In a recent, perhaps surprising development, the Department of Finance confirmed to the Irish League of Credit Unions (ILCU) on 10th July 2023 its intention to apply the member state exemption in relation to the Digital Operational Resilience Act (DORA). This resolution, made possible by the wording of Article 2(4), which allows discretion to Member States, means Irish Credit Unions will be exempt from compliance with DORA.
There is a certain school of thought, notably represented by the ILCU, which sees this decision as a positive outcome. However, as a seasoned cyber security, risk, and compliance professional, I hold a divergent view. This article attempts to articulate my standpoint, drawing upon more than three decades of experience in the global financial sector, and aiming to foster a thought-provoking conversation around the implications of this exemption.
In a time when cyber threats are evolving at a startling pace and affecting an increasingly interconnected financial ecosystem, DORA emerges as a crucial piece of legislation. The Act harmonises ICT risk management across the European Union's financial sector, and allows for proportional application to different entities, including credit unions. It brings a structured, pragmatic approach to managing ICT risks, helping to secure businesses, members, and the broader financial industry. In essence, DORA could be likened to a well-forged weapon, adept at protecting against cyber adversaries.
The exemption of Credit Unions from DORA is perceived as a triumph by the ILCU. However, one must not overlook the benefits DORA offers, nor ignore the consistent guidance provided by the Central Bank of Ireland (CBI), which seemingly did not support the exemption.
The CBI has always emphasised the importance of operational and digital resilience, and this exemption seems to contradict that message, along with guidance from the National Cyber Security Centre and the wider EU Strategy. I believe that DORA's implementation could have offered a great catalyst for the industry to establish a unified approach to ICT risk management. If implemented well, it would assist even non-cyber risk experts in understanding and adhering to best practices.
Considering the ever-intensifying cyber threat landscape and the sector's interconnectedness and reliance on the supply chain, the exemption seems an unusual decision. In a digital society where reliance on credit unions for financial services, including mortgages (nearly), is growing, robust oversight and governance are not just advisable but crucial.
Although DORA can appear as a difficult legalese document to interpret, it essentially offers a common-sense approach to ICT risk management. By exempting credit unions from DORA compliance, we might be robbing them of an opportunity to apply rational, pragmatic, and proportional controls that can protect their businesses and members.
While the exemption from DORA compliance is indeed the current state of affairs, it does not absolve Credit Unions of the necessity to have a robust cyber security framework that supports digital operational resilience. It is my sincere hope that the Department of Finance reconsiders its stance, reflecting on the broader perspective and taking into account the potential repercussions of this exemption.
In conclusion, regardless of the official status of DORA compliance, it is incumbent upon the Credit Unions themselves to recognise the evolving cyber threats and take proactive measures to ensure operational resilience. After all, the spirit of DORA is not merely about regulatory compliance, but about fostering a resilient digital financial ecosystem that can capably withstand the relentless onslaught of cyber threats.