Date: 2024-02-07



With less than a year until the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) comes into force, today we are announcing how Google Cloud plans to support financial institutions with DORA compliance.

We are committed to DORA compliance as an organization, and cross-functional teams at Google Cloud have been working on DORA readiness since the requirements were finalized in 2022. This includes implementing operational changes and enhancing our customer support model.

Starting today, to help customers ensure their Google Cloud agreements are DORA compliant by January 17, 2025, financial institutions will have access to updated terms and conditions for Google Cloud and Google Workspace that address the key contract provisions in Article 30.

How Google Cloud helps customers respond to DORA

Managing information and communications technology third-party risks: Article 30 of DORA contains key contractual provisions that financial institutions must address in their contracts for information and communications technology (ICT) services. DORA does not provide a transition period for existing contracts, so we encourage customers to request that their Google Cloud contracts address these requirements well in advance of January 17, 2025.

In addition to updating the terms and conditions for Google Cloud and Google Workspace, we also created a mapping of Google Cloud and Google Workspace to Article 30. These mappings help our customers understand how our contracts, controls, and processes can support their DORA obligations. Customers who require DORA terms and conditions should contact their Google Cloud representative for more information.

Incident reporting: Google Cloud is committed to reporting incidents and assisting customers with their incident reporting needs. Specifically for DORA, starting January 17, 2025, we will notify customers of ICT-related incidents that impact their use of Google Cloud. (Please note that you must be subscribed to the DORA Terms and Conditions to receive ICT-related incident notifications.) These notifications will be sent through Google Cloud's existing notification channels, including your preferred email address, the Service Health Dashboard, and the Support Center, at no additional charge.

We recognize that DORA requirements in this area continue to evolve. Google Cloud is committed to providing notification within the required timeframe and providing customers with the information they need to facilitate their own assessment and reporting, consistent with the final requirements.

Digital Operational Resilience Testing: Google Cloud is committed to providing a support model for threat-led penetration testing (TLPT) that enables effective and secure cloud testing. From 2025, we will participate in TLPT by facilitating pooled testing by external testers as described in Article 26.4. We believe pooled testing is the best way to effectively test Google Cloud's digital operational resilience while managing the inherent risks to other customers that come with testing in a multi-tenant environment.

How Google Cloud engages on Level 2 legislation

Although the text of DORA is complete, several important requirements still need to be further detailed in secondary legislation, known as DORA Level 2 legislation. These include regulatory and implementing technical standards (RTS and ITS) in key areas such as incident reporting, threat-led penetration testing, and subcontracting.

To support policymakers and customers, Google Cloud is actively participating in EU policy discussions regarding DORA Level 2 legislation. We will continue to engage in the conversation about DORA in a transparent and constructive manner. In particular, we will advocate for the following:

Consistency between Level 2 legislation and the powers provided in DORA; harmonization with mature approaches in the global financial sector and with other parallel EU regimes (e.g. on incident reporting); and proportionality, particularly where regulatory approaches that are appropriate for some ICT services can have unintended negative impacts on the resilience of the financial sector when applied to public cloud services.

Looking to the future

This year will be critical for financial institutions and their ICT providers as they prepare for DORA. As the deadline approaches, we continue to support our customers with new resources and updates that address applicable DORA requirements.

Our goal is to make Google Cloud the service of choice for sustainable digital transformation for European organizations on their terms, and we look forward to sharing more in the future.

