9. CRYPTOGRAPHY
9.1.1. For the purpose of Article 21(2), point (h) of Directive (EU) 2022/2555, the relevant entities shall establish, implement and apply a policy and procedures related to cryptography, with a view to ensuring adequate and effective use of cryptography to protect the confidentiality, authenticity and integrity of information in line with the relevant entities’ information classification and the results of the risk assessment.
9.1.2. The policy and procedures referred to in point 9.1 shall establish:
(a) in accordance with the relevant entities’ classification of assets, the type, strength and quality of the cryptographic measures required to protect the relevant entities’ assets;
(b) based on point (a), the protocols to be adopted, as well as cryptographic algorithms, cipher strength, cryptographic solutions and usage practices to be approved and required for use in the entities, following, where appropriate, a cryptographic agility approach;
(c) the relevant entities’ approach to key management, including methods for the following:
(i) generating keys for different cryptographic systems and applications;
(ii) issuing and obtaining public key certificates;
(iii) distributing keys to intended entities, including how to activate keys when received;
(iv) storing keys, including how authorised users obtain access to keys;
(v) changing or updating keys, including rules on when and how to change keys;
(vi) dealing with compromised keys;
(vii) revoking keys, including how to withdraw or deactivate keys;
(viii) recovering lost or corrupted keys;
(ix) backing up or archiving keys;
(x) destroying keys;
(xi) logging and auditing of key management-related activities;
(xii) setting activation and deactivation dates for keys, ensuring that the keys can only be used for the specified period of time according to the organisation's rules on key management;
(xiii) handling legal requests for access to cryptographic keys.
9.1.3. The relevant entities shall review and, where appropriate, update their policy and procedures at planned intervals, taking into account the state of the art in cryptography.