Source: OJ L, 2024/1774, 25.6.2024
Digital operational resilience in the financial sector: ICT risk management: RTS on ICT risk management framework
Article 7 Cryptographic key management
Financial entities, as defined in Article 2, points (a) to (t), shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.
Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. ("ICT risk" means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.)
Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.
Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. ("ICT asset" means a software or hardware asset in the network and information systems used by the financial entity; "critical or important function" means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.)
Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.