DORA, the Consumer Protection Code, and AI

What credit unions should prepare now, calmly.

DORA is already live and reaches the AI tools you depend on. The revised Consumer Protection Code is in consultation. AI governance expectations are forming under PRISM, with closer scrutiny expected from late 2026. This is a readiness question with a known horizon, not a fire drill. Part of the AI risk hub for Irish credit unions.

TL;DR

  • DORA is already live, and its third-party ICT requirements already reach the AI tools a credit union depends on.
  • The revised Consumer Protection Code is in consultation, with the Central Bank's Deputy Governor for Consumer and Investor Protection signalling the direction of travel.
  • AI governance expectations are forming under the PRISM framework, with closer supervisory scrutiny expected from late 2026.
  • This is a readiness question, not a panic. The work is preparation through a known horizon, not a fire drill.
  • Getting ahead means having a clear, evidenced view of where AI sits in the risks the Central Bank already supervises.

Preparation through a known horizon, not a fire drill

DORA is live, the revised Consumer Protection Code is in consultation, and AI governance expectations are forming under PRISM. Getting ahead means a clear, evidenced view of where AI sits in the risks the Central Bank already supervises.

DORA

DORA is live and already reaches AI

The Digital Operational Resilience Act is not on the horizon. It is in force. For credit unions, the most relevant part is its treatment of third-party ICT risk, because the AI tools a credit union uses are, in DORA terms, ICT dependencies.

That matters in a practical way. If a credit union relies on an external AI service for any part of onboarding, fraud screening, or underwriting, that dependency falls within the operational resilience expectations DORA sets. The point is not that AI is singled out. It is that AI tools are ICT third parties, and DORA already governs those.

Consumer Protection Code

The Consumer Protection Code is moving

The revised Consumer Protection Code is in consultation. The Central Bank's Deputy Governor for Consumer and Investor Protection has been clear about the direction: stronger expectations on how firms treat consumers, including transparency in decisions that affect them.

For credit unions, the link to AI is direct. As AI is used in more member-facing decisions, from lending to servicing, the explainability and fair-treatment expectations of the Code apply to those decisions. Preparing now means making sure that anywhere AI touches a member outcome, the decision can be explained and justified to the standard the revised Code will expect.

AI governance

AI governance is forming under PRISM

The Central Bank supervises through its PRISM risk-based framework, and AI governance expectations are taking shape within it. Closer scrutiny is expected from late 2026, which is what makes this a regulatory readiness question rather than an immediate compliance deadline.

The realistic read is that supervisors will increasingly ask credit unions to show that they understand where AI sits in their risk profile, that they govern it deliberately, and that they can evidence both. That is a reasonable expectation, and it is one a credit union can get ahead of with a clear view of its own AI-driven risks.

Preparation, not panic

How a board should read this risk

It is worth being calm about the timeline. DORA is live, but the full weight of supervisory scrutiny on AI for credit unions sits on a horizon, not a deadline next week. The revised Code is in consultation, not enacted. PRISM scrutiny tightens from late 2026. That is a window to prepare properly: to map where AI touches member outcomes and ICT dependencies, govern those points deliberately, and build the evidence trail before a supervisor asks for it.

Against the objective of regulatory and legal readiness, this is a high AI-driven risk for the sector, with the structural driver being regulatory complexity. The work is to know, with evidence, where AI sits across the obligations the Central Bank already supervises, and to be able to show that governance is deliberate. The AI Disruption Risk Index gives a board that starting view: where AI drives the risks tied to regulatory readiness, scored against the credit union's own objectives, with the attribution made explicit.

FAQs

DORA and CPC FAQs

Does DORA apply to credit unions' AI tools?

Yes. DORA's third-party ICT requirements reach the AI services a credit union depends on, because those services are ICT dependencies. DORA is already live.

What is changing in the Consumer Protection Code?

The Code is being revised and is currently in consultation, with the Central Bank signalling stronger consumer-protection and transparency expectations. Where AI touches member-facing decisions, the explainability and fair-treatment expectations apply.

What does the Central Bank expect on AI governance?

AI governance expectations are forming under the PRISM framework, with closer supervisory scrutiny expected from late 2026. In practice, supervisors will expect a credit union to understand, govern, and evidence where AI sits in its risk profile.

Is this urgent?

It is a readiness question with a known horizon, not an immediate deadline. DORA is live, but full AI scrutiny for credit unions sits further out, which is exactly why preparing calmly now is the right approach.

Regulatory readiness is one of several risks the free AI Disruption Risk Index, Ireland Credit Unions edition, sets out for the sector.
