Beta

Source: OJ L, 2024/1774, 25.6.2024

EN

Recital 9 Encryption and cryptographic controls

Cryptographic controls can ensure the availability, authenticity, integrity, and confidentiality of data. Financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should therefore identify and implement such controls on the basis of a risk-based approach. To that end, financial entitiesas defined in Article 2, points (a) to (t) should encrypt the data concerned at rest, in transit or, where necessary, in use, on the basis of the results of a two-pronged process, namely data classification and a comprehensive ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment. Given the complexity of encrypting data in use, financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should encrypt date in use only where that would be appropriate in light of the results of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment. Financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should, however, be able, where encryption of data in use is not feasible or is too complex, to protect the confidentiality, integrity, and availability of the data concerned through other ICT security measures. Given the rapid technological developments in the field of cryptographic techniques, financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should remain abreast of relevant developments in cryptanalysis and consider leading practices and standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. Financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should hence follow a flexible approach, based on risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; mitigation and monitoring, to deal with the dynamic landscape of cryptographic threats, including threats from quantum advancements.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod