CU DORA Terms of Service

Effective Date: Jan 01 2026

Service: creditunion.cyberprism.ie AKA “CUDORA”

These Terms of Service (“Terms”) govern the provision of the DORA CU Compliance Community and related services (the “Service”) by Cyber Risk International Limited (“CRI”) to subscribing credit unions (“Subscriber”).

By accepting a quotation, service order, or invoice for the Service, the Subscriber agrees to be bound by these Terms.

1. Service Overview

The DORA CU Compliance Community is a structured digital resilience and governance support programme designed to assist Irish credit unions in progressing toward compliance with the EU Digital Operational Resilience Act (DORA) and related supervisory expectations.

The Service provides access to CRI’s CyberPrism CU Platform and associated advisory tools to support assessment, planning, governance strengthening, and compliance monitoring.

The Service is designed to empower credit unions to self-manage compliance. It provides structured tools, guidance, dashboards and community-based advisory support.

Unless expressly agreed in writing, the Service does not include implementation, operational execution, or regulatory certification.

2. Structured Readiness Subscription – What’s Included

Subscribers receive:

• Access to the CyberPrism CU Platform

• DORA compliance dashboards

• IT Thematic Review alignment tools

• Built-in policy and governance templates

• Access to CU Advisor and CBI Advisor tools (24/7)

• Monthly group advisory sessions hosted by CRI

• AI-powered support and ticketing helpdesk

• Email support for service-related queries

• Educational discounts on CRI Partner (ICTTF) certification programmes

• Access to shared community resources

The subscription is advisory and platform-based in nature and does not constitute consultancy, legal advice, regulatory advice, or outsourced compliance services.

3. Independent Assurance & Sign-Off (Optional Add-On)

Independent Assurance & Sign-Off is an optional, separately scoped and separately priced service.

Where purchased, it includes:

• Independent review of documentation provided by the Subscriber

• Sampling-based validation methodology

• Evaluation of governance and control evidence within an agreed scope

• Issuance of a written Independent Sign-Off letter limited to the defined scope

The Independent Sign-Off:

• Is not a statutory audit

• Is not regulatory certification

• Does not constitute approval by any supervisory authority

• Is based solely on documentation and evidence provided

• Is limited to the scope defined in the relevant quotation or service order

The Subscriber remains fully responsible for regulatory compliance and supervisory engagement outcomes.

4. What Is Not Included

Unless separately contracted in writing, the Service does not include:

• One-to-one advisory consultations or bespoke advisory

• Policy drafting or document completion

• Implementation or testing of controls

• Acting as an outsourced compliance officer

• Regulatory representation

• Legal advice

• Certification of compliance

• Third-party audit or statutory assurance services

Such services may be provided under a separate engagement.

5. Subscription, Renewal & Payment

The Structured Readiness subscription is billed annually in advance.

Service access begins upon receipt of payment.

Subscriptions automatically renew annually unless written notice of cancellation is received at least 30 days before the renewal date.

An annual uplift of up to 10% may apply upon renewal.

All fees are quoted exclusive of VAT.

Independent Assurance & Sign-Off services are separately invoiced and payable in accordance with the agreed quotation.

6. Client Responsibilities

The Subscriber acknowledges and agrees that:

• CRI provides tools, guidance and validation within defined scope only.

• The Subscriber retains full responsibility for compliance with DORA and other regulatory obligations.

• All information entered into the platform must be accurate and complete.

• Outputs and templates are general in nature and do not constitute legal or regulatory advice.

• Compliance outcomes depend on proper implementation and governance by the Subscriber.

7. No Third-Party Reliance

All reports, outputs, dashboards, and Independent Sign-Off letters are provided solely for the internal governance use of the Subscriber.

No third party may rely on any CRI output without CRI’s prior written consent.

CRI accepts no duty of care to any third party.

8. Limitation of Liability

To the fullest extent permitted by law:

• CRI’s total aggregate liability arising out of or in connection with the Service shall not exceed the total fees paid by the Subscriber in the 12 months preceding the claim.

• CRI shall not be liable for indirect, consequential, incidental or special loss.

• CRI shall not be liable for loss of profits, loss of business, loss of reputation, regulatory fines, penalties, or supervisory sanctions.

• CRI shall not be liable for compliance failures arising from inaccurate or incomplete information provided by the Subscriber.

Nothing in these Terms excludes liability for fraud or wilful misconduct.

9. Intellectual Property

All content, methodologies, templates, tools and materials provided through the CyberPrism CU Platform remain the intellectual property of CRI.

Subscribers are granted a non-exclusive, non-transferable licence for internal governance use during the subscription term.

Reports and Independent Sign-Off letters may not be reproduced or distributed outside the Subscriber organisation without written consent.

10. Confidentiality & Data Protection

CRI treats all Subscriber data as confidential and processes personal data in accordance with applicable Irish and EU data protection law.

The Subscriber is responsible for ensuring it has lawful authority to upload any data to the platform.

11. Suspension & Termination

CRI may suspend or terminate access if:

• Payment is overdue

• There is material breach of these Terms

• There is misuse of the platform

Refunds are not available for unused portions of a subscription term.

12. Force Majeure

CRI shall not be liable for failure or delay in performance due to circumstances beyond its reasonable control.

13. Entire Agreement

These Terms, together with any accepted quotation or service order, constitute the entire agreement between the parties and supersede any prior discussions or representations.

14. Governing Law

These Terms are governed by the laws of Ireland.

Any dispute shall be subject to the exclusive jurisdiction of the Irish courts.

15. Contact

Cyber Risk International Limited
[email protected]
www.cri.ie