Cryptographic key management


  1. Financial entitiesas defined in Article 2, points (a) to (t) shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.

  2. Financial entitiesas defined in Article 2, points (a) to (t) shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entitiesas defined in Article 2, points (a) to (t) shall design those controls on the basis of the results of the approved data classification and the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment.

  3. Financial entitiesas defined in Article 2, points (a) to (t) shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.

  4. Financial entitiesas defined in Article 2, points (a) to (t) shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;. Financial entitiesas defined in Article 2, points (a) to (t) shall keep that register up to date.

  5. Financial entitiesas defined in Article 2, points (a) to (t) shall ensure the prompt renewal of certificates in advance of their expiration.