
Navigating NIS2: Ensuring Compliance through Encryption

SUMMARY: This guide explains how the NIS2 Directive strengthens cybersecurity requirements across the European Union and why encryption plays a central role in compliance. You’ll learn which organizations fall under NIS2, how risk-management expectations have evolved, and where encryption supports confidentiality and resilience. The article also outlines practical encryption approaches and shows how solutions such as BestCrypt help organizations protect sensitive data and demonstrate alignment with NIS2 requirements.

Network and Information Systems 2 (NIS2) is a European Union directive that provides legal measures to elevate the overall level of cybersecurity in the EU. With the frequency and magnitude of security incidents increasing, NIS2 aims to strengthen the EU’s digital infrastructure and protect citizens from malicious attacks. The regulation is an update to the original NIS directive that was enacted by the EU in 2016.

[Image: European Union flag with the text "NIS2 Directive: Encryption Requirements Explained"]

In this blog, we summarize what NIS2 says about encryption and how organizations can prepare to comply with the directive’s encryption security measures.

NIS2 in a Nutshell

  • When?
    NIS2 was approved by the EU in November 2022. Member states have until 17 October 2024 to start complying with the directive.
  • What?
    NIS2 aims to establish a common level of security for network and information systems within the EU by making cybersecurity requirements mandatory for all member states. As well as outlining security requirements, the directive introduces enforcement measures and sanctions for both EU member states and entities providing essential services to member states.
  • Who?
    Entities that provide essential services to EU member states in the following industries are subject to NIS2:
    – Aerospace
    – Banking and financial market infrastructure
    – Digital infrastructure
    – Digital service providers
    – Energy
    – Food
    – Healthcare
    – Manufacturing of critical products, such as pharmaceuticals or medical devices
    – Postal and courier services
    – Public administration
    – Public electronic communications networks or services
    – Transport
    – Wastewater and waste management
    – Water supply

How to Prepare for NIS2

By following these 5 steps, you can ensure that your organization is ready to comply with NIS2:

  1. Identify Obligations
    Before you can do anything else, you should examine the NIS2 directive and consider where your organization’s obligations lie.
  2. Review Policies
    Next, you want to align your organizational policies, standards and procedures with the NIS2 regulation where appropriate.
  3. Identify Owners
    Appoint accountable individuals or teams to understand your organizational obligations and take necessary action.
  4. Assess Gaps
    Carry out internal or external gap assessments to understand your organization’s current state of compliance.
  5. Implement Actions
    Execute, monitor and audit the identified actions.

What Does NIS2 Say about Encryption?

If you follow the above steps in your preparation for NIS2, you will soon understand that encryption is a necessary part of your compliance efforts. Let’s take a look at what the directive has to say about encryption:

Article 21: Cybersecurity risk-management measures

“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services…”

  2. “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: …”

(h) “policies and procedures regarding the use of cryptography and, where appropriate, encryption”.

Entities that provide essential services to EU member states can meet NIS2’s encryption requirements by using secure encryption solutions to protect the confidentiality, integrity and authenticity of data. In addition, it is wise to implement secure key management practices and to conduct regular encryption testing and training.

Encryption Requirements to Comply with NIS2

[Image: files being transferred between two points, illustrating data in transit]

The NIS2 directive goes on to state that end-to-end encryption technology should be used by organizations “to safeguard the security of public electronic communications networks and publicly available electronic communications services”. End-to-end encryption protects data in transit between 2 different locations, such as network communications. Here are some tips on how to protect data in transit:

  • Implement secure communication protocols like HTTPS or VPNs to encrypt data during transmission
  • Use email encryption to protect sensitive information in motion
  • Consider using secure file transfer methods to maintain data confidentiality, such as encrypted email attachments and public key encryption

Keep in mind that end-to-end encryption alone is not enough: data that was never protected at its source remains exposed. Endpoint encryption provides the last line of defense for information stored on physical or electronic storage devices, and it is also required by GDPR. To effectively protect data at rest:

[Image: a closed folder (data at rest) and an open document being viewed (data in use)]
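What “confidentiality, integrity and authenticity” from the Article 21 discussion above means for a file at rest is easiest to see in code. The following is an added example written for this article; it is not BestCrypt’s or Jetico’s code and does not reproduce the container format BestCrypt uses. It seals a file body with AES-256-GCM, binds a constructed header (a format marker and a key identifier, which a key-management system would use to look up the data-encryption key) to the ciphertext as additional authenticated data, and rejects any container whose body or header has been altered or that is opened with the wrong key. The `Seal`, `Open`, `PeekKeyID` and `TamperDemo` names, the `ENC1` marker, the key identifier 42 and the sample record are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not BestCrypt's format):
//   magic "ENC1" | key identifier (8 bytes) | nonce (12 bytes) | ciphertext || GCM tag
// magic and key identifier are passed to AES-GCM as additional authenticated
// data, so an edited header is rejected exactly like an edited ciphertext.
const (
	magic    = "ENC1"
	keyIDLen = 8
	nonceLen = 12
)

// ErrTampered covers every authentication failure (altered body, altered
// header, wrong key) so a caller is never handed partially trusted data.
var ErrTampered = errors.New("container rejected: authentication failed")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes; 32 selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and returns a self-describing container.
func Seal(key []byte, keyID [keyIDLen]byte, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // fresh random nonce per sealed file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte(magic), keyID[:]...)
	out := make([]byte, 0, len(header)+nonceLen+len(plaintext)+aead.Overhead())
	out = append(out, header...)
	out = append(out, nonce...)
	// Seal appends ciphertext and tag; the header is authenticated, not encrypted.
	return aead.Seal(out, nonce, plaintext, header), nil
}

// PeekKeyID reads the key identifier so a key store can be consulted before
// decryption. The value is untrusted until Open succeeds with that key.
func PeekKeyID(container []byte) (keyID [keyIDLen]byte, err error) {
	if len(container) < len(magic)+keyIDLen || string(container[:len(magic)]) != magic {
		return keyID, errors.New("not a recognized container")
	}
	copy(keyID[:], container[len(magic):len(magic)+keyIDLen])
	return keyID, nil
}

// Open verifies the header and body together and returns the plaintext.
func Open(key []byte, container []byte) ([]byte, error) {
	hdrLen := len(magic) + keyIDLen
	if len(container) < hdrLen+nonceLen || string(container[:len(magic)]) != magic {
		return nil, errors.New("not a recognized container")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	header := container[:hdrLen]
	nonce := container[hdrLen : hdrLen+nonceLen]
	plaintext, err := aead.Open(nil, nonce, container[hdrLen+nonceLen:], header)
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

// TamperDemo seals a constructed record, then flips one bit in the body and
// one bit in the header. Returns (roundTripOK, bodyRejected, headerRejected).
func TamperDemo() (bool, bool, bool) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false, false, false
	}
	var id [keyIDLen]byte
	binary.BigEndian.PutUint64(id[:], 42) // constructed key identifier
	record := []byte("patient 1234: constructed sample record")
	box, err := Seal(key, id, record)
	if err != nil {
		return false, false, false
	}
	got, err := Open(key, box)
	roundTrip := err == nil && bytes.Equal(got, record)

	body := append([]byte(nil), box...)
	body[len(body)-1] ^= 0x01 // one bit of the ciphertext/tag
	_, errBody := Open(key, body)

	hdr := append([]byte(nil), box...)
	hdr[len(magic)] ^= 0x01 // one bit of the key identifier
	_, errHdr := Open(key, hdr)

	return roundTrip, errors.Is(errBody, ErrTampered), errors.Is(errHdr, ErrTampered)
}

func main() {
	ok, body, hdr := TamperDemo()
	fmt.Printf("round trip ok: %v, tampered body rejected: %v, tampered header rejected: %v\n", ok, body, hdr)
}
```

Run it with `go run`. Two points matter for the key-management practice the directive asks for: the key never leaves the caller (the container carries only an identifier, so rotation means resealing under a new identifier), and a random 96-bit nonce per file is only safe for a bounded number of files under one key, so the policy should cap that count and rotate (NIST SP 800-38D is the usual reference). Deriving the key from a passphrase or holding it in a hardware-backed store is deliberately left out of the example.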

The third and final state of data is data in use, which refers to information that is being accessed by users or applications. Data in use is not traditionally protected by encryption software, so safeguarding this type of information can prove to be challenging. One solution is to implement protection techniques to safeguard sensitive data during processing.

Use BestCrypt to Comply with NIS2

The best way to comply with Article 21.2.h of the NIS2 directive is to use trusted data encryption solutions to protect the confidentiality of your data. With Jetico’s BestCrypt, you have access to 3 different solutions that set you well on the path to protecting data in all 3 states.

To get started with Jetico’s data encryption solutions, contact our Data Protection Specialists and request a free trial. To learn more about how to encrypt your data, read our ultimate guide.

For more information on complying with NIS2, find out how to meet the directive’s cyber hygiene security measures.

Frequently Asked Questions (FAQs)

What Is the NIS2 Directive and Who Must Comply?

The NIS2 Directive is an EU cybersecurity law that expands obligations for essential and important entities. It applies to sectors such as energy, healthcare, finance, transport, and digital services that are critical to the EU economy and society.

Why Is Encryption Important for NIS2 Compliance?

Encryption reduces the impact of unauthorized access and data breaches by ensuring information remains unreadable without proper credentials. Under NIS2, encryption supports risk reduction and operational resilience objectives.

What Types of Encryption Should Organizations Use for NIS2?

Organizations should protect data at rest, data in transit, and where possible data in use. This may include full-disk encryption, file or container encryption, and secure communication protocols depending on risk and use case.

Does NIS2 Require Specific Encryption Technologies?

NIS2 does not mandate specific algorithms but expects organizations to apply widely accepted cryptographic controls appropriate to their risk profile. Solutions such as BestCrypt implement strong encryption methods and centralized management to support these expectations.

How Can Organizations Prove Encryption Is Implemented Under NIS2?

Organizations can demonstrate compliance through documented encryption policies, evidence of deployment, and centralized visibility into encrypted systems. Reporting and management features help support internal reviews and regulatory audits.
