
Information sharing and Level 2 acts — DORA Article 45 + eight Commission Regulations

This page covers the parts of DORA that sit outside the main ICT risk, testing, and third-party pages: Article 45 information-sharing arrangements and the eight Commission Delegated and Implementing Regulations that operationalise DORA's detailed obligations. Each Level 2 act is threaded into the requirement family it sharpens; this page is the canonical inventory.

Quick decision

  • Considering joining a cyber-threat information-sharing community → Article 45 is the legal basis. Notify the competent authority of participation under Article 45(2); ensure GDPR-compliant processing of any personal data exchanged under Article 45(3).
  • Reviewing the technical detail of an ICT-related incident report → Delegated Regulation 2025/301 specifies the RTS content and time limits (Art 20(a) mandate); Implementing Regulation 2025/302 specifies the standard forms / templates / procedures (Art 20(b) mandate).
  • Building the ICT risk management framework or the simplified framework → Delegated Regulation 2024/1774 is the RTS specifying both (Arts 15 + 16(3) mandates).
  • Preparing the register of information → Implementing Regulation 2024/2956 is the ITS specifying the standard templates (Art 28(9) mandate).
  • Implementing the contractual baseline for ICT services supporting critical or important functions → Delegated Regulation 2024/1773 specifies the policy (Art 28(10) mandate); Delegated Regulation 2025/532 specifies subcontracting elements (Art 30(5) mandate).
  • Scoped into TLPT → Delegated Regulation 2025/1190 specifies the technical standards under Article 26.

TL;DR

  • Article 45 is the cornerstone information-sharing provision: financial entities may share cyber-threat information and intelligence within trusted communities, notify the competent authority of participation, and process any personal data in accordance with the GDPR.
  • Eight Commission Regulations flesh out DORA's operative obligations. Four were adopted in 2024 (2024/1772 incident classification; 2024/1773 ICT TPP policy; 2024/1774 ICT RMF + simplified RMF; 2024/2956 register of information template), and four in 2025 (2025/301 incident report content + time limits RTS; 2025/302 incident report forms + templates ITS; 2025/532 subcontracting elements; 2025/1190 threat-led penetration testing).
  • JC 2024-34 is the ESAs Joint Guideline on aggregated annual costs and losses caused by major ICT-related incidents (19 March 2025), under Article 11(10).
  • Modulos does not have a generic "watch the delegated acts" requirement; each Level 2 act is threaded into the requirement family it sharpens.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) — Article 45 · the eight Commission Regulations below · ESAs JC 2024-34 Guideline (March 2025)

Article 45 — information-sharing arrangements

Article 45 establishes the framework for cyber-threat information-sharing arrangements among financial entities.

  • Article 45(1) allows financial entities to exchange amongst themselves cyber-threat information and intelligence including indicators of compromise, tactics, techniques and procedures, cyber-security alerts and configuration tools, to the extent that such information and intelligence sharing aims to enhance their digital operational resilience.
  • Article 45(2) requires that the arrangements take place within trusted communities of financial entities and that the financial entities notify the competent authorities of their participation in such information-sharing arrangements upon validation of their membership, and of any cessation of membership.
  • Article 45(3) addresses the processing of personal data exchanged under the arrangements in accordance with the GDPR.

In Modulos: ORF-388 (Article 45 information-sharing arrangement governance).

The eight Commission Regulations — the Level 2 inventory

Delegated Regulation (EU) 2024/1772 — incident classification (RTS, Art 18(3))

Title: Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

CELEX 32024R1772 · EUR-Lex · OJ L 2024/1772, 25.6.2024 · Mandate: DORA Article 18(3).

In Modulos: sharpens ORF-377 and MRF-303 (incident classification and materiality assessment).

Delegated Regulation (EU) 2024/1773 — ICT TPP policy (RTS, Art 28(10))

Title: Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

CELEX 32024R1773 · EUR-Lex · OJ L 2024/1773, 25.6.2024 · Mandate: DORA Article 28(10).

In Modulos: sharpens ORF-385 and MRF-308 (contractual baseline).

Delegated Regulation (EU) 2024/1774 — ICT RMF + simplified RMF (RTS, Arts 15 + 16(3))

Title: Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework.

CELEX 32024R1774 · EUR-Lex · OJ L 2024/1774, 25.6.2024 · Mandates: DORA Articles 15 and 16(3).

In Modulos: sharpens the entire Article 5–16 RMF requirement family (ORF-363–ORF-375, MRF-293–MRF-301).

Implementing Regulation (EU) 2024/2956 — register of information template (ITS, Art 28(9))

Title: Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to standard templates for the register of information.

CELEX 32024R2956 · EUR-Lex · OJ L 2024/2956, 2.12.2024 · Mandate: DORA Article 28(9).

In Modulos: sharpens ORF-386 and MRF-309 (register of information).

Delegated Regulation (EU) 2025/301 — incident report content + time limits (RTS, Art 20(a))

Title: Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

CELEX 32025R0301 · EUR-Lex · Mandate: DORA Article 20(a) (the RTS covers both content and time limits of the staged reports).

In Modulos: sharpens ORF-378 and MRF-304 (major-incident reporting).

Implementing Regulation (EU) 2025/302 — incident report forms + templates (ITS, Art 20(b))

Title: Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to standard forms, templates and procedures for financial entities to report major ICT-related incidents and to notify significant cyber threats.

CELEX 32025R0302 · EUR-Lex · OJ L 2025/302, 20.2.2025 · Mandate: DORA Article 20(b).

In Modulos: sharpens ORF-378 and MRF-304 (forms and templates for the staged reports).

Delegated Regulation (EU) 2025/532 — subcontracting elements (RTS, Art 30(5))

Title: Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

CELEX 32025R0532 · EUR-Lex · Mandate: DORA Article 30(5).

In Modulos: sharpens ORF-387 and MRF-310 (subcontracting).

Delegated Regulation (EU) 2025/1190 — threat-led penetration testing (RTS, Art 26)

Title: Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying elements related to threat-led penetration testing.

CELEX 32025R1190 · EUR-Lex · OJ L 2025/1190, 18.6.2025 · Mandate: DORA Article 26.

In Modulos: sharpens ORF-383 and MRF-306 (TLPT).

ESAs JC 2024-34 — Joint Guideline on aggregated annual costs and losses

JC 2024-34 is the Joint Guideline of the European Supervisory Authorities (EBA, EIOPA, ESMA) on the Estimation of Aggregated Annual Costs and Losses Caused by Major ICT-Related Incidents, published on 19 March 2025 under DORA Article 11(10). The Guideline sets out the methodology that financial entities (other than microenterprises) follow when estimating aggregated annual costs and losses caused by major ICT-related incidents, for reporting under Article 11(11).

In Modulos: sharpens ORF-380 (aggregated annual cost / loss estimation governance).

Why Modulos threads Level 2 into requirements rather than a watchlist

The earlier DORA modelling attempt used a standalone delegated-and-implementing-acts governance pattern. The rebuilt framework does not. Each Level 2 act is threaded into the requirement family it sharpens:

| Level 2 family | Where it lands in Modulos | Practical effect |
| --- | --- | --- |
| 2024/1774 | ORF-363–ORF-375, MRF-293–MRF-301 | Sharpens the ICT risk-management framework + simplified-framework substance |
| 2024/1772, 2025/301, 2025/302 | ORF-377–ORF-381, MRF-303–MRF-304 | Sharpens incident classification, staged reporting, and the report forms / templates |
| 2025/1190 | ORF-383, MRF-306 | Sharpens TLPT |
| 2024/1773, 2024/2956, 2025/532 | ORF-384–ORF-387, MRF-307–MRF-310 | Sharpens ICT third-party risk, contractual baseline, register of information, and subcontracting |
| Article 11(10) / JC 2024-34 | ORF-380 | Sharpens the aggregated annual cost / loss estimation duty |

This keeps the framework legally traceable without creating a generic watchlist requirement that does not correspond to a distinct DORA duty. Changes in the Level 2 landscape are assessed against the affected requirement families, controls, and evidence model.

Source attribution

Regulation (EU) 2022/2554 (DORA) Article 45 substance on this page is paraphrased from the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. The eight Commission Delegated and Implementing Regulations are individually published on EUR-Lex with the CELEX numbers and OJ pinpoints shown above. The ESAs Joint Guideline JC 2024-34 (19 March 2025) is published on the EBA, EIOPA, and ESMA websites under DORA Article 11(10).

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The Level 2 acts and ESAs Joint Guidelines are themselves binding sources of obligations on financial entities, and the application of each follows its own provisions. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.