Requirement
DORA.IS-1.1: The financial entity shall consider participating in information sharing arrangements on cyber threats and vulnerabilities established among financial entities or with competent authorities, in order to strengthen collective digital operational resilience and stay informed of the threat landscape (Art. 45(1) DORA).
Guidance
Consider: participation in sector-specific Information Sharing and Analysis Centres (ISACs); ENISA threat sharing platforms; national CERT/CSIRT information sharing programmes; bilateral threat intelligence sharing with peers; and contribution of anonymised threat data to collective intelligence pools.
Documentation
Implementation
Requirement
DORA.IS-2.1: The financial entity shall establish internal procedures for receiving, handling, assessing and acting on cyber threat intelligence from information sharing arrangements, ensuring relevant intelligence is integrated into detection capabilities and the ICT risk management framework (Art. 45(2) DORA).
Guidance
Consider: designated threat intelligence function or analyst; defined procedures for intake, triage and analysis of threat intelligence; integration with SIEM detection rules and vulnerability prioritisation; mechanisms for contributing relevant anonymised threat data to sharing arrangements in compliance with applicable data protection requirements; and regular threat briefings to senior management.
Documentation
Implementation
Maturity Scale
Target: ≥ 3/5 for all categories
Level 1
  Documentation: No process documentation exists, or it has not been formally approved by management.
  Implementation: Standard process does not exist. Actions are ad hoc and undocumented.

Level 2
  Documentation: Formally approved process documentation exists but has not been reviewed in the previous 2 years.
  Implementation: Ad-hoc process exists and is performed informally. Results are inconsistent.

Level 3
  Documentation: Formally approved process documentation exists; exceptions are documented and approved. Documented and approved exceptions account for less than 5% of activities.
  Implementation: Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.

Level 4
  Documentation: Formally approved process documentation exists; exceptions are documented and approved. Documented and approved exceptions account for less than 3% of activities.
  Implementation: Formal process fully implemented. Evidence available for all activities. Detailed metrics captured and reported. Less than 5% process exceptions.

Level 5
  Documentation: Formally approved process documentation exists; exceptions are documented and approved. Documented and approved exceptions account for less than 0.5% of activities.
  Implementation: Formal process fully implemented and continually improving. Minimal exceptions (<1%). Process improvements tracked and evidenced.