Hi All
Cryptography management and crypto-agility are a step closer to becoming regulation after the three European Supervisory Authorities (European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA), the ESAs) published today the first set of final draft Regulatory Technical Standards (RTS) under DORA. (Find the relevant links at the end.)
DORA is the Digital Operational Resilience Act for the financial sector with rules for the protection, detection, containment, recovery and repair capabilities against IT incidents.
The draft RTS on the ICT risk management framework covers encryption and cryptography in section IV (page 49). Review highlight: Article 6, point 4:
"Financial entities shall include in the policy on encryption and cryptographic controls provisions to, where necessary, on the basis of developments in cryptanalysis, update or change the cryptographic technology to ensure they remain resilient against cyber threats [...]. Where the financial entity cannot update or change the cryptographic technology, it shall adopt mitigation and monitoring measures to ensure they remain resilient against cyber threats."
These final draft technical standards have been submitted to the European Commission, which will now start its review with the objective of adopting these first standards in the coming months. So, proper cryptography management and crypto-agility will soon be part of the regulatory compliance obligations of financial entities in Europe.
Regards
Caute_Cautim
Thanks for sharing @Caute_cautim.
Thanks for sharing @Caute_cautim. I came across this subject when I was searching for DORA-related articles, webinars, etc., but couldn't find any in the ISC2 community.
How can we get the RTS and ITS that are validated for use? Are they available to the public?
Regards,
SecuFreak