Article 45: Information-sharing arrangements on cyber threat information and intelligence

Article 45 permits (and implicitly expects you to govern) voluntary information-sharing arrangements where financial entities exchange cyber threat information and intelligence, such as IOCs and TTPs, under defined safeguards. Operationalize it by standing up a controlled sharing program with clear scope, legal/privacy guardrails, classification rules, intake/release workflows, and auditable records of what was shared, with whom, and why. (Regulation (EU) 2022/2554, Article 45)

Key takeaways:

  • Treat threat intel sharing as a governed process, not an ad hoc SOC activity. (Regulation (EU) 2022/2554, Article 45)
  • Define “what can be shared” and “how to share” through classification, approvals, and data minimization rules. (Regulation (EU) 2022/2554, Article 45)
  • Keep defensible evidence: membership/arrangement docs, decision logs, shared artifacts, and post-share actions taken. (Regulation (EU) 2022/2554, Article 45)

A mature cyber threat intelligence program already consumes external information. Article 45 focuses on the other direction: sharing cyber threat information and intelligence among financial entities through information-sharing arrangements. The practical compliance question is not “should we share?”, but “if we share, can we prove it is controlled, lawful, and aligned to security outcomes?”

For a CCO or GRC lead, the fastest path is to treat Article 45 as a requirement to build governance around any threat intel exchange your security teams participate in, including informal sharing with peers, sector groups, and structured communities. You want tight definitions (what qualifies as cyber threat information vs. personal data vs. confidential business information), a release process that is quick enough for the SOC but still reviewable, and records that survive supervisory scrutiny.

This page gives requirement-level implementation guidance you can put into a control register, assign to owners, and evidence quickly. Primary reference: Regulation (EU) 2022/2554, Article 45, available on EUR-Lex. (Regulation (EU) 2022/2554, Article 45)

Regulatory text

DORA states that “Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing…” (Regulation (EU) 2022/2554, Article 45)

Operator meaning: Article 45 authorizes peer-to-peer sharing of threat information and implies you must put conditions around that sharing so it is controlled. Your operational obligation is to implement a governed information-sharing arrangement: define what you share (and do not share), who can share, through which channels, with what approvals, and what records you keep to show the sharing was appropriate and security-driven. (Regulation (EU) 2022/2554, Article 45)

Plain-English interpretation (what the requirement expects)

You need a repeatable way to exchange cyber threat information and intelligence with other financial entities without creating new confidentiality, privacy, or operational risks. Concretely, you must be able to show:

  • Scope control: sharing is limited to cyber threat information (e.g., IOCs, TTPs, alerts, defensive configurations) and not a backdoor for sensitive client data or proprietary business information. (Regulation (EU) 2022/2554, Article 45)
  • Governance: there is an arrangement or set of rules (contractual or documented community rules) that sets expectations, permitted uses, and handling requirements. (Regulation (EU) 2022/2554, Article 45)
  • Traceability: you can reconstruct what was shared, by whom, under what authority, and what the organization did with received intelligence. (Regulation (EU) 2022/2554, Article 45)

Who it applies to (entity and operational context)

Entity scope: financial entities in scope of DORA that choose to participate in cyber threat information and intelligence sharing with other financial entities. (Regulation (EU) 2022/2554, Article 45)

Operational contexts that trigger real work:

  • Your SOC shares IOCs or TTPs with peer institutions through an industry group or direct email/chat.
  • Your threat intel team publishes detection logic or hardening guidance to a closed community.
  • Your incident response team exchanges time-sensitive indicators during an active campaign affecting multiple firms.
  • You receive external intel and route it into detection engineering, vulnerability management, or third-party risk workflows.

If none of this happens today, your “compliance” work is still to document a position: either you do not participate, or you participate under a defined arrangement and process. (Regulation (EU) 2022/2554, Article 45)

What you actually need to do (step-by-step)

1) Inventory your current sharing and channels

Build a simple inventory that answers:

  • Which communities, groups, or bilateral relationships share threat intel?
  • What channels are used (platforms, portals, email lists, ticketing integrations)?
  • Who posts externally, and under what role? (SOC analyst, TI analyst, CISO office)
  • What artifact types are exchanged (IOCs, YARA/Sigma rules, TTP narratives, defensive configs)? (Regulation (EU) 2022/2554, Article 45)

Output: “Threat Intel Sharing Register” (arrangement, counterparties, channels, owners, allowed content types).

2) Define “shareable” vs. “restricted” content (classification rules)

Create a short, enforceable classification and handling rule set specifically for threat intel sharing:

  • Allowed: sanitized IOCs, hashes, domains, IPs, generalized TTPs, defensive configuration guidance.
  • Restricted: customer identifiers, raw logs with personal data, internal architecture diagrams, credentials, exploit code if disallowed by policy, sensitive third-party contractual details.

Tie this to your existing information classification policy, but keep a threat-intel-specific quick reference for the SOC. (Regulation (EU) 2022/2554, Article 45)

Practical control: add a mandatory “sanitization checklist” before external release (remove usernames, hostnames, ticket links, case IDs, client references).

3) Establish an approval workflow that works at incident speed

You need two modes:

  • Standard sharing (planned / routine): TI lead approval, with Legal/Privacy consultation when content might include regulated data or contractual restrictions.
  • Expedited sharing (active incident / time-critical): pre-authorized roles can share a constrained set of indicators (e.g., hashes/domains) with after-the-fact review logged.

Document the decision criteria for expedited sharing so it is not a loophole. (Regulation (EU) 2022/2554, Article 45)

Daydream fit: implement a compliance workflow where the SOC can submit a “release request” mapped to Article 45, with embedded checks, approvers, and an auditable decision trail.

4) Put rules into the arrangement (or validate the community’s rules)

For each sharing community or bilateral relationship, confirm there is documented governance, such as:

  • membership/access controls,
  • acceptable use (defensive purposes),
  • onward sharing restrictions,
  • confidentiality expectations,
  • retention and deletion expectations,
  • breach/escalation expectations if shared data is mishandled.

If the group has “terms,” store them and link them to your register. If it is informal peer sharing, create a lightweight bilateral agreement or written operating rules. (Regulation (EU) 2022/2554, Article 45)

5) Integrate intake into operations (receiving intel is part of compliance)

Supervisors will care that sharing is security-driven. Define how received intelligence is actioned:

  • triage and relevance scoring,
  • detection engineering intake (SIEM/EDR rules),
  • vulnerability management mapping,
  • third-party exposure checks when indicators relate to a service provider,
  • closure criteria (implemented, rejected with rationale, or monitored). (Regulation (EU) 2022/2554, Article 45)

Control objective: demonstrate that sharing improves resilience and is not a “checkbox community membership.”

6) Recordkeeping: prove control operation

For each outbound share, log:

  • date/time, sender, approver (or expedited basis),
  • recipient/community,
  • content type and classification,
  • sanitization confirmation,
  • any restrictions (no onward sharing, embargo dates),
  • link to incident/ticket (internal reference). (Regulation (EU) 2022/2554, Article 45)

For each inbound item, log:

  • source,
  • assessment outcome,
  • actions taken (detections deployed, blocks pushed, advisories issued),
  • closure. (Regulation (EU) 2022/2554, Article 45)
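The classification rules (step 2), the two approval modes (step 3) and the outbound log fields (step 6) can be enforced at one release gate. The following is an added example, not code from the regulation or from any product named on this page; the allowed artifact types, the expedited subset, the `.corp.example` internal domain and the ticket-ID format are constructed policy values that an entity would replace with its own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy values (not from the regulation): artifact types the entity may
# release, and the constrained subset pre-authorized roles may push on the expedited path.
ALLOWED_TYPES = {"hash", "domain", "ip", "ttp", "sigma_rule", "defensive_config"}
EXPEDITED_TYPES = {"hash", "domain"}

# The sanitization checklist encoded as patterns for material that must never leave the
# organisation inside an indicator payload. The internal domain is a constructed example.
RESTRICTED_PATTERNS = {
    "ticket_or_case_id": re.compile(r"\b(?:INC|CASE|SOC)-\d+\b", re.I),
    "internal_hostname": re.compile(r"\b[\w-]+\.corp\.example\b", re.I),
    "email_or_username": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "client_reference": re.compile(r"\bclient[:=]\s*\S+", re.I),
}

@dataclass
class ShareRequest:
    sender: str
    recipient: str            # community or counterparty from the sharing register
    artifact_type: str
    values: list
    mode: str = "standard"    # "standard" or "expedited"
    approver: str = ""        # required on the standard path
    restrictions: list = field(default_factory=list)  # e.g. "no onward sharing"
    internal_ref: str = ""    # incident/ticket link: logged, never placed in the payload

def check_release(req: ShareRequest):
    """Gate an outbound share. Returns (ok, findings, log_record)."""
    findings, sanitized = [], True
    if req.artifact_type not in ALLOWED_TYPES:
        findings.append(f"artifact type '{req.artifact_type}' is not shareable")
    if req.mode == "expedited" and req.artifact_type not in EXPEDITED_TYPES:
        findings.append("expedited path is limited to hashes and domains")
    if req.mode == "standard" and not req.approver:
        findings.append("standard share requires a named approver")
    for value in req.values:
        for name, pattern in RESTRICTED_PATTERNS.items():
            if pattern.search(value):
                sanitized = False
                findings.append(f"'{value}' fails sanitization check: {name}")
    ok = not findings
    # Audit record with the step-6 fields; written whether or not the share went out
    log_record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sender": req.sender,
        "authority": req.approver if req.mode == "standard" else "expedited (pre-authorized role)",
        "recipient": req.recipient,
        "content_type": req.artifact_type,
        "sanitization_confirmed": sanitized,
        "restrictions": list(req.restrictions),
        "internal_ref": req.internal_ref,
        "decision": "released" if ok else "blocked",
        "findings": findings,
    }
    return ok, findings, log_record
```

A blocked request still produces a log record, so the decision trail covers refusals as well as releases.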

Required evidence and artifacts to retain

Keep these artifacts in a single “Article 45 evidence pack” (or mapped in your control register):

  • Threat Intel Sharing Register (arrangements, communities, owners, channels). (Regulation (EU) 2022/2554, Article 45)
  • Documented sharing rules (community terms, bilateral agreements, internal SOP). (Regulation (EU) 2022/2554, Article 45)
  • Classification + sanitization guidance for threat intel outputs. (Regulation (EU) 2022/2554, Article 45)
  • Approval workflow evidence (tickets, approvals, exceptions). (Regulation (EU) 2022/2554, Article 45)
  • Outbound sharing logs with samples of shared indicators (sanitized). (Regulation (EU) 2022/2554, Article 45)
  • Inbound processing logs showing triage and action taken. (Regulation (EU) 2022/2554, Article 45)
  • Periodic review records (access reviews for communities, channel reviews, lessons learned after incidents). (Regulation (EU) 2022/2554, Article 45)

Common exam/audit questions and hangups

Prepare crisp answers to these:

  1. “Show me what you share externally and who approved it.” Expect a sample-based review across routine and incident-driven shares. (Regulation (EU) 2022/2554, Article 45)
  2. “How do you prevent personal data or confidential client info from being shared?” Auditors will look for classification, sanitization steps, and training evidence. (Regulation (EU) 2022/2554, Article 45)
  3. “What communities are you in, and what are the rules?” Missing terms is a common gap. (Regulation (EU) 2022/2554, Article 45)
  4. “What did you do with the intel you received?” Show intake to detections, blocking, vulnerability actions, or a documented rationale for no action. (Regulation (EU) 2022/2554, Article 45)

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating sharing as purely a SOC practice with no compliance ownership.
    Avoidance: assign a control owner (CISO org) and a governance owner (GRC/Compliance) and document RACI for approvals and exceptions. (Regulation (EU) 2022/2554, Article 45)

  • Mistake: No boundary between “threat intel” and “incident details.”
    Avoidance: require sanitization and use “minimum necessary” indicators; keep customer-impact narrative internal. (Regulation (EU) 2022/2554, Article 45)

  • Mistake: No record of outbound shares because they happen in chat/email.
    Avoidance: mandate that any external share is logged via ticket or a structured form, even if the content is posted elsewhere. (Regulation (EU) 2022/2554, Article 45)

  • Mistake: Joining multiple sharing groups without access governance.
    Avoidance: implement periodic access reviews and disable accounts on role change; centralize ownership of community memberships. (Regulation (EU) 2022/2554, Article 45)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for Article 45. The risk is still practical: uncontrolled sharing can create confidentiality breaches, privacy issues, contractual disputes with third parties, and supervisory findings for weak governance and evidence. Supervisors tend to focus on demonstrable control operation, not intent. (Regulation (EU) 2022/2554, Article 45)

Practical 30/60/90-day execution plan

First 30 days (stand up control structure)

  • Appoint owners (Security/TI for operations; Compliance for governance) and document RACI.
  • Build the Threat Intel Sharing Register from interviews and tool discovery.
  • Publish a one-page “shareable vs restricted” guide and a basic sanitization checklist. (Regulation (EU) 2022/2554, Article 45)

By 60 days (make it operable and auditable)

  • Implement the release workflow (standard and expedited) in your ticketing/GRC tooling.
  • Collect and store community terms/bilateral arrangement documents, or create internal operating rules where none exist.
  • Start logging inbound and outbound events consistently; run a tabletop focused on “expedited sharing during incident response.” (Regulation (EU) 2022/2554, Article 45)

By 90 days (prove it works)

  • Run a sample-based internal audit: pick several shares and verify approvals, sanitization, and records.
  • Demonstrate intake outcomes: at least a few inbound intel items mapped to detection/vuln/third-party actions, with closures.
  • Formalize reporting metrics; where hard numbers would mislead, use qualitative ratings (e.g., “high/medium/low adoption outcomes”) rather than weak statistics, and feed findings into corrective actions tracked to closure in Daydream. (Regulation (EU) 2022/2554, Article 45)

Frequently Asked Questions

Do we have to participate in an information-sharing arrangement under Article 45?

Article 45 is framed as permission (“may exchange”), but if you do share, you should govern it and retain evidence that sharing was controlled. Treat the requirement as “govern and evidence any sharing you conduct.” (Regulation (EU) 2022/2554, Article 45)

What counts as “cyber threat information and intelligence” for sharing purposes?

The text explicitly includes indicators of compromise, tactics/techniques/procedures, cybersecurity alerts, and configuration tools. Define your own allowed artifact list and map it to your classification rules so the SOC can apply it consistently. (Regulation (EU) 2022/2554, Article 45)

Can we share information that includes personal data?

Put a default rule in place that outbound shares must be sanitized to remove personal data and customer identifiers unless Legal/Privacy has explicitly approved an exception. Keep the approval and rationale with the sharing record. (Regulation (EU) 2022/2554, Article 45)

How do we handle “expedited sharing” during an active incident without breaking governance?

Pre-authorize limited roles to share a constrained set of indicators under an expedited path, then require a short after-action review and log completion. Auditors will accept speed if you can show boundaries and traceability. (Regulation (EU) 2022/2554, Article 45)

We share in multiple communities. What evidence will an examiner actually ask for?

Expect requests for (1) the list of communities/arrangements and their rules, (2) samples of outbound shares with approvals/sanitization evidence, and (3) examples showing how inbound intel led to security actions or documented rejection. (Regulation (EU) 2022/2554, Article 45)

Where does this sit with third-party risk management?

Treat sharing communities and platforms as third parties if they provide tooling or handle your shared data, and make sure their terms and controls align with your sharing rules. Track the relationship in your third-party inventory and link it to the Article 45 evidence pack. (Regulation (EU) 2022/2554, Article 45)
