
Information Sharing Under DORA Article 45: From Obligation to Strategic Advantage

DORA Atlas Editorial

The Least Understood Pillar of DORA

DORA's five pillars receive unequal attention. Pillar I (ICT risk management) and Pillar IV (third-party risk) dominate compliance budgets and board agendas. Pillar II (incident management) and Pillar III (resilience testing) receive operational focus. Pillar V — information sharing — is frequently treated as an afterthought.

This is a strategic mistake.

Article 45 of DORA establishes the framework for voluntary cyber threat intelligence sharing among financial entities. Unlike the other four pillars, which impose mandatory requirements, Article 45 frames information sharing as an encouragement — "financial entities may exchange amongst themselves cyber threat information and intelligence." The word "may" has led many compliance teams to deprioritize it.

But the regulatory trajectory is unmistakable. The European Systemic Risk Board's 2024 recommendation on systemic cyber risk explicitly called for enhanced cross-border information sharing. The ECB's cyber stress test framework evaluates institutions' ability to receive, process, and act on threat intelligence. And national competent authorities across the EU are increasingly asking, during supervisory reviews, what information sharing arrangements each institution participates in.

The institutions that treat Article 45 as a checkbox — or ignore it entirely — are missing both the regulatory signal and the operational advantage. With 96% of Europe's top 100 banks impacted by third-party breaches and DDoS campaigns escalating against European financial infrastructure, collective intelligence is no longer optional.

What Article 45 Actually Requires

Article 45(1) establishes the scope: financial entities may share "cyber threat information and intelligence" including "indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools." The range of shareable intelligence is deliberately broad, covering both tactical indicators (IP addresses, malware hashes, phishing domains) and strategic intelligence (threat actor profiles, campaign analyses, vulnerability assessments).

Article 45(2) sets the conditions. Sharing arrangements must:

  • Aim to enhance digital operational resilience — not competitive intelligence gathering
  • Take place within trusted communities — with defined membership criteria and governance
  • Protect commercially sensitive information — business data, customer data, and competitive intelligence are explicitly excluded
  • Comply with GDPR — particularly regarding the processing of personal data contained in threat indicators
  • Respect competition law — arrangements must not facilitate anticompetitive coordination

Article 46 provides the framework for sharing arrangements, requiring that they define the conditions for participation, involvement of public authorities, and operational elements including the use of dedicated IT platforms.

| Constraint | Source | Practical Implication |
|---|---|---|
| Personal data in IOCs | GDPR Art. 6(1)(f) | IP addresses, email addresses in threat data require legitimate interest assessment; anonymize where possible |
| Competition law | TFEU Art. 101 | No sharing of pricing, strategy, customer lists, or market behavior data; limit scope to threat intelligence |
| Commercially sensitive data | DORA Art. 45(2) | Sanitize shared intelligence to remove institution-specific operational details |
| Cross-border transfers | GDPR Ch. V | Sharing with non-EU entities (e.g., US-based FS-ISAC members) requires appropriate safeguards |
| Classification handling | TLP Protocol | Respect Traffic Light Protocol designations; RED intelligence stays within the receiving entity |

The legal constraints are real but navigable. The financial sector has decades of experience with information sharing in anti-money laundering, fraud prevention, and sanctions compliance. Applying similar governance frameworks to cyber threat intelligence is an extension, not an invention.

The Information Sharing Landscape for Financial Services

Financial institutions in 2025 face a mature ecosystem of sharing arrangements, each with distinct characteristics.

Comparison of Major Sharing Arrangements

| Arrangement | Coverage | Cost | Intelligence Quality | DORA Art. 45 Compliance | Speed of Dissemination |
|---|---|---|---|---|---|
| FS-ISAC (Financial Services ISAC) | Global; 5,000+ members across 75 countries | EUR 15K-100K/year depending on tier | High — curated, sector-specific | Direct satisfaction — designed for financial sector sharing | Hours to minutes via automated feeds |
| ENISA / EU-SCICF | EU-focused; cross-sector including finance | Free (public body) | Medium — broader scope, less sector-specific | Complementary — public authority participation per Art. 46 | Days to hours |
| National CERTs (CERT-EU, BSI, ANSSI, etc.) | Country-specific | Free | Medium to high — varies by CERT maturity | Complementary — NCA coordination per Art. 46 | Hours to days |
| Bilateral arrangements | Institution-to-institution | Internal cost only | Variable — depends on partner maturity | Compliant if governance meets Art. 46 criteria | Minutes (direct communication) |
| Vendor-specific ISACs | Product/platform-specific | Often included in license | Low to medium — product-focused, not threat-actor focused | Supplementary — does not satisfy Art. 45 alone | Hours via product updates |

Why FS-ISAC Is the Default Answer

For most European financial institutions, FS-ISAC membership is the most direct path to Article 45 compliance — and the highest-value intelligence source. Founded in 1999 by the US financial sector, FS-ISAC has grown into the global financial services threat intelligence sharing organization with over 5,000 member institutions across 75 countries.

FS-ISAC's intelligence products directly align with Article 45's scope: indicators of compromise (IOC feeds), tactics, techniques, and procedures (TTP analyses), cybersecurity alerts (vulnerability notifications and active threat advisories), and configuration tools (defensive playbooks and detection rules).

The organization operates under governance that satisfies Article 46 requirements: defined membership criteria, trusted community designation, operational platforms (including automated STIX/TAXII feeds), and public authority involvement (NCA and law enforcement liaison).

Critically, FS-ISAC provides intelligence that is specific to the financial sector. A generic CERT advisory about a vulnerability is useful. An FS-ISAC alert that a specific threat actor is actively exploiting that vulnerability to target SWIFT-connected institutions in the European Banking Authority's jurisdiction — with IOCs, detection rules, and defensive recommendations — is operationally actionable.

Building an Information Sharing Operating Model

Joining FS-ISAC or another sharing arrangement is necessary but insufficient. To extract strategic value from information sharing, institutions need an operating model that connects received intelligence to defensive action.

The Intelligence-to-Action Pipeline

Intelligence sharing creates value only when it drives faster detection, better prevention, and informed risk decisions. The pipeline from receipt to action involves four stages:

Stage 1: Ingestion. Automated feeds (STIX/TAXII, MISP) deliver IOCs and threat reports to a central platform — typically a Threat Intelligence Platform (TIP) or SIEM. Manual dissemination (email alerts, portal notifications) supplements automated feeds for strategic intelligence.

Stage 2: Enrichment. Raw intelligence is enriched with internal context. An IP address flagged as a command-and-control server is correlated against the institution's network logs, asset inventory, and vulnerability data. A malware hash is checked against endpoint detection data. Enrichment transforms external intelligence into internally relevant intelligence.

Stage 3: Action. Enriched intelligence drives defensive actions: firewall rules updated, detection signatures deployed, vulnerable systems patched or isolated, incident response teams alerted. The speed of this stage determines the operational value of the sharing arrangement.

Stage 4: Contribution. The institution shares back — sanitized observations, confirmed IOCs, detection techniques, and post-incident analyses. Contribution sustains the sharing ecosystem. Free-riders degrade intelligence quality for everyone.
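The receive side of the pipeline (stages 1 to 3) is easier to reason about as code than as prose. The following is an added example, not code from DORA Atlas or from FS-ISAC: it takes a small STIX 2.1 bundle of the kind a TAXII poll would return, drops indicators past their `valid_until`, correlates the survivors against the institution's own firewall and DNS log lines and asset inventory, and turns the result into defensive actions. The bundle, log lines, asset inventory, the fixed reference time and all function names are constructed for the example; only single comparison-expression STIX patterns are parsed, so a production deployment would use a proper STIX pattern library.

```python
"""Receive-side intelligence-to-action pipeline (stages 1 to 3).

Added example: parses a STIX 2.1 bundle, enriches each indicator against
internal logs and asset data, and emits defensive actions.  All inputs
and helper names are constructed for this example.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle; identifiers and addresses are test values.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2025-01-10T00:00:00Z", "valid_until": "2025-04-10T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'login-secure.example.net']",
         "valid_from": "2025-01-10T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
    ]})

# Constructed firewall / DNS log lines from the institution's own SIEM.
SAMPLE_LOGS = [
    "2025-02-01T09:12:44Z host=ws-0421 dst=203.0.113.7 dport=443 action=allow",
    "2025-02-01T09:13:02Z host=ws-0421 dst=198.51.100.20 dport=443 action=allow",
    "2025-02-01T09:15:10Z host=srv-db01 query=login-secure.example.net",
]
# Constructed asset inventory: hostname -> business criticality.
SAMPLE_ASSETS = {"ws-0421": "low", "srv-db01": "high"}
NOW = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)  # fixed for determinism

# Matches one STIX comparison expression, e.g. [ipv4-addr:value = '1.2.3.4'].
PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]")
LOG_KV_RE = re.compile(r"(\w+)=(\S+)")
# Which log field each indicator kind is compared against.
LOG_FIELD = {"ip": "dst", "domain": "query", "hash": "sha256"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def ingest(bundle_json, now=NOW):
    """Stage 1: extract simple indicators, dropping any past valid_until."""
    indicators = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) < now:
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if not m:
            continue  # compound patterns (AND / OR / FOLLOWEDBY) need a real STIX parser
        path, value = m.groups()
        if path == "ipv4-addr:value":
            kind = "ip"
        elif path == "domain-name:value":
            kind = "domain"
        elif path.startswith("file:hashes"):
            kind = "hash"
        else:
            continue
        indicators.append({"id": obj["id"], "kind": kind, "value": value})
    return indicators

def enrich(indicators, log_lines, assets):
    """Stage 2: correlate indicators with internal logs and asset criticality."""
    hits = []
    for ind in indicators:
        for line in log_lines:
            fields = dict(LOG_KV_RE.findall(line))
            if fields.get(LOG_FIELD[ind["kind"]]) == ind["value"]:
                host = fields.get("host", "?")
                hits.append({"indicator": ind["id"], "value": ind["value"], "host": host,
                             "criticality": assets.get(host, "unknown"), "time": line.split()[0]})
    return hits

def decide_actions(indicators, hits):
    """Stage 3: preventive blocks for every indicator, escalation for every hit."""
    block = {"ip": "firewall_block", "domain": "dns_sinkhole", "hash": "edr_block_hash"}
    actions = [(block[ind["kind"]], ind["value"]) for ind in indicators]
    for hit in hits:
        actions.append(("alert_ir", f"{hit['host']} contacted {hit['value']} at {hit['time']}"))
        if hit["criticality"] == "high":
            actions.append(("isolate_host", hit["host"]))
    return actions

def run_pipeline(bundle_json=SAMPLE_BUNDLE, log_lines=SAMPLE_LOGS, assets=SAMPLE_ASSETS, now=NOW):
    indicators = ingest(bundle_json, now)
    hits = enrich(indicators, log_lines, assets)
    return indicators, hits, decide_actions(indicators, hits)

if __name__ == "__main__":
    for stage, items in zip(("indicators", "hits", "actions"), run_pipeline()):
        print(f"{stage}:")
        for item in items:
            print("  ", item)
```

Two design points matter for the operational value the text describes. The expired SHA-256 indicator is discarded at ingestion, so stale intelligence never generates blocks or alerts. And enrichment is what separates the two alerts in value: the workstation beacon produces an IR alert, while the same kind of match on a high-criticality database host also produces an isolation action, because the asset inventory, not the feed, supplies that context.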

Decision Framework: What to Share

| Intelligence Type | Share? | Sanitization Required | Channel |
|---|---|---|---|
| IOCs (IPs, domains, hashes) confirmed in your environment | Yes | Remove internal hostnames, user IDs | Automated STIX/TAXII feed |
| TTPs observed in attacks against your institution | Yes | Remove institution-specific details; describe technique generically | FS-ISAC member report |
| Vulnerability discoveries in financial sector software | Yes | Coordinate with vendor (responsible disclosure) before sharing | CERT notification + FS-ISAC |
| Detection rules that proved effective | Yes | Remove internal network topology details | FS-ISAC community playbook |
| Customer-impacting incident details | With caution | Anonymize fully; share only attack methodology, not business impact | Bilateral or NCA channel |
| Internal security architecture details | No | N/A — competitive and security-sensitive | N/A |
| Vendor-specific vulnerability details (pre-patch) | No | N/A — coordinate with vendor first | Responsible disclosure channel |

The GDPR Intersection

The most frequently cited barrier to information sharing is GDPR. Threat intelligence often contains personal data — IP addresses, email addresses, user agent strings — that falls within GDPR's scope. The concern is legitimate but solvable.

Article 6(1)(f) of GDPR provides the legal basis: processing is lawful when necessary for "the purposes of the legitimate interests pursued by the controller or by a third party." Defending against cyber threats is a well-established legitimate interest, recognized explicitly by GDPR Recital 49, which states that "the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security" constitutes a legitimate interest.

The practical framework:

  1. Minimize personal data. Share hashes, behavioral signatures, and domain patterns rather than raw logs containing personal data where possible.
  2. Anonymize where feasible. Replace specific IP addresses with subnet ranges when the subnet-level indicator is sufficient for detection.
  3. Apply proportionality. The severity of the threat justifies the breadth of data sharing. An active ransomware campaign targeting payment processors justifies sharing specific IOCs including IP addresses. A low-severity reconnaissance scan does not justify sharing full packet captures.
  4. Document the legitimate interest assessment. Maintain a standing DPIA for your information sharing program. Update it annually or when the sharing scope changes.
  5. Implement retention limits. IOCs have a shelf life. Delete shared intelligence that is no longer operationally relevant.
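The contribution stage, the "What to Share" decision table and the five-step GDPR framework above all describe the same gate: what an observation must pass through before it leaves the institution. The following added example (written for this guide, not DORA Atlas or FS-ISAC code) implements that gate in one place. It withholds TLP:RED material and non-shareable types, refuses to export a vulnerability finding until vendor coordination is flagged, expires records past a retention window, strips internal hostnames, user IDs and e-mail addresses from free-text context, and generalizes IP indicators to subnet ranges when the observation is low severity. The record layout, the internal hostname naming scheme, the retention windows, the channel names and the sample records are all constructed assumptions.

```python
"""Contribution-side sanitization (stage 4 and the GDPR framework).

Added example: applies the 'What to Share' decision table and the GDPR
minimization steps before intelligence is shared.  Record layout, naming
scheme, retention windows and sample data are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed reference time so the retention check is deterministic.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed internal naming scheme; a real deployment would use its own.
INTERNAL_HOST_RE = re.compile(r"\b(?:ws|srv|lap)-[a-z0-9]+\b")
USER_ID_RE = re.compile(r"\buser=\S+")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Channel per intelligence type, following the decision table.  Types absent
# here (architecture details, pre-patch vendor vulnerabilities) never leave.
CHANNEL = {
    "ip": "stix_taxii_feed", "domain": "stix_taxii_feed", "hash": "stix_taxii_feed",
    "ttp": "member_report", "detection_rule": "community_playbook",
    "vulnerability": "cert_and_isac", "incident_detail": "bilateral_or_nca",
}
# Retention windows (step 5): constructed values, tune to your own policy.
RETENTION = {
    "ip": timedelta(days=90), "domain": timedelta(days=180), "hash": timedelta(days=365),
    "ttp": timedelta(days=730), "detection_rule": timedelta(days=730),
    "vulnerability": timedelta(days=365), "incident_detail": timedelta(days=365),
}

def scrub_text(text):
    """Step 1: strip internal hostnames, user IDs and e-mail addresses."""
    text = INTERNAL_HOST_RE.sub("<host>", text)
    text = USER_ID_RE.sub("user=<redacted>", text)
    return EMAIL_RE.sub("<email>", text)

def generalize_ip(value, severity):
    """Steps 2 and 3: low-severity observations go out at subnet granularity."""
    if severity != "low":
        return value
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{value}/{prefix}", strict=False))

def sanitize(record, now=NOW):
    """Return (decision, payload): 'share' with the sanitized record, or
    'withhold' / 'expire' with the reason."""
    kind = record["type"]
    if record["tlp"] == "red":
        return "withhold", "TLP:RED stays within the receiving entity"
    if kind not in CHANNEL:
        return "withhold", f"{kind} is not a shareable intelligence type"
    if kind == "vulnerability" and not record.get("vendor_coordinated", False):
        return "withhold", "coordinate with the vendor before sharing"
    if now - record["first_seen"] > RETENTION[kind]:
        return "expire", "past retention window; delete rather than share"
    value = generalize_ip(record["value"], record["severity"]) if kind == "ip" else record["value"]
    return "share", {
        "type": kind, "value": value, "tlp": record["tlp"], "severity": record["severity"],
        "channel": CHANNEL[kind], "context": scrub_text(record["context"]),
    }

def sanitize_all(records, now=NOW):
    return [sanitize(r, now) for r in records]

# Constructed observations; addresses are documentation ranges.
SAMPLE_RECORDS = [
    {"type": "ip", "value": "203.0.113.7", "severity": "high", "tlp": "amber",
     "first_seen": NOW - timedelta(days=10),
     "context": "beaconing from ws-0421 user=jdoe to 203.0.113.7:443"},
    {"type": "ip", "value": "198.51.100.20", "severity": "low", "tlp": "green",
     "first_seen": NOW - timedelta(days=5), "context": "port scan against srv-web03"},
    {"type": "domain", "value": "login-secure.example.net", "severity": "high", "tlp": "red",
     "first_seen": NOW - timedelta(days=1), "context": "targeted phishing"},
    {"type": "hash", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "severity": "high", "tlp": "green", "first_seen": NOW - timedelta(days=400),
     "context": "dropper observed last year"},
    {"type": "architecture", "value": "segmentation diagram", "severity": "low", "tlp": "amber",
     "first_seen": NOW, "context": "core banking zone layout"},
    {"type": "vulnerability", "value": "auth bypass in payment gateway", "severity": "high",
     "tlp": "amber", "vendor_coordinated": False, "first_seen": NOW, "context": "found in testing"},
    {"type": "incident_detail", "value": "credential phish", "severity": "high", "tlp": "amber",
     "first_seen": NOW - timedelta(days=3),
     "context": "phish to victim@example.com, payload ran on lap-7731"},
]

if __name__ == "__main__":
    for decision, payload in sanitize_all(SAMPLE_RECORDS):
        print(decision, payload)
```

Run as a script it prints the decision for each sample record. Only the two IP observations and the incident detail are shared, and in each case the context text that reaches the community no longer names a workstation, a user or a mailbox, which is the practical form of the "minimize" and "anonymize" steps above. The low-severity scanner is reported as `198.51.100.0/24` rather than as a single address, while the high-severity C2 address is kept exact, which is the proportionality step in code.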

Measuring the Value of Information Sharing

Compliance teams struggle to quantify the return on information sharing investments. The value is real but manifests across multiple dimensions:

Detection speed. Institutions that receive and act on FS-ISAC alerts detect sector-targeted attacks hours or days before institutions relying solely on internal detection. In cybersecurity, hours matter — they are the difference between containing an intrusion and suffering a breach.

False positive reduction. External threat intelligence contextualizes internal alerts. An alert about network traffic to a suspicious IP address is ambiguous. The same alert, correlated with an FS-ISAC advisory identifying that IP as a confirmed command-and-control server for a campaign targeting European banks, is unambiguous and actionable.

Regulatory credibility. When an NCA asks "what information sharing arrangements do you participate in?" during a supervisory review, membership in FS-ISAC and documented intelligence-to-action workflows demonstrate maturity that purely internal capabilities cannot match.

Incident response preparedness. Institutions that regularly process external threat intelligence build organizational muscle for rapid response. Teams accustomed to triaging shared IOCs and deploying defensive measures are faster and more effective when a real incident occurs.

Building Your Article 45 Program: A Practical Roadmap

Quarter 1 — Foundation. Establish FS-ISAC membership (or equivalent sector-specific ISAC). Designate an information sharing lead within the CISO function. Complete the GDPR legitimate interest assessment for threat intelligence sharing.

Quarter 2 — Automation. Deploy automated IOC ingestion via STIX/TAXII into your SIEM or TIP. Establish correlation rules that enrich external intelligence with internal context. Define escalation thresholds for high-severity shared intelligence.

Quarter 3 — Contribution. Begin contributing sanitized intelligence back to the sharing community. Establish internal review procedures to ensure shared intelligence is properly sanitized. Train the SOC on contribution workflows.

Quarter 4 — Governance. Formalize the information sharing policy. Report to the management body on intelligence received, actions taken, and value delivered. Integrate information sharing metrics into the ICT risk management framework (Pillar I reporting). Prepare for NCA supervisory review by documenting the complete program.

The Strategic Advantage

Financial institutions that build mature information sharing capabilities gain more than DORA compliance. They gain an intelligence advantage that translates directly into better security outcomes: faster detection of targeted attacks, better-informed risk decisions, stronger vendor risk assessments (enriched with threat data about vendors' exposure), and enhanced incident response that benefits from collective sector experience.

Article 45 is the only DORA pillar that is explicitly voluntary. That will not remain the case forever. The regulatory trajectory — across the ESAs, ENISA, and the ECB — points toward increasing expectations around information sharing participation and maturity. The Europol takedown of NoName057 affiliates demonstrated how cross-border intelligence sharing can directly disrupt threat actors targeting financial infrastructure. The institutions that build their programs now, while the requirement is still framed as encouragement, will be years ahead when it becomes an expectation.

Pillar V is not an afterthought. It is the intelligence infrastructure that makes the other four pillars more effective.


This guide reflects DORA Regulation (EU) 2022/2554 Articles 45-49 and associated ESA guidance as applicable in 2025. FS-ISAC membership details and costs are illustrative and subject to change.

