Information sharing and Level 2 acts
This page covers the parts of DORA that sit outside the main ICT risk, testing, and third-party pages: Article 45 information-sharing and the design choice to thread the Level 2 acts into the relevant requirement families instead of creating one generic “secondary legislation governance” requirement.
Information-sharing obligations
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-388 | Cyber-threat information-sharing arrangement governance | Art. 45(1)-(3) |
There is no dedicated MFF counterpart here by design. In the current DORA model, Article 45 participation is treated as an entity-facing governance choice rather than a separate service-level execution family.
Why there is no standalone “secondary legislation” requirement
The earlier DORA attempt used a standalone delegated-and-implementing-acts governance pattern. The rebuilt framework does not.
Instead, each Level 2 act is threaded into the requirement families it actually sharpens:
| Level 2 family | Where it lands in Modulos | Practical effect |
|---|---|---|
| 2024/1774 | ORF-362 to ORF-375, MRF-293 to MRF-302 | sharpens the ICT risk-management and resilience-governance model |
| 2024/1772, 2025/301, 2025/302 | ORF-377 to ORF-381, MRF-303 to MRF-304 | sharpens incident classification, staged reporting, and payment-related reporting |
| 2025/1190 | ORF-382 to ORF-383, MRF-305 to MRF-306 | sharpens digital operational resilience testing and TLPT |
| 2024/1773, 2024/2956, 2025/532 | ORF-384 to ORF-387, MRF-307 to MRF-310 | sharpens ICT third-party risk, contracts, register, and subcontracting |
That is deliberate. It keeps the framework legally traceable without creating a generic watchlist requirement that does not correspond to a distinct DORA duty.
What this means operationally
- users do not implement a separate “watch the delegated acts” requirement
- instead, the relevant DORA requirements already cite the Level 2 acts that shape them
- changes in the Level 2 landscape should be assessed against the affected requirement families, controls, and evidence model
Related pages
- DORA overview: Framework structure and OFF-16/MFF-16 split
- Applicability and governance: Scope, accountability, and governance foundations
- Testing and third-party risk: TLPT, contract, register, and subcontracting execution model
Disclaimer
This page is for general informational purposes and does not constitute legal advice.