NIS2 Risk Management:
Email Encryption and Signing

Enforce Security & Compliance
in your Supply Chain

This page reflects NIS2 as implemented in Germany and may differ from implementations in other European countries.

NIS2 compliance for emails and state-of-the-art supply chain security with S/MIME and OpenPGP

Cryptography and encryption are integral measures regarding NIS2 complying risk management. Companies labelled essential or important entities according to NIS2 must make use of state-of-the-art technologies to prepare for the necessary compliance requirements. When it comes to secure email exchanges with business partners, customers, and suppliers, digital signatures and message encryption are the first and foremost ways to ensure the security, authenticity, and integrity of communications.

Our solution, Z1 SecureMail, signs and encrypts emails centrally in accordance with the international standards S/MIME and OpenPGP. It ensures end-to-end content encryption according to the latest state of the art via your company’s own gateway. Z1 SecureMail runs effortlessly in the background and supplements Microsoft 365, for example, with the necessary industry-standard security for email traffic.

Implement NIS2 requirements for secure communications with Z1 SecureMail

  1. Cryptography and encryption: signing and message encryption with S/MIME and OpenPGP
  2. Enforce policies automatically: The gateway automatically encrypts email according to pre-defined rules; compared to other solutions, this means up to 80% less effort for admins
  3. Supply chain security: Secure communications throughout the entire supply chain – even for small suppliers with our gateway variant for SMEs
  4. Access control: roles and rights system for administrators
  5. Proof of effectiveness: Encryption is applied automatically via policies, and you can prove whether and how each email was protected. This allows you to pass audits with ease.

Zertificon is also affected by NIS2 – here’s a brief insight into how we approach supply chain security (only in German)

Video (15 min): Our NIS2 plan: email encryption, supply chain security & co. (inside Zertificon)

What is NIS2?

NIS2 is an EU Directive that requires companies and organizations providing essential services and critical infrastructure to improve their cyber and information security measures. The acronym NIS stands for Network and Information Security. As the name suggests, NIS2 is not a completely new regulation, but an evolution of the 2016 EU Directive NIS1.

The increasing number of cyberattacks on the global economy (see supply chain attacks), as well as Russia’s war against Ukraine, show why this administrative act is important and urgent. It is not an abstract problem, but something many business owners experience firsthand.

NIS2UmsuCG: Implementation of NIS2 in Germany

EU member states have to implement the EU NIS2 Directive into national law by October 17, 2024. The draft bill for the so-called “NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)” has already been passed in Germany. However, it has not yet been promulgated. Here you can find the current draft bill of the Federal Government (German) from July 2024. Implementation will be mandatory for affected companies as of October 18, 2024. Companies are therefore well advised to get familiar with the obligations, guidelines, and resulting measures as soon as possible.

Which companies have to implement NIS2 regulations?

The NIS2 Directive significantly expands the number of companies that are subject to security requirements. NIS2 will not only oblige operators of critical infrastructures, but also numerous small companies and suppliers (keyword: supply chain security) to fend off cyber threats.

In addition to the industries already covered by NIS1, such as energy, transport, and health, NIS2 also affects companies in sectors such as wastewater, public administration, space, and food supply. In general, companies with at least 50 employees or an annual turnover and an annual balance sheet total of more than 10 million euros must adhere to NIS2 regulations. Exceptions are organizations operating in areas such as telecommunications services, trust services, critical infrastructure, as well as central government, which are affected by the NIS2 Directive regardless of their size or turnover/annual balance sheet.

The NIS2 Directive categorises the criticality of companies according to sector (‘essential entities’ and ‘important entities’) and company size (number of employees or turnover), while some exceptions are also taken into account. The type of categorisation has a significant influence on the fines to be paid in case of non-compliance and on the type of supervision by the authorities.
Financial service providers are an exception to this Directive; the Digital Operational Resilience Act (DORA) will apply to them from January 17, 2025. DORA is a specific regulation on IT security standards and cyber security for the financial sector and it takes priority over NIS2 as a special law.

In Germany, an estimated 30,000 companies will be affected by NIS2. By way of comparison: until now, around 2,000 critical infrastructure companies had to implement increased cyber security measures in accordance with the KRITIS umbrella law.

Lists of affected sectors and industries

Companies operating in the following sectors and associated industries are considered essential entities:

  • Energy – Power supply, district heating and cooling supply, fuel and heating oil supply, gas supply
  • Transport and Traffic – Air transport, rail transport, shipping, road transport
  • Finance and Insurance – Banking and Financial Market Infrastructures
  • Health
  • Water – Water Supply and Sewage Disposal
  • Information Technology and Telecommunications
  • Space

Companies operating in the following sectors and associated industries are considered important entities:

  • Transport and Traffic – Postal and courier services
  • Waste Management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing – Manufacture of medical devices and in vitro diagnostic medical devices, manufacture of computers, electronic and optical products, manufacture of electrical equipment, manufacture of machinery, manufacture of motor vehicles, trailers and semi-trailers, manufacture of other transport equipment
  • Digital Providers
  • Research

Self-registration required

With the introduction of NIS2, companies are obliged to classify themselves. From October 18, 2024, those affected by NIS2 must submit the following information to a registration facility set up jointly by the Federal Office for Information Security and the Federal Office of Civil Protection and Disaster Assistance: Company name, legal form, contact details, mail/telephone, IP address ranges, sector and sub-sector, EU countries with business activities. Details on registration will follow once the legislative procedure for the NIS2UmsuCG has been finalised.

Tip: Companies that require more legal certainty regarding NIS2 categorisation are well advised to obtain information from their industry associations.

Overview of the most important new features of NIS2

10 risk management measures (§ 30 Draft Bill)

The requirements are listed in the NIS2 draft law (July 22, 2024, page 40, only in German), Part 3, Chapter 2, § 30, points 1-10; the measures taken to meet these requirements must comply with the state of the art and take the relevant European and international standards into account. The NIS2 Directive lists ten subject areas that companies must implement as risk management measures:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate

Focus: Supply Chain Security – Secure communications within your own business network

Particular attention should be paid to the above-mentioned item no. 4, the demand for supply chain security measures. Affected companies are expected to make clear contractual agreements with their providers in order to comply with the upcoming NIS2 regulations.

Achieve NIS2 compliant supply chain security with Z1 SecureMail: protecting confidential communications with cryptographic means

  1. With Z1 SecureMail, you are equipped with the necessary encryption technology.
  2. Z1 SecureMail contains pre-defined security rules, for example:
    • signing each email
    • always encrypting messages if a certificate can be detected
    • blocking a confidential email if it cannot be encrypted
  3. Expand these settings with just a few clicks directly in the admin interface.
  4. To announce NIS2 compliance, we provide you with a communications template as part of the onboarding process, which you can use to inform your customers and contacts about the introduction of email encryption measures.
  5. Whether you are a Zertificon customer or not, with Z1 Global TrustPoint you find the necessary e-mail certificates of your contacts for encryption and signature verification.
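
As an added illustration (not Zertificon’s code and not how Z1 SecureMail is implemented internally), the three pre-defined rules above as a small policy engine that also produces the per-message protection record an audit asks for. The certificate directory and the sample messages are constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    confidential: bool  # classification supplied by the sender or a content rule

# Constructed stand-in for a certificate lookup (a local store or a public
# directory such as Z1 Global TrustPoint): recipient -> usable standard.
RECIPIENT_CERTS = {
    "buyer@partner.example": "S/MIME",
    "maintainer@supplier.example": "OpenPGP",
}

def evaluate_policy(msg: Message, certs=RECIPIENT_CERTS) -> dict:
    """Apply the three gateway rules in order; return an audit record stating whether and how the mail was protected."""
    record = {"to": msg.recipient, "confidential": msg.confidential, "signed": True,  # rule 1: always sign
              "encrypted_with": None, "action": "deliver", "reason": ""}
    standard = certs.get(msg.recipient.lower())
    if standard:                    # rule 2: encrypt whenever a recipient certificate is known
        record["encrypted_with"] = standard
        record["reason"] = f"recipient certificate found ({standard})"
    elif msg.confidential:          # rule 3: confidential mail never leaves in clear
        record["action"] = "block"
        record["reason"] = "confidential, but no recipient certificate; withheld"
    else:
        record["reason"] = "no certificate; non-confidential mail sent signed only"
    return record

def audit_summary(records) -> dict:
    """Figures an auditor can check: a confidential mail delivered unencrypted is a violation."""
    summary = {"delivered": 0, "blocked": 0, "encrypted": 0, "violations": 0}
    for r in records:
        summary["delivered" if r["action"] == "deliver" else "blocked"] += 1
        summary["encrypted"] += r["encrypted_with"] is not None
        if r["confidential"] and r["action"] == "deliver" and not r["encrypted_with"]:
            summary["violations"] += 1
    return summary

# Constructed sample traffic: one known S/MIME partner, two unknown recipients.
SAMPLE_MESSAGES = [
    Message("cfo@company.example", "buyer@partner.example", "Q3 prices", True),
    Message("cfo@company.example", "nobody@unknown.example", "Contract draft", True),
    Message("sales@company.example", "info@unknown.example", "Brochure", False),
]

if __name__ == "__main__":
    print(audit_summary([evaluate_policy(m) for m in SAMPLE_MESSAGES]))
```

The record returned per message is the kind of evidence an audit of rule 5 above expects: each mail shows whether it was signed, which standard encrypted it, or why it was withheld.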

Secure your business network and your supply chain with NIS2-compliant Z1 SecureMail

For some time, we have been receiving enquiries from bigger companies asking for a solution they can recommend to their smaller business partners. Members of the same business network draw benefits from using the same technology. Just in time for NIS2 coming into effect, we are therefore launching our new product Z1 SecureMail ONE – our encryption gateway for SMEs.

Top-down compliance with discount for SMEs

The recommendation of Z1 SecureMail ONE to SMEs can help essential and important entities affected by NIS2 to extend security measures top-down across their entire network. Consult us: In many cases we are able to offer your SME partners favourable conditions, therefore allowing you to protect your entire supply chain. To specify your request, use the ‘Your message’ section in the enquiry form.

Direct purchase for SMEs affected by NIS2

SMEs with 50 or more employees that require an NIS2-compliant email encryption solution themselves can use Z1 SecureMail ONE immediately after purchase.

Increased fines in case of non-compliance

The NIS2 Directive stipulates significantly higher penalties for violations than those previously applied. Fines can amount to up to 10 million euros or up to 2% of the annual turnover. In summary, significantly more companies than before will have to take comprehensive cyber security measures and face severe penalties in case of non-compliance. Early preparation for the new requirements is therefore urgently advised.

NIS2 is a managerial responsibility

According to NIS2, a company’s management is responsible for the implementation and monitoring of risk management measures in compliance with § 30, as well as for regularly undergoing training in risk management. In case of a cyber attack, a breach of duty in this context may result in liability consequences.

FAQ about NIS2 and secure email communications

NIS2 obliges essential and important entities to enhance their safeguards against cyber threats, especially in the area of email communications. If you are affected by NIS2, your company will require an email encryption solution. In addition, entities indirectly affected, i. e. suppliers and service providers of a NIS2-affected company, are likely to also be required to ensure email encryption in the near future. Investing in a central email encryption solution is therefore beneficial in many respects, not least to fulfil other legal requirements such as the GDPR.

Email encryption is one of many NIS2 risk management measures. This means that you are obliged to encrypt your emails in accordance with state-of-the-art technologies if you are affected by NIS2 (also indirectly as a supplier or service provider).

The NIS2 directive does not stipulate any concrete technical measures. The technical specifications will presumably result from the national implementation of NIS2 and the corresponding industry standards. Not least, the choice of encryption technology always depends on the required level of data protection.

However, it is certain that TLS is not sufficient in all cases. Some industry standards, e. g. KRITIS, energy and automotive, do not accept TLS encryption as the sole means of protection for email security. In addition, auditability also plays an important role with NIS2: with TLS, the sender and recipient can’t easily prove if each email was encrypted throughout its entire journey. This poses a challenge when conducting audits.

Furthermore, email signatures cannot be created with TLS. A digital email signature is used to check whether the sender of an email is genuine and if the email has been altered.

Companies are therefore well advised to ensure content encryption (also known as ‘end-to-end encryption’) in addition to TLS encryption. With our gateway solution, signature and content encryption of emails with S/MIME or OpenPGP certificates can be realised with little effort.

More on the topic ‘Is TLS sufficient?’

Violations of risk management measures or the obligation to report security incidents will be penalised with high fines. The amount of the fine depends on the respective classification of the company (company size, turnover, and sector).

It is expected of NIS2-affected companies to make clear contractual agreements with their service providers, suppliers, and partners in order to comprehensively implement cyber security in their supply chain, including, for example, agreements on confidential and secure communications. This means that investments in cyber security, such as email encryption, are also an essential basis for future business success.

Both NIS2 and the GDPR oblige companies to secure electronic communications. However, NIS2 emphasises general cybersecurity, while the GDPR focuses on data protection. Nevertheless, cybersecurity and data protection are closely linked, which is why there are overlaps in the measures, such as the use of encryption technologies to protect sensitive data. Therefore, if you use email encryption to fulfil the data protection regulations of the GDPR, you are also well prepared for the respective NIS2 policy.

NIS2 email compliance made easy with Z1 SecureMail

Also adheres to the standards of KRITIS, GDPR, TISAX, HIPAA, etc.

Join our Z1 SecureMail live webinar with a product demonstration and ask your questions (currently only available in German).
