Information sharing and Level 2 acts — DORA Article 45 + eight Commission Regulations

This page covers the parts of DORA that sit outside the main ICT risk, testing, and third-party pages: Article 45 information-sharing arrangements and the eight Commission Delegated and Implementing Regulations that operationalise DORA's detailed obligations. Each Level 2 act is threaded into the requirement family it sharpens; this page is the canonical inventory.

Quick decision

  • Considering joining a cyber-threat information-sharing community → Article 45 is the legal basis. Check the three Article 45(1)(a)–(c) conditions (resilience purpose, trusted community, protective rules of conduct including GDPR compliance), ensure the arrangement defines participation conditions per Article 45(2), and notify the competent authority of participation — and of any cessation — under Article 45(3).
  • Reviewing the technical detail of an ICT-related incident report → Delegated Regulation 2025/301 specifies the content and time limits (RTS under Article 20, first paragraph, point (a)); Implementing Regulation 2025/302 specifies the standard forms / templates / procedures (ITS under point (b)).
  • Building the ICT risk management framework or the simplified framework → Delegated Regulation 2024/1774 is the RTS specifying both (Arts 15 + 16(3) mandates).
  • Preparing the register of information → Implementing Regulation 2024/2956 is the ITS specifying the standard templates (Art 28(9) mandate).
  • Implementing the contractual baseline for ICT services supporting critical or important functions → Delegated Regulation 2024/1773 specifies the policy (Art 28(10) mandate); Delegated Regulation 2025/532 specifies subcontracting elements (Art 30(5) mandate).
  • Scoped into TLPT → Delegated Regulation 2025/1190 specifies the technical standards under the Article 26(11) mandate.

TL;DR

  • Article 45 is the cornerstone information-sharing provision: financial entities may share cyber-threat information and intelligence within trusted communities, notify the competent authority of participation, and process any personal data in accordance with the GDPR.
  • Eight Commission Regulations flesh out DORA's operative obligations. Four were adopted in 2024 (2024/1772 incident classification; 2024/1773 ICT TPP policy; 2024/1774 ICT RMF + simplified RMF; 2024/2956 register of information template), and four in 2025 (2025/301 incident report content + time limits RTS; 2025/302 incident report forms + templates ITS; 2025/532 subcontracting elements; 2025/1190 threat-led penetration testing, under the Article 26(11) mandate).
  • JC 2024-34 is the ESAs Joint Guideline on aggregated annual costs and losses caused by major ICT-related incidents (final report 17 July 2024; official-language publication 19 March 2025), mandated by Article 11(11) in support of the Article 11(10) reporting duty.
  • Modulos does not have a generic "watch the delegated acts" requirement; each Level 2 act is threaded into the requirement family it sharpens.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) — Article 45 · the eight Commission Regulations below · ESAs JC 2024-34 Guideline (March 2025)

Article 45 — information-sharing arrangements

Article 45 establishes the framework for cyber-threat information-sharing arrangements among financial entities.

  • Article 45(1) allows financial entities to exchange amongst themselves cyber-threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber-security alerts and configuration tools, where the sharing (a) aims to enhance digital operational resilience, (b) takes place within trusted communities of financial entities, and (c) is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information and are governed by rules of conduct in full respect of business confidentiality, protection of personal data in accordance with the GDPR, and competition-policy guidelines.
  • Article 45(2) requires the information-sharing arrangements to define the conditions for participation and, where appropriate, the involvement of public authorities (and the capacity in which they participate), of ICT third-party service providers, and operational elements, including the use of dedicated IT platforms.
  • Article 45(3) requires financial entities to notify competent authorities of their participation in the arrangements, upon validation of their membership, or, as applicable, of the cessation of their membership once it takes effect.

In Modulos: ORF-388 (Article 45 information-sharing arrangement governance).

The eight Commission Regulations — the Level 2 inventory

Delegated Regulation (EU) 2024/1772 — incident classification (RTS, Art 18(3))

Title: Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

CELEX 32024R1772 · EUR-Lex · OJ L 2024/1772, 25.6.2024 · Mandate: DORA Article 18(3) (ESAs draft RTS); adopted on the basis of Article 18(4), third subparagraph.

In Modulos: sharpens ORF-377 and MRF-303 (incident classification and materiality assessment).

Delegated Regulation (EU) 2024/1773 — ICT TPP policy (RTS, Art 28(10))

Title: Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

CELEX 32024R1773 · EUR-Lex · OJ L 2024/1773, 25.6.2024 · Mandate: DORA Article 28(10).

In Modulos: sharpens ORF-393 (the Article 28(2) strategy on ICT third-party risk, whose required policy on ICT services supporting critical or important functions this RTS specifies) and the contractual baseline at ORF-385 / MRF-308.

Delegated Regulation (EU) 2024/1774 — ICT RMF + simplified RMF (RTS, Arts 15 + 16(3))

Title: Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

CELEX 32024R1774 · EUR-Lex · OJ L 2024/1774, 25.6.2024 · Mandates: DORA Articles 15 and 16(3).

In Modulos: sharpens the entire Article 5–16 RMF requirement family (ORF-363–ORF-375, MRF-293–MRF-301).

Implementing Regulation (EU) 2024/2956 — register of information template (ITS, Art 28(9))

Title: Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to standard templates for the register of information.

CELEX 32024R2956 · EUR-Lex · OJ L 2024/2956, 2.12.2024 (a corrigendum was published in the OJ on 19.9.2025; consult the consolidated text) · Mandate: DORA Article 28(9).

In Modulos: sharpens ORF-386 and MRF-309 (register of information).

Delegated Regulation (EU) 2025/301 — incident report content + time limits (RTS, Art 20, first paragraph, point (a))

Title: Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

CELEX 32025R0301 · EUR-Lex · OJ L, 2025/301, 20.2.2025 · Mandate: DORA Article 20, first paragraph, point (a) (the RTS covers both content and time limits of the staged reports).

In Modulos: sharpens ORF-378 and MRF-304 (major-incident reporting).

Implementing Regulation (EU) 2025/302 — incident report forms + templates (ITS, Art 20, first paragraph, point (b))

Title: Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.

CELEX 32025R0302 · EUR-Lex · OJ L 2025/302, 20.2.2025 · Mandate: DORA Article 20, first paragraph, point (b).

In Modulos: sharpens ORF-378 and MRF-304 (forms and templates for the staged reports).

Delegated Regulation (EU) 2025/532 — subcontracting elements (RTS, Art 30(5))

Title: Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

CELEX 32025R0532 · EUR-Lex · OJ L, 2025/532, 2.7.2025 · Mandate: DORA Article 30(5) (the RTS specifies the Article 30(2)(a) elements).

In Modulos: sharpens ORF-387 and MRF-310 (subcontracting).

Delegated Regulation (EU) 2025/1190 — threat-led penetration testing (RTS, Art 26(11))

Title: Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

CELEX 32025R1190 · EUR-Lex · OJ L 2025/1190, 18.6.2025 · Mandate: DORA Article 26(11).

In Modulos: sharpens ORF-383 and MRF-306 (TLPT).

ESAs JC 2024-34 — Joint Guideline on aggregated annual costs and losses

JC 2024-34 is the Joint Guideline of the European Supervisory Authorities (EBA, EIOPA, ESMA) on the Estimation of Aggregated Annual Costs and Losses Caused by Major ICT-Related Incidents, issued under the mandate in DORA Article 11(11): the ESAs adopted the final report on 17 July 2024 and published the guidelines in the official EU languages on 19 March 2025. The Guideline sets out the methodology that financial entities (other than microenterprises) follow when estimating the aggregated annual costs and losses that Article 11(10) requires them to report to the competent authorities upon their request.

In Modulos: sharpens ORF-380 (aggregated annual cost / loss estimation governance).

How to operationalize Article 45 and the Level 2 acts in Modulos

Modulos threads each Level 2 act into the requirement family it sharpens, rather than maintaining a standalone "watch the delegated acts" requirement that corresponds to no distinct DORA duty:

| Level 2 family | Where it lands in Modulos | Practical effect |
| --- | --- | --- |
| 2024/1774 | ORF-363–ORF-375, MRF-293–MRF-301 | Sharpens the ICT risk-management framework + simplified-framework substance |
| 2024/1772, 2025/301, 2025/302 | ORF-377–ORF-381, MRF-303–MRF-304 | Sharpens incident classification, staged reporting, and the report forms / templates |
| 2025/1190 | ORF-383, MRF-306 | Sharpens TLPT |
| 2024/1773, 2024/2956, 2025/532 | ORF-393, ORF-384–ORF-387, MRF-307–MRF-310 | Sharpens the ICT third-party risk strategy and policy, lifecycle, contractual baseline, register of information, and subcontracting |
| Article 11(10) / JC 2024-34 | ORF-380 | Sharpens the aggregated annual cost / loss estimation duty |

This keeps the framework legally traceable. Changes in the Level 2 landscape are assessed against the affected requirement families, controls, and evidence model.

Source attribution

Regulation (EU) 2022/2554 (DORA) Article 45 substance on this page is paraphrased from the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. The eight Commission Delegated and Implementing Regulations are individually published on EUR-Lex with the CELEX numbers and OJ pinpoints shown above. The ESAs Joint Guideline JC 2024-34 (final report 17 July 2024; official-language publication 19 March 2025) is published on the EBA, EIOPA, and ESMA websites under the DORA Article 11(11) mandate.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The Level 2 acts and ESAs Joint Guidelines are themselves binding sources of obligations on financial entities, and the application of each follows its own provisions. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.