Navigating NIS2: Ensuring Compliance through Encryption

21 Feb 2024 | Hannaleena Pojanluoma

Network and Information Systems 2 (NIS2) is a European Union directive that provides legal measures to elevate the overall level of cybersecurity in the EU. With the frequency and magnitude of security incidents increasing, NIS2 aims to strengthen the EU’s digital infrastructure and protect citizens from malicious attacks. The regulation is an update to the original NIS directive that was enacted by the EU in 2016.  
 
In this blog, we summarize what NIS2 says about encryption and how organizations can prepare to comply with the directive’s encryption security measures. 

NIS2 in a Nutshell

  • When? 
    NIS2 was approved by the EU in November 2022. Member states have until 17 October 2024 to start complying with the directive.
  • What? 
    NIS2 aims to establish a common level of security for network and information systems within the EU by making cybersecurity requirements mandatory for all member states. As well as outlining security requirements, the directive introduces enforcement measures and sanctions for both EU member states and entities providing essential services to member states.
  • Who?
    Entities that provide essential services to EU member states in the following industries are all subject to NIS2:
    - Aerospace 
    - Banking and financial market infrastructure 
    - Digital infrastructure
    - Digital service providers
    - Energy
    - Food
    - Healthcare
    - Manufacturing of critical products, such as pharmaceuticals or medical devices
    - Postal and courier services
    - Public administration
    - Public electronic communications networks or services
    - Transport
    - Wastewater and waste management
    - Water supply
     

How to Prepare for NIS2 

By following these 5 steps, you can ensure that your organization is ready to comply with NIS2: 


1. Identify Obligations 
Before you can do anything else, you should examine the NIS2 directive and consider where your organization’s obligations lie.  

2. Review Policies 
Next, you want to align your organizational policies, standards and procedures with the NIS2 regulation where appropriate.  

3. Identify Owners 
Appoint accountable individuals or teams to understand your organizational obligations and take necessary action.  

4. Assess Gaps 
Carry out internal or external gap assessments to understand your organization’s current state of compliance.  

5. Implement Actions 
Execute, monitor and audit the identified actions. 

What Does NIS2 Say about Encryption? 

If you follow the above steps in your preparation for NIS2, you will soon understand that encryption is a necessary part of your compliance efforts. Let’s take a look at what the directive has to say about encryption:  

Article 21: Cybersecurity risk-management measures 


1. “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services...” 

2. “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: …”

(h) “policies and procedures regarding the use of cryptography and, where appropriate, encryption”. 
 
Entities that provide essential services to EU member states can meet the NIS2’s encryption requirements by using secure encryption solutions to protect the confidentiality, integrity and authenticity of data. In addition, it would be wise to implement secure key management practices and conduct regular encryption testing and training. 

Encryption Requirements to Comply with NIS2


The NIS2 directive goes on to state that end-to-end encryption technology should be used by organizations “to safeguard the security of public electronic communications networks and publicly available electronic communications services”. End-to-end encryption is needed to protect data in transit between 2 different locations, such as network communications. Here are some tips on how to protect data in transit:

  • Implement secure communication protocols like HTTPS or VPNs to encrypt data during transmission 
  • Use email encryption to protect sensitive information in motion 
  • Consider using secure file transfer methods to maintain data confidentiality, such as encrypted email attachments and public key encryption 

Just keep in mind that end-to-end encryption is not enough to fully protect data that hasn’t been protected at the source. Endpoint encryption provides the last line of defense for information stored on physical or electronic storage devices, and it is also required by GDPR. To effectively protect data at rest:


The third and final state of data is data in use, which refers to information that is being accessed by users or applications. Data in use is not traditionally protected by encryption software, so safeguarding this type of information can prove to be challenging. One solution is to implement protection techniques to safeguard sensitive data during processing.  

Use BestCrypt to Comply with NIS2 

The best way to comply with Article 21.2.h of the NIS2 directive is to use trusted data encryption solutions to protect the confidentiality of your data. With Jetico’s BestCrypt, you have access to 3 different solutions that set you well on the path to protecting data in all 3 states. 

To get started with Jetico’s data encryption solutions, contact our Data Protection Specialists and request a free trial. To learn more about how to encrypt your data, read our ultimate guide.

Hannaleena Pojanluoma

Hannaleena Pojanluoma has been leading Jetico as CEO since May 2023, bringing with her more than 20 years of sales, marketing and technology experience. Previously working for a range of international companies in her native Finland, Pojanluoma has a broad understanding of diverse international markets.

Pojanluoma has been essential in driving sales growth since joining Jetico in October 2015. Her efforts have been concentrated on boosting sales and brand awareness in key European countries such as the United Kingdom, Germany and Italy.

As a member of Jetico's Board of Directors, she joins influential figures such as Tommi Rasila and Umeshchandra Gowda.
