DORA's implementation period starts now. What we're doing to prepare for the new law
Head of Trusted Cloud Services, Office of the CISO
Global Lead Regulatory Risk & Compliance
Today is the start of the two-year implementation period for the EU Digital Operational Resilience Act (DORA). Financial entities in the European Union (EU) and their critical ICT providers must be ready to comply with DORA by January 17, 2025. At Google Cloud, we firmly believe that DORA will be vital to accelerating digital innovation in the European financial services sector. We have been engaging with policymakers on DORA since September 2020. We are now excited to collaborate with customers and regulators to operationalize the new DORA requirements ahead of the deadline.
As we approach the 2025 deadline, we intend to continue to support our customers with new resources and updates to our Compliance Resource Center. The first of these resources is our new DORA Customer Guide, which contains helpful information about how our customers can navigate the DORA regulations.
What DORA does for the European financial sector
DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage Information and Communications Technology (ICT) third-party risk across the financial services sector and EU member states. In addition to establishing clear expectations for the role of ICT providers, DORA will also allow EU financial regulators to directly oversee critical ICT providers. Where the criteria are met, this would apply to cloud service providers like Google Cloud.
How Google Cloud is preparing for DORA
Over the last two years, our team has been engaging with policymakers and regulators to understand their perspectives on how the new law could improve digital operational resilience in the European financial sector.
Now that DORA is finalized, a cross-functional team at Google Cloud (including subject matter experts from Risk and Compliance, Security, Legal, Government Affairs, and Product) is reviewing the details and preparing compliance plans where needed. These plans build upon our strong foundation in areas like security, resilience, and third-party risk management that already enable our EU financial services customers to address their rigorous regulatory expectations.
We plan to use the implementation period to further enhance our capabilities in each of the DORA focus areas, including:
Oversight: We’re preparing for potential designation as a critical ICT provider and the annual engagements that will follow, including oversight plans, inspections, and recommendations. We’re confident that this structured dialogue will help to improve risk management and resilience both for our customers and across the sector. We will approach the relationship with our lead overseer with the same commitment to ongoing transparency, collaboration, and assurance that we bring to our customers and their regulators today.
Incident reporting: We’re very focused on how we can support customers with the incident reporting requirements under DORA. In particular, we’re looking at ways that our industry-leading information security operation and sophisticated security monitoring tools and solutions could be even more helpful to customers. With the addition of Mandiant to the Google Cloud family, we now also offer proven global expertise in comprehensive incident response and technical assurance to help organizations mitigate threats and reduce business risk before, during and after an incident. We are excited about how these capabilities can help our customers with DORA compliance.
Digital operational resilience testing: We firmly believe that cyber resilience must be tested. If done well, activities like threat-led penetration testing can be powerful tools. Given the clear benefits of pooled testing in the public cloud context, this is something we’re very interested in exploring. Our customers have had continued success with pooled audits of Google Cloud. This gives us confidence that a similar collaborative and scalable approach can enable robust and effective testing.
Third-party risk management: Google Cloud’s contracts for financial entities in the EU already address the contractual requirements in the EBA outsourcing guidelines, the EIOPA cloud outsourcing guidelines, the ESMA cloud outsourcing guidelines, and additional member state requirements. We recognize that DORA also contains requirements for contracts with ICT providers. We are reviewing these closely to understand how they may impact our contracts for financial entities in future.
Like our customers, Google Cloud is thinking about the key DORA issues now. However, we understand that the details in these areas still need to be fully defined in forthcoming regulatory and technical standards. We are committed to engaging in the discussions about these standards in the same transparent and constructive way as we participated in the DORA dialogue.
Our goal is to make Google Cloud the best possible service for sustainable, digital transformation for European organizations on their terms — and there is much more to come.