Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2024-1774
Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
Article 7 – Cryptographic key management
- Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.
- Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment.
- Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.
- Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date.
- Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.