Article 6 Encryption and cryptographic controls


    1. As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls.

    2. Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following:

      (a) the encryption of data at rest and in transit;

      (b) the encryption of data in use, where necessary;

      (c) the encryption of internal network connections and traffic with external parties;

      (d) the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys.

    3. For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data.

    4. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.

    5. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.

    6. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so.


Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod