NIS2 and Email Security: The Complete Guide for Businesses 2026
The ultimate guide to NIS2 and email security: What the law requires, which businesses are affected, and how to implement §30 BSIG for email.
·4 min·NIS2 & Compliance
NIS2 and Email Security: The Complete Guide for Businesses 2026
The NIS2 Implementation Act came into force on December 6, 2025 – with no transition period. Approximately 29,500 companies in Germany must implement the new cybersecurity obligations immediately. Email is at the center: Over 90% of all successful cyberattacks start with a phishing email.
This guide explains what NIS2 specifically means for your email infrastructure, which measures are mandatory, and how to implement the requirements efficiently.
What Is NIS2?
The NIS2 Directive (Network and Information Security Directive 2) is an EU-wide regulation to strengthen cybersecurity. In Germany, it was transposed into national law through the NIS2 Implementation Act (NIS2UmsuCG) and published as the revised BSI Act (BSIG) on December 6, 2025.
At its core, NIS2 requires companies to implement specific technical and organizational measures in the area of cybersecurity – including explicitly securing email communication.
When Did NIS2 Come into Effect in Germany?
December 6, 2025: Entry into force of the NIS2 Implementation Act
January 6, 2026: Start of BSI registration via the reporting portal
March 6, 2026: Registration deadline expires (late registration still possible)
No transition period: Obligations apply from the day of entry into force
Is My Company Affected?
NIS2 applies to companies that meet at least one of the following criteria:
Size criteria:
From 50 employees or
From EUR 10 million annual revenue and EUR 10 million annual balance sheet total
Legal text:Concepts and procedures for the use of cryptographic methods.
For email, this means:
Transport encryption (TLS) for all email connections
Content encryption (S/MIME or PGP) for sensitive emails
Documented cryptography concept with key management
BSI TR-02102 compliant algorithms – outdated methods such as MD5 or SHA-1 are not acceptable
Measure No. 10: Secure Communication
Legal text:Secured voice, video, and text communication as well as secured emergency communication.
For email, this means:
Secured email communication internally and externally
Solution for recipients without their own encryption infrastructure
Verifiable delivery with audit trail
Measure No. 2: Incident Management
Legal text:Management of security incidents.
For email, this means:
Real-time detection of phishing, malware, and BEC attacks
Quarantine management for suspicious emails
Complete traceability (tracing) in case of incidents
Reporting obligations: 24h early warning, 72h report, 1-month final report
Measure No. 5: Supply Chain Security
Legal text:Security in the supply chain including communication.
For email, this means:
Encrypted communication with suppliers and partners
Ensuring email integrity across the entire supply chain
Automatic encryption even for partners without their own infrastructure
Measure No. 1: Risk Analysis
Email as attack vector No. 1 must be a central consideration in every risk analysis. Transparency across the entire mail flow is mandatory.
Measure No. 4: Business Continuity
Email availability must be ensured through appropriate measures (redundancy, SLA guarantees, failover).
The 5 Email Security Layers Under NIS2
To cover all requirements, companies need five layers of protection:
1. Spam & Phishing Protection
AI-based threat detection
SPF, DKIM, DMARC validation
URL filtering and sandbox analysis
Zero-day protection
2. Email Encryption
S/MIME and/or PGP for content encryption
TLS enforcement for transport encryption
Central certificate and key management
Fallback solution for recipients without certificates
3. Data Loss Prevention (DLP)
Detection of sensitive data in outgoing emails
Policy-based filtering and blocking
Prevention of unintentional data leaks
4. Audit Logging & Tracing
Comprehensive logging of all email events
Tamper-proof audit logs for compliance evidence
Email tracing for incident analysis
Exportable reports for BSI audits
5. Secure Emergency Communication
Redundant email infrastructure
Encrypted communication even with compromised systems
Alternative communication channels
NIS2 Email Security Checklist
Use this checklist to make your email infrastructure NIS2-compliant:
☐ Transport encryption (TLS) activated for all connections
☐ Content encryption (S/MIME/PGP) implemented for sensitive emails
☐ Cryptography concept documented and BSI TR-02102 compliant
☐ Central certificate and key management established
☐ Spam and phishing filter with AI detection active
☐ SPF, DKIM, and DMARC configured
☐ Quarantine management for suspicious emails established
☐ Audit logging and email tracing activated
☐ Solution for recipients without encryption available
☐ Reporting process for email security incidents defined
☐ Email availability ensured through redundancy
☐ Employee training on email security conducted
Fines & Executive Liability
The consequences of non-compliance are significant:
Essential entities:
Up to EUR 10 million or 2% of global annual revenue
Important entities:
Up to EUR 7 million or 1.4% of global annual revenue
Personal liability: Under §38 BSIG, management must approve risk management measures and oversee their implementation. If they fail to fulfill this duty, they are personally liable.
How to Implement NIS2-Compliant Email Security
Conbool is the only platform that combines all three email security requirements on a single platform:
Disclaimer → Compliance: Legally compliant mandatory information in every email
Setup takes minutes, not months: Register your domain, set the MX record, configure policies – done. Hosted in ISO 27001 certified data centers in Frankfurt and Berlin.
NIS2 makes email security mandatory – with personal executive liability and fines up to EUR 10 million. Companies that act now not only protect their communication but also avoid severe penalties.
The good news: With the right solution, implementation takes just a few minutes. Conbool covers all email requirements under §30 BSIG – automated, auditable, and Made in Germany.
