Appearance
Information sharing and secondary legislation
This page covers DORA obligations that keep programs aligned with evolving supervisory expectations.
Information-sharing obligations
| Requirement | Topic | Regulation reference |
|---|---|---|
ORF-320 | Cyber-threat information-sharing and authority-notification governance | Art. 45(1)-(3) |
MRF-292 | AI system cyber-threat information-sharing notification execution | Art. 45(1)-(3) |
Secondary legislation governance and execution
| Requirement | Topic | Regulation reference |
|---|---|---|
ORF-321 | DORA delegated and implementing acts governance | Art. 15, 16(3), 18(4), 20, 26(11), 28(9)-(10), 30(5) |
MRF-293 | DORA delegated and implementing acts operational implementation | Art. 15, 16(3), 18(4), 20, 26(11), 28(9)-(10), 30(5) |
Execution model in Modulos
- maintain a delegated/implementing-act watchlist in org governance workflows
- assess impact on existing controls and requirement mappings
- apply system-level control updates where acts affect incident, testing, or third-party processes
- retain traceable evidence of decisions, updates, and approvals
Acts currently referenced by requirement metadata
- Commission Delegated Regulation (EU) 2024/1774
- Commission Delegated Regulation (EU) 2024/1773
- Commission Delegated Regulation (EU) 2024/1772
- Commission Implementing Regulation (EU) 2024/2956
- Commission Delegated Regulation (EU) 2025/301
- Commission Implementing Regulation (EU) 2025/302
- Commission Delegated Regulation (EU) 2025/532
- Commission Delegated Regulation (EU) 2025/1190
Related pages
DORA overview
Framework structure and OFF-16/MFF-16 split
Applicability and governance
Scope, accountability, and governance foundations
Testing and third-party risk
TLPT and ICT third-party execution model
Disclaimer
This page is for general informational purposes and does not constitute legal advice.