Simplify DORA compliance with Google Cloud's updated contracts
Gillian Hamilton
Global Lead Regulatory Risk & Compliance
Thiébaut Meyer
Director, Office of the CISO
With less than one year to prepare for the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’) coming into force, today we are sharing more information about how Google Cloud plans to support financial entities with their DORA compliance. (The EU DORA regulation is unrelated to another DORA, Google Cloud’s DevOps Research and Assessment team, which produces the annual State of DevOps Report.)
As an organization, we are committed to DORA compliance and a cross-functional team at Google Cloud has been working to prepare for DORA since the requirements were finalized in 2022. This includes implementing operational changes and enhancing our customer support model.
Starting today, to help customers ensure their Google Cloud contracts are DORA-compliant by January 17, 2025, financial entities can use our updated contract terms for Google Cloud and Google Workspace, which address the key contractual provisions in Article 30.
How Google Cloud will help customers with their own DORA readiness
Management of Information and Communications Technology third-party risk: Article 30 of DORA contains key contractual provisions that financial entities must address in their contracts for Information and Communications Technology (ICT) services. We appreciate that customers will want to address these requirements in their Google Cloud contracts well in advance of January 17, 2025, as DORA does not provide a transition period for existing contracts.
In addition to updating our contract terms for Google Cloud and Google Workspace, we’ve also created mappings to Article 30 for Google Cloud and Google Workspace. These mappings can help customers understand how our contracts, controls, and processes can support their DORA obligations. Customers who need DORA contract terms can contact their Google Cloud representative to learn more.
Incident reporting: Google Cloud is committed to reporting incidents and helping our customers with their required incident reporting. For DORA specifically, starting on January 17, 2025, we will notify customers of ICT-Related Incidents that impact their use of Google Cloud. (Note that customers must be on DORA contract terms to receive ICT-related incident notifications.) These notifications will be provided to customers at no additional cost via the existing notification channels customers are familiar with — email, the Service Health Dashboard, and our Google Cloud Support Center.
We recognize that DORA requirements in this area are continuing to evolve. Google Cloud is committed to aligning with the final requirements to provide notice within the required time frames and the information needed for customers to facilitate their own assessment and reporting.
Digital operational resilience testing: Google Cloud is committed to providing a support model for threat-led penetration testing (TLPT) that will allow for effective and secure cloud testing. Starting in 2025, we will participate in TLPT by facilitating pooled testing by an external tester as described in Article 26(4). We are confident that pooled testing is the best way to effectively test the digital operational resilience of Google Cloud while also managing the risks that testing in a multi-tenant environment inherently poses to other customers.
How Google Cloud is engaging on the Level 2 acts
Although the text of DORA has been finalized, several important requirements must still be further specified in secondary legislation known as the DORA Level 2 acts. These include regulatory and implementing technical standards (RTS and ITS) in key areas such as incident reporting, threat-led penetration testing, and subcontracting.
To support policymakers and our customers, Google Cloud is actively engaging in the EU policy discussion on the DORA Level 2 acts. We’ll continue to participate in the dialogue about DORA in a transparent and constructive way. In particular, we’ll advocate for:
- Consistency between each of the Level 2 acts and with the mandate provided in DORA.
- Harmonization with the maturing approach in the global financial sector and other parallel EU regimes (such as with incident reporting).
- Proportionality, especially where regulatory approaches that may be appropriate for some ICT services could have an unintended, negative impact on financial sector resilience if applied to public cloud services.
Looking ahead
This year will be crucial for financial entities and their ICT providers preparing for DORA. As we approach the deadline, we will continue to support our customers with new resources and updates that address the applicable DORA requirements.
Our goal is to make Google Cloud the best possible service for sustainable, digital transformation for European organizations on their terms — and there is much more to come.