DORA and the shared pursuit of digital operational resilience in finance

If you are a financial entity in the European Union (EU), the new draft regulation from the European Commission on Digital Operational Resilience for the Financial Sector (DORA) is likely top of mind. DORA aims to consolidate and upgrade existing Information and Communications Technology (ICT) risk management requirements, and is also introducing a new framework for direct oversight of critical ICT service providers by financial regulators in the EU. Where the criteria are met, this would apply to cloud service providers like Google Cloud. 

It’s important to know that DORA is still in draft and is going through the legislative process. As of today, DORA doesn’t create any new requirements for financial entities or ICT service providers. Google Cloud is following the proposed regulation and is contributing to the collaborative dialogue that is shaping it to help DORA achieve the European Commission’s priorities.

Enhancing the digital resilience of the European financial system

DORA addresses a number of important topics for financial entities using ICT services, from incident reporting to operational resilience testing and third-party risk management, with the objective of enhancing the digital resilience of the European financial system.

Resilience and security are at the core of Google Cloud’s operations. We firmly believe that migration to the public cloud can help financial entities improve their operational resilience and security posture. These benefits have come into full view during the COVID-19 pandemic: our technology and infrastructure have continued to support our customers without shortfalls.

At the same time, the oversight framework for critical third-party providers under DORA could create a genuine opportunity to enhance understanding, transparency, and trust among ICT service providers, financial entities, and financial regulators, and ultimately stimulate innovation in the financial sector in Europe. 

Google Cloud already supports our customers in many of the areas addressed in DORA: 

  • Incident reporting: To protect our customers’ data, Google Cloud runs an industry-leading information security operation that combines stringent processes, a world-class team, and multi-layered information security and privacy infrastructure. Our Data incident response whitepaper outlines Google Cloud’s approach to managing and responding to data incidents.

  • Operational resilience and testing: Our global infrastructure, baseline controls, and security features offer strong tools that customers can use to achieve resilience on our services. We are also committed to open source standards. These solutions help customers control the availability of their workloads and run them wherever they want without being dependent on or locked into a single cloud provider. We also recognize that resilience must be tested. Google Cloud conducts our own rigorous testing, including penetration testing and disaster recovery testing, and empowers our customers to perform their own penetration testing. We also provide information about how customers can use our services in their disaster recovery planning in our Disaster Recovery Planning Guide.

  • Third-party risk: We recognize that financial entities must consider outsourcing and third-party risk management requirements when using cloud services. Google Cloud’s contracts for financial entities in the EU address the contractual requirements in the EBA outsourcing guidelines and the EIOPA cloud outsourcing guidelines. We pay close attention as laws and regulatory expectations continue to evolve. 

Policy engagement on the new framework

As the conversation around DORA progresses, we will continue to lend our view and technology expertise to policymakers and industry in a transparent manner, in particular advocating for the following:

  • Harmonization and deduplication of requirements, including between DORA and existing frameworks like the European Supervisory Authorities’ Outsourcing Guidelines and the NIS Directive.

  • Requirements that are proportionate and fit-for-purpose, especially those that recognize the technological and operational realities of evolving ICT services in the cloud context.

  • Technology neutrality and innovation, which we believe is always encouraged by open ecosystems and the free flow of data.

  • An approach that would be consistent with a multi-tenant cloud environment and respect the security and integrity of our services for all customers, whether they are subject to DORA or not. 

We are committed to being a constructive voice as we engage with stakeholders on the proposal. Open dialogue and sharing expertise and best practices will be key to DORA’s effectiveness.