LEGAL REQUIREMENTS 20. SEP 2024
NIS2: How to implement email encryption in the supply chain
From October 18, 2024, the EU Directive NIS2 requires companies in certain sectors to comply with measures for a high common level of cybersecurity – including their supply chain. Companies affected by NIS2 must make cybersecurity measures mandatory for their business partners and suppliers. Failure to do so can result in fines.
The Directive does not narrow down which companies fall into the supply chain. These can be suppliers of machines or components or IT service providers, among others. This means that many small businesses, such as companies with less than 50 employees or an annual turnover of less than 10 million euros, are likely to be indirectly affected by NIS2.
Here you can find more important information about the scope, risk management measures and sanctions of NIS2.
Zertificon is also impacted by NIS2:
See how we implement measures to secure our supply chain
Video (15 min, German): Our NIS2 plan: Email encryption, supply chain security, and more (inside Zertificon)
NIS2 requires email encryption in the supply chain
Unprotected emails are a major security risk in the supply chain. The use of cryptography and encryption as well as secure written communication are therefore key risk management measures according to NIS2 (see EU Directive dated December 14, 2022, Article 21, page 29). For the companies directly affected, it will be necessary to include these measures in the contracts with their suppliers. This means that enforcing secure communications in business relationships will soon become standard practice.
Many companies, for example in the automotive or retail sectors, already insist on encrypted email communication in accordance with the international standards S/MIME or OpenPGP. Companies are therefore well advised to invest quickly in a secure infrastructure or to broadly utilise existing solutions.
Which email encryption is NIS2-compliant?
All EU members must follow Article 21 from the original NIS2 directive to ensure network security by ‘taking into account the state-of-the-art and relevant European and international standards […] based on an all-hazards approach.’
For email security, this means the use of digital signatures and encryption in accordance with the internationally recognised standards S/MIME and OpenPGP. For businesses, managing email security centrally via an email gateway such as Z1 SecureMail is considered best practice.
Is email encryption with TLS sufficient for NIS2?
The sole use of TLS (Transport Layer Security) for email encryption is not a secure solution. We have already described the shortcomings of TLS in connection with the GDPR in this article. When TLS is used, the sender and recipient can’t see or prove if each email was encrypted throughout its entire journey. Furthermore, it is not possible to sign emails with TLS.
Companies are therefore well advised to encrypt their electronic communication not only with TLS encryption but also with content encryption (also known as ‘end-to-end encryption’). With our gateway solution Z1 SecureMail, you can easily automate signature and content encryption of emails with S/MIME and OpenPGP.
How to protect communications in the supply chain as a NIS2-affected company
Our Z1 SecureMail solutions offer you the necessary encryption technology in accordance with NIS2. The version Z1 SecureMail Gateway is designed for companies with special requirements. Many large companies in the critical infrastructure sector have been using this solution for years to protect their email communication.
With Z1 SecureMail ONE, Zertificon has developed a special product version: the encryption gateway for SMEs with up to 100 email inboxes. Z1 SecureMail ONE is a comprehensive gateway solution with simplified administration. This enables smaller suppliers and service providers to comply to the state of the art and the required standards – all of that at an attractive price from 5 euros/user per month, including S/MIME certificates.
30 euro discount for the first month
Code: NIS2
Buy Z1 SecureMail ONE with the promo code and save 30 euros on your first month’s subscription. This offer is valid until December 31, 2024. Apply your discount at checkout.
Enforce email compliance in the supply chain – without the need for regular security checks on your suppliers
Email inbox with successfully decrypted email
including valid signature
With Z1 SecureMail, you don’t need to put in extra effort to ensure your suppliers comply with NIS2 when communicating with you. Predefined rules, known as Z1 Policies, are an effective way of enforcing compliance standards. In our encryption software, you can centrally define that emails to certain external service providers are automatically signed and encrypted.
Similarly, you can set a Z1 policy to block unencrypted emails from specific service providers and suppliers. In this case, the respective sender is notified that the email has been blocked due to your security policy. Recipients can also see whether an email has been signed and encrypted in the subject line and in the footer of every incoming email, see illustration.
NIS2-compliant email encryption for your supply chain security
Source: Original EU Directive (27.12.22)
