Google Cloud & the EU Network and Information Systems Directive (NIS2)

Google supports your NIS2 compliance efforts by committing in our contracts to implement and maintain technical, organizational and physical security measures in relation to our cloud services. We also offer you additional security products and features to help you protect your cloud environments. Google publishes documentation and resources to assist you in your security assessment of our Google Cloud and Workspace services.

Information as to how our contracts, controls, and processes support your supplier and service provider acquisition requirements contained in Article 21(2) of the NIS2 Directive and Points 5.1 and 6.1 of the EU implementing regulation annex are provided below.

Cybersecurity in Google Cloud and Workspace

Security in Google Cloud and Workspace is addressed in the Cloud Data Processing Addendum, which describes the security of the data centers, hardware, software, and networking that support the services. Given the one-to-many nature of our services, Google provides the same robust security for all our customers. We provide detailed information to customers about our security practices so that customers can understand them and consider them as part of their acquisition requirements.

More information is available at: 

• Google Cloud Trust Center 
• Google Security Overview 
• Google Infrastructure Security Design Overview 
• Security Resources

Although you define the security of your data and applications in the cloud, the security of your data is of paramount importance to Google. We take the following proactive steps to assist you: 

• Encryption at rest. Google encrypts customer data stored at rest by default, with no additional action required from you. More information is available at Google Cloud Encryption at rest and Google Workspace Encryption whitepaper.
• Encryption in transit. Google encrypts and authenticates all data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. More information is available at Google Cloud Encryption in transit and Google Workspace Encryption whitepaper. 

You can choose to use Google Cloud Security products to enhance and monitor the security of your data. Information on Google Cloud Security products is available at Cloud Security Products. 

Google also publishes cloud security best practices guides and resources at Google Cloud security best practices and on our Google Workspace security and data protection page.

Google provides service level agreements regarding availability of our cloud services. They are available at Google Cloud Platform Service Level Agreements and Google Workspace Service Level Agreement. Customers can monitor Google’s performance of our services (including the service level agreements) on an ongoing basis using the functionality of the services. Google maintains and makes available to customers dashboards that provide information about the status of the Google Cloud services at https://status.cloud.google.com and Workspace services at https://www.google.com/appsstatus/dashboard/. The status dashboards are provided for informational purposes only.

Personnel Skills and Training

The skills and training of Google personnel is addressed in Appendix 2: Security Measures of the Cloud Data Processing Addendum. Google personnel are required to comply with Google’s confidentiality and privacy policies, are provided with security training and are required to complete additional requirements appropriate to their role. Google personnel are also required to conduct themselves in a manner consistent with our guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. 

Personnel Background Verification

Google’s background verification of Google personnel is addressed in Appendix 2: Security Measures of the Cloud Data Processing Addendum. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Incident Notification

Google’s incident notification commitments are set forth in Section 7.2 of the Cloud Data Processing Addendum. Google notifies customers promptly and without undue delay after becoming aware of data incidents and promptly takes reasonable steps to minimize harm and secure customer data. More information is available at Data Incident Response Process.

Audit Reports

Google recognizes that you expect independent verification of our security, privacy and compliance controls. Google undergoes several independent third-party audits on a regular basis to provide this assurance. Google commits to comply with the following key international standards during the term of our contract with you: 

• ISO/IEC 27001 (Information Security Management Systems) 
• SOC 2 
• SOC 3

as well as any additional certifications described in Appendix 4 of the Cloud Data Processing Addendum. You can review Google’s current certifications and audit reports at any time. Compliance reports manager provides you with easy, on-demand access to these critical compliance resources.

Vulnerability Management

Google’s internal vulnerability management process actively scans for security threats across technology stacks. This process uses a combination of commercial, open-source, and purpose-built in-house tools. Vulnerabilities that we have mitigated are published to Google Cloud security bulletins. More information about vulnerability management is available in our Google Security Overview.

Subprocessor Cybersecurity

Google’s cybersecurity requirements for its subprocessors are addressed in Section 11 and Appendix 2: Security Measures of the Cloud Data Processing Addendum. Google conducts an audit of the security and privacy practices of subprocessors before onboarding to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Data Retrieval and Deletion

Retrieval and deletion of customer data upon contract termination are addressed in Sections 6 and 9 of the Cloud Data Processing Addendum. Google enables customers to export customer data in a manner consistent with the functionality of the Services. Google deletes customer data from Google’s systems at the end of the term as described in Section 6.

Google will continue to evolve our capabilities as the regulatory landscape changes.