DORA compliance requirements
Improve compliance with DORA by using the revised contracts provided by Google Cloud. With less than a year left to prepare for the implementation of the EU Digital Operational Resilience Act (DORA), Google Cloud is releasing further details today on how it intends to assist financial firms in complying with DORA.
What is DORA compliance?
When the rules for DORA were established in 2022, a cross-functional team at Google Cloud began working to prepare for DORA. As an organization, Google Cloud is dedicated to DORA compliance and has been working toward this goal ever since. That work includes implementing operational modifications and enhancing how it provides customer assistance.
Leverage pre-built terms addressing DORA requirements in Article 30
Beginning today, financial companies can use Google Cloud's amended contract terms for Google Cloud and Google Workspace, which cover the major contractual elements in Article 30. This will assist customers in ensuring that their Google Cloud contracts are in compliance with DORA by January 17, 2025.
Responsibility for the management of third-party risks in information and communications technology:
Article 30 of DORA sets out key contractual terms: financial institutions are required to address certain issues in their contracts for information and communications technology (ICT) services. Because DORA does not provide a transition period for contracts that are already in place, Google Cloud understands that customers will wish to address these needs in their Google Cloud contracts well in advance of January 17, 2025.
In addition to revising the wording of the contract terms for Google Cloud and Google Workspace, Google has also developed mappings to Article 30 for each of these services. Customers can use these mappings to better understand how these agreements, controls, and procedures may support their DORA requirements. For further information, customers that want DORA contract terms may get in touch with their Google Cloud representative.
Incident reporting: Google Cloud is dedicated to reporting incidents and to assisting customers with the incident reporting that is expected of them. For DORA in particular, beginning on January 17, 2025, Google will notify customers of ICT-related incidents that affect their usage of Google Cloud. These notifications will be made available to customers at no extra cost via the notification channels they are already familiar with, which include email, the Service Health Dashboard, and the Google Cloud Support Center.
Google Cloud is aware that the DORA standards in this area are still changing. Google Cloud is dedicated to aligning itself with the final criteria in order to provide customers with the necessary information, and to provide notification within the applicable time frames. This will allow customers to support their own evaluation and reporting.
Testing for digital operational resilience: Google Cloud is dedicated to providing a support model for threat-led penetration testing (TLPT), which will make it possible to conduct cloud testing that is both efficient and safe. In accordance with the provisions of Article 26(4), Google Cloud will actively engage in TLPT beginning in 2025 by supporting pooled testing conducted by an external tester. Google Cloud is confident that pooled testing is the most effective method for efficiently validating the digital operational resilience of Google Cloud. This method also allows it to manage the inherent risks that testing in a multi-tenant environment poses to other customers.
How Google Cloud is participating in the Level 2 acts
Although the text of DORA has been finalized, a number of essential criteria still need to be clarified in secondary legislation, referred to as the DORA Level 2 acts. Regulatory technical standards and implementing technical standards (RTS and ITS) are included in this category. These standards apply to crucial areas such as incident reporting, threat-led penetration testing, and subcontracting requirements.
Google Cloud is actively participating in the European Union's policy debate around the DORA Level 2 acts in order to provide assistance to policymakers and its clients. From this point forward, Google Cloud will continue to engage in the conversation around DORA in a manner that is both open and productive. Specifically, it will argue for the following:
Coherence between each of the Level 2 acts and the mission that is outlined in DORA.
Harmonization with the mature approach in the global financial industry and with other parallel EU regimes (such as for incident reporting).
Proportionality, particularly in situations where regulatory measures that would be suitable for some information and communications technology services might have an unanticipated and detrimental effect on the resilience of the financial sector if they were applied to public cloud services.
The future in view
It will be very important for financial institutions and the ICT providers that they work with to be ready for DORA this year. As the deadline approaches, Google Cloud will continue to provide its customers with new materials and updates that are relevant to the applicable DORA regulations.