DORA Compliance

Information Sharing

Learn how information sharing under DORA enhances collective resilience by enabling secure, collaborative exchanges of threat intelligence and best practices.

Information sharing is a critical requirement of the Digital Operational Resilience Act (DORA), designed to foster collaboration, transparency, and collective resilience across the financial sector.

Outlined in Articles 19–21, information sharing ensures that financial institutions, ICT providers, and regulatory bodies exchange actionable intelligence to strengthen defenses against cyber threats and operational risks.

This requirement complements the other core pillars of DORA: 

Together, these elements provide a comprehensive framework for digital operational resilience, ensuring financial institutions can maintain stability and compliance in an evolving risk landscape.

This guide explores the information-sharing component in detail, offering insights into its implementation and benefits.


What is Information Sharing under DORA compliance?

Information sharing under DORA refers to the exchange of cybersecurity and ICT risk-related data between financial institutions, ICT providers, regulatory bodies, and other stakeholders.

The goal is to strengthen collective defenses against cyber threats, reduce duplication of effort, and improve the overall resilience of the financial ecosystem.

DORA mandates that information sharing must be conducted securely, ensuring the protection of sensitive data and compliance with privacy regulations. 


DORA Compliance Requirements for Information Sharing

DORA mandates that financial institutions establish systems and processes to facilitate secure and efficient information sharing. Key requirements include:

  • Secure Channels: Implement mechanisms to exchange information without compromising data security or privacy.
  • Participation in Networks: Join and contribute to industry-wide information-sharing arrangements and regulatory collaborations.
  • Data Integrity: Ensure all shared data is accurate, standardized, and relevant.
  • Confidentiality Measures: Protect sensitive data while sharing actionable intelligence to meet privacy regulations.


Core Elements of Information Sharing under DORA

1. Establishing Secure Information-Sharing Mechanisms (Article 19)

Creating secure channels for information sharing is the first step in meeting DORA’s requirements. Financial institutions must implement systems that ensure the safe exchange of data, maintaining confidentiality, integrity, and availability.

Organizations often rely on Threat Intelligence Platforms (TIPs) or other encrypted communication tools to facilitate secure data exchanges. These platforms streamline the process by integrating various data sources, providing a unified system for analyzing and disseminating threat intelligence. For example, a bank using a TIP can automatically share Indicators of Compromise (IoCs) from a detected phishing attack with peers, enabling them to strengthen their defenses proactively.

Key Activities:

  • Deploy secure communication tools, such as Threat Intelligence Platforms (TIPs), to facilitate encrypted data sharing.
  • Implement access controls to ensure only authorized parties can access shared information.
  • Use encryption protocols to protect sensitive data during transmission.
  • Establish clear policies for handling shared information, including data ownership and confidentiality agreements.

The outcome of implementing secure mechanisms is a trusted, scalable, and efficient framework for exchanging actionable intelligence, reducing risks across the ecosystem while maintaining compliance.

2. Participation in Information-Sharing Arrangements (Article 20)

DORA encourages organizations to actively participate in structured information-sharing arrangements, such as industry forums, threat intelligence networks, or public-private partnerships.

For instance, a financial institution might join an EU-wide threat intelligence forum, where members share real-time updates on malware trends, regulatory developments, or potential vulnerabilities in common technologies. This collaboration ensures that participants benefit from the collective expertise of the group while aligning with DORA’s requirements for active engagement.

Key Activities:

  • Join industry-specific forums or consortia that focus on threat intelligence and ICT risk management.
  • Engage in cross-border collaborations to share insights on global threats and vulnerabilities.
  • Contribute to public-private partnerships by sharing best practices and incident data with regulators and peer institutions.
  • Designate representatives to participate in regular meetings and exchange sessions.

The outcome is improved situational awareness, faster response times to sector-wide threats, and stronger coordination between public and private entities, ultimately enhancing the resilience of the entire financial ecosystem.

3. Ensuring Data Quality and Relevance (Article 20)

Accurate, timely, and relevant data is essential for effective information sharing. Organizations must validate the data they share and ensure it is actionable for recipients.

For example, an organization reporting a ransomware attack might include detailed IoCs, such as the hash of the malicious file and the IP address of the command-and-control server, alongside mitigation strategies. Standardization through formats like STIX ensures that recipients can seamlessly integrate the shared data into their security systems for immediate action.

Key Activities:

  • Establish a validation process for all shared information, such as confirming the accuracy of indicators of compromise (IoCs).
  • Use standardized formats like STIX (Structured Threat Information Expression) to ensure consistency and usability.
  • Regularly update shared data to reflect the latest intelligence and threat developments.
  • Monitor feedback from recipients to refine the relevance and usefulness of shared information.

The outcome of prioritizing data quality is the dissemination of reliable intelligence that recipients can use effectively to enhance their security posture and respond swiftly to potential threats.
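As an added illustration (not code from the original page or from the product it describes), the following stdlib-only Python builds the kind of STIX 2.1 bundle described above from a ransomware file hash and command-and-control address, after a basic validation pass of the kind the "Key Activities" call for. The hash and the 192.0.2.10 address are constructed placeholders; the TLP:AMBER marking id is the well-known one published in the STIX 2.1 specification.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Well-known TLP:AMBER marking-definition id published in the STIX 2.1 specification
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
SHA256_RE = re.compile(r"[0-9a-f]{64}")

def validate_iocs(sha256: str, c2_addr: str) -> list:
    """Return validation problems; an empty list means the IoCs pass the pre-share check."""
    problems = []
    if not SHA256_RE.fullmatch(sha256.lower()):
        problems.append("sha256 must be 64 hex characters")
    try:
        ip = ipaddress.ip_address(c2_addr)
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            problems.append("c2 address is not a usable host address")
    except ValueError:
        problems.append("c2 address is not a valid IPv4/IPv6 address")
    return problems

def build_stix_bundle(sha256: str, c2_addr: str, description: str) -> dict:
    """Wrap validated IoCs in STIX 2.1 Indicator objects inside a Bundle marked TLP:AMBER."""
    problems = validate_iocs(sha256, c2_addr)
    if problems:
        raise ValueError("; ".join(problems))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    addr_type = "ipv4-addr" if ipaddress.ip_address(c2_addr).version == 4 else "ipv6-addr"

    def indicator(name: str, pattern: str) -> dict:
        return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
                "created": now, "modified": now, "valid_from": now,
                "name": name, "description": description,
                "indicator_types": ["malicious-activity"],
                "pattern_type": "stix", "pattern": pattern,
                "object_marking_refs": [TLP_AMBER]}

    objects = [indicator("Ransomware payload", f"[file:hashes.'SHA-256' = '{sha256.lower()}']"),
               indicator("Ransomware C2 server", f"[{addr_type}:value = '{c2_addr}']")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    # Constructed sample values: a placeholder hash and an RFC 5737 documentation address
    bundle = build_stix_bundle("a" * 64, "192.0.2.10", "Constructed ransomware IoCs")
    print(json.dumps(bundle, indent=2))
```

The resulting JSON is what a TIP or peer would ingest; a malformed hash or address is rejected before anything leaves the organization.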

4. Balancing Transparency with Confidentiality (Article 21)

While transparency is critical for effective information sharing, organizations must also safeguard sensitive data to ensure compliance with privacy and security regulations.

Financial institutions often anonymize data before sharing it, especially when it involves customer information or proprietary details. For instance, sharing aggregated data on the volume and frequency of phishing attempts across the sector provides valuable insights without revealing specifics about any individual organization. Organizations must also establish and enforce policies defining what information can be shared and the safeguards required to protect it during and after transmission.

Key Activities:

  • Use anonymization techniques to remove identifiable details from shared data, ensuring compliance with GDPR and similar regulations.
  • Define and communicate clear policies on what information can be shared and under what circumstances.
  • Implement data loss prevention (DLP) tools to monitor and control the sharing of sensitive information.
  • Regularly review confidentiality agreements with partners and update them as needed.

The outcome is a responsible and compliant approach to information sharing that ensures actionable intelligence is available to stakeholders without compromising data privacy or security. This builds trust within the network and enhances the collective ability to respond to threats effectively.
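An added example, not from the original page, of the aggregation approach described above: per-institution phishing counts (constructed data with fictitious org ids) are rolled up into sector-wide weekly figures, with weeks that have fewer than an assumed minimum number of contributors suppressed and totals rounded to a coarse bucket so no single institution can be identified from the shared output.

```python
from collections import defaultdict
from datetime import date

# Constructed per-institution phishing reports: (fictitious org id, report date, attempts seen)
REPORTS = [
    ("bank-a", "2024-03-04", 120), ("bank-b", "2024-03-05", 45), ("bank-c", "2024-03-06", 15),
    ("bank-a", "2024-03-11", 200), ("bank-b", "2024-03-12", 60),
    ("bank-a", "2024-03-18", 30),
]
MIN_CONTRIBUTORS = 3  # assumed policy: publish a week only when at least 3 institutions reported
BUCKET = 50           # assumed policy: round totals so one large reporter cannot be singled out

def aggregate_phishing(reports, min_contributors=MIN_CONTRIBUTORS, bucket=BUCKET) -> dict:
    """Collapse per-institution reports into sector-wide weekly figures with no org identifiers."""
    per_week = defaultdict(lambda: {"orgs": set(), "total": 0})
    for org, day, count in reports:
        year, week, _ = date.fromisoformat(day).isocalendar()
        entry = per_week[f"{year}-W{week:02d}"]
        entry["orgs"].add(org)
        entry["total"] += count
    shareable = {}
    for key in sorted(per_week):
        n_orgs, total = len(per_week[key]["orgs"]), per_week[key]["total"]
        if n_orgs < min_contributors:
            # Too few reporters: a recipient could infer who reported what, so suppress the figure
            shareable[key] = {"contributors": n_orgs, "status": "suppressed"}
        else:
            shareable[key] = {"contributors": n_orgs, "status": "shared",
                              "approx_attempts": int(total / bucket + 0.5) * bucket}
    return shareable

if __name__ == "__main__":
    for week, row in aggregate_phishing(REPORTS).items():
        print(week, row)
```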

Information Sharing Tools and Technologies

  • Threat Intelligence Platforms (TIPs): Enable organizations to collect, analyze, and share threat intelligence with peers and partners securely.
  • Secure Messaging Systems: Provide encrypted communication channels for sharing sensitive information with trusted parties.
  • Standardization Formats (e.g., STIX): Facilitate seamless integration of shared data into security systems by adhering to common formats and protocols.
  • Governance Dashboards: Track and monitor information-sharing activities, ensuring alignment with DORA’s requirements and organizational policies. 


Most Common Challenges

  1. Data Sensitivity Concerns: Organizations often hesitate to share information due to fears of exposing sensitive data. 
    Solution: Use anonymization techniques and secure communication channels to mitigate risks.

  2. Inconsistent Data Standards: Variability in data formats and quality can hinder effective information sharing. 
    Solution: Standardize data using formats like STIX to ensure consistency and usability.

  3. Lack of Participation: Limited engagement in information-sharing arrangements reduces the benefits of collective intelligence. 
    Solution: Actively participate in industry forums and foster collaborative relationships with peers.

  4. Balancing Transparency and Privacy: Striking the right balance between sharing actionable insights and protecting sensitive data is challenging. 
    Solution: Establish clear policies and implement strong confidentiality safeguards.

Best Practices

  • Establish Trust and Collaboration: Build relationships with peers and regulatory bodies to foster an environment of trust and cooperation.
  • Focus on Actionable Insights: Share information that is accurate, relevant, and timely to support effective decision-making.
  • Leverage Advanced Tools: Use threat intelligence platforms and secure communication systems to streamline information-sharing processes.
  • Align with Regulatory Standards: Ensure all information-sharing activities comply with DORA and other applicable regulations.
  • Continuously Improve Practices: Regularly review and refine information-sharing processes to address new challenges and maximize effectiveness. 

Information sharing under DORA enhances collective resilience by enabling organizations to collaborate effectively against ICT risks and cyber threats. By implementing secure systems, engaging in industry networks, and adhering to privacy regulations, financial institutions can foster a culture of transparency and cooperation while maintaining compliance.


FAQs

What is information sharing in DORA?

Information sharing in DORA refers to the secure and collaborative exchange of threat intelligence, best practices, and incident data among financial institutions, ICT providers, and regulatory bodies. Its goal is to strengthen the collective resilience of the financial sector by fostering transparency and improving response strategies against ICT risks.

What is Article 45 of DORA?

Article 45 of DORA addresses the specific obligations of critical third-party ICT providers, emphasizing the need for comprehensive reporting and oversight mechanisms. It ensures these providers contribute to the operational resilience of the financial institutions they serve, including participating in information-sharing frameworks when required.

What are the reporting requirements for DORA?

DORA mandates that significant ICT-related incidents be reported to regulatory authorities within strict timelines. Reports must include the nature of the incident, its impact, root cause, and mitigation steps. Organizations must also document all incidents, including minor ones, for audit purposes and continuous improvement.

What is the function of information sharing?

The primary function of information sharing is to enhance collective defenses by enabling organizations to share actionable insights, such as threat intelligence, vulnerability updates, and best practices. This fosters collaboration, reduces duplication of effort, and improves the sector’s ability to detect and respond to emerging threats effectively.
