Requirements
What the regulation expects

Customer-controlled keys under NIS2
Documented measures matter—custody of keys is part of defensible security, not vendor boilerplate.
Risk management and proportionate measures
You must implement appropriate and proportionate technical and organisational measures. For sensitive data in SaaS and public cloud, external key management is often the proportionate choice: it limits what the cloud operator's own staff can read (operator overreach) and reduces jurisdiction risk, because the keys are not held within the provider's legal reach.
Business continuity and crisis management
Resilience includes maintaining access to critical data *without* depending on a single vendor's good faith during a crisis. Key custody you control supports orderly recovery and planned key rotation, because access to the keys does not hinge on the vendor's availability or cooperation.
Supply chain and ICT provider oversight
You remain responsible for critical services even when ICT is outsourced. Cryptographic separation, with keys held by you and only ciphertext held by the provider, limits how much trust you must place in any one provider.
Solutions
Relevant DuoKey products
Standardise how applications and cloud services consume keys under governance you define.
Bind AWS encryption to keys materialised outside the cloud's core trust boundary.
Customer Key and DKE for tenants that need keys off Microsoft's administrative plane.
Keep key fragments or operational modes where the app vendor never holds usable keys alone.
Key themes
Where customer-controlled keys fit
DuoKey enables essential and important entities (the two categories NIS2 regulates) to demonstrate proportionate technical measures by placing encryption key governance under your organisation's control, not the cloud operator's.
Article 21-style measures (technical & organisational)
Pair encryption at rest and in transit with key governance you can document, test, and audit.
Incident handling readiness
Key disablement, rotation, and break-glass procedures you control support response playbooks.
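A constructed example of the key-custody model behind the two points above (cryptographic separation from the provider, and disablement and rotation that you control), added here and not DuoKey's or any vendor's code. It assumes a hypothetical customer-run key manager and a hypothetical cloud service that stores only ciphertext and wrapped data keys; the AEAD is a standard-library stand-in (SHAKE256 keystream with an HMAC-SHA256 tag) for the AES-GCM a real deployment would use. The scenario shows a normal read, the provider failing to decrypt on its own, a key-encryption-key rotation that leaves the bulk ciphertext untouched, and a break-glass disablement that stops reads immediately while leaving an audit trail.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).
Constructed illustration, not DuoKey's code: the provider stores ciphertext plus a wrapped
data-encryption key (DEK); only the customer's key manager holds the KEK, so disabling or
rotating it there controls access without the provider's cooperation. The AEAD (SHAKE256
keystream + HMAC-SHA256 tag) is a stdlib stand-in for AES-GCM.
"""
import hashlib
import hmac
import secrets

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, hashlib.shake_256(key + nonce).digest(len(plaintext))))
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered ciphertext raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class CustomerKeyManager:
    """Hypothetical customer-operated key manager; KEK bytes never leave it."""
    def __init__(self) -> None:
        self._keks: dict[str, dict] = {}
        self.audit: list[tuple[str, str, str]] = []  # (kek_id, caller, outcome) evidence

    def create_kek(self) -> str:
        kek_id = "kek-" + secrets.token_hex(4)
        self._keks[kek_id] = {"material": secrets.token_bytes(32), "enabled": True}
        return kek_id

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_id]["material"], dek)

    def unwrap(self, kek_id: str, wrapped_dek: bytes, caller: str) -> bytes:
        kek = self._keks[kek_id]
        self.audit.append((kek_id, caller, "unwrap" if kek["enabled"] else "denied: disabled"))
        if not kek["enabled"]:
            raise PermissionError(f"{kek_id} is disabled")
        return unseal(kek["material"], wrapped_dek)

    def disable(self, kek_id: str) -> None:
        """Break-glass control: every later unwrap is refused immediately."""
        self._keks[kek_id]["enabled"] = False

    def rewrap(self, old_id: str, new_id: str, wrapped_dek: bytes, caller: str) -> bytes:
        """Rotation: move a DEK under a new KEK without handing it to the provider."""
        return self.wrap(new_id, self.unwrap(old_id, wrapped_dek, caller))

class CloudService:
    """Hypothetical provider side: holds ciphertext and wrapped DEKs, never a KEK."""
    def __init__(self, kms: CustomerKeyManager) -> None:
        self.kms, self.store = kms, {}

    def put(self, name: str, kek_id: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)  # fresh DEK per object
        self.store[name] = {"kek_id": kek_id, "wrapped_dek": self.kms.wrap(kek_id, dek),
                            "ciphertext": seal(dek, plaintext)}

    def get(self, name: str, caller: str) -> bytes:
        rec = self.store[name]
        dek = self.kms.unwrap(rec["kek_id"], rec["wrapped_dek"], caller)
        return unseal(dek, rec["ciphertext"])

    def rotate(self, name: str, new_kek_id: str, caller: str) -> None:
        rec = self.store[name]  # only the small wrapped DEK changes; bulk ciphertext stays
        rec["wrapped_dek"] = self.kms.rewrap(rec["kek_id"], new_kek_id, rec["wrapped_dek"], caller)
        rec["kek_id"] = new_kek_id

def run_scenario() -> dict:
    """Normal read, provider-alone attempt, KEK rotation, then break-glass disable."""
    kms = CustomerKeyManager()
    svc = CloudService(kms)
    record = b"constructed sample: patient 4711, ICD code Z00"  # constructed input
    svc.put("record-1", kms.create_kek(), record)
    results = {"read_before": svc.get("record-1", "app") == record}
    try:  # provider holds no KEK; a guessed key fails the tag check
        unseal(secrets.token_bytes(32), svc.store["record-1"]["wrapped_dek"])
        results["provider_alone"] = "decrypted"
    except ValueError:
        results["provider_alone"] = "rejected"
    ct_before = svc.store["record-1"]["ciphertext"]
    svc.rotate("record-1", kms.create_kek(), "key-admin")
    results["rotated_read"] = svc.get("record-1", "app") == record
    results["ciphertext_unchanged"] = svc.store["record-1"]["ciphertext"] == ct_before
    kms.disable(svc.store["record-1"]["kek_id"])  # incident: cut access without the vendor
    try:
        svc.get("record-1", "app")
        results["after_disable"] = "readable"
    except PermissionError:
        results["after_disable"] = "denied"
    results["audit_entries"] = len(kms.audit)
    return results
```

Run `run_scenario()` to walk the four steps; the audit list is the kind of evidence an auditor asks for under the "document, test, and audit" point, and the rotation step is cheap precisely because only the wrapped DEK is re-encrypted, never the stored data.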