HSM / KMS
Also: Hardware Security Module, Key Management System
HSM: tamper-resistant hardware that generates, stores and uses cryptographic keys without ever releasing them in plaintext; certified under FIPS 140-2/140-3 and Common Criteria. KMS: the software layer that manages key lifecycle (creation, rotation, access policy, audit logging) and typically delegates master-key operations to an HSM backend. Both are standard required components wherever regulated encryption is in scope.
HSM classes: network HSMs (Thales Luna, Entrust nShield, Utimaco), cloud HSMs (AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM) and USB HSMs. For regulated workloads, require FIPS 140-2 Level 3 (or the FIPS 140-3 equivalent) or higher; Level 3 adds physical tamper response and identity-based operator authentication over Level 2.
Cloud KMS: AWS KMS, Azure Key Vault, Google Cloud KMS. Bring-Your-Own-Key (BYOK) imports customer-generated key material into the provider's KMS (wrapped to a provider public key before upload), after which the provider performs operations with it. Hold-Your-Own-Key (HYOK) keeps the master key in a customer-controlled HSM outside the provider; the cloud KMS forwards wrap/unwrap requests to it and cannot decrypt on its own, so revoking access at the customer HSM cuts the provider off.
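Added example (not code from this page or from any vendor) showing the two mechanics described above in working Go, standard library only: envelope encryption behind a KMS boundary, where the master key never leaves and callers only ever receive data keys, and BYOK import, where customer key material is wrapped to the provider's RSA-OAEP public key before upload. The type and function names (KMS, GenerateDataKey, BYOKWrap, ImportKeyMaterial) are hypothetical, and AES-256-GCM plus RSA-OAEP-SHA256 are this example's choices, not something the entry specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KMS is a hypothetical model of an HSM-backed key-management service: the
// master key is generated inside this boundary and is never handed out.
type KMS struct {
	master   []byte          // AES-256 master (key-encryption) key, never exported
	wrapping *rsa.PrivateKey // private half of the BYOK import-wrapping key pair
}

func NewKMS() (*KMS, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	wrapping, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KMS{master: master, wrapping: wrapping}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a random nonce prepended; aad pins the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and rejects inputs too short to carry a nonce.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// GenerateDataKey is the envelope-encryption primitive: a fresh data key in
// plaintext for local use plus the same key wrapped under the master for storage.
func (k *KMS) GenerateDataKey() ([]byte, []byte, error) {
	plain := make([]byte, 32)
	if _, err := rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(k.master, plain, []byte("data-key"))
	return plain, wrapped, err
}

// Decrypt unwraps a stored data key; the master key itself never leaves.
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.master, wrapped, []byte("data-key")) }

// BYOKWrap (customer side) wraps locally generated key material to the
// provider's published wrapping key with RSA-OAEP-SHA256 before upload.
func BYOKWrap(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// ImportKeyMaterial (provider side) unwraps it and installs it as the new master.
// Data keys wrapped under the old master stop decrypting: re-wrap them before rotating.
func (k *KMS) ImportKeyMaterial(wrappedMaster []byte) error {
	master, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.wrapping, wrappedMaster, nil)
	if err != nil {
		return err
	}
	if len(master) != 32 {
		return errors.New("imported key material must be 256 bits")
	}
	k.master = master
	return nil
}
```

The application stores only the wrapped data key next to the ciphertext (here the wrapped key doubles as GCM associated data, so a blob cannot be re-paired with a different key), and calls Decrypt on the wrapped key whenever it needs the data key back. Importing new material invalidates every data key wrapped under the previous master, which is the operational reason rotation discipline gets audited: re-wrap stored data keys under the new master before retiring the old one.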
Audit cases: BAIT BTO 5 (cryptography), DORA Art. 9 (ICT security measures), NIS2 Art. 21(2)(h) (cryptography and encryption), BSI TR-02102 (recommendations on cryptographic mechanisms and key lengths). Key sovereignty (who controls the master key) and rotation discipline are classic audit focal points.
Related terms
BYOK / HYOK (Bring/Hold Your Own Key)
Key-management models in cloud environments: BYOK means the customer brings their own …
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
Confidential Computing
Hardware-based isolation that keeps data encrypted during processing (data-in-use). Complements encr…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
BAIT
BaFin circular that concretises IT requirements for credit institutions. Specifies MaRisk AT 7.2 for…
BCM
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI…
