DORA-Art45-P1

Article: 45 (1)
Pillar: Information Sharing
Regulation Ref: Regulation (EU) 2022/2554, Article 45(1)
Last Reviewed: 2026-01-15

Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing takes place within trusted communities of financial entities, is aimed at enhancing the digital operational resilience of financial entities, takes place in compliance with applicable data protection rules, and is carried out in accordance with relevant competition law.

Evidence Profiles

Information Sharing Policy RARE

Policy document defining the institution's approach to sharing cyber threat information and intelligence with trusted communities, including scope, governance, data protection safeguards, and competition law compliance as required by DORA Article 45.

Formats: PDF
Evidence Class: info-sharing-policy
Availability: RARE
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → DPO → Legal Counsel → Board Risk Committee

Content Sections

Expected Fields

Common Quality Issues

Policy exists but no active sharing arrangements in place
Data protection safeguards not specific to threat intelligence sharing
Competition law implications not assessed by legal counsel
No defined criteria for what information can be shared

Information Sharing Participation Agreement RARE

Formal agreement documenting participation in a trusted community for cyber threat information sharing, including terms of participation, confidentiality obligations, and data handling requirements.

Formats: DOCX PDF
Evidence Class: info-sharing-agreement
Availability: RARE
Update Frequency: annual
Typical Author: Legal Counsel
Approval Chain: Legal Counsel → CISO → DPO

Content Sections

Expected Fields

Common Quality Issues

Agreement not executed despite policy commitment
Confidentiality obligations not aligned with internal classification
Missing data retention and destruction provisions
No regular review of agreement terms

Threat Intelligence Anonymisation Procedures RARE

JSON-structured procedures for anonymising and sanitising threat intelligence before sharing with external communities, ensuring compliance with data protection regulations.

Formats: JSON
Evidence Class: anonymisation-procedures
Availability: RARE
Update Frequency: annual
Typical Author: Threat Intelligence Analyst
Approval Chain: Threat Intelligence Analyst → DPO → CISO

Content Sections

Expected Fields

Common Quality Issues

Anonymisation procedures not formalised
PII removal rules incomplete for all data types
No automated anonymisation tooling
Validation checklist not consistently applied

Fact Schemas

info_sharing_arrangements_status

Schema ID: fs-info-sharing-arrangements
Control: DORA-Art45-P1

Valid Ranges

assessment_date: within last 12 months
trusted_communities_count: at least 1 for active participation

Related Schemas

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "competition_law_reviewed": {
      "type": "boolean"
    },
    "data_protection_compliant": {
      "type": "boolean"
    },
    "has_sharing_policy": {
      "type": "boolean"
    },
    "has_trusted_communities": {
      "type": "boolean"
    },
    "last_sharing_activity_date": {
      "format": "date",
      "type": "string"
    },
    "sharing_active": {
      "type": "boolean"
    },
    "trusted_communities_count": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "has_sharing_policy",
    "has_trusted_communities",
    "data_protection_compliant"
  ],
  "type": "object"
}

info_sharing_participation_status

Schema ID: fs-info-sharing-participation
Control: DORA-Art45-P1

Valid Ranges

participation_date: current or within agreement validity period
last_contribution_date: within last 6 months for active participation

Related Schemas

JSON Schema

{
  "properties": {
    "active_participant": {
      "type": "boolean"
    },
    "agreement_signed": {
      "type": "boolean"
    },
    "community_name": {
      "minLength": 1,
      "type": "string"
    },
    "confidentiality_obligations_met": {
      "type": "boolean"
    },
    "indicators_received_count": {
      "minimum": 0,
      "type": "integer"
    },
    "indicators_shared_count": {
      "minimum": 0,
      "type": "integer"
    },
    "last_contribution_date": {
      "format": "date",
      "type": "string"
    },
    "participation_date": {
      "format": "date",
      "type": "string"
    }
  },
  "required": [
    "community_name",
    "participation_date",
    "agreement_signed",
    "active_participant"
  ],
  "type": "object"
}

anonymisation_procedures_status

Schema ID: fs-anonymisation-procedures
Control: DORA-Art45-P1

Valid Ranges

effective_date: within last 18 months
last_procedure_test_date: within last 12 months

Related Schemas

JSON Schema

{
  "properties": {
    "automated_anonymisation": {
      "type": "boolean"
    },
    "dpo_approved": {
      "type": "boolean"
    },
    "effective_date": {
      "format": "date",
      "type": "string"
    },
    "has_attribution_removal": {
      "type": "boolean"
    },
    "has_pii_removal": {
      "type": "boolean"
    },
    "has_validation_checklist": {
      "type": "boolean"
    },
    "last_procedure_test_date": {
      "format": "date",
      "type": "string"
    },
    "procedure_version": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "procedure_version",
    "effective_date",
    "has_pii_removal",
    "has_attribution_removal",
    "has_validation_checklist"
  ],
  "type": "object"
}