The NIS2 Directive, or Network and Information Security Directive 2, is the European Union's updated framework for strengthening cybersecurity resilience in its member states. It aims to improve risk management, incident response, and information sharing among essential service providers and digital infrastructure.
Encryption and cryptography play a critical role in NIS2 by safeguarding sensitive data, ensuring secure communications, and protecting networks from malicious threats. By leveraging advanced cryptographic techniques, organizations can comply with NIS2 requirements and improve their overall cybersecurity posture.
Cybersecurity and risk management measures in NIS2
Article 21 of the NIS2 Directive outlines the cybersecurity and risk management measures that entities must follow in order to be compliant. It serves as a guideline for Member States to communicate in a more concrete way with the essential and important entities in their countries.
Paragraph 1 of Article 21 describes that, in order to ensure the security of network and information systems, Member States must require essential and important entities implement appropriate and proportionate technical, operational and organizational measures. These measures should not only help to manage the risks linked to the systems these entities rely on, but also work to prevent or reduce the impact of incidents on their services and users.
The required level of security should reflect the latest technological advances, relevant standards and cost considerations, while considering the size of the entity, its exposure to risk and the potential severity of incidents, including their societal and economic impact.
Paragraph 2 lists the cybersecurity risk management measures. It is important to note that these are the measures that should be followed "as a minimum".
The basic cybersecurity risk management measures include the following:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Access this link for the full legislative text of the NIS2 Directive
Cryptography in NIS2 – How to Achieve the Highest Level of Security
Cryptography is the backbone of information security, providing the scientific foundation for secure IT systems. It plays a critical role in achieving key security objectives such as confidentiality, integrity, authentication, and non-repudiation. Cryptographic mechanisms underlie a wide range of cybersecurity applications, including public key infrastructure (PKI), end-to-end encryption, secure communication protocols, and privileged access management. Everyday uses of cryptography include Website authentication, email encryption, and digital signature solutions, all of which rely on the secure management of cryptographic keys.
However, running cryptographic applications in software presents several challenges, including inadequate protection of key material in use, performance degradation due to cryptographic operations, limited memory space on chips, and vulnerability to side-channel attacks. These drawbacks can significantly affect the overall security and efficiency of cryptographic operations.
The solution to these challenges is to use Hardware Security Modules (HSMs) for the highest level of security and compliance with standards such as NIS2.
The benefits of using HSMs to meet the cryptographic requirements of NIS2 include:
- Sensitive key material is used only in a certified, tamper-proof environment.
- Improved performance by using specialized cryptographic chips and offloading cryptographic processes to the HSM.
- HSMs provide strong protection against side-channel attacks.
- Enable secure key generation through an embedded, true random number generator.
By using HSMs, organizations can meet the highest security policies and procedures for cryptography, ensuring that their cryptographic assets are well protected and compliant with regulatory standards such as the NIS2 Directive.
Encryption in NIS2 – Ensure Protection of Data at rest and in Motion
By transforming plain text into ciphertext using a cryptographic key, encryption ensures that sensitive information can only be accessed and processed by authorized users and services, protecting data from unauthorized access and potential breaches. This is a critical element given that the NIS2 directive also aims to strengthen the cyber resilience of organizations.
To meet these requirements, file and folder encryption solutions are needed to reliably secure data while meeting NIS2 compliance requirements.
Considerations when selecting an encryption solution for NIS2
- Ensure that the solution provides robust encryption for data at rest and in motion.
- Ease of use and management: Look for a solution that is easy to manage, integrates with existing systems, and does not disrupt employee workflows.
- Access control: The solution should provide role-based access to ensure that only authorized users can decrypt and access specific information.
- Scalability: Ensure that the solution can scale to meet growing data volumes and evolving business needs.
- Performance impact: Consider how the encryption solution will impact system performance and response times.
- Interoperability: Ensure the solution is compatible with your current hardware, software, and network infrastructure.
- Multi-platform support: Make sure the solution supports all of the operating systems and devices used in your organization.
Protecting sensitive data at various stages and in various environments, encryption is an essential tool for meeting the stringent security requirements of NIS2 and maintaining the confidentiality and integrity of critical data.
Cryptography and encryption solutions for NIS2 Compliance
NIS2 highlights the critical role of cryptography and encryption in building cyber resilience. With over 40 years of experience in this field, Utimaco offers a range of hardware security modules that help organizations implement strong cryptographic security across various business applications. We also offer file and folder encryption software that ensures data protection for NIS2 compliance.