Cryptographic Keys complete

• No encryption policy or standard is documented.
• The organisation cannot articulate who holds key material or under which jurisdiction keys reside.
• Key rotation does not occur, or occurs solely at provider discretion without organisational awareness.
• There is no distinction between encryption of data at rest, in transit, or in use.
• CLOUD Act exposure through US-headquartered providers is neither assessed nor mitigated.

• Absence of encryption-related policies in the information security management system.
• Interview responses indicating encryption is "handled by the cloud provider" with no further detail.
• No key management entries in asset inventories or configuration management databases.

Organisations at Level 0 face significant regulatory exposure. GDPR Art. 32 requires encryption as a technical safeguard, and the inability to demonstrate deliberate encryption governance undermines compliance posture. In the event of a breach, the inability to confirm encryption status (GDPR Art. 34) may trigger mandatory notification to data subjects. Under NIS2, the absence of cryptography policies constitutes a direct compliance gap for entities in scope.

• A formal encryption policy mandates encryption for data at rest and in transit.
• Provider-default encryption mechanisms are identified and mapped to workloads.
• Key generation, storage, rotation, and destruction are entirely provider-managed.
• The provider retains technical capability to access key material.
• Key custody is documented as a known dependency but no mitigation is in place.

• Approved encryption policy with scope covering production systems.
• Configuration evidence showing provider-managed encryption enabled (e.g., AWS SSE-S3 bucket policies, Azure Storage Account encryption settings).
• Risk register entry acknowledging provider key custody as a dependency.
• No BYOK or customer-managed key configurations present.

The primary risk at Level 1 is the CLOUD Act exposure. When a US-headquartered provider holds key material, law enforcement requests under the CLOUD Act can compel the provider to produce decrypted data without customer notification. This applies regardless of where the data or keys physically reside. Organisations processing sensitive personal data or operating in regulated sectors (financial services under DORA, essential services under NIS2) should prioritise advancing beyond this level.

• The DPA includes specific clauses on key management, custody, and access conditions.
• BYOK or customer-managed key options are contractually available.
• A formal key management procedure covers generation, rotation, revocation, and destruction.
• The organisation understands that cloud BYOK typically means the provider wraps customer keys within their KMS, retaining technical access during cryptographic operations.
• Residual risk of provider access to key material is formally documented and accepted.

• DPA with key management annexes or clauses specifying custody and access conditions.
• Service agreement addenda enabling BYOK/CMK capabilities.
• Key management procedure aligned to industry standards (e.g., NIST SP 800-57).
• Risk assessment documenting the technical limitations of cloud BYOK (provider access to key material in memory).
• Partial implementation of customer-managed keys on high-sensitivity workloads.

The critical limitation at Level 2 is the gap between contractual and technical control. Cloud KMS BYOK implementations (AWS KMS CMK, Azure Key Vault BYOK, Google Cloud KMS) typically import customer key material into the provider's HSM infrastructure, where the provider's platform retains access during cryptographic operations. While contractual clauses restrict how the provider may use this access, they do not prevent compelled access under legal instruments such as the CLOUD Act or national security letters. Organisations handling particularly sensitive data (health, financial, classified) should advance to Level 3 to close this gap.

• Customer-managed keys (BYOK/HYOK) are deployed across all critical workloads.
• HSM-backed key storage ensures key material never exists in plaintext outside the HSM security boundary.
• Key material resides exclusively in EU/Swiss jurisdiction with verified residency.
• Automated key rotation operates on customer-defined schedules, differentiated by data classification.
• Envelope encryption separates data encryption keys from key encryption keys.
• The provider is technically unable to decrypt customer data without customer cooperation.

• Architecture diagrams showing HSM-backed key management (e.g., AWS CloudHSM clusters, Azure Dedicated HSM, Thales Luna Network HSM in cloud).
• HSM deployment certificates confirming EU/Swiss data centre locations.
• Automated key rotation logs showing customer-triggered rotations on defined schedules.
• Envelope encryption design documentation with clear DEK/KEK separation.
• Penetration test or architecture review confirming provider cannot access plaintext key material.
• Key ceremony records for root key generation.

While Level 3 provides strong cryptographic sovereignty, residual risks remain. The underlying HSM platform (hardware, firmware, operational management) is still controlled by the cloud provider in cloud-hosted HSM deployments. Physical security of the HSM hardware, firmware integrity, and side-channel protections depend on the provider's operational practices. For organisations subject to the most stringent sovereignty requirements (defence, intelligence, critical national infrastructure), these residual dependencies may necessitate advancing to Level 4.

Level 3 is appropriate for organisations that process sensitive personal data, financial data under DORA, or data subject to sector-specific regulations where provider access to plaintext key material is unacceptable. It is also warranted when a CLOUD Act risk assessment identifies provider-held keys as a significant exposure, or when clients or regulators require evidence of technical key control beyond contractual assurances.

Organisations handling general-purpose business data, where contractual safeguards at Level 2 are proportionate to the risk profile, may not need HSM-backed key management. Small and medium organisations without the operational capacity to manage HSM infrastructure, key rotation automation, and envelope encryption should weigh the operational burden against the incremental sovereignty gained.

At Level 3, CLOUD Act risk is substantially mitigated. Even if a US-headquartered provider receives a lawful data production request, the provider cannot produce decrypted data because it lacks access to the plaintext key material. The requesting authority would need to compel the customer directly through mutual legal assistance treaties (MLATs) or equivalent instruments, which are subject to jurisdictional safeguards.

• Self-hosted HSM infrastructure operates in customer-controlled data centres or on-premises facilities.
• Root key ceremonies are conducted on-premises with multi-custodian controls and tamper-evident procedures.
• Key material is generated, stored, used, rotated, and destroyed entirely within customer-controlled boundaries.
• A centralised key management platform governs keys across hybrid and multi-cloud deployments.
• No cloud provider, managed service provider, or third party has technical access to plaintext key material.
• Post-quantum cryptographic readiness is assessed and migration planning is underway.

• On-premises HSM deployment documentation with physical security audit reports.
• Key ceremony records with witness logs, custodian sign-off, and tamper-evident bag serial numbers.
• Architecture documentation demonstrating end-to-end key material isolation from provider infrastructure.
• Centralised key management platform (e.g., HashiCorp Vault Enterprise, Thales CipherTrust Manager, Fortanix DSM) deployed on customer-owned infrastructure.
• Independent audit report confirming zero provider access to key material.
• Cryptographic algorithm inventory and post-quantum migration roadmap.

Achieving Level 4 requires significant operational maturity. The organisation must maintain:

• HSM operations: Hardware lifecycle management including firmware updates, certificate renewals, capacity monitoring, and disaster recovery for HSM clusters.
• Key custodian programme: Trained personnel for key ceremonies with documented succession planning and segregation of duties.
• Cryptographic expertise: In-house or retained expertise for cryptographic architecture decisions, algorithm selection, and incident response.
• Compliance monitoring: Continuous verification that no key material leaks into provider-accessible infrastructure through configuration drift or architectural changes.

Level 4 is the target state for organisations in defence, intelligence, or critical national infrastructure where no residual provider dependency for key management is acceptable. It is also warranted when the threat model includes the cloud provider itself as a potential adversary or as a party that could be compelled to act against the organisation's interests.

For most commercial organisations, Level 3 provides strong cryptographic sovereignty with significantly lower operational overhead. Level 4 requires sustained investment in HSM operations, key custodian programmes, cryptographic expertise, and post-quantum migration planning. Organisations should pursue Level 4 only when driven by a specific threat model and regulatory requirement, not as a default aspiration.

At Level 4, the organisation is effectively immune to CLOUD Act compelled access through providers. Since no provider holds or can access key material, a CLOUD Act request directed at a provider cannot yield decrypted data. Any government seeking access to the encrypted data must engage directly with the organisation through the applicable legal framework (Swiss IMAC, EU MLAT processes), which are subject to full jurisdictional safeguards and judicial oversight.

Organisations at Level 4 should actively monitor NIST post-quantum cryptography standards and begin assessing the impact of quantum computing on their cryptographic estate. Key management infrastructure should be evaluated for crypto-agility - the ability to migrate to post-quantum algorithms without architectural redesign. This includes inventorying all cryptographic algorithms in use, identifying harvest-now-decrypt-later risks for long-lived data, and planning HSM firmware upgrades to support post-quantum algorithms.