AI, DORA and the Consumer Protection Code: A readiness question for credit unions, not a fire drill

There is a way to talk about regulation that turns every development into an emergency. It helps no one, least of all a credit union board trying to decide where to put limited attention. So it is worth being clear at the start: the regulatory direction on AI for Irish credit unions is forming, not falling. The right posture is calm, deliberate preparation through a known horizon. Not a fire drill.

That said, calm is not the same as waiting. There are concrete things already in force, and concrete things on the way, and the credit unions that prepare for them now will find the eventual scrutiny straightforward rather than stressful. The point of reading the landscape clearly is precisely to avoid the panic that comes from being caught short.

 

DORA is live, and it already reaches AI

 

Start with what is already in force. The Digital Operational Resilience Act is not on the horizon. It applies now. For credit unions, the most relevant part is its treatment of third-party ICT risk, because the AI tools a credit union depends on are, in DORA's terms, ICT dependencies.

That has a practical consequence. If a credit union relies on an external AI service for any part of onboarding, fraud screening, or underwriting, that dependency sits inside the operational resilience expectations DORA already sets. AI is not singled out. It is simply that AI tools are ICT third parties, and DORA governs those. The work here is to know where those dependencies are and to govern them as DORA expects, which is the operational resilience side that RunReady is built to carry.

 

The Consumer Protection Code is moving

 

The revised Consumer Protection Code is in consultation. Colm Kincaid, the Central Bank's Deputy Governor for Consumer and Investor Protection, has been clear about the direction of travel: stronger expectations on how firms treat consumers, including transparency in the decisions that affect them.

For a credit union, the link to AI is direct. As AI is used in more member-facing decisions, from lending to servicing, the explainability and fair-treatment expectations of the Code apply to those decisions. Preparing now means making sure that anywhere AI touches a member outcome, the decision can be explained and justified to the standard the revised Code will expect. That is not a constraint to resent. It is the same standard a credit union would want to hold itself to regardless.

 

AI governance is forming under PRISM

 

The Central Bank supervises through its PRISM risk-based framework, and AI governance expectations are taking shape within it. Closer scrutiny is expected from late 2026, which is exactly what makes this a readiness question rather than an immediate compliance deadline.

The realistic read is that supervisors will increasingly expect a credit union to show three things: that it understands where AI sits in its risk profile, that it governs that deliberately, and that it can evidence both. That is a reasonable expectation, and it is one a credit union can get well ahead of with a clear view of its own AI-driven risks.

 

This is preparation, and preparation rewards starting early

 

Here is the calm version of the timeline. DORA is live, but the full weight of supervisory scrutiny on AI for credit unions sits on a horizon, not next week. The revised Code is in consultation, not enacted. PRISM scrutiny tightens from late 2026. There is genuine time to prepare properly.

That time is the opportunity. It is a window to map where AI touches member outcomes and ICT dependencies, to govern those points deliberately, and to build the evidence trail before a supervisor asks for it. A credit union that does this work in the calm before is in a completely different position to one scrambling once the scrutiny lands. The whole argument for acting now is that it lets you act calmly rather than under pressure later.

If you want to see where AI sits across the obligations the Central Bank already supervises, the Irish credit union edition of our AI Disruption Risk Index scores regulatory readiness as one of the highest AI-driven risks in the sector. The Index is free, and it gives a board a clear, evidenced starting view rather than a generic checklist.

 

Prepared, with evidence, before a supervisor asks

 

Against the objective of regulatory and legal readiness, this is a high and rising AI-driven risk for the sector, with the structural driver being regulatory complexity. The work is to know, with evidence, where AI sits across the obligations the Central Bank already supervises, and to be able to show that governance is deliberate.

A board reading this should be asking where, today, AI touches a member outcome or an ICT dependency, and whether that point could be explained and evidenced to a supervisor on request. Where the honest answer is "not yet", that is the preparation list, and there is time to work it calmly.

This is where a platform earns its place. RunSafe, the objective-led, AI-powered risk and controls layer of Drova's RunGood platform, is built to keep the controls behind each obligation current as both the rules and the AI driver move, and to generate the evidence by default. While the rules are still forming, that is the difference between "show me" being a click and being a scramble.

The direction is forming, the horizon is known, and the time to prepare is now, precisely so that none of it has to be a fire drill later.