Contents
- Policy on encryption and cryptographic controls
- Integration into ICT Security Policies (Article 6(1) RTS RMF; Article 9(2) DORA)
- Basis for the Policy (Article 6(2) RTS RMF)
- Mandatory Content Elements (Article 6(2)(a)–(d) RTS RMF)
- Criteria for Selection of Cryptographic Techniques (Article 6(3) RTS RMF)
- Updating Cryptographic Technology (Article 6(4) RTS RMF)
- Recording of Mitigation and Monitoring Measures (Article 6(5) RTS RMF)
- Cryptographic Key Management Requirements (Article 7 RTS RMF)
- Articles 6 and 7 RTS RMF
- Article 9(2) DORA
Policy on encryption and cryptographic controls
Integration into ICT Security Policies (Article 6(1) RTS RMF; Article 9(2) DORA)
- The policy on encryption and cryptographic controls forms part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA.
- Financial entities must develop, document, and implement this policy to ensure resilience, continuity and availability of ICT systems and to maintain high standards of availability, authenticity, integrity and confidentiality of data at rest, in use and in transit.
Basis for the Policy (Article 6(2) RTS RMF)
- The policy must be designed on the basis of the results of:
– an approved data classification, and
– an ICT risk assessment.
Mandatory Content Elements (Article 6(2)(a)–(d) RTS RMF)
Encryption of Data at Rest and in Transit
Rules must be defined for the encryption of data at rest and data in transit.
Encryption of Data in Use
Rules must be defined for encryption of data in use, where necessary.
If encryption of data in use is not possible, the policy must prescribe that data in use be processed in a separated and protected environment, or that equivalent measures be taken to ensure the confidentiality, integrity, authenticity, and availability of data.
Encryption of Network Connections
Rules must be defined for the encryption of internal network connections and of traffic with external parties.
Cryptographic Key Management (Article 7 RTS RMF)
The policy must contain rules governing cryptographic key management, covering the correct use, protection and lifecycle of cryptographic keys, including their:
- generation,
- renewal,
- storage,
- backup,
- archiving,
- retrieval,
- transmission,
- retirement,
- revocation, and
- destruction.
Criteria for Selection of Cryptographic Techniques (Article 6(3) RTS RMF)
- The policy must include criteria for selecting cryptographic techniques and use practices, taking into account:
– leading practices,
– standards as defined in Article 2(1) of Regulation (EU) No 1025/2012, and
– the classification of ICT assets under Article 8(1) DORA.
- Where a financial entity is not able to adhere to leading practices or use the most reliable techniques, it must adopt mitigation and monitoring measures that ensure resilience against cyber threats.
Updating Cryptographic Technology (Article 6(4) RTS RMF)
- The policy must include provisions for updating or changing cryptographic technology, where necessary, based on developments in cryptanalysis.
- Such updates or changes must ensure that cryptographic technology remains resilient against cyber threats, as required by Article 10(2)(a) RTS RMF.
- If a financial entity is unable to update or change cryptographic technology, it must adopt mitigation and monitoring measures that ensure resilience against cyber threats.
Recording of Mitigation and Monitoring Measures (Article 6(5) RTS RMF)
- The policy must require the financial entity to record the adoption of mitigation and monitoring measures taken under Article 6(3) and (4).
- The policy must require a reasoned explanation for adopting such measures.
Cryptographic Key Management Requirements (Article 7 RTS RMF)
Full Lifecycle Management (Article 7(1))
The policy must include requirements for managing cryptographic keys throughout their entire lifecycle, including:
- generating,
- renewing,
- storing,
- backing up,
- archiving,
- retrieving,
- transmitting,
- retiring,
- revoking, and
- destroying.
Protection of Cryptographic Keys (Article 7(2))
- The policy must require controls to protect cryptographic keys against loss, unauthorised access, disclosure, and modification.
- These controls must be designed based on:
– the approved data classification, and
– the ICT risk assessment.
Replacement of Cryptographic Keys (Article 7(3))
- The policy must prescribe methods to replace cryptographic keys where they are lost, compromised, or damaged.
Certificate Register (Article 7(4))
- The policy must require the creation and maintenance of a register for all certificates and certificate-storing devices, at least for ICT assets supporting critical or important functions.
- The register must be kept up to date.
Prompt Renewal of Certificates (Article 7(5))
- The policy must require the prompt renewal of certificates in advance of their expiration.