EU Digital Operational Resilience Act (DORA)

European Union (EU) financial entities and their critical Information and Communications Technology (ICT) providers must comply with the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’). DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and EU member states.

In addition to establishing clear expectations for the role of ICT providers, DORA allows EU financial regulators to oversee critical ICT third party providers (CTPPs) directly where certain criteria are met. Google Cloud EMEA Limited has been officially designated as a CTPP following a criticality assessment by the European Supervisory Authorities. This designation includes the following Google Cloud EMEA Limited subsidiaries: Google Cloud France SARL, Google Cloud Italy S.r.l, and Google Cloud Poland Sp. z o.o.

Google Cloud’s support for customers

Google Cloud is committed to supporting our customers with resources that address the applicable DORA requirements, including:

  • DORA FAQs
  • Updated contract terms for Google Cloud, Google Workspace and SecOps Services to address the key contractual provisions in Article 30 of DORA and the RTS on Subcontracting. If you need DORA contract terms, please contact your Google Cloud representative for further details.
  • Mappings to Article 30 of DORA for both Google Cloud and Google Workspace to help customers understand how our contracts, controls, and processes can support their DORA requirements.
  • An ICT Risk Management Customer Guide to support compliance with DORA’s risk management requirements
  • A Register of Information Customer Guide to provide the information you need from us to complete the relevant Register of Information templates for Google Cloud services.
  • A Third-Party Risk Management Resource Center that provides information about how we select, manage, and monitor our subcontractors at Google Cloud, giving you insight into how we carefully manage your exposure to third-party risk.

Key areas of the Digital Operational Resilience Act

ICT risk management

Considerations for EU financial entities: Financial entities must establish an internal governance and control framework for ICT risk management and engage in ongoing monitoring of ICT risks. These ICT risk management and monitoring requirements extend to the use of ICT services provided by third-party providers.

Considerations for ICT providers: ICT providers need to be able to support customers’ ICT risk management and monitoring, including where relevant systems and processes are managed by the provider. In addition, in the case of critical ICT providers, the new Lead Overseer will assess the provider’s risk management processes, including ICT risk management policies, ICT business continuity policy, and ICT response and recovery plans. 

Google Cloud support: Even before you are on Google Cloud, you can use our Risk Assessment & Critical Asset Discovery solution to evaluate your organization’s current IT risk, identify where your critical assets reside, and receive recommendations for improving your security posture and resilience. We’ve also published guidance on managing risk with controls and managing your assets. 

Once on Google Cloud, you can leverage several tools to map and manage your cloud resources on an ongoing basis, including Cloud Monitoring, Resource Manager, Infrastructure Manager, and Cyber Insurance Hub. Information about Google’s approach to risk management is available in Google’s certifications and audit reports.

If you would like additional assistance, Mandiant (now part of Google Cloud) offers Risk Management services including Cyber Risk Management Operations Service, Threat Modeling Security Service, Cyber Security Due Diligence Service, and a Cyber Security Program Assessment. Please also see our ICT Risk Management Customer Guide for additional guidance.

Incident reporting

Considerations for EU financial entities: DORA consolidates financial sector incident reporting requirements under a single streamlined framework. This means financial entities operating in multiple sectors or EU member states should no longer need to navigate parallel, overlapping reporting regimes during what is necessarily a time-sensitive situation.

DORA also aims to address parallel incident reporting regimes like NIS2. Together, these changes help get regulators the information they need while allowing financial entities to focus on other critical aspects of incident response. Financial entities must report incidents according to defined thresholds in specific templates and timelines as well as implement procedures for documenting root causes and improvements following incidents. 

Considerations for ICT providers: ICT providers need to be able to support customers’ incident reporting requirements. In addition, in the case of critical ICT providers, the Lead Overseer will directly assess the provider's processes for identification, monitoring, and prompt reporting of material ICT-related incidents to financial entities. 

Google Cloud support: Google will notify customers on our updated DORA contract terms of ICT-Related Incidents that impact their use of Google Cloud. We will provide these notifications at no additional cost via our existing notification channels (including email, Personalized Service Health (PSH), the Service Health Dashboard, and the Google Cloud Support Center).

We are committed to providing notice within the time frames and with the information financial entities need to facilitate their own assessment and reporting based on the DORA requirements.

Digital operational resilience testing

Considerations for EU financial entities: Drawing on existing EU initiatives like TIBER-EU, DORA establishes an EU-wide approach to testing digital operational resilience. For certain financial entities this includes advanced threat-led penetration testing (TLPT) every three years. By clarifying testing methodology and introducing mutual recognition of testing results, DORA helps financial entities continue to build and scale their testing capabilities in a way that works throughout the EU.

Considerations for ICT providers: DORA directly addresses the role of the ICT provider in TLPT performed by financial entities. Notably, DORA permits pooled testing to manage the impact of testing on multi-tenant services like public clouds. In addition, in the case of critical ICT providers, the Lead Overseer will directly assess the provider’s own testing of ICT systems, infrastructure, and controls. 

Google Cloud support: Google will participate in TLPT by facilitating pooled testing by an external tester as described in Article 26(4) of DORA. We are confident that pooled testing is the best way to effectively test the digital operational resilience of Google Cloud while managing the inherent risks to other customers of testing in a multi-tenant environment.

ICT third-party risk management

Considerations for EU financial entities: DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements to implement an ICT third-party risk management framework and for contracts with ICT providers. By helping to ensure that similar risks are addressed consistently across sectors and EU member states, DORA will enable financial entities to consolidate and enhance their ICT third-party risk management programs.

Considerations for ICT providers: ICT providers need to be able to support customers’ third-party risk management requirements. In addition, DORA will allow the Lead Overseer to directly oversee critical ICT providers. This mechanism will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations.

Google Cloud support: Google offers financial entities updated contract terms for Google Cloud, Google Workspace and SecOps Services to address the key contractual provisions in Article 30. If you need DORA contract terms, please contact your Google Cloud representative for further details. We have also created mappings to Article 30 for both Google Cloud and Google Workspace to help you understand how our contracts, controls, and processes can support you with meeting the DORA requirements.

Information sharing

Considerations for EU financial entities: DORA outlines considerations for financial entities to voluntarily share cyber threat information and intelligence with other financial entities and regulators.

Considerations for ICT providers: DORA contemplates ICT providers being involved in information-sharing arrangements that protect potentially sensitive information. However, these arrangements are yet to be defined.  

Google Cloud support: Google Cloud offers products and services to help customers proactively protect against cyber threats in line with DORA’s requirements. We publish a quarterly Threat Horizons Report to provide strategic intelligence about threats to our customers. Customers can also leverage Mandiant’s incident response, cyber risk management services, and offensive security services to guard against and prepare for cyber incidents.

Applicability and Google Cloud’s responsibility

DORA allows the European Supervisory Authorities (ESAs) to oversee critical ICT third-party service providers (CTPPs) directly where certain criteria are met. Google Cloud EMEA Limited has been officially designated as a CTPP following a criticality assessment by the ESAs. This designation includes the following Google Cloud EMEA Limited subsidiaries: Google Cloud France SARL, Google Cloud Italy S.r.l, and Google Cloud Poland Sp. z o.o. We proactively prepared for designation and intend to engage openly with the ESAs during direct oversight.

Like existing ICT risk management requirements, DORA contains requirements about how financial entities in the EU should manage their ICT providers (including cloud services providers). Although these requirements don’t apply to ICT providers directly, Google Cloud recognises that we will need to enable our customers to address these expectations comprehensively to ensure their continued success while using our services. 

Google Cloud continues to enhance our product and operational capabilities in each of DORA’s focus areas (see the examples above). To support our customers, we have dedicated teams, such as our Office of the CISO, that address customers’ questions and feedback.

FAQs

DORA is an EU regulation. It applies across the financial services sector in all EU member states. DORA updates existing rules and establishes an enhanced set of common requirements to mitigate ICT risks and enhance digital resilience in the European financial system. Importantly, DORA also introduces a framework for direct oversight of critical ICT providers by financial regulators in the EU, namely the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (together, the European Supervisory Authorities).

DORA establishes an enhanced set of common requirements for financial entities in the EU to mitigate ICT risks and enhance digital resilience in the European financial system. In particular:

  1. DORA contains detailed requirements for financial entities about ICT risk management.
  2. DORA consolidates the financial sector incident reporting requirements under a single streamlined framework.
  3. Drawing on existing EU initiatives like TIBER-EU, DORA establishes an EU-wide approach to testing digital operational resilience, including threat-led penetration testing.
  4. DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements for contracts with ICT providers.

DORA also allows the European Supervisory Authorities to directly oversee critical ICT providers. This mechanism creates a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations.

DORA primarily applies to financial entities in the EU. However, part of DORA applies directly to ICT providers (including cloud services providers) who are designated “critical” by the European Supervisory Authorities following an official process. Designation is based on a number of factors, including the systemic impact of a failure of the ICT provider’s services and the systemic importance of the financial entities that rely on those services.

DORA took effect on 17 January 2025 (2 years and 20 days after it was published in the Official Journal of the EU). 

DORA only applies directly to critical ICT providers after they are designated “critical” by the European Supervisory Authorities. Therefore, the deadline for compliance for critical ICT providers depends on the timing of designation.

Google Cloud EMEA Limited has been officially designated as a critical ICT third-party service provider (CTPP). This designation includes the following Google Cloud EMEA Limited subsidiaries: Google Cloud France SARL, Google Cloud Italy S.r.l, and Google Cloud Poland Sp. z o.o.

Google Cloud EMEA Limited has been designated as a critical ICT third-party service provider (CTPP) based on a criticality assessment performed by the European Supervisory Authorities (ESAs). To reach a conclusion about each CTPP, the ESAs consider the following criteria set out in DORA: (a) the systemic impact of a disruption of the CTPP’s ICT services on the financial sector, (b) the systemic importance of the financial entities using the CTPP’s ICT services, (c) the level of reliance of financial entities on the CTPP’s ICT services, and (d) the substitutability of the CTPP’s ICT services. The precise methodology for the ESAs’ criticality assessment is set out in the Delegated Regulation specifying the criteria for the designation of ICT third-party service providers as critical for financial entities.

Google Cloud EMEA Limited will be directly overseen by an assigned Lead Overseer. The Lead Overseer will be one of the European Supervisory Authorities for the financial sector. The Lead Overseer will assess if Google Cloud EMEA Limited has comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the information and communication technology (ICT) risk that it may pose to financial entities using its services. If you would like more information about how oversight of critical ICT third-party service providers (CTPPs) will work in practice, please refer to the Guide to Oversight Activities published by the European Supervisory Authorities.

Designation and oversight of Google Cloud EMEA Limited as a critical ICT third-party service provider (CTPP) does not affect a customer’s use of our services or alter the terms in your contract.

If your organization is a financial entity subject to DORA, oversight of a CTPP does not in any way replace or reduce your organization’s own responsibilities under DORA, including for third-party risk management.

That said, we are confident that customers and users will benefit from the oversight of CTPPs, which supplements risk management by financial entities and creates a clear mechanism for information and lessons learned to flow between CTPPs and key EU and national supervisory stakeholders.
The oversight framework for critical ICT providers under DORA creates a genuine opportunity to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators, and ultimately stimulate innovation in the financial sector in Europe. DORA will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations. We’re confident that this structured dialogue will help to improve risk management and resilience across the sector.

Google Cloud is committed to enabling regulators to effectively supervise a financial entity’s use of our services. We grant information, audit and access rights to financial entities, their regulators and their appointees, and support our customers when they or their regulators choose to exercise those rights. We will approach a relationship with our Lead Overseer with the same commitment to ongoing transparency, collaboration, and assurance. 

We are very focused on planning for direct oversight requirements and committed to ensuring that our direct oversight function effectively supports the regulator communication, efficient audits, and remediation plans within deadlines.

We offer financial entities updated contract terms for Google Cloud, Google Workspace and SecOps Services to address the key contractual provisions in Article 30. If you need DORA contract terms, please contact your Google Cloud Representative for further details. 

We have also created mappings to Article 30 for both Google Cloud and Google Workspace to help you understand how our contracts, controls, and processes can support you with meeting the DORA requirements.

The RTS on Subcontracting contains additional contract requirements. Our updated contract terms for Google Cloud, Google Workspace and SecOps Services also address the contractual requirements in the RTS on Subcontracting. If you need DORA contract terms, please contact your Google Cloud Representative for further details.

Where you use Google Cloud to provide your own ICT services to financial entities in the EU, we recognize that you need the right downstream contract terms in place with Google. To help, in this scenario we offer customers and partners equivalent contract terms to address the key contractual provisions in Article 30. If you need DORA contract terms, please contact your Google Cloud Representative for further details. 

We have also created a mapping to Article 30 for Google Cloud to help you understand how our contracts, controls, and processes can support you with meeting the DORA requirements.
