diff --git a/libwvdrmengine/cdm/core/include/policy_engine.h b/libwvdrmengine/cdm/core/include/policy_engine.h
index 6cd9aad1..83214622 100644
--- a/libwvdrmengine/cdm/core/include/policy_engine.h
+++ b/libwvdrmengine/cdm/core/include/policy_engine.h
@@ -99,6 +99,10 @@ class PolicyEngine {
 
   bool CanRenew() { return policy_.can_renew(); }
 
+  bool IsSufficientOutputProtection(const KeyId& key_id) {
+    return license_keys_->MeetsConstraints(key_id);
+  }
+
  private:
   friend class PolicyEngineTest;
   friend class PolicyEngineConstraintsTest;
diff --git a/libwvdrmengine/cdm/core/src/cdm_session.cpp b/libwvdrmengine/cdm/core/src/cdm_session.cpp
index d4a12313..2e7fcb60 100644
--- a/libwvdrmengine/cdm/core/src/cdm_session.cpp
+++ b/libwvdrmengine/cdm/core/src/cdm_session.cpp
@@ -551,9 +551,14 @@ CdmResponseType CdmSession::Decrypt(const CdmDecryptionParameters& params) {
 
   // Playback may not begin until either the start time passes or the license
   // is updated, so we treat this Decrypt call as invalid.
-  if (params.is_encrypted &&
-      !policy_engine_->CanDecryptContent(*params.key_id)) {
-    return policy_engine_->IsLicenseForFuture() ? DECRYPT_NOT_READY : NEED_KEY;
+  if (params.is_encrypted) {
+    if (!policy_engine_->CanDecryptContent(*params.key_id)) {
+      if (policy_engine_->IsLicenseForFuture())
+        return DECRYPT_NOT_READY;
+      if (!policy_engine_->IsSufficientOutputProtection(*params.key_id))
+        return INSUFFICIENT_OUTPUT_PROTECTION;
+      return NEED_KEY;
+    }
   }
 
   CdmResponseType status = crypto_session_->Decrypt(params);