EU Digital Operational Resilience Act (DORA)
By January 17, 2025, European Union (EU) financial entities and their critical Information and Communications Technology (ICT) providers must be ready to comply with the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’). DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and EU member states.
In addition to establishing clear expectations for the role of ICT providers, DORA allows EU financial regulators to oversee critical ICT providers directly. Where the criteria are met, this applies to cloud service providers like Google Cloud.
Google Cloud’s support for customers
As we approach the January 17, 2025 deadline, Google Cloud will continue to support our customers with new resources and updates that address the applicable DORA requirements, including:
- Updated contract terms for Google Cloud and Google Workspace to address the key contractual provisions in Article 30 of DORA. If you need DORA contract terms, please contact your Google Cloud representative for further details.
- Mappings to Article 30 of DORA for both Google Cloud and Google Workspace to help customers understand how our contracts, controls, and processes can support their DORA requirements.
Applicability and Google Cloud’s responsibility
Although DORA will not apply to Google Cloud directly unless and until EU regulators officially designate us as a critical ICT provider, we are already preparing to address potential direct requirements and intend to engage openly with regulators about designation.
Like existing ICT risk management requirements, DORA contains requirements about how financial entities in the EU should manage their ICT providers (including cloud services providers). Although these requirements don’t apply to ICT providers directly, Google Cloud recognises that we will need to enable our customers to address these expectations comprehensively to ensure their continued success while using our services.
In order to prepare, Google Cloud continues to enhance our product and operational capabilities in each of DORA’s focus areas - see examples above. To support our customers, we have dedicated teams like our Office of the CISO that address customers' questions and feedback. Additionally, ahead of the 2025 deadline we will continue to update our documentation and resources to provide further insight into Google Cloud’s approach to resilience, incident management, and other key DORA focus areas.