Search the Community

The newest version of the European Union Network and Information Systems directive, or NIS2, came into force in January 2023. Member States have until October 2024 to transpose it into their national law. One of the most critical changes with NIS2 is the schedule for reporting a cybersecurity breach. Unlike NIS, NIS2 requires that every […] The post Taking Time to Understand NIS2 Reporting Requirements appeared first on Blog. The post Taking Time to Understand NIS2 Reporting Requirements appeared first on Security Boulevard. View the full article

Last July, Google Cloud launched our ambassador partnership with the Health Information Sharing and Analysis Center (Health-ISAC) and committed to working with industry leaders to better protect our healthcare ecosystem. Securing healthcare technology and data is a global challenge, and to meet it security professionals need to have better channels for sharing information and effective security practices. To that end, we’re pleased to announce that our relationship with Health-ISAC is now expanding to include CISOs and security leaders in Europe, the Middle East, and Africa (EMEA). On May 23, 2023, we’ll join the Health-ISAC on a 17-city tour across the region, starting in Zurich, Switzerland, as part of its European Healthcare Threat Landscape Tour. In each session, we will bring together experts from across the region with cybersecurity practitioners from the Health-ISAC, Google Cloud, law enforcement, and regulatory bodies. Our goals is to focus the discussions on several topics: How the threat landscape is unique to each country we visit; How we can better share threat intelligence; What are the emerging European laws and regulations that can affect healthcare and cybersecurity; How ransomware continues to evolve and the threat that poses to healthcare; organizations; What we can do to improve cyber incident response; What impact digital sovereignty can have on European healthcare; And which initiatives Health-ISAC and Google Cloud are launching to better protect Europe’s healthcare system. The timing for the tour could not come at a more critical time. Ransomware and digital extortion threatens healthcare and its subsectors, with national health systems in Ireland, UK, Germany, and Spain all recently experiencing extended outages because of ransomware. Threat actors continue to target proprietary data at biotechnology and pharmaceutical firms. Meanwhile, existing regulations such as the Digital Markets Act and GDPR, and new regulations such as the NIS2 Directive (Directive (EU) 2022/2555), which seek to protect EU citizens and businesses from risks posed by the digital world, are raising the bar that CISOs and security leaders must surpass to ensure their businesses can stay compliant and able compete in the global digital economy. “The European Healthcare Threat Landscape Tour is one of many efforts we have undertaken to build a closer community of trust around threats and cybersecurity practices that keep health organization's safe,” said Denise Anderson, executive director, Health-ISAC. “We all rely on these organizations to take care of us and produce therapies that keep us healthy. Delivering these engagements alongside Google Cloud helps us achieve global scale and shows off both organizations’ commitments to building a sustainable, resilient healthcare ecosystem for entire societies.” Each stop in the tour will provide opportunities to dive deep into these topics, grow an understanding of these challenges, create a space for collaboration, and build closer, trusted partnerships. The meetings are open to member and non-member organizations working in healthcare. Interested participants can contact the Health-ISAC through their contact form or register on their website for the nearest event. “The Google Cybersecurity Action Team’s mission is to secure customers, secure the cloud, and secure the planet (and beyond). Working with industry groups like Health-ISAC helps us achieve this mission while respecting each other and the unique challenges European health systems face. Myself and our EMEA-based Google Cloud and Mandiant security teams are looking forward to another great collaboration,” said Phil Venables, chief information security officer, Google Cloud. At Google Cloud, we’re committed to helping build a secure and resilient healthcare ecosystem for everyone. As we hit the road with the Health-ISAC this summer, we’ll be sure to send updates on what we learn through this collaboration and how we can all work together to secure smarter in 2023 and beyond.

Welcome to February’s Cloud CISO Perspectives. This month, we’re going to take a look at one of the most important issues our industry faces right now: securing the software supply chain. At Google Cloud, we’ve been heavily invested in creating a layered approach to software supply chain security, which I talk about in my column below. But first, I want to acknowledge that it has been one year since Russia invaded Ukraine. In addition to the immeasurable impact on the lives across the region, this also marks the first time that cyber operations have played such a prominent role in a world conflict. There were more cyberattacks against Ukraine from January to April than there had been in the entire eight years preceding the invasion. We’ve reflected on this further in “The Fog of War,” a new report by Google’s Threat Analysis Group (TAG) and Mandiant. It was also a primary topic of discussion at the Munich Cyber Security Conference, where policymakers, business leaders, and technology experts discussed how the role of transformational technologies can help build more resilient cyber defenses. We’re continuing to provide support for the Ukrainian government and aid organizations before, during, and after security events. As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here. SBOM+SLSA = Safer software As the complexity of today’s software has increased, and the role it plays in businesses become even more vital than before, so too has securing the software supply chain grown more important. Google has pledged $10 billion to advancing cybersecurity, and we are committed to protect key open source components that are vital to our public infrastructure and organizations around the world. While high-profile security incidents such as SolarWinds and Log4j have helped convince government and business leaders of the importance of securing the software supply chain, there is still much work to be done. aside_block [StructValue([(u'title', u'Hear monthly from our Cloud CISO in your inbox'), (u'body', <wagtail.wagtailcore.rich_text.RichText object at 0x3eb9adabcc50>), (u'btn_text', u'Subscribe today'), (u'href', u'https://go.chronicle.security/cloudciso-newsletter-signup?utm_source=cgc-blog&utm_medium=blog&utm_campaign=FY23-Cloud-CISO-Perspectives-newsletter-blog-embed-CTA&utm_content=-&utm_term=-'), (u'image', <GAEImage: gcat small.jpg>)])] Securing the software we depend on is a key priority for defenders and something Google is committed to helping organizations do. At Google Cloud, we strongly believe that using a software bill of materials (SBOM) in conjunction with our open-source Supply chain Levels for Software Artifacts (SLSA) framework can create a more secure and more resilient software supply chain ecosystem. An SBOM will tell you what’s in the software, and if there are any publicly-disclosed vulnerabilities that you need to update. Those are important, but that still leaves the supply chain at risk of exploitation: An SBOM won’t tell you if the software was produced with security and integrity in mind. In the case of SolarWinds, having an SBOM wouldn’t have helped stop the attack or detect the breach earlier because the attack vector relied on rogue software implanted through a software build system compromise. To know that you can trust the software, you also need to understand how the organization that produced the software is controlled. Nearly a decade in development, the SLSA framework can help you analyze end-to-end software supply chain risk. It creates a set of incremental, enforceable security guidelines that automatically create auditable metadata. It’s a verifiable way to assure consumers that the software they use hasn’t been tampered with. Organizations need to know what is in the software and have the ability to assess the integrity of how the software is built. Combining SBOM and SLSA creates the framework needed to answer this. As public cloud providers apply SBOM and SLSA to their own software supply chains, their customers will automatically benefit from the improved security. We have also been working on products so organizations can utilize these frameworks in their software development processes. Our Software Delivery Shield solution, announced at Google Cloud Next in October 2022, is a fully-managed software supply chain security solution with a modular set of capabilities to help developers, DevOps, and security teams build secure applications. It supports organizations at different stages of software development maturity, so they can tailor the solution to their specific needs and security priorities. We also have our Assured Open Source Software (OSS) service that can help development teams incorporate the same OSS packages that Google uses into their developer workflows. The software curated by the Assured OSS service is regularly scanned for vulnerabilities, updated, and tested by Google, is verifiably signed by Google, and is SLSA compliant. I’ve spoken at length about how at Google Cloud we believe in a shared fate approach to security. While that’s true for identifying security responsibilities with our customers, it’s also true for how we approach industry-wide problems such as securing the software supply chain. Software developers and security leaders can come together to make software more resilient against cyberattacks to continue to build global trust in technology. In case you missed it Here are the latest updates, products, services, and resources from our security teams this month: Join our quarterly Security Talks on March 22: Our quarterly digital event Google Cloud Security Talks explores the latest security products, trends, and innovations coming from our cybersecurity leaders and practitioners. In our first session of the year, we combine several short discussions on topics including modernizing your security operations and building security into your cloud transformation journey with a deep dive on the latest threat intel trends from our Mandiant research teams. Register now. Security takeaways from our report on Russian cyber operations against Ukraine: As a new Google report demonstrates, organizations are at risk from the types of attacker activities that Russia has been using against Ukraine. Executive leaders who understand these threats are better positioned to help their organization reduce risk. Here's why. Security Leaders Survival Guide: How to tell if your team is on the right path: Digital transformations can be a difficult exercise, with concerns or requirements for data compatibility, sovereignty, resiliency, and security all playing a role. For the third blog in this series, we offer cloud security advice for financial services security leaders. Read more. Health-ISAC and Google Cloud partner to build more resilient healthcare: Working with the Health-ISAC Threat Operations Center, Google Cloud security engineers have connected the Health-ISAC Indicator Threat Sharing (HITS) feed directly to our Chronicle Security Operations information and event management. HITS allows Health-ISAC members to easily connect and quickly share threat intelligence through machine-to-machine automation. Read more. Black History Month: Celebrating the success of Black founders with Google Cloud: F8th: Vivene Salmon Gagné, co-founder and chief legal officer for cybersecurity startup F8th, talks about how Google Cloud helped F8th grow and develop its behavioral biometric algorithms. Read more. Vroom! Google Cloud joins Catena-X to help car makers build a sovereign data ecosystem: Google Cloud brings to the Catena-X Automotive Network Association secure and sovereign data management, data analytics, cloud-first integration of advanced AI technologies, and open source efforts to help create a shared service ecosystem. Read more. How Google Cloud Armor helps Broadcom block DDoS Attacks: As Broadcom migrated its enterprise security solution infrastructure from Amazon Web Services to Google Cloud, defending the environment’s network security infrastructure remained a top priority. Here’s how we helped Broadcom protect against DDoS attacks. Read more. Three steps to protect your software supply chain today: A new paper from Google Cloud analyzes recent high-profile software supply chain attacks and recommends three actions your organization can take to better protect your software supply chain. Read more. The top five global data and AI trends in 2023: Global organizations have increased customer trust and productivity by improving how they discover, classify, and manage their structured and unstructured data. Our 2023 Data and AI Trends report can help security leaders and teams learn more about why knowing your data is vital to your organization. Read more. Google Cloud security tips, tricks, and updates Mandiant now supports Attack Surface Management for Google Cloud: How do adversaries see your network? You can see what they see with Mandiant Attack Surface Management for Google Cloud, which can enable customers to centralize visibility into cloud-hosted external assets. Read more. Confidential GKE Nodes now available on Compute Optimized C2D VMs: Organizations which rely on Google Kubernetes Engine can enhance the security of GKE clusters or node pools, which includes keeping data encrypted in memory with dedicated keys generated and managed by the processor. Read more. Harden Kubernetes clusters, monitor workload compliance at scale: Evaluate your new and existing applications for PCI DSS compliance with Google Cloud’s Policy Controller, which enables the enforcement of fully programmable policies for your clusters. Read more. New Google Cloud Firewall capabilities now available: Our unique, fully-distributed architectural approach to firewalls is a scalable, built-in service with advanced protection capabilities that can help strengthen and simplify your security posture, and implement Zero Trust networking, for cloud workloads. Here's how to get started. How to integrate Cloud SQL for PostgreSQL or MySQL in your authentication flow: Hardening a complex application is a challenge, especially for applications that include multiple layers with different authentication schemes. With our new Integrated IAM authentication capability, customers can leverage end-to-end authentication for their applications and while applying our robust auditing capabilities. Read more. How to secure Cloud Run deployments with least privilege access: With Cloud Run, developers can quickly deploy production web apps and APIs on a serverless environment running on top of Google Cloud. Here’s how to improve Cloud Run security by applying the principle of least privilege to inbound and outbound scenarios. Read more. How to use Anthos to improve governance and security for platforms and apps: Anthos is our secure container application platform that runs on premises and in the cloud, with integrated and easy-to-operationalize security features connected to a centralized control plane in the Google Cloud. It can be used to implement security policies across distributed platforms and applications. Learn how. Document AI Workbench can train document extraction models for production use cases: AI for security is not just about anomaly and malware detection: It can have huge benefits for workflow and productivity enhancements. Read more. Compliance and Controls How Google Cloud is preparing for NIS2 and supporting a stronger European cyber ecosystem: To help combat the threat of online data theft, the EU passed the Network and Information Security Directive 2.0 (NIS2), which outlines new security requirements for companies operating in critical sectors. Google Cloud is committed to ensuring that our cloud platform and security tools support the highest standard of compliance. Read more. Introducing Google Workspace security guidance to address Canadian data security requirements: New security guidance can help Canadian government agencies introduce Google Workspace tools while adhering to Canadian government compliance standards. Read more. Google Cloud Security Podcasts We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed: How Google does vulnerability management: Vulnerability prioritization, impact assessment, vulnerability management processes unique to Google, and the vital metrics it all gets measured by are the hot topics discussed with Ana Oprea, the European lead for our Vulnerability Coordination Center. Listen here. Hunting in the clouds: Threat hunting lessons, learned the hard way: From defining what it means to hunt threats online to what threat detection specialists can learn from threat hunters, we dive deep into this often-misunderstood world with John Stoner, principal security strategist, Google Cloud. Listen here. How Google Cloud secures its usage at massive scale: Security team, secure thyself. How does Google Cloud secure its own massive, diverse use of its own resources? Karan Dwivedi, security engineering manager for enterprise infrastructure protection explains how we do what we do for you, for ourselves. Listen here. High-velocity detection, high-complexity response: Tim and Anton argue a lot about what kind of detection is best: fully bespoke and homemade or scalable off-the-shelf. David Seidman, head of detection and response at Robinhood, helps them settle that debate and others including: What matters more, detection skills or cloud skills? What’s most effective to focus on when building a team? And what are your favorite telemetry data sources for detection in the cloud? Listen here. To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.

Online data theft is a significant risk for organizations around the world and in Europe. European businesses stand to lose roughly 10 terabytes of data each month to cyber theft, according to a July 2022 report from the European Union Agency for Cybersecurity (ENISA). Meanwhile, cyberattacks cost European businesses and consumers an estimated €180 billion to €290 billion annually. To help combat this threat, the EU passed the Network and Information Security Directive 2.0 (NIS2), a signature policy response that took effect in January. NIS2 builds on the EU’s previous efforts to raise the baseline level of cybersecurity throughout the region. NIS2 outlines new security requirements for companies operating in critical sectors, such as energy, healthcare, financial services, and digital infrastructure. The directive will introduce new obligations for cloud service providers such as Google Cloud. We recognize NIS2 as an essential step forward in Europe’s strategy to protect consumers, administrations, and businesses from threats such as ransomware and industrial espionage. Now that NIS2 has been adopted by the European Council and Parliament, the process shifts to the EU’s 27 member states, which must codify the directive into national law by October 2024. But the road ahead is far from straightforward. Compared to the original NIS Directive, NIS2 may expand the number of regulated organizations by 10 times or more. This expansion may lead to new compliance challenges for organizations of all sizes and place additional strain on national cybersecurity authorities tasked with oversight and enforcement. As a regulated entity under NIS2, Google Cloud is committed to ensuring that our cloud platform and security tools support the highest standard of compliance. We’ve spent more than a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey. And we’re committed to partnering with national authorities to share knowledge and best practices in areas including Zero Trust architecture, software supply chain security, compliance automation, and threat intelligence to help facilitate NIS2’s implementation at the national level. As part of our Cloud On Europe’s Terms initiative, we will continue to focus on building trust with European governments and enterprises by delivering cloud solutions that meet their regulatory, digital sovereignty, sustainability, and economic objectives. What does NIS2 mean for our customers? NIS2 builds on the 2016 NIS Directive with a broader scope and set of requirements. We see higher cybersecurity standards as a necessary and positive step forward for the European digital ecosystem. But for many European businesses, including Google Cloud customers, NIS2 compliance may require new investments in security tools and processes to achieve a higher overall security baseline – a challenge for mid-sized, resource-constrained organizations. As part of our shared fate model, we will support our customers with the tools and expertise they need to help improve their cybersecurity maturity and meet stricter NIS2 incident reporting and risk management requirements. Rather than facing their compliance journey alone, customers of all sizes can look to Google Cloud as a trusted advisor and partner for secure-by-default infrastructure, deployable blueprints and frameworks, training resources and workshops, and streamlined compliance tools and processes. Incident reporting: NIS2 establishes a framework for notifying competent national authorities and relevant customers of any cyber incident with a significant impact in terms of operational disruption, financial loss, or physical harm. In the event of a significant incident, covered organizations will be required to file an initial report within 24 hours, a requirement that will test their reporting capabilities. Organizations will then be required to file a more detailed report within 72 hours, and a final, comprehensive report within one month. Google Cloud is working to help you meet NIS2’s stricter reporting requirements through our industry-leading incident response function that combines rigorous processes, world-class talent, and multi-layered information security and privacy infrastructure. We routinely review our approach to incident management based on industry best practices and evolving regulations like NIS2. Customers who must meet the same requirements can depend on our sophisticated tools like Security Command Center that help enable them to independently monitor for misconfigurations or vulnerabilities, generate automated compliance reports, and share data with SIEM/SOAR platforms, such as Chronicle Security Operations, to accelerate incident reporting. Risk management and liability: Compared to the 2016 NIS Directive, NIS2 is far more prescriptive in terms of the risk management measures that regulated entities must implement. NIS2 will require covered organizations to develop (if they haven’t already) policies on risk analysis, incident handling, supply chain security, vulnerability management, encryption, security awareness training, access management, multi-factor authentication, and many other areas. Further, NIS2 requires that these policies must be ratified by the organization’s highest governing body – a move aimed at boosting internal transparency of cyber risks and mitigations. NIS2 assigns accountability for implementing cybersecurity and compliance requirements directly to the senior management of regulated organizations. In certain cases, accountability could mean holding managers directly liable for negligence or failure to comply with key risk management requirements. The possibility of being held personally liable for poor cyber risk management may be a source of particular concern. By partnering with the Google Cybersecurity Action Team (GCAT), managers and their boards can take advantage of premier strategic advisory services to help build confidence and mature their cybersecurity teams. GCAT offers comprehensive security advisory and training resources, including online courses, compliance support, security solutions engineering, deployable blueprints and frameworks, as well as interactive workshops and incident response exercises to help prepare managers to face cyber threats. Vulnerability management: Under NIS2, vulnerability management and supply chain security become core risk management responsibilities for regulated entities and their managers. In addition, the directive tasks ENISA with building a cyber vulnerabilities database and overseeing a European coordinated vulnerability disclosure program. A key benefit of partnering with global cloud providers like Google Cloud is that we can eliminate much of the guesswork for our customers when it comes to monitoring for vulnerabilities and implementing new security patches. Together with Mandiant, a global leader in security operations and incident response, we’re helping our customers assess risks to their cloud environments, battle test their systems for vulnerabilities, and quickly remediate incidents. We are also committed to working with ENISA to support a European coordinated vulnerability disclosure program that ensures transparency without putting users at risk. Coordination and capacity building: NIS2 establishes a European Cyber Crises Liaison Organisation Network, or EU-CyCLONe, overseen by ENISA, as the principal intergovernmental body supporting management of major cyber incidents targeting critical infrastructure. EU-CyCLONe will operate as a central coordination point between national computer security incident response teams (CSIRTs) and serve as a link between technical and political stakeholders responding to future crises. We are committed to partnering with cybersecurity coordination bodies such as EU-CyCLONe, CERT-EU, and the European Cybercrime Centre (EC3), and supporting joint preparedness exercises. Similarly, we welcome the opportunity to work with national regulatory authorities to support their capacity building efforts in cooperation with customers and partners facing new regulatory obligations under NIS2. We’re equipping our customers and regulators with insights into the threat landscape through our quarterly Threat Horizons reports, and we will continue to make our cybersecurity leaders available to understand the needs of EU and Member State authorities and to share expertise. Looking ahead As EU member states start the process of NIS2 transposition, there are still outstanding questions about the sector-specific schemes that organizations will use to certify compliance with NIS2, which could substantially impact how the legislation operates in practice. Similarly, the work of EU legislators is not finished yet. There are important details still to be clarified through Delegated and Implementing Acts, such as the threshold for triggering incident reporting obligations. It’s essential that these details are aligned wherever possible to globally-established cybersecurity best practices so that critical entities have a clear pathway to compliance. As EU member states take up the task of transposing NIS2 into their national laws, it’s important to keep in mind that digital transformation and cybersecurity go hand-in-hand. We urge lawmakers and national cybersecurity authorities to promote innovation and resilience through adoption of modern IT infrastructures that protect citizens' data using globally-distributed networking, secure-by-default hardware and software, Zero Trust architecture, and customer-managed encryption tools, rather than restrictive data localization measures. Now more than ever, governments around the world are taking steps to protect their citizens and critical infrastructures from cyber threats. As an industry leader in security we will do our part to support our European partners working hard to implement these evolving requirements. Related Article Google Cloud’s preparations to address the Digital Operational Resilience Act As the EU’s proposed DORA regulation reaches a major milestone, Google Cloud details our approach to its new rules and rule changes. Read Article

European legislators came to an inter-institutional agreement on the Digital Operational Resilience Act (DORA) in May 2022. This is a major milestone in the adoption of new rules designed to ensure financial entities can withstand, respond to and recover from all types of ICT-related disruptions and threats, including increasingly sophisticated cyberattacks. DORA will harmonize how financial entities must report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and European Union (EU) member states. In addition to establishing clear expectations for the role of ICT providers, DORA will also allow financial regulators to directly oversee critical ICT providers. Google Cloud welcomes the agreement on DORA. As part of our Cloud On Europe’s Terms initiative, we are committed to building trust with European governments and enterprises with a cloud that meets their regulatory, digital sovereignty, sustainability, and economic objectives. We recognize the continuous effort by the European Commission, European Council, and European Parliament to design a proportionate, effective, and future-proof regulation. We have been engaging with the policymakers on the DORA proposal since it was tabled in September 2020, and appreciate the constructive dialogue that the legislators have held with ICT organizations. Google Cloud’s perspective on DORA We firmly believe that DORA will be crucial to the acceleration of digital innovation in the European financial services sector. It creates a solid framework to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators. Here are a few key benefits of DORA: Coordinated ICT incident reporting: DORA consolidates financial sector incident reporting requirements under a single streamlined framework. This means financial entities operating in multiple sectors or EU member states should no longer need to navigate parallel, overlapping reporting regimes during what is necessarily a time-sensitive situation. DORA also aims to address parallel incident reporting regimes like NIS2. Together these changes help get regulators the information they need while also allowing financial entities to focus on other critical aspects of incident response. New framework for digital operational resilience testing: Drawing on existing EU initiatives like TIBER-EU, DORA establishes a new EU-wide approach to testing digital operational resilience, including threat-led penetration testing. By clarifying testing methodology and introducing mutual recognition of testing results, DORA will help financial entities continue to build and scale their testing capabilities in a way that works throughout the EU. Importantly, DORA addresses the role of the ICT provider in testing and permits pooled testing to manage the impact of testing on multi-tenant services like public clouds. CoordinatedICT third party risk management: DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements for contracts with ICT providers. By helping to ensure that similar risks are addressed consistently across sectors and EU member states, DORA will enable financial entities to consolidate and enhance their ICT third-party risk management programs. Direct oversight of critical ICT providers: DORA will allow financial regulators to directly oversee critical ICT providers. This mechanism will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations. We’re confident that this structured dialogue will help to improve risk management and resilience across the sector. How Google Cloud is preparing for DORA Although political agreement on the main elements of DORA have been reached, legislators are still finalizing the full details. We expect the final text to be published later this year and that there will be a two-year implementation period after publication. While DORA isn’t expected to take effect until 2024 at the earliest, here’s four important topics that DORA will impact and what Google Cloud does to support our customers in these areas today. Incident reporting: Google Cloud runs an industry-leading information security operation that combines stringent processes, a world-class team, and multi-layered information security and privacy infrastructure. Our data incident response whitepaper outlines Google Cloud’s approach to managing and responding to data incidents. We also provide sophisticated tools and solutions that customers can use to independently monitor the security of their data, such as the Security Command Center. We continuously review our approach to incident management based on evolving laws and industry best practices, and will be closely following the developments in this area under DORA. Digital operational resilience testing: We recognize that operational resilience is a key focus for the financial sector. Our research paper on strengthening operational resilience in financial services by migrating to Google Cloud discusses the role that a well-executed migration to Google Cloud can play in strengthening resilience. We also recognize that resilience must be tested. Google Cloud conducts our own rigorous testing, including penetration testing and disaster recovery testing. We also empower our customers to perform their ownpenetration testing and disaster recovery testing for their data and applications. Third-party risk: Google Cloud’s contracts for financial entities in the EU address the contractual requirements in the EBA outsourcing guidelines, the EIOPA cloud outsourcing guidelines, the ESMA cloud outsourcing guidelines, and other member state requirements. We are paying close attention to how these requirements will evolve under DORA. Oversight: Google Cloud is committed to enabling regulators to effectively supervise a financial entity’s use of our services. We grant information, audit and access rights to financial entities, their regulators and their appointees, and support our customers when they or their regulators choose to exercise those rights. We would approach a relationship with a lead overseer with the same commitment to ongoing transparency, collaboration, and assurance. We share the same objectives as legislators and regulators seeking to strengthen the digital operational resilience of the financial sector in Europe, and we intend to continue to build on our strong foundation in this area as we prepare for DORA. Our goal is to make Google Cloud the best possible service for sustainable, digital transformation for European organizations on their terms—and there is much more to come. Related Article Helping build the digital future. On Europe’s terms. Cloud computing is globally recognized as the single most effective, agile and scalable path to digitally transform and drive value creat... Read Article