Navigating NIS2: Ensuring Compliance through Encryption

21 Feb 2024 | Hannaleena Pojanluoma
European Union flag with text about how to comply with NIS2 Directive through encryption

Network and Information Systems 2 (NIS2) is a European Union directive that provides legal measures to elevate the overall level of cybersecurity in the EU. With the frequency and magnitude of security incidents increasing, NIS2 aims to strengthen the EU’s digital infrastructure and protect citizens from malicious attacks. The regulation is an update to the original NIS directive that was enacted by the EU in 2016.  
In this blog, we summarize what NIS2 says about encryption and how organizations can prepare to comply with the directive’s encryption security measures. 

NIS2 in a Nutshell

  • When? 
    NIS2 was approved by the EU in November 2022. Member states have until 17 October 2024 to start complying with the directive.
  • What? 
    NIS2 aims to establish a common level of security for network and information systems within the EU by making cybersecurity requirements mandatory for all member states. As well as outlining security requirements, the directive introduces enforcement measures and sanctions for both EU member states and entities providing essential services to member states.
  • Who?
    Entities that provide essential services to EU member states in the following industries are all subject to following NIS2:
    - Aerospace 
    - Banking and financial market infrastructure 
    - Digital infrastructure
    - Digital service providers
    - Energy
    - Food
    - Healthcare
    - Manufacturing of critical products, such as pharmaceuticals or medical devices
    - Postal and courier services
    - Public administration
    - Public electronic communications networks or services
    - Transport
    - Wastewater and waste management
    - Water supply

How to Prepare for NIS2 

By following these 5 steps, you can ensure that your organization is ready to comply with NIS2: 

NIS2 list of 5-step compliance process

1. Identify Obligations 
Before you can do anything else, you should examine the NIS2 directive and consider where your organization’s obligations lie.  

2. Review Policies 
Next, you want to align your organizational policies, standards and procedures with the NIS2 regulation where appropriate.  

3. Identify Owners 
Appoint accountable individuals or teams to understand your organizational obligations and take necessary action.  

4. Assess Gaps 
Carry out internal or external gap assessments to understand your organization’s current state of compliance.  

5. Implement Actions 
Execute, monitor and audit the identified actions. 

What Does NIS2 Say about Encryption? 

If you follow the above steps in your preparation for NIS2, you will soon understand that encryption is a necessary part of your compliance efforts. Let’s take a look at what the directive has to say about encryption:  

Article 21: Cybersecurity risk-management measures 

Icon showing European flag with lock to represent encryption requirements for NIS2 directive

1. “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services...” 

2.  “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: …" 

(h) “policies and procedures regarding the use of cryptography and, where appropriate, encryption”. 
Entities that provide essential services to EU member states can meet the NIS2’s encryption requirements by using secure encryption solutions to protect the confidentiality, integrity and authenticity of data. In addition, it would be wise to implement secure key management practices and conduct regular encryption testing and training. 

Encryption Requirements to Comply with NIS2

Icons of files with arrow being transferred from one point to another with data in transit

The NIS2 directive goes on to state that end-to-end encryption technology should be used by organizations “to safeguard the security of public electronic communications networks and publicly available electronic communications services”. End-to-end encryption is needed to protect data in transit between 2 different locations, such as network communications. Here’s some tips on how to protect data in transit:  

  • Implement secure communication protocols like HTTPS or VPNs to encrypt data during transmission 
  • Use email encryption to protect sensitive information in motion 
  • Consider using secure file transfer methods to maintain data confidentiality, such as encrypted email attachments and public key encryption 
Closed computer's folder not been accessed and with data at rest

Just keep in mind that end-to-end encryption is not enough to fully protect data that hasn’t been protected at the source. Endpoint encryption provides the last line of defense for your information that’s stored on physical or electronic storage devices, while it’s also required by GDPR. To effectively protect data at rest:  

Open computer's document file been viewed by an eye and information accessed with data in use

The third and final state of data is data in use, which refers to information that is being accessed by users or applications. Data in use is not traditionally protected by encryption software, so safeguarding this type of information can prove to be challenging. One solution is to implement protection techniques to safeguard sensitive data during processing.  

Use BestCrypt to Comply with NIS2 

The best way to comply with Article 21.2.h of the NIS2 directive is to use trusted data encryption solutions to protect the confidentiality of your data. With Jetico’s BestCrypt, you have access to 3 different solutions that set you well on the path to protecting data in all 3 states. 

To get started with Jetico’s data encryption solutions, contact our Data Protection Specialists and request a free trial. To learn more about how to encrypt your data, read our ultimate guide

Hannaleena Pojanluoma photo Jetico CEO and blog writer
Hannaleena Pojanluoma

Hannaleena Pojanluoma has been leading Jetico as CEO since May 2023, bringing with her more than 20 years of sales, marketing and technology experience. Previously working for a range of international companies in her native Finland, Pojanluoma has a broad understanding of diverse international markets.

Pojanluoma has been essential in driving sales growth since joining Jetico in October 2015. Her efforts have been concentrated on boosting sales and brand awareness in key European countries such as the United Kingdom, Germany and Italy.

As a member of Jetico's Board of Directors, she joins influential figures such as Tommi Rasila and Umeshchandra Gowda.

View all blog posts

Thank you for contacting Jetico!
We will respond to you as soon as possible.

Send us a message - we'll reply within 24 business hours.

Need help now? Call Us
US: 202 742 2901 EU: +358 50 339 6388