EU Digital Operational Resilience Act (DORA)

Considerations for EU financial entities: Financial entities must establish an internal governance and control framework for ICT risk management and engage in ongoing monitoring of ICT risks. These ICT risk management and monitoring requirements extend to the use of ICT services provided by third party providers.

Considerations for ICT providers: ICT providers need to be able to support customers’ ICT risk management and monitoring, including where relevant systems and processes are managed by the provider. In addition, in the case of critical ICT providers, the new Lead Overseer will assess the provider’s risk management processes, including ICT risk management policies, ICT business continuity policy, and ICT response and recovery plans. 

Google Cloud support: Even before you are on Google Cloud, you can use our Risk Assessment & Critical Asset Discovery solution to evaluate your organization’s current IT risk, identify where your critical assets reside, and receive recommendations for improving your security posture and resilience. We’ve also published guidance on managing risk with controls and managing your assets. 

Once on Google Cloud, you can leverage several tools to map and manage your cloud resources on an ongoing basis, including Google Cloud Operations, Resource Manager, Cloud Deployment Manager and Risk Manager. Information about Google’s approach to risk management is available in Google’s certifications and audit reports. 

If you would like additional assistance, Mandiant (now part of Google Cloud) offers Risk Management services including Cyber Risk Management Operations Service, Threat Modeling Security Service, Cyber Security Due Diligence Service, and a Cyber Security Program Assessment.

Considerations for EU financial entities: DORA consolidates financial sector incident reporting requirements under a single streamlined framework. This means financial entities operating in multiple sectors or EU member states should no longer need to navigate parallel, overlapping reporting regimes during what is necessarily a time-sensitive situation. 

DORA also aims to address parallel incident reporting regimes like NIS2. Together, these changes help get regulators the information they need while allowing financial entities to focus on other critical aspects of incident response. Financial entities must report incidents according to defined thresholds in specific templates and timelines – these are to be fully defined - as well as implement procedures for documenting root causes and improvements following incidents. 

Considerations for ICT providers: ICT providers need to be able to support customers’ incident reporting requirements. In addition, in the case of critical ICT providers, the new Lead Overseer will directly assess the provider's processes for identification, monitoring, and prompt reporting of material ICT-related incidents to financial entities. 

Google Cloud support: Starting in 2025, Google will notify customers with our updated DORA contract terms of ICT-Related Incidents that impact their use of Google Cloud. We will provide these notifications at no additional cost via our existing notification channels (including email, the Service Health Dashboard, and the Google Cloud Support Center). 

Although these requirements are still evolving, we are committed to providing notice within the time frames and with the information financial entities need to facilitate their own assessment and reporting based on the final requirements.

Considerations for EU financial entities:  Drawing on existing EU initiatives like TIBER-EU, DORA establishes a new EU-wide approach to testing digital operational resilience. For certain financial entities this includes advanced threat-led penetration testing (TLPT) every three years. By clarifying testing methodology and introducing mutual recognition of testing results, DORA will help financial entities continue to build and scale their testing capabilities in a way that works throughout the EU.  

Considerations for ICT providers: DORA directly addresses the role of the ICT provider in TLPT performed by financial entities. Notably, DORA permits pooled testing to manage the impact of testing on multi-tenant services like public clouds. In addition, in the case of critical ICT providers, the new Lead Overseer will directly assess the provider’s own testing of ICT systems, infrastructure, and controls. 

Google Cloud support: Starting in 2025, Google will participate in TLPT by facilitating pooled testing by an external tester as described in Article 26(4) of DORA. We are confident that pooled testing is the best way to effectively test digital operational resilience of Google Cloud while managing the inherent risks to other customers of testing in a multi-tenant environment.

Considerations for EU financial entities: DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements to implement an ICT third party risk management framework and for contracts with ICT providers. By helping to ensure that similar risks are addressed consistently across sectors and EU member states, DORA will enable financial entities to consolidate and enhance their ICT third-party risk management programs.

Considerations for ICT providers: ICT providers need to be able to support customers’ third party risk management requirements. In addition, DORA will allow the new Lead Overseer to directly oversee critical ICT providers. This mechanism will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations. 

Google Cloud support: Starting in February 2024, Google will offer financial entities updated contract terms for Google Cloud and Google Workspace to address the key contractual provisions in Article 30. If you need DORA contract terms, please contact your Google Cloud representative for further details. We have also created mappings to Article 30 for both Google Cloud and Google Workspace to help you understand how our contracts, controls, and processes can support you with meeting the DORA requirements.

Considerations for EU financial entities: DORA outlines considerations for financial entities to voluntarily share cyber threat information and intelligence with other financial entities and regulators. 

Considerations for ICT providers: DORA contemplates ICT providers being involved in information-sharing arrangements that protect potentially sensitive information. However, these arrangements are yet to be defined.  

Google Cloud support: Google Cloud offers products and services to help customers proactively protect against cyber threats in line with DORA’s requirements. We publish a quarterly Threat Horizons Report to provide strategic intelligence about threats to our customers. Customers can also leverage Mandiant’s incident response, cyber risk management services, and technical assurance services to guard against and prepare for cyber incidents.

DORA is a new EU regulation. It will apply across the financial services sector in all EU member states. DORA updates existing rules and establishes an enhanced set of common requirements to mitigate ICT risks and enhance digital resilience in the European financial system. Importantly, DORA also introduces a new framework for direct oversight of critical ICT providers by financial regulators in the EU.

DORA establishes an enhanced set of common requirements for financial entities in the EU to mitigate ICT risks and enhance digital resilience in the European financial system. In particular:

1. DORA contains detailed requirements for financial entities about ICT risk management.

2. DORA consolidates the financial sector incident reporting requirements under a single streamlined framework.

3. Drawing on existing EU initiatives like TIBER-EU, DORA establishes a new EU-wide approach to testing digital operational resilience, including threat-led penetration testing.

4. DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements for contracts with ICT providers.

DORA will also allow financial regulators to directly oversee critical ICT providers. This mechanism will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations.

DORA primarily applies to financial entities in the EU. However, part of DORA applies directly to ICT providers (including cloud services providers) who are designated “critical” by financial regulators in the EU following an official process. Designation will be based on a number of factors, including the systemic impact of a failure of the ICT provider’s services and the systemic importance of the financial entities that rely on those services.

DORA will take effect on 17 January 2025 (2 years and 20 days after it was published in the Official Journal of the EU). 

DORA only applies directly to critical ICT providers after they are designated “critical” by financial regulators in the EU. Therefore, the deadline for compliance for critical ICT providers depends on the timing of designation. Although DORA will not apply to Google Cloud directly unless and until an official designation, we are already preparing to address potential direct requirements.

We have been engaging with the policymakers on the DORA proposal since it was tabled in September 2020. In parallel we set up a readiness program to analyze potential customer expectations and our own responsibilities as DORA evolved during the legislative process. 

Now that the text of DORA is finalized, a cross-functional team at Google Cloud (including subject matter experts from Risk & Compliance, Security, Legal, Government Affairs and Product) is reviewing the details and preparing and implementing compliance plans where needed. These plans build upon our strong foundation in areas like security, resilience and third party risk management that already enable our customers to address the rigorous expectations under the EBA outsourcing guidelines, the EIOPA cloud outsourcing guidelines, the ESMA cloud outsourcing guidelines.

We intend to use the implementation period to further enhance our capabilities in each of the DORA focus areas. Our goal is to make Google Cloud the best possible service for sustainable, digital transformation for European organizations on their terms.

Although the text of DORA has been finalized, several important requirements must still be further specified in secondary legislation known as the DORA Level 2 acts. These include regulatory technical standards or “RTS” on key areas like incident reporting, threat-led penetration testing and subcontracting. 

We recognise that the final Level 2 requirements will need to be addressed where relevant. However, as the Level 2 drafts are subject to change, it is not possible to preempt them. 

To support policymakers and our customers, Google Cloud is actively engaging in the EU policy discussion on the DORA Level 2 acts. We will continue to participate in the dialogue about DORA in a transparent and constructive way. In particular, we will advocate for:

Consistency between each of the Level 2 acts and with the mandate provided in DORA.

Harmonization with the maturing approach in the global financial sector and other parallel EU regimes (e.g. on incident reporting).

Proportionality especially where regulatory approaches that may be appropriate for some ICT services may have an unintended, negative impact on financial sector resilience if applied to public cloud services.

The oversight framework for critical ICT providers under DORA creates a genuine opportunity to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators, and ultimately stimulate innovation in the financial sector in Europe. DORA will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations. We’re confident that this structured dialogue will help to improve risk management and resilience across the sector.

Google Cloud is committed to enabling regulators to effectively supervise a financial entity’s use of our services. We grant information, audit and access rights to financial entities, their regulators and their appointees, and support our customers when they or their regulators choose to exercise those rights. We would approach a relationship with a Lead Overseer with the same commitment to ongoing transparency, collaboration, and assurance. 

We are working to ensure our direct oversight function effectively supports regulator communication, efficient audits, and commitment to remediation within deadlines. Though we are very focused on planning for direct requirements, how regulatory oversight will work in practice still needs to be finalized in the regulatory technical standards on oversight.

Starting in February 2024, we will offer financial entities updated contract terms for Google Cloud and Google Workspace to address the key contractual provisions in Article 30. If you need DORA contract terms, please contact your Google Cloud Representative for further details. 

We have also created mappings to Article 30 for both Google Cloud and Google Workspace to help you understand how our contracts, controls, and processes can support you with meeting the DORA requirements.

We engage on financial services sector policy developments that significantly impact Google Cloud and our customers’ use of our services globally. 

Where policymakers are considering an approach similar to DORA, they often first consider how that approach fits into the existing local regulatory framework, including any perceived areas for improvement. The European Commission consulted on this issue in 2020 before proposing the initial DORA draft. 

Where policymakers have confirmed the need for a different (and potentially direct) regulatory approach, we engage to share our technological expertise vis-a-vis cloud services and consistently advocate for:

harmonization and deduplication of requirements (both within and between countries)

requirements that are proportionate and fit-for-purpose

a technology neutral approach that encourages innovation

- an approach that respects the security and integrity of our services for all our customers

The UK is an example of another country currently considering a direct regulatory framework for critical third party providers to the financial sector. We are engaging on the Consultation Paper based on the principles above. 

It is important to keep in mind that DORA is not the only regulation that would apply to cloud providers in Europe. The NISD2 Directive will also introduce sector-agnostic supervision for critical third parties, and there are many national requirements that apply to cloud services in regulated industries. 

Cloud adoption in financial services is still new, and forthcoming regulation needs to stimulate this type of innovation. Different countries will take different approaches to ensuring security and operational resilience of the financial services ecosystem, and direct regulation or oversight is not the only solution that fits different markets. We understand that regulators in other jurisdictions are equally focused on standards, horizontal rules and self-regulatory practices. Whichever approach policymakers take, it is important to ensure regulatory consistency and harmonization of the applied principles across the board as they impact global technology players and the cross-border digital finance ecosystem.