
DORA Compliance Checklist for Financial Institutions


The enforcement landscape for European financial institutions changed significantly once the Digital Operational Resilience Act (DORA) came into force.

Today, supervisory authorities such as BaFin, ACPR, and the Central Bank of Ireland are moving beyond reviewing compliance roadmaps and increasingly evaluating operational reality across ICT systems, third-party providers, incident response processes, and governance controls.

For organizations using Google Workspace, traditional perimeter security is no longer enough. Browser activity, external sharing, OAuth-connected applications, delegated access, and operational workflows all require stronger visibility and ongoing oversight.

This checklist breaks down the core DORA operational areas into practical actions financial institutions can review today, while also highlighting where Google Workspace environments commonly create operational blind spots.

What Is DORA and Who Does It Apply To?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation, applicable since 17 January 2025, that harmonizes ICT risk management, operational resilience, incident reporting, and third-party oversight across the financial sector.

It applies to banks, insurers, investment firms, payment institutions, fintech organizations, crypto-asset service providers, and other regulated financial entities operating within the European Union.

DORA focuses on five major operational areas:

  1. network and information systems security
  2. ICT risk management
  3. incident reporting and response
  4. digital operational resilience testing
  5. third-party ICT risk management

1. ICT Risk Management Checklist

DORA requires financial institutions to continuously identify, assess, and manage ICT risk across their environment.

For organizations using Google Workspace, this often includes reviewing external sharing, delegated access, OAuth-connected applications, browser activity, and administrative permissions regularly.

What financial institutions should review

  • Maintain an updated inventory of users, applications, and connected services
  • Review external sharing and sensitive file exposure regularly
  • Audit OAuth-connected applications and third-party access permissions
  • Document operational recovery and remediation procedures
  • Maintain centralized audit trails for administrative actions

Many organizations now also review browser extension risks, unmanaged AI tools, and dormant user accounts as part of broader operational resilience assessments.

GAT+ can help security and compliance teams audit external sharing, delegated access, administrative activity, and OAuth-connected applications across Google Workspace environments.
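A concrete way to run the external-sharing and dormant-account reviews listed above. This is an added example for the checklist, not GAT Labs code: it works on constructed records shaped like Google Drive API v3 file permissions and Admin SDK Directory user entries, and the owned domain `examplebank.eu`, the 90-day idle threshold, the review date and all sample data are assumptions.

```python
"""Classify Drive file exposure and flag dormant accounts.

Added example for this checklist, not GAT Labs code. The records below are
constructed to mirror the shape of Drive API v3 `files.list` results (with the
`permissions` field requested) and Admin SDK Directory `users.list` entries; a
real review pages through those APIs with a delegated service account.
"""
from datetime import datetime, timedelta, timezone

# Domains the institution owns; any other domain is external. (assumed)
INTERNAL_DOMAINS = {"examplebank.eu"}

# Constructed sample: minimal Drive file records with their permissions.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 liquidity report.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@examplebank.eu"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Vendor contract draft.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "legal@examplebank.eu"},
         {"type": "user", "role": "writer", "emailAddress": "partner@consultancy.example"}]},
    {"id": "f3", "name": "Team rota.gsheet",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ops@examplebank.eu"},
         {"type": "domain", "role": "reader", "domain": "examplebank.eu"}]},
]


def classify_exposure(file_record, internal_domains=INTERNAL_DOMAINS):
    """Return 'public', 'external' or 'internal' for one file.

    'public'   : an `anyone` grant (link sharing), whether discoverable or not
    'external' : a user, group or domain grant outside the owned domains
    'internal' : everything else
    """
    level = "internal"
    for perm in file_record.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            return "public"  # worst case; no need to look further
        if ptype in ("user", "group"):
            domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
        elif ptype == "domain":
            domain = perm.get("domain", "").lower()
        else:
            continue
        if domain and domain not in internal_domains:
            level = "external"
    return level


def exposure_report(files, internal_domains=INTERNAL_DOMAINS):
    """Map file id -> exposure level, leaving purely internal files out."""
    report = {}
    for f in files:
        level = classify_exposure(f, internal_domains)
        if level != "internal":
            report[f["id"]] = level
    return report


# Constructed sample: Directory API user records (lastLoginTime is RFC 3339;
# the API reports the Unix epoch for accounts that have never signed in).
SAMPLE_USERS = [
    {"primaryEmail": "cfo@examplebank.eu", "suspended": False,
     "lastLoginTime": "2025-09-01T08:12:00.000Z"},
    {"primaryEmail": "contractor@examplebank.eu", "suspended": False,
     "lastLoginTime": "2025-01-15T09:00:00.000Z"},
    {"primaryEmail": "never@examplebank.eu", "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "old@examplebank.eu", "suspended": True,
     "lastLoginTime": "2024-01-15T09:00:00.000Z"},
]

# Date the review is run; fixed here so the sample is reproducible. (assumed)
REVIEW_DATE = datetime(2025, 10, 1, tzinfo=timezone.utc)


def dormant_accounts(users, now=REVIEW_DATE, max_idle_days=90):
    """Return active (not suspended) accounts idle for longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for u in users:
        if u.get("suspended"):
            continue  # already disabled; nothing left to act on
        last = datetime.strptime(u["lastLoginTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if last.replace(tzinfo=timezone.utc) < cutoff:
            dormant.append(u["primaryEmail"])
    return dormant


if __name__ == "__main__":
    print("exposure:", exposure_report(SAMPLE_FILES))
    print("dormant:", dormant_accounts(SAMPLE_USERS))
```

Suspended accounts are skipped on purpose: the finding that matters for the checklist is an enabled account nobody uses, which is both an offboarding gap and a credential that can still be phished.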


2. Incident Reporting & Response Checklist

DORA requires financial institutions to detect, classify, investigate, and report major ICT incidents within strict operational timeframes.

Many organizations struggle with delayed visibility during incidents, especially when browser activity, file movement, and third-party applications are involved.

DORA Incident Reporting Timeframes

  • Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it
  • Intermediate report: within 72 hours of submitting the initial notification
  • Final report: within one month of submitting the intermediate report

What financial institutions should review

  • Define internal criteria for major ICT incidents
  • Configure real-time alerting for suspicious behavior
  • Improve visibility into browser-based activity and file movement
  • Document incident response workflows clearly
  • Test escalation and reporting procedures regularly

Phishing response procedures, browser upload monitoring, and suspicious download activity are now increasingly important operational areas within cloud-first environments.

GAT Shield helps organizations monitor browser activity across managed Chrome environments, while GAT+ can assist with Gmail investigations and centralized audit visibility.


3. Digital Operational Resilience Testing Checklist

DORA requires organizations to regularly test operational resilience controls and review whether governance processes function effectively during disruptions or security incidents.

For Google Workspace environments, this often includes testing onboarding and offboarding workflows, access governance procedures, incident response processes, and operational recovery plans.

What financial institutions should review

  • Test operational workflows regularly
  • Review user lifecycle controls and offboarding processes
  • Verify governance and escalation procedures
  • Document testing findings and remediation actions
  • Engage external testers for threat-led penetration testing (TLPT) where the institution is designated for it; DORA requires TLPT at least every three years for those entities

Organizations should also review whether administrative approvals, delegated access reviews, and automated workflows are functioning consistently across departments and business units.

GAT Flow can help automate operational workflows and provide centralized visibility into onboarding, offboarding, remediation, and workflow monitoring processes.

4. ICT Third-Party Risk Management Checklist

Third-party ICT risk remains one of the most overlooked operational areas in many Google Workspace environments.

DORA requires financial institutions to maintain visibility into connected ICT providers, SaaS platforms, and external services that interact with company data or operational systems.

For many organizations, this includes OAuth-connected applications added directly by users without centralized IT review.

What financial institutions should review

  • Maintain an updated inventory of connected applications
  • Identify Shadow IT and unauthorized SaaS tools
  • Review application permissions and access levels
  • Monitor newly connected applications regularly
  • Review operational dependencies and provider contracts

Many institutions discover dozens or even hundreds of OAuth-connected applications across their environment that were never formally reviewed by security or compliance teams.

GAT+ helps organizations audit connected applications, identify Shadow IT, review OAuth permissions, and maintain ongoing visibility into third-party access across Google Workspace.
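The inventory and permission-review items here, and the "Audit OAuth-connected applications" item in the ICT risk management checklist, come down to the same job: collect every user's authorized clients, merge them per client ID, and rank them by the scopes granted. The added example below (not GAT Labs code) does that on constructed records shaped like Admin SDK Directory API `tokens.list` items gathered per user; the scope risk tiers, the approved-client allow-list and the sample grants are assumptions.

```python
"""Inventory OAuth grants across users and rank unreviewed apps by scope risk.

Added example for this checklist, not GAT Labs code. Records are constructed
to mirror Admin SDK Directory API `tokens.list` items (clientId, displayText,
scopes, nativeApp) collected for each user.
"""
from collections import defaultdict

# Scopes that give broad read/write over regulated data. The tiering is an
# assumption for this example; align it with the institution's data classes.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/calendar",
}

# Constructed sample: one record per (user, authorized client).
SAMPLE_TOKENS = [
    {"userKey": "analyst@examplebank.eu", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Notetaker AI", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive", "openid", "email"]},
    {"userKey": "trader@examplebank.eu", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Notetaker AI", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "trader@examplebank.eu", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Calendar sync", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "ops@examplebank.eu", "clientId": "333.apps.googleusercontent.com",
     "displayText": "Mail client", "nativeApp": True,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "hr@examplebank.eu", "clientId": "444.apps.googleusercontent.com",
     "displayText": "Quiz tool", "nativeApp": False,
     "scopes": ["openid", "profile"]},
]

# Client IDs that went through vendor review. (assumed allow-list)
APPROVED_CLIENT_IDS = {"222.apps.googleusercontent.com", "333.apps.googleusercontent.com"}


def scope_risk(scopes):
    """Highest risk tier among the granted scopes: 'high', 'medium' or 'low'."""
    granted = set(scopes)
    if granted & HIGH_RISK_SCOPES:
        return "high"
    if granted & MEDIUM_RISK_SCOPES:
        return "medium"
    return "low"


def inventory(tokens, approved=APPROVED_CLIENT_IDS):
    """Aggregate grants per client ID: name, reach (users), risk tier, approval."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", "")
        app["users"].add(t["userKey"])
        app["scopes"].update(t.get("scopes", []))  # union across all grantees
    return {
        cid: {
            "name": app["name"],
            "user_count": len(app["users"]),
            "risk": scope_risk(app["scopes"]),
            "approved": cid in approved,
        }
        for cid, app in apps.items()
    }


def review_queue(tokens, approved=APPROVED_CLIENT_IDS):
    """Unapproved client IDs, highest risk tier first, then widest reach first."""
    order = {"high": 0, "medium": 1, "low": 2}
    pending = [(cid, a) for cid, a in inventory(tokens, approved).items() if not a["approved"]]
    pending.sort(key=lambda item: (order[item[1]["risk"]], -item[1]["user_count"]))
    return [cid for cid, _ in pending]


if __name__ == "__main__":
    for cid, app in inventory(SAMPLE_TOKENS).items():
        print(cid, app)
    print("review first:", review_queue(SAMPLE_TOKENS))
```

Keying on `clientId` rather than `displayText` matters: the display name is chosen by the app developer and can imitate an approved vendor, while the client ID is what the approval record and any later revocation refer to.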


5. Network & Information Systems Security Checklist

DORA requires financial institutions to maintain strong operational and security controls that protect sensitive systems and data from unauthorized access and cyber threats.

For organizations using Google Workspace, browser activity, external sharing, delegated access, and unmanaged data movement have become major operational visibility challenges.

What financial institutions should review

  • Identify and classify sensitive financial data
  • Monitor browser-based uploads and downloads
  • Strengthen governance around sensitive file and email access
  • Review privileged administrative access regularly
  • Apply Zero Trust principles across cloud environments

Many organizations are also increasing oversight of browser extensions, unmanaged AI platforms, and external collaboration workflows as part of broader operational resilience initiatives.

GAT Shield extends visibility into browser activity across managed Chrome environments, while GAT Unlock adds Multi-Party Approval workflows around sensitive administrative actions and data access.
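"Identify and classify sensitive financial data" depends on detectors that fire on real data rather than on anything that looks like an account number, otherwise upload and download monitoring drowns in false positives. The added example below (not GAT Labs code) finds IBAN candidates in text and keeps only those that pass the ISO 13616 length and mod-97 checks, so a single-digit typo is not reported; the sample lines and the partial country-length table are constructed for the example.

```python
"""Find and validate IBANs in text so DLP rules match real account numbers.

Added example for this checklist, not GAT Labs code. The sample lines are
constructed; the length table covers a handful of countries and should be
extended from the SWIFT IBAN registry before production use.
"""
import re

# Country code -> total IBAN length (subset; extend from the IBAN registry).
IBAN_LENGTHS = {"DE": 22, "FR": 27, "GB": 22, "IE": 22, "NL": 18, "ES": 24, "IT": 27}

# Loose candidate pattern: two letters, two check digits, then 11-30
# alphanumerics that may be grouped with single spaces.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def iban_is_valid(candidate):
    """ISO 13616 check: known country length and mod-97 remainder of 1."""
    iban = candidate.replace(" ", "").upper()
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is None or len(iban) != expected:
        return False
    # Move the country code and check digits to the end, then map letters
    # to two-digit numbers (A=10 ... Z=35); Python's big ints handle the rest.
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def find_ibans(text):
    """Return the validated IBANs (spaces stripped) found in one string."""
    return [
        m.group(0).replace(" ", "")
        for m in IBAN_CANDIDATE.finditer(text)
        if iban_is_valid(m.group(0))
    ]


# Constructed sample: lines as they might appear in a browser-upload scan.
# The first two IBANs are the well-known GB and DE reference examples; the
# third line mutates one digit so the mod-97 check fails.
SAMPLE_LINES = [
    "Please wire the fee to GB82 WEST 1234 5698 7654 32 by Friday.",
    "Customer IBAN: DE89370400440532013000; keep confidential.",
    "Order ref GB82 WEST 1234 5698 7654 33 (typo in the original).",
    "Meeting room booked under ID AB12 CDEF 0000 0000 0000 00.",
]


def scan_lines(lines):
    """Map line index -> validated IBANs, for lines that contain at least one."""
    hits = {}
    for i, line in enumerate(lines):
        found = find_ibans(line)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, ibans in scan_lines(SAMPLE_LINES).items():
        print(f"line {idx}: {ibans}")
```

The length table is the second filter, not a nicety: without it the mod-97 arithmetic will happily validate strings from countries that do not use IBAN at all, and a too-short candidate can still pass by chance.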


Ongoing DORA Compliance Reviews

Most financial institutions now review operational resilience controls throughout the year to maintain visibility into new risks, connected applications, administrative activity, and governance gaps.

  • Monthly: third-party applications, browser alerts, DLP activity, suspicious behavior
  • Quarterly: lifecycle workflows, delegated access, operational governance reviews
  • Yearly: ICT risk assessments, resilience testing, provider contract reviews

Frequently Asked Questions About DORA Compliance

1. What are the five pillars of DORA?

The five core operational areas this checklist follows are ICT risk management, incident reporting and response, digital operational resilience testing, ICT third-party risk management, and network and information systems security.


2. Is DORA still being enforced after January 2025?

Yes. DORA has applied since 17 January 2025; that date was the start of application, not a one-off deadline, and supervisory authorities enforce it on an ongoing basis across the EU financial sector.


3. Does DORA apply to Google Workspace?

Yes. If Google Workspace supports regulated business operations, communications, or operational data handling within a financial institution, it falls within DORA operational scope.


4. What is Shadow IT and why does it matter for DORA?

Shadow IT refers to applications and services connected without centralized IT oversight. Under DORA, organizations are expected to maintain visibility into third-party ICT providers and operational dependencies, including connected SaaS applications.


5. Can GAT Labs make an organization DORA compliant?

No platform alone can guarantee DORA compliance. GAT Labs helps organizations strengthen operational resilience, improve visibility, support audit readiness, and reduce operational blind spots across Google Workspace environments.
