Introduction
As the financial sector increasingly relies on digital technologies, the potential for cyber threats escalates. To address this, the Digital Operational Resilience Act (DORA) introduces comprehensive requirements to enhance operational resilience and ensure a consistent level of digital risk management across the European Union. This article explores DORA Article 40, which pertains to voluntary information sharing on cyber threats and is crucial for financial entities to maintain the security and stability of financial services.
Key Requirements
DORA Article 40 emphasizes the importance of information sharing and cooperation among financial entities to tackle cyber threats effectively. Here are the key requirements outlined for these arrangements:
- Cooperation and Information Sharing: Financial entities must participate in voluntary arrangements for sharing information on cyber threats, vulnerabilities, risks, and incidents.
- Confidentiality and Anonymization: Shared information must be handled so as to protect its confidentiality and, where necessary, be anonymized to protect sensitive data and comply with data protection regulations.
- Purpose Limitation: Information sharing should be limited to the purpose of addressing cyber threats and enhancing operational resilience.
- Proportionality: The sharing arrangements must be proportionate to the potential risks and vulnerabilities.
- No Barriers to Market Entry: The arrangements must not create barriers to entry or distort competition in the financial market.
- Reporting Obligations: Financial entities must report to their competent authorities on their participation in such arrangements.
Implementation Guide
To ensure compliance with DORA Article 40, organizations should take the following practical steps:
- Assess Current Practices: Evaluate existing information sharing arrangements and identify any gaps that need to be addressed.
- Establish Partnerships: Form alliances with other financial entities and relevant authorities to create or join information sharing platforms.
- Develop Protocols: Create clear protocols for sharing information that preserve confidentiality, anonymize data where required, and keep the scope of sharing proportionate.
- Train Staff: Educate employees on the importance of information sharing and train them on the protocols and procedures.
- Monitor and Update: Regularly monitor the effectiveness of information sharing arrangements and update them based on evolving threats and best practices.
- Report to Authorities: Keep competent authorities informed about participation in information sharing arrangements and any significant incidents.
Common Pitfalls
When implementing DORA Article 40, financial entities should avoid the following mistakes:
- Neglecting Confidentiality: Failing to protect the confidentiality of shared information can lead to legal and reputational risks.
- Ignoring Data Protection Laws: Overlooking data protection regulations can result in fines and sanctions.
- Lack of Proportionality: Sharing excessive or unnecessary information can create operational inefficiencies and potentially violate privacy rights.
- Not Reporting: Failing to report participation in information sharing arrangements to competent authorities can lead to regulatory penalties.
- Inadequate Training: Employees who are not adequately trained may mishandle sensitive information or miss critical updates on cyber threats.
How Matproof Helps
Matproof's compliance management platform automates the tracking of compliance activities and evidence collection, ensuring that financial entities meet DORA Article 40 requirements efficiently. By streamlining the process, Matproof helps organizations avoid common pitfalls and maintain robust information sharing arrangements without burdening their staff with excessive documentation.
Related Articles
For further reading on DORA and related topics, consider these articles:
- DORA Article 28 Explained
- DORA Article 29 Explained
- DORA Article 33 Explained
- DORA Article 37 Explained
By understanding and complying with DORA Article 40, financial entities can contribute to a more secure and resilient financial sector, protecting both their operations and their customers from the growing threat of cyber attacks.