Chapter VI — Information-sharing arrangements
Information-sharing arrangements on cyber threat information and intelligence
Summary
Permits financial entities to exchange cyber threat information and intelligence among themselves within trusted communities, provided the exchange aims to enhance digital operational resilience and is governed by rules of conduct that respect business confidentiality, personal data protection under the GDPR, and competition law. Sets out the conditions under which such sharing is lawful and requires participation to be notified to the competent authority.
Key Requirements
- 1. Financial entities may exchange cyber threat information and intelligence voluntarily; Article 45 permits sharing but does not mandate it
- 2. Sharing must take place within trusted communities of financial entities, through arrangements that protect the potentially sensitive nature of what is shared
- 3. The arrangements must be governed by rules of conduct that respect business confidentiality, personal data protection (GDPR) and competition law
- 4. Participation in a sharing arrangement, and its cessation, must be notified to the competent authority
- 5. The information exchanged may include indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, to the extent the exchange serves resilience
Detailed Analysis
Article 45 of DORA (Regulation (EU) 2022/2554) provides the legal basis for financial entities to share cyber threat information and intelligence among themselves. Many in the industry had called for such sharing, but it was previously hindered by uncertainty about data protection and competition law implications. DORA reduces this uncertainty by explicitly permitting the exchange, subject to safeguards; it does not oblige any entity to participate.
Sharing must take place within trusted communities of financial entities, implemented through information-sharing arrangements that protect the potentially sensitive nature of the information and are governed by common rules of conduct. Under Article 45(2) the arrangements define the conditions of participation, including whether and in what capacity public authorities are involved, the involvement of ICT third-party service providers, and operational elements such as the use of dedicated IT platforms. The information exchanged may include indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) used by threat actors, cyber security alerts and configuration tools, provided the aim is to enhance the digital operational resilience of the participants, for instance by raising awareness of threats, limiting their spread, and supporting detection and response.
The rules of conduct are not optional. Business confidentiality must be respected, personal data may be processed only on a lawful basis and in line with the data minimisation principle of the GDPR (so that, for example, victim or employee identifiers are not shared when the indicator itself suffices), and the arrangement must not become a vehicle for anti-competitive coordination; the subject matter must remain security-relevant information rather than commercial intelligence.
Under Article 45(3) financial entities must notify their competent authority of their participation in an information-sharing arrangement once their membership has been validated and, where applicable, of the cessation of their membership once it takes effect. This gives supervisors visibility of which entities participate in which communities; whether public authorities also take part in the exchange itself is a matter for the individual arrangement under Article 45(2).