li>aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;</li>
  <li>takes places within trusted communities of financial entities;</li>
  <li>is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.</li>
</ol>

**Art. 45(2) - Information sharing arrangements**

For the purpose of Art. 45(1)(c), the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.

**Art. 45(3) - Notification to competent authorities**

Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once the latter takes effect.

## Relationship between DORA and the NIS2 Directive

As regards the interaction of DORA with the Network and Information Security (NIS) Directive (including its revision whose final text was published simultaneously to DORA's), financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS Directive and addresses possible overlaps via a _lex specialis_ exemption.

## References

1. [EUR-Lex: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2022.333.01.0001.01.ENG&toc=OJ%3AL%3A2022%3A333%3ATOC)
2. [French Presidency of the Council of the European Union; Digital finance: Provisional agreement reached on DORA](https://presidence-francaise.consilium.europa.eu/en/news/digital-finance-provisional-agreement-reached-on-dora/)
3. [Wikipedia article on Regulation (European Union)](https://en.wikipedia.org/wiki/Regulation_(European_Union))
4. [Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2022.333.01.0080.01.ENG&toc=OJ%3AL%3A2022%3A333%3ATOC)

## Contact and Collaboration

If you have any question or suggestion about this topic, feel free to [contact us](https://www.circl.lu/contact/). This document is a collaborative effort where external [contributors can propose changes and improvement](https://github.com/MISP/misp-compliance/tree/master/GDPR) the document.