DORA, Credit Union Boards, and the Training Obligation You Cannot Delegate

Jan 13 / Paul C Dwyer

For Credit Union Directors, DORA is not an IT regulation.

It is a governance regulation with direct implications for how Boards make decisions, oversee risk, and demonstrate accountability.

From January 2025, EU supervisors are no longer assessing digital resilience purely through systems and controls. They are assessing whether Boards understand, govern, and take responsibility for digital operational resilience. Credit Unions in Ireland have a "DORA Deadline Deferral" until 2028, but their Board obligations exist today!

And that changes the bar for Board training.

Why training is a regulatory expectation — not a “best practice”

DORA repeatedly assigns responsibility to the “management body”. In Credit Union governance structures, this typically means the Board, with specific responsibilities also delegated to senior management.

Crucially, DORA does not allow Boards to outsource accountability.

While operational tasks may sit with management or external providers, the duty to oversee, approve, challenge, and evidence decisions remains with the Board.

This is why training matters. Regulators are not asking:

“Did the Board attend a course?”

They are asking:

“Can the Board demonstrate it is competent to discharge its responsibilities under DORA?”

Training is how that competence is established, refreshed, and evidenced.

What supervisors expect Credit Union Boards to understand

DORA expects Boards to be able to operate at a level where they can:

  • approve and periodically review the ICT risk management framework

  • set and monitor risk appetite for digital and operational resilience

  • oversee incident management and ensure timely, accurate reporting

  • understand the scope and limitations of resilience testing

  • govern outsourcing and third-party ICT risk, including concentration risk

  • ensure remediation actions are prioritised, funded, and tracked

This does not mean Directors must become technical specialists.
It means they must be informed decision-makers who understand:

  • what “good” looks like

  • where risk is concentrated

  • when assurance is weak or incomplete

  • where evidence is required, not just reassurance

Why traditional cyber awareness training is not enough

Many Credit Union Boards already receive periodic cyber updates or awareness sessions. These are useful — but they do not meet the governance intent of DORA.

DORA is concerned with:

  • oversight, not operations

  • evidence, not presentations

  • decision-making, not information-sharing

A Board that understands phishing but cannot:

  • challenge third-party contracts,

  • assess testing outcomes, or

  • oversee major incident decisions

will struggle to demonstrate compliance.

What “being trained” actually looks like under DORA

A defensible DORA Board training programme focuses on role clarity and oversight capability, not technical depth.

In practice, that means training should cover:

1. Why Credit Unions are in scope — and how proportionality applies

Including what proportionality does and does not allow Boards to rely on.

2. Board accountability and personal responsibility

What the Board approves, what management executes, and how regulators assess Board effectiveness.

3. ICT risk management through a Board lens

Understanding frameworks, reporting, metrics, and assurance — without drowning in technical detail.

4. Incident management and regulatory reporting

What constitutes a major incident, what decisions the Board must oversee, and what evidence must be retained.

5. Testing, assurance, and demonstrating resilience

How to distinguish meaningful testing from box-ticking and how Boards should interpret results.

6. Outsourcing and third-party ICT risk

Governing dependency risk, contractual controls, exit strategies, and accountability for outsourced services.

Evidence matters more than intent

One of the most common regulatory findings across financial services is not absence of policies, but absence of evidence.

Supervisors expect to see that Boards:

  • receive appropriate information

  • ask informed questions

  • challenge assumptions

  • make decisions consciously

  • track outcomes and remediation

Training supports this by creating a shared understanding, consistent language, and a clear baseline for what the Board should expect from management.

A simple Board-level reality check

Ask yourselves:

  • Could we clearly explain our DORA obligations to a supervisor?

  • Do we know where our most critical ICT dependencies sit?

  • Would we recognise weak assurance if we saw it?

  • Do our minutes reflect challenge, not just updates?

  • Are we confident our outsourcing oversight would withstand scrutiny?

If any of these raise hesitation, the issue is not effort — it is capability.

The practical path forward for Credit Union Boards

The most effective approach is concise, board-specific training that:

  • respects Directors’ time

  • uses plain language

  • is grounded in regulatory expectations

  • focuses on oversight, not operations

  • produces artefacts Boards can actually use

CDBM Certified DORA Board Member Training Program

This is the rationale behind CDBM-CU (Certified DORA Board Member – Credit Unions): a focused programme designed to help Credit Union Boards understand their obligations under DORA and demonstrate informed, defensible oversight.

Because under DORA, resilience is no longer something you hope exists.
It is something the Board must be able to prove.