Source: OJ L, 2024/1774, 25.6.2024
RTS on ICT risk management framework
Article 7 Cryptographic key management
Summary: What does Article 7 of the RTS on ICT risk management framework say?
This article drills down into the practical requirements for cryptographic key management, directly building on Article 6 which establishes the overarching encryption and cryptographic controls policy.
Where Article 6 sets the strategic framework, Article 7 focuses on the operational detail: financial entities must govern cryptographic keys across their entire lifecycle, from generation through to destruction, and must have contingency methods in place if keys are lost, compromised, or damaged.
The article also extends these obligations to certificate management, requiring financial entities to maintain an up-to-date register and ensure certificates are renewed before they expire.
Important points:
- Manage cryptographic keys across their full lifecycle, with controls designed on the basis of your data classification and ICT risk assessment.
- Develop and implement methods to replace cryptographic keys if they are lost, compromised, or damaged.
- Create and maintain an up-to-date register of all certificates and certificate-storing devices, at minimum for ICT assets supporting critical or important functions, and ensure certificates are renewed before expiration.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.
Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment.
Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.
Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date.
Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.
This text is meant purely as a documentation tool and has no legal effect. Springlex assumes no liability for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article: ICT risk; ICT asset; network and information system; critical or important function.