
Encryption in NIS2: What Are the Regulatory Obligations?

Josua Rochat, 9/11/2024

With the rise of cyber threats, the Network and Information Security 2 (NIS2) directive imposes new security measures, including encryption. While the directive remains broad in its requirements, it establishes a framework that necessitates a structured approach to data protection.

NIS2 serves as a legal foundation for cybersecurity within the European Union, with specific requirements tailored to different sectors. Understanding the precise obligations regarding encryption is essential for ensuring effective compliance.

Which Sectors Are Affected by NIS2?

The NIS2 directive significantly expands the scope of affected organizations compared to NIS1. It distinguishes two categories of entities with tailored obligations:

  • Essential entities, which include critical sectors such as energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration, and space.

  • Important entities, which encompass supporting services such as postal services, waste management, chemicals, food production, manufacturing, digital services, and research.

NIS2: What Are the Encryption Obligations?

In this context, Article 21.2(h) of the NIS2 directive explicitly mentions among the risk management measures:

"the use of cryptography and, where appropriate, encryption;"

This requirement mandates that organizations ensure encryption is:

  • Appropriate: Adapted to the specific risks of the entity.

  • Proportionate: Taking into account the size and resources of the organization.

  • State-of-the-art: Using current technologies and standards.

  • Economically viable: Considering the costs of implementation.

  • Effective: Providing real protection against identified risks.

However, NIS2 does not prescribe specific encryption methods (unlike the DORA regulation, for example). Organisations must therefore rely on recognised standards and proven solutions to ensure compliance.

Best Practices for Encryption Under NIS2

According to current industry standards, best practices in encryption are structured around three main areas:

Encryption of Data at Rest

Encryption at rest protects stored data from unauthorized access. It applies to files on servers, databases, and backups.

  • Protection of stored data: Encrypting files on servers and workstations.

  • Securing databases: Encryption at the column level or for the entire database.

  • Encryption of backups: Protection of backup copies and archives.

Encryption of Data in Transit

Encryption in transit secures data during transmission over networks, preventing interception and modification.

  • Protection of network communications: Use of secure protocols (TLS, IPsec).

  • Securing data exchanges: Protection of file transfers.

  • Remote access protection: Securing VPNs and external connections.

Encryption Key Management

Robust key management ensures the effectiveness of encryption. A compromised key would render encryption useless.

  • Key management policies: Creation, distribution, and revocation of keys.

  • Backup procedures: Recovery mechanisms in case of key loss.

  • Access control: Supervision and traceability of key usage.
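The two lists above (encryption at rest and key management) describe one mechanism from two sides: data is encrypted under a key, and the value of that encryption depends on how the key is created, rotated, revoked and traced. The following Go program is an added example, not DuoKey's or the directive's own: a constructed in-memory `KeyStore` that stands in for a key management service, encrypts records with AES-256-GCM under the current key, keeps older keys so existing data stays readable after rotation, refuses revoked keys, and records every key operation in an audit trail. Backup and recovery of the keys themselves, the other item in the list, is deliberately left out; in practice the key material would live in an HSM or a managed key service, not in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyStore is a constructed, in-memory stand-in for a key management service:
// it holds the data-encryption keys, knows which one is current, records
// revocations and keeps a trace of every key operation.
type KeyStore struct {
	keys    map[string][]byte // key ID -> 32-byte AES-256 key
	revoked map[string]bool
	active  string
	Audit   []string // "action keyID", one entry per create/encrypt/decrypt/revoke
}

func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keys: map[string][]byte{}, revoked: map[string]bool{}}
	if _, err := ks.Rotate(); err != nil {
		return nil, err
	}
	return ks, nil
}

// Rotate generates a fresh key and makes it the one used for new data.
// Earlier keys are retained so their ciphertexts stay readable until revoked.
func (ks *KeyStore) Rotate() (string, error) {
	buf := make([]byte, 40) // 32 bytes of key + 8 bytes of random key ID
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := "k-" + hex.EncodeToString(buf[32:])
	ks.keys[id] = buf[:32]
	ks.active = id
	ks.log("create", id)
	return id, nil
}

func (ks *KeyStore) ActiveKeyID() string { return ks.active }
func (ks *KeyStore) Revoke(id string)     { ks.revoked[id] = true; ks.log("revoke", id) }
func (ks *KeyStore) log(action, id string) {
	ks.Audit = append(ks.Audit, fmt.Sprintf("%s %s", action, id))
}

// aead looks a key up and refuses unknown or revoked IDs.
func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("unknown key id " + id)
	}
	if ks.revoked[id] {
		return nil, errors.New("key revoked: " + id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces a self-describing envelope: len(keyID) | keyID | nonce | ciphertext+tag.
// The key ID is also bound as associated data, so a swapped header fails authentication.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	id := ks.active
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := append([]byte{byte(len(id))}, id...)
	env = append(env, nonce...)
	ks.log("encrypt", id)
	return g.Seal(env, nonce, plaintext, []byte(id)), nil
}

// Decrypt reads the key ID from the envelope and decrypts with that key.
// The attempt is logged before the result is known, so failed uses are traceable too.
func (ks *KeyStore) Decrypt(env []byte) ([]byte, error) {
	if len(env) < 1 || len(env) < 1+int(env[0]) {
		return nil, errors.New("malformed envelope")
	}
	id := string(env[1 : 1+int(env[0])])
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	rest := env[1+int(env[0]):]
	if len(rest) < g.NonceSize() {
		return nil, errors.New("malformed envelope")
	}
	ks.log("decrypt", id)
	return g.Open(nil, rest[:g.NonceSize()], rest[g.NonceSize():], []byte(id))
}

func main() {
	ks, _ := NewKeyStore()
	env, _ := ks.Encrypt([]byte("constructed sample record")) // constructed input
	old := ks.ActiveKeyID()
	ks.Rotate()
	pt, err := ks.Decrypt(env)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
	ks.Revoke(old)
	_, err = ks.Decrypt(env)
	fmt.Println("after revocation:", err)
	for _, entry := range ks.Audit {
		fmt.Println("audit:", entry)
	}
}
```

The design choice worth noting is the split between rotation and revocation: rotating moves new writes to a fresh key without touching old data, while revoking is the explicit, logged decision that makes data under a compromised key unreadable. The audit slice is the "traceability of key usage" item in the list, and it is what an auditor would ask to see.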

These measures must be proportionate to identified risks and consider the organisation's size, the nature of processed data, and the potential impact of a security incident, in accordance with the principles outlined in Article 21.1 of the directive.

DuoKey: NIS2-Compliant Encryption

DuoKey offers advanced data encryption solutions, which enable advanced control of encryption keys and ensure the protection of sensitive data at rest, in processing and in transit across major cloud environments (Microsoft 365, AWS, Vault, etc.).

DuoKey Multi-Party Encryption

These advanced encryption methods help organisations fully comply with the requirements of the NIS2 directive, while leveraging cloud capabilities confidently.

--> Learn how to protect your sensitive data in Microsoft 365 with DuoKey advanced data encryption solution.

Conclusion

The NIS2 directive requires affected organisations to implement appropriate and proportionate technical measures to secure their information systems. Among these measures, Article 21.2(h) explicitly mentions the use of encryption.

NIS2 does not impose strict technical specifications for encryption. Instead, it adopts a risk-based approach, encouraging the evaluation of appropriate technical choices and rigorous documentation.

This regulatory flexibility means that organisations must rely on best encryption practices, including protecting data at rest, securing data in transit and ensuring robust encryption key management.
