DORA compliance Part 5: Information exchange

In an age of growing digital threats, transparency and collaboration are decisive factors for mitigating risk. The fifth pillar of DORA encourages financial entities to exchange information and insights about cyber threats through secure, standardized processes.

Strong collective resilience

The fifth pillar of DORA (Chapter VI, Articles 45 and 49) focuses on the voluntary, standardized exchange of information among companies, authorities, and other actors in the financial sector. The aim is to improve “situational awareness” and strengthen resilience across the entire EU financial industry by sharing insights, threat analyses, and best practices.

Which obligations do companies have?

Financial entities may exchange information about ICT-related risks, incidents, and vulnerabilities through standardized and secure processes. There is, however, no obligation to do so. The dialog with authorities, customers, and other companies is intended to support coordinated risk management. In this way, the European Commission wants to promote threat intelligence sharing: if all actors communicate swiftly and transparently about threat analyses, risks, security alerts, and proven defense mechanisms, other organizations can take appropriate measures in a timely manner where needed. To protect the integrity of all actors, strict confidentiality requirements apply to everyone involved in the information exchange. Financial entities need only notify the relevant competent authority once their participation in such an information-sharing arrangement has been confirmed or has ended.

Benefits of an active information exchange

  • early risk detection
  • timely and custom-fit countermeasures in threat situations
  • facilitating efficient network effects
  • boosting resilience across the entire financial sector
  • sustained improvement of the security posture in the European finance market
  • simplified compliance with regulatory requirements

Practical example

As part of an industry association’s information-sharing arrangement, participating members are informed about a new ransomware campaign. Because analyses and alerts are distributed quickly and in a targeted way via a large distribution list, all recipients can immediately take preventive measures, e.g. offering targeted training for employees and updating security policies accordingly. This coordinated approach can help prevent millions of dollars in potential losses as well as reputational damage.

DORA compliance: information exchange checklist

  • Cooperation networks: Have you identified all potential partners for the information exchange, such as industry associations, CERTs (Computer Emergency Response Teams) and regulatory authorities?
  • Defined processes: Have you established clear internal processes for reporting and distributing security-related information?
  • Efficient data protection: Do your security measures ensure the adequate protection of sensitive information?
  • Employee training: Are your teams well trained on the importance of information sharing and the handling of sensitive data?
  • Technical infrastructure: Are you using secure platforms and tools to facilitate efficient and compliant information exchange?

Collaboration facilitates security

The information exchange promoted by DORA enables financial companies to systematically strengthen their security strategies and their resilience in the face of digital threats. By sharing knowledge and supporting each other, organizations not only contribute to their own security but also to the stability and resilience of the entire financial sector.

Learn more about how Tresorit can help financial organizations manage their data in a safe and compliant manner.