Supporting Boards in Achieving Digital Operational Resilience

Regulatory Context and Board Responsibilities

During the transition period starting now, credit unions are expected to strengthen ICT governance arrangements, review and update ICT and outsourcing contracts, and ensure that incident management and operational resilience frameworks can respond effectively to ICT disruptions and cyber threats.

By 17 January 2028, boards will be required to demonstrate to the Central Bank of Ireland that their credit union has in place:

  • Robust ICT governance structures, with clearly defined roles, responsibilities, and escalation pathways
  • Effective ICT risk management and cybersecurity controls aligned with recognised good practice
  • Appropriate oversight of ICT third-party service providers, including documented exit and substitution planning
  • Operational resilience arrangements supported by testing, documentation, and Board-level assurance

While the exemption delays the point of formal enforcement, it does not remove supervisory expectations. The Central Bank of Ireland has consistently emphasised that firms should align with the spirit and direction of DORA, as well as with existing guidance on ICT risk management, outsourcing, and operational resilience.

Boards should apply DORA’s requirements in a proportionate manner, reflecting the size, complexity, and risk profile of their credit union, while ensuring that all core resilience principles are met.

The Central Bank of Ireland’s Cross-Industry Guidance on Operational Resilience aligns supervisory expectations with DORA and encourages firms not yet directly subject to DORA to adopt equivalent measures as part of their operational resilience frameworks. In practice, supervisory focus is increasingly placed on demonstrable capability, including governance records, testing outcomes, third-party oversight artifacts, and board-level assurance, rather than policy intent alone.

DORA as a Governance and Resilience Framework

DORA is structured around five core pillars:

  1. ICT risk management
  2. ICT-related incident management and reporting
  3. Digital operational resilience testing
  4. ICT third-party risk management
  5. Information-sharing arrangements

Taken together, these pillars establish a comprehensive regulatory framework designed to ensure that financial entities can withstand, respond to, and recover from ICT disruptions and cyber incidents.

For Irish credit unions, this requires a careful review of internal governance structures, enhanced oversight of external ICT and outsourcing providers, and preparation for expanded documentation, reporting, testing, and contractual requirements. Importantly, Boards must be able to evidence oversight, challenge, and assurance through clear decision-making records, structured reporting, and regulator-ready artefacts.

Credit unions are encouraged to participate in sectoral information-sharing initiatives and collaborative testing exercises to strengthen collective resilience and align with DORA’s emphasis on cross-sector cooperation.

Strategic Importance of Early Engagement and Independent Validation (CBI requirement)

In this context, early and proportionate engagement with DORA during the transition period enables boards to enhance institutional resilience, reduce future regulatory and remediation risk, and ensure that compliance obligations are met in a controlled and defensible manner.

Approaching DORA as a governance and resilience framework, rather than as a late-stage compliance exercise, supports:

  • Stronger Board oversight and accountability
  • Increased member confidence and institutional trust
  • Improved preparedness for supervisory engagement
  • A sustainable approach to digital and operational resilience

Our Flagship Programme

To support credit unions in moving from regulatory interpretation to practical implementation, Tymans Group delivers a dedicated flagship readiness programme, the DORA Evidence Pack.

It is a 12-week, board-led programme that helps boards and senior management prepare for DORA compliance by January 2028, while also creating clear evidence that meets the Central Bank of Ireland's expectations for digital operational resilience.

This programme ensures you meet the Central Bank's current 'Cross-Industry Guidance on Operational Resilience' and addresses the immediate CBI 2025/2026 concerns while simultaneously building the foundation for the 2028 DORA deadline via independent validation.

Programme Outcomes

By the conclusion of the engagement, the credit union will have:

  • Board-approved DORA governance and oversight arrangements, including documented accountability structures, reporting lines, and escalation mechanisms aligned with DORA and Central Bank of Ireland expectations
  • Cost efficiency through proportionality, avoiding overspending on unnecessary tech implementations and process bottlenecks
  • A regulator-ready evidence base demonstrating ICT governance, incident management governance, and third-party oversight governance, supported by appropriate documentation
  • Proactive gap remediation that aims to preempt supervisory findings and ensure remediation ahead of 2028, supported by a structured and proportionate roadmap to full compliance

Core Deliverables

The engagement produces a defined suite of inspectable artifacts, including:

  • A DORA gap analysis and readiness assessment mapped to DORA requirements and relevant Central Bank supervisory guidance
  • An ICT governance and Board oversight framework
  • ICT-related incident classification, response, and reporting procedures
  • Third-party ICT risk and exit strategy framework
  • A consolidated Board briefing and assurance pack suitable for sign-off and regulatory engagement
  • A phased DORA implementation roadmap through to 2028, including operational resilience testing and scenario-based evidence packs. 
    The implementation of the roadmap is a separate engagement.
 
How Tymans Group Supports Credit Unions

Tymans Group works alongside boards and senior management teams to translate complex regulatory requirements into defensible governance structures, workable controls, and board-ready evidence.

Our approach combines regulatory insight with practical implementation support, ensuring that compliance is not only achieved but is also capable of being clearly demonstrated to supervisors.

We explicitly provide:

  • DORA-compliant operational resilience guidance
  • Independent validation through our pre-regulatory audit
  • Third-party risk management framework and assistance

Request a Strategic Command Briefing

Does your current framework address the CBI’s findings on independent validation?

Then let's discuss how your board can adopt a structured, compliant, and legally informed approach to DORA during the transition period.

We welcome the opportunity to deliver a DORA executive or board briefing and to outline how the DORA evidence pack can be integrated into your governance framework ahead of January 2028.

Engaging early with structured readiness programmes such as the DORA Evidence Pack will position your credit union as a leader in operational resilience and regulatory preparedness.

This intake requires the input of a management body member or CxO. Please provide the institutional context required to initiate a Resilience Diagnostic and determine architectural alignment.

 


This site and all contents is © 2026 Tymans Group BV