Jul 24

DORA: A Missed Opportunity for Credit Unions in Ireland

In a recent, perhaps surprising development, the Department of Finance confirmed to the Irish League of Credit Unions (ILCU) on 10th July 2023 its intention to apply the Member State exemption under the Digital Operational Resilience Act (DORA). This decision, made possible by the wording of Article 2(4), which gives Member States discretion to exclude certain entities from scope, means Irish Credit Unions will be exempt from compliance with DORA. There is a certain school of thought, notably represented by the ILCU, which sees this decision as a positive outcome. However, as a seasoned cyber security, risk, and compliance professional, I hold a divergent view. This article sets out my standpoint, drawing upon more than three decades of experience in the global financial sector, and aims to foster a thought-provoking conversation around the implications of this exemption.

DORA: A Protective Shield for the Digital Financial World

In a time when cyber threats are evolving at a startling pace and affecting an increasingly interconnected financial ecosystem, DORA emerges as a crucial piece of legislation. It harmonises ICT risk management across the European Union's financial sector, and its proportionality principle allows its requirements to be applied in a manner appropriate to the size and risk profile of different entities, including credit unions. It brings a structured, pragmatic approach to managing ICT risk, helping to secure businesses, members, and the broader financial industry. In essence, DORA could be likened to a well-forged shield, adept at protecting against cyber adversaries.


Exemption: A Short-term Relief or a Missed Opportunity?

The exemption of Credit Unions from DORA is perceived as a triumph by the ILCU. However, one must not overlook the benefits DORA offers, nor ignore the consistent guidance provided by the Central Bank of Ireland (CBI), which reportedly did not support the exemption. The CBI has always emphasised the importance of operational and digital resilience, and this exemption seems to contradict that message, along with guidance from the National Cyber Security Centre and the wider EU strategy. I believe that DORA's implementation could have been a great catalyst for the sector to establish a unified approach to ICT risk management. If implemented well, it would help even those who are not cyber risk experts to understand and adhere to best practice.

The Reality of the Cyber Threat Landscape

Considering the ever-intensifying cyber threat landscape and the sector's interconnectedness and reliance on its supply chain, the exemption seems an unusual decision. In a digital society where reliance on credit unions for financial services, including (increasingly) mortgages, is growing, robust oversight and governance are not just advisable but crucial.
Although DORA can appear a difficult, legalistic document to interpret, it essentially offers a common-sense approach to ICT risk management. By exempting credit unions from DORA compliance, we may be robbing them of an opportunity to apply rational, pragmatic, and proportional controls that can protect their businesses and members.

The Future: A Matter of Choice

While the exemption from DORA compliance is indeed the current state of affairs, it does not absolve Credit Unions of the need to have a robust cyber security framework that supports digital operational resilience. It is my sincere hope that the Department of Finance reconsiders its stance, reflecting on the broader perspective and taking into account the potential repercussions of this exemption.
In conclusion, regardless of the official status of DORA compliance, it is incumbent upon the Credit Unions themselves to recognise the evolving cyber threats and take proactive measures to ensure operational resilience. After all, the spirit of DORA is not merely about regulatory compliance, but about fostering a resilient digital financial ecosystem that can capably withstand the relentless onslaught of cyber threats.