Picture this: it is 4:30 PM on a Friday. You are auditing your Google Workspace domain when you discover an unapproved generative AI browser extension. Over the last three months, a group of financial analysts has been using it to summarise sensitive portfolio data. It has full OAuth access to their Google Drive accounts.
Under the Digital Operational Resilience Act, this is not just a Shadow IT headache. It is a serious operational resilience issue with potential reporting obligations attached to it.
For Google Workspace administrators, DORA fundamentally changes how cloud environments must be managed. Compliance is no longer about configuring settings once and walking away. It requires continuous oversight across users, files, third-party applications, browser activity, and operational workflows.
DORA came into force on 17 January 2025. If regulators audited your cloud environment tomorrow, here is how the five pillars translate directly to Google Workspace operations.
For a broader operational overview, see our DORA Compliance Checklist for Financial Institutions and DORA & Google Workspace: The Operational Risks Financial Institutions Often Miss.
How the 5 Pillars of DORA Apply to Google Workspace
| DORA Pillar | Google Workspace Focus |
|---|---|
| ICT Risk Management & Governance | Permissions, sharing, data exposure, governance |
| Incident Reporting & Response | Investigations, reporting timelines, operational visibility |
| Operational Resilience Testing | Offboarding, recovery procedures, workflow validation |
| ICT Third Party Risk Management | OAuth applications, Shadow IT, AI tools, SaaS governance |
| Network & Information Systems Security | Browser activity, DLP, access controls, data protection |
Pillar 1: ICT Risk Management and Governance
DORA requires financial institutions to establish strong frameworks for identifying, managing, and reducing ICT risk across their environments.
Historically, this focused heavily on networks, endpoints, and infrastructure. In cloud collaboration environments like Google Workspace, the operational risk surface shifts toward user behaviour, permissions, SaaS usage, and external collaboration.
In practice, exposure often comes from Shared Drives with inherited permissions, delegated inbox access, public links, and files shared externally to personal accounts. These are not dramatic security failures. They are the normal accumulated drift of a busy organisation using a powerful collaboration platform without continuous oversight.
The Google Cloud Shared Responsibility Model is worth understanding here. Google secures the underlying infrastructure. Your organisation is responsible for how users, applications, and workflows interact with sensitive data within that infrastructure. DORA makes that responsibility explicit and enforceable.
To address this, institutions are expanding visibility through dedicated tooling. GAT+ Advanced Auditing and Reporting provides continuous oversight of user activity, file permissions, external sharing, and delegated access across your domain. Google Drive Auditing lets you surface sharing exposure at scale, including files shared outside the organisation, files with public links, and folders with permissions that no longer reflect who should have access.
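To make the "accumulated drift" concrete, here is an added example (not GAT+ or Google code) that classifies Drive files by their worst sharing exposure: public link, shared to an external account or domain, domain-wide, or internal only. The records are constructed samples shaped like Drive API v3 file resources with their `permissions` expanded; `ORG_DOMAIN` and the sample addresses are assumptions.

```python
"""Classify Google Drive files by sharing exposure.

Added example, not GAT+ or Google code. The input shape mirrors a Drive API v3
files.list response requested with
fields=files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery)),
but the records below are constructed sample data, not real API output.
"""
from collections import Counter

ORG_DOMAIN = "example-bank.test"  # assumption: your primary Workspace domain

# Constructed sample records shaped like Drive API v3 file resources.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 portfolio summary",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "analyst@example-bank.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f2", "name": "Client onboarding checklist",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ops@example-bank.test"},
         {"type": "user", "role": "writer", "emailAddress": "someone@gmail.com"},
     ]},
    {"id": "f3", "name": "Team roster",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr@example-bank.test"},
         {"type": "domain", "role": "reader", "domain": "example-bank.test"},
     ]},
    {"id": "f4", "name": "Internal memo",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@example-bank.test"},
         {"type": "group", "role": "reader", "emailAddress": "finance@example-bank.test"},
     ]},
]

# Most severe first; a file takes the most severe class among its grants.
EXPOSURE_ORDER = ["public", "external", "domain-wide", "internal"]


def _is_external(perm, org_domain):
    """True for a user/group grant whose address is outside org_domain."""
    email = perm.get("emailAddress", "").lower()
    return perm["type"] in ("user", "group") and not email.endswith("@" + org_domain)


def classify_exposure(file, org_domain=ORG_DOMAIN):
    """Return (worst exposure class, grants that cause it) for one file."""
    findings = []
    for perm in file.get("permissions", []):
        if perm["type"] == "anyone":
            findings.append(("public", perm))        # link-shared, discoverable or not
        elif perm["type"] == "domain":
            if perm.get("domain", "").lower() == org_domain:
                findings.append(("domain-wide", perm))
            else:
                findings.append(("external", perm))  # shared to another whole domain
        elif _is_external(perm, org_domain):
            findings.append(("external", perm))      # personal or partner account
    if not findings:
        return "internal", []
    worst = min(findings, key=lambda f: EXPOSURE_ORDER.index(f[0]))[0]
    return worst, [p for cls, p in findings if cls == worst]


def exposure_report(files, org_domain=ORG_DOMAIN):
    """Summarise a batch of files: counts per class plus the exposed files."""
    report = {"counts": Counter(), "exposed": []}
    for f in files:
        cls, grants = classify_exposure(f, org_domain)
        report["counts"][cls] += 1
        if cls != "internal":
            report["exposed"].append({
                "id": f["id"], "name": f["name"], "exposure": cls,
                "grants": [g.get("emailAddress") or g.get("domain") or "anyone"
                           for g in grants],
            })
    return report


if __name__ == "__main__":
    rep = exposure_report(SAMPLE_FILES)
    print("counts:", dict(rep["counts"]))
    for row in rep["exposed"]:
        print(f'{row["exposure"]:<11} {row["id"]} {row["name"]!r} -> {row["grants"]}')
```

The ordering matters for the audit trail: a file that is both public and shared to a partner is reported once, as public, so the remediation queue is sorted by the grant that needs revoking first. Feeding real `files.list` pages into `exposure_report` is the only change needed to run this against a live domain.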
GAT Unlock introduces Multi-Party Approval workflows for sensitive actions such as file access, mailbox access, ownership transfers, and delegated access requests. Every action is recorded in the GAT+ Admin Log, creating the evidence trail that DORA governance requirements depend on.
Data Discovery and DSPM locate and classify sensitive financial data across Drive, Gmail, and shared drives so your risk assessments are based on where data actually lives, not where you think it lives.
Pillar 2: Incident Reporting and Response
Under DORA, financial institutions must detect, classify, investigate, and report major ICT incidents within defined regulatory timelines.
For Google Workspace administrators, the biggest challenge is often investigation speed.
Cloud security incidents rarely happen in isolation. A single data leak may involve a Drive file shared externally, a compromised OAuth-connected application, and a rogue browser extension scraping data from an active browser session, all at the same time. Traditional infrastructure monitoring captures authentication events and admin logs. It typically misses operational behaviour happening directly inside the browser layer, which is where most of the action is.
GAT Shield monitors browser activity across Chrome, detecting and logging file uploads, downloads, clipboard events, browser activity, and site access activity as they occur. This is the layer that fills the gap between what the Google Admin Console sees and what is actually happening in your users’ browsers. See the Google Chrome DLP knowledge base for full configuration guidance.
Alert Rules in Shield let you configure automated notifications to admins and delegated auditors the moment a defined behaviour pattern appears. This removes the lag between an event occurring and your team becoming aware of it, helping security teams investigate and respond more quickly.
Gmail Phishing Audit and Remediation addresses the most common initial attack vector. It lets you identify, quarantine, and remove malicious emails across the entire domain with a documented audit trail that maps directly to DORA’s incident reporting structure.
GAT Flow lets you build and automate incident response workflows in advance. Building those workflows before an incident, and testing them regularly, is what makes the difference between a response that meets DORA’s timelines and one that does not. See Creating a Workflow in GAT Flow to get started.
For institutions aligning operational resilience strategies with broader frameworks, the NIST Cybersecurity Framework 2.0 provides a useful complement to DORA’s incident response requirements.

Pillar 3: Digital Operational Resilience Testing
DORA requires organisations to regularly test whether operational controls actually function during disruptions, outages, and security incidents. This extends well beyond annual penetration testing.
Financial institutions are increasingly reviewing how operational workflows behave during access failures, SaaS outages, and internal disruptions. In Google Workspace environments, this includes reviewing how quickly teams can investigate suspicious activity, identify external exposure, revoke application access, and restore operational visibility.
Organisations also test whether onboarding and offboarding workflows remove permissions consistently or leave orphan accounts active across the domain. An account that remains active after an employee leaves is not just an IT oversight. Under DORA, it is a governance failure with documented compliance implications.
The goal is not simply identifying technical vulnerabilities. It is understanding how operational processes function across constantly evolving cloud ecosystems, and proving that they work when tested.
Google Workspace Automation and User Lifecycle Management enforce consistent offboarding and access governance across the user lifecycle. For a practical operational framework, see Zero Trust Offboarding in Google Workspace.
The Workflows Monitoring Dashboard gives compliance leads visibility into whether governance workflows are completing correctly, and flags stalled or failed processes before they become gaps in your testing record.
Pillar 4: ICT Third-Party Risk Management
Third-party ICT risk management is one of the fastest-growing operational concerns across cloud-first environments.
Every time a user connects a SaaS application, authorizes an OAuth integration, or installs a browser extension, another operational dependency enters the environment. Over time, organisations lose visibility into which applications remain connected, what permissions they hold, and how those services interact with sensitive financial data.
This is why Shadow IT has become such a significant operational resilience challenge under DORA.
According to ENISA, unmanaged cloud services and decentralised SaaS usage significantly increase operational and security complexity when governance visibility is limited. For financial institutions, operational resilience increasingly depends on understanding the full SaaS ecosystem connected to the organisation, including the parts that IT did not authorise.
Audit and Manage Third-Party Applications in Google Workspace walks through how to use GAT+ to surface every OAuth-connected application across your domain, including the permissions each application holds against your Google Workspace APIs. GAT+ automatically scores each application with a Scope Risk Score, giving your team a prioritised view of which connections carry the greatest compliance exposure.
Shadow IT and App Risk go further, surfacing every application connected to your domain, not just those IT-approved. This is the tool that closes the most common Pillar 4 gap. Without visibility into connected applications, maintaining a complete and accurate Register of Information becomes significantly more difficult.
For a practical introduction to the problem this creates, see What Is Shadow IT? Its Impact on Google Workspace Domains.
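As an added illustration of the scope-based prioritisation described above (this is not GAT+ code, and the weights are a constructed scheme rather than GAT's Scope Risk Score), the following script aggregates per-user OAuth tokens into a per-application inventory and ranks each application by the data access its scopes grant. The records are constructed samples shaped like Admin SDK Directory API `tokens.list` items (`clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`) with the owning user attached by the caller; the client IDs, app names and weight table are assumptions.

```python
"""Rank OAuth-connected applications by the scopes they hold.

Added example, not GAT+ code. The weight table is a constructed scheme, not
GAT's Scope Risk Score. Records mirror Admin SDK Directory API tokens.list
items, plus a "user" key added by the caller; the samples are constructed.
"""

# Constructed weights: higher means broader access to data a DORA review cares about.
SCOPE_WEIGHTS = {
    "https://www.googleapis.com/auth/drive": 10,            # read/write every Drive file
    "https://www.googleapis.com/auth/drive.readonly": 6,
    "https://www.googleapis.com/auth/drive.file": 2,        # only files the app created/opened
    "https://mail.google.com/": 10,                         # full mailbox access
    "https://www.googleapis.com/auth/gmail.modify": 8,
    "https://www.googleapis.com/auth/gmail.readonly": 6,
    "https://www.googleapis.com/auth/admin.directory.user": 10,
    "https://www.googleapis.com/auth/userinfo.email": 1,
    "https://www.googleapis.com/auth/userinfo.profile": 1,
    "openid": 0,
}
UNKNOWN_SCOPE_WEIGHT = 3  # assumption: unlisted scopes are medium until reviewed

# Constructed sample tokens, one per (user, app) pair.
SAMPLE_TOKENS = [
    {"user": "analyst1@example-bank.test", "clientId": "111.apps.example",
     "displayText": "AI Summariser Extension", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "analyst2@example-bank.test", "clientId": "111.apps.example",
     "displayText": "AI Summariser Extension", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "ops@example-bank.test", "clientId": "222.apps.example",
     "displayText": "Calendar Sync", "anonymous": False, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "openid"]},
    {"user": "hr@example-bank.test", "clientId": "333.apps.example",
     "displayText": "Mail Merge", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive.file"]},
]


def scope_score(scopes):
    """Sum the weights of a scope set; unknown scopes get the default weight."""
    return sum(SCOPE_WEIGHTS.get(s, UNKNOWN_SCOPE_WEIGHT) for s in scopes)


def risk_band(score):
    """Bucket a score for the register; thresholds are an assumption."""
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def app_inventory(tokens):
    """Collapse per-user tokens into one row per application, highest risk first."""
    apps = {}
    for t in tokens:
        app = apps.setdefault(t["clientId"], {
            "displayText": t["displayText"], "users": set(), "scopes": set(),
            "anonymous": bool(t.get("anonymous")), "nativeApp": bool(t.get("nativeApp")),
        })
        app["users"].add(t["user"])
        app["scopes"].update(t["scopes"])   # union: what the app can reach across all grants
    rows = []
    for client_id, app in apps.items():
        score = scope_score(app["scopes"])
        rows.append({
            "clientId": client_id,
            "displayText": app["displayText"],
            "users": sorted(app["users"]),
            "user_count": len(app["users"]),
            "score": score,
            "band": risk_band(score),
            # Scopes the table does not know: these need a human decision, not a default.
            "unknown_scopes": sorted(s for s in app["scopes"] if s not in SCOPE_WEIGHTS),
        })
    rows.sort(key=lambda r: (-r["score"], -r["user_count"]))
    return rows


if __name__ == "__main__":
    for row in app_inventory(SAMPLE_TOKENS):
        print(f'{row["band"]:<6} {row["score"]:>3} users={row["user_count"]} '
              f'{row["displayText"]} unknown={row["unknown_scopes"]}')
```

Two design points carry over to any real implementation: score the union of scopes across users, because the application's reach is what goes in the Register of Information, and surface unknown scopes separately rather than letting the default weight hide them.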
Pillar 5: Network and Information Systems Security
The fifth pillar of DORA focuses on protecting the availability, integrity, confidentiality, and authenticity of systems and information.
For cloud-first organisations, this increasingly includes activity happening directly through Google Chrome and cloud collaboration platforms. Users upload files, share externally, access SaaS applications, interact with AI platforms, and transfer operational data through browser sessions every day. The traditional network perimeter has effectively disappeared. Old-style network monitoring loses visibility into operational behaviour happening at the browser layer, creating blind spots around unmanaged downloads, browser extensions, SaaS interaction, AI platform usage, and external data movement.
Data Loss Prevention for Google Chrome is where this pillar becomes concrete in a Google Workspace environment. GAT Shield provides browser-layer visibility and policy enforcement for Chrome, helping organisations monitor uploads, downloads, browser activity, and behaviours associated with data loss risk.
Data Discovery and DSPM give security teams a current, accurate map of where sensitive data lives across Drive, Gmail, and shared drives. You cannot protect what you cannot find, and a DORA review will ask you to demonstrate both.
GAT Unlock enforces access controls over sensitive files and emails through a multi-party approval layer. Every access event is authorised, documented, and auditable.
Zero Trust for Google Workspace provides the architectural model that ties all of this together. Many financial institutions use Zero Trust principles to strengthen the access control and continuous verification requirements that support Pillar 5 objectives.
DORA Is Expanding the Scope of Operational Resilience
The five pillars of DORA reflect a broader shift happening across the financial sector.
Operational resilience is no longer limited to infrastructure protection. Financial institutions must now maintain stronger visibility into cloud collaboration, SaaS ecosystems, browser activity, third-party applications, operational workflows, and governance processes that evolve continuously.
For organisations using Google Workspace, that means understanding how operational activity behaves across the full collaboration ecosystem, not just within traditional network boundaries.
To conclude, the institutions best positioned in supervisory reviews are not necessarily those with the most complex security stacks. They are the ones that have continuous visibility, documented evidence of their controls, and workflows that consistently enforce the governance their policies describe.
Frequently Asked Questions
1. What are the five pillars of DORA?
The five pillars of DORA are ICT Risk Management and Governance, Incident Reporting and Response, Digital Operational Resilience Testing, ICT Third Party Risk Management, and Network and Information Systems Security. Together, they create a framework for managing operational resilience across financial institutions.
2. Which DORA pillar covers third-party applications?
Third-party applications fall under Pillar 4: ICT Third Party Risk Management. This includes SaaS applications, OAuth-connected tools, browser extensions, AI platforms, and other external services that interact with operational systems or sensitive data.
3. Which DORA pillar covers incident reporting?
Incident reporting falls under Pillar 2: Incident Reporting and Response. Financial institutions must detect, classify, investigate, and report major ICT incidents within the timeframes defined by the regulation.
4. How does DORA apply to Google Workspace environments?
DORA applies to any cloud platform supporting operational processes, communications, collaboration, or sensitive financial data handling within financial institutions. For Google Workspace environments, this includes external sharing, browser activity, SaaS applications, delegated access, third-party integrations, and operational workflows.
5. What operational blind spots commonly affect Google Workspace environments under DORA?
Common blind spots include external file sharing, unmanaged SaaS applications, excessive permissions, browser-based data movement, orphan accounts after offboarding, delegated inbox access, and limited visibility into OAuth-connected applications.