Protection measures of cryptographic keys

Integration into the ICT Risk Management Framework (Article 9(4) DORA)

Financial entities must implement protection measures for cryptographic keys as a mandatory component of the ICT risk management framework required under Article 6(1) DORA.

This obligation sits within the broader protection and prevention requirements in Article 9 DORA and applies to all cryptographic material used to ensure the confidentiality, integrity, authenticity and availability of data.


Mandatory Elements of Cryptographic Key Protection (Article 9(4)(d) DORA)

Financial entities must implement policies and protocols that ensure:

Strong Authentication Mechanisms

  • Authentication mechanisms must be strong,
  • based on relevant standards, and
  • supported by dedicated control systems.

These requirements apply to the use, access, and management of cryptographic keys.


Protection Measures for Cryptographic Keys

Protection measures must:

  • safeguard cryptographic keys from compromise,
  • ensure secure handling and storage,
  • ensure proper use for encryption operations, and
  • align with the financial entity’s wider ICT security and access control policies.

Encryption Based on Data Classification and ICT Risk Assessment

Data must be encrypted based on:

  • the results of the approved data classification, and
  • the ICT risk assessment processes.

This creates a direct link between cryptographic controls and the entity’s risk-based security posture, ensuring proportionality and adequacy of encryption measures.


Purpose and Context

These protection measures support:

  • secure encryption of data at rest, in transit and in use;
  • the integrity and confidentiality of sensitive data;
  • compliance with the broader encryption and key management requirements under the RTS RMF (Articles 6–7);
  • resilience against unauthorised access, tampering and other ICT risks.

Article 9(4)(d) DORA