(EU) 2024/1774 Article 7 Cryptographic Key Management

ICT Risk Management Framework - Commission Delegated Regulation (EU) 2024/1774 Article 7 Cryptographic Key Management Article 7 of the EU Regulation concerning cryptographic key management mandates that financial entities develop and implement comprehensive policies to manage cryptographic keys effectively. The article specifies that these entities must cover all stages of the key lifecycle, including generation, storage, and destruction, and must implement controls to prevent unauthorized access and ensure integrity. Additionally, it requires the maintenance of an up-to-date register for certificates related to their ICT assets, ensuring proactive certificate renewal and establishing protocols for key replacement in case of key loss or breaches. Objective: This article is focused on establishing requirements for the management of cryptographic keys throughout their entire lifecycle, ensuring their protection and proper administration by financial entities. Target Audiences: 1. Financial Entities Type: Business Entity As the primary subjects governed by this article, financial entities must adhere to the stringent requirements for cryptographic key management to safeguard digital assets and comply with regulatory standards. Key Focuses: 1. Cryptographic Key Lifecycle Management This focus addresses the need for financial entities to manage cryptographic keys from creation to destruction, ensuring robust processes are in place at each stage. 2. Protection Controls Implementation Entities must identify and implement controls tailored to the lifecycle of cryptographic keys to mitigate risks associated with loss, unauthorized access, and modification. 3. Risk Assessment Basis Controls must be based on the results of approved data classification and ICT risk assessments, promoting a risk-aware approach to cryptographic key management. 4. Certificate Register Maintenance Financial entities are required to maintain an up-to-date register of all certificates and certification devices, ensuring accountability and clarity in ICT asset management. 5. Proactive Certificate Renewal Timely renewal of certificates before expiration is mandated, which is critical for maintaining secure communications and data integrity. 6. Response Methods for Key Compromise Financial entities must develop methods to replace cryptographic keys that become compromised, which is vital for maintaining security and minimizing potential damage.