NIS2 Directive: What Email Security Obligations Now Apply to Businesses

NIS2 Directive: What Email Security Obligations Now Apply to Businesses?

TL;DR: The NIS2 implementation through the BSIG obligates thousands of German companies to adopt specific email security measures: encryption under Section 30(2)(8), incident reporting within 24 hours, and documented access control. Violations can result in fines of up to EUR 10 million. Conbool SecureMail and MailGuard cover the essential requirements – automated and auditable.

The European NIS2 directive (EU 2022/2555) is the most comprehensive cybersecurity regulation the EU has ever enacted. With its national implementation through the revised BSI Act (BSIG), binding minimum standards for IT security now apply to German companies for the first time – and email communication is at the center of these requirements.

The Federal Office for Information Security (BSI) estimates that approximately 30,000 companies in Germany are affected by the regulation. Many of them have not yet fully grasped the scope of the new obligations. This article explains which email security obligations specifically apply, what penalties are at stake, and how companies can efficiently implement the requirements.

What Is the NIS2 Directive and Who Is Affected?

The NIS2 directive (Network and Information Security Directive 2) replaces the original NIS directive from 2016 and massively expands its scope. The national implementation is carried out through the revised BSIG, specifically through Sections 28-30.

Which Sectors Fall Under Section 28 BSIG?

Section 28 BSIG defines two categories of affected entities:

Essential entities (sectors of high criticality):

• Energy (electricity, gas, oil, district heating)
• Transport and traffic
• Banking and financial market infrastructures
• Healthcare
• Drinking water and wastewater
• Digital infrastructure and IT services
• Public administration
• Space

Important entities (additional critical sectors):

• Postal and courier services
• Waste management
• Chemical industry
• Food production and distribution
• Manufacturing (medical devices, electronics, mechanical engineering, automotive)
• Digital services (online marketplaces, search engines, social networks)
• Research institutions

What Company Size Does NIS2 Apply To?

The thresholds are deliberately set low: companies with at least 50 employees or annual revenue exceeding EUR 10 million in one of the listed sectors fall under the regulation. For certain digital infrastructures (DNS services, TLD registrars, trust service providers), the obligations apply regardless of size.

This means: not only large corporations but also numerous mid-sized companies must implement the new requirements. Those unsure whether their company is affected can use the BSI applicability check as an initial reference point.

What Email Security Requirements Does Section 30 BSIG Define?

Section 30 BSIG is the core of the technical requirements. It obligates affected companies to implement "appropriate, proportionate, and effective technical and organizational measures" to manage risks to the security of network and information systems. Since email remains the primary attack vector for cyberattacks – according to the BSI Situation Report, over 90% of all successful attacks begin with an email – the requirements apply particularly to email infrastructure.

Overview of the Relevant Measures

Section 30(2)(1) – Risk analysis and security concepts: Companies must conduct a documented risk analysis of their email infrastructure. What threats exist? What data is transmitted via email? What protective measures are proportionate?

Section 30(2)(3) – Supply chain security: Email communication with suppliers and service providers must be secured. This includes encrypted communication and verification of sender identities.

Section 30(2)(5) – Security in acquisition, development, and maintenance: Email systems must be regularly updated and patched. Vulnerability management is mandatory.

Section 30(2)(6) – Effectiveness assessment: The measures taken must be regularly reviewed and their effectiveness documented.

Section 30(2)(8) – Cryptography and encryption: This is the central provision for email security. Companies must implement "concepts and procedures for the use of cryptography and, where appropriate, encryption." For email, this specifically means: transport encryption (TLS) as a minimum, end-to-end encryption (S/MIME or PGP) as the state of the art for confidential communication.

Section 30(2)(9) – Access controls and asset management: Access to email systems must be protected through multi-factor authentication, role-based access control, and secure authentication procedures.

Section 30(2)(10) – Secured communication: Companies must use "secured voice, video, and text communication." Email expressly falls under this requirement.

How Do Encryption Obligations, Incident Reporting, and Access Controls Affect Email Practices?

Encryption Under Section 30(2)(8)

The encryption obligation has far-reaching consequences for email practices:

1. Transport encryption (TLS): Every email server must support TLS 1.2 or higher. Opportunistic TLS is not sufficient – companies must ensure that emails are not transmitted unencrypted.

2. End-to-end encryption: For confidential and personal data, the BSI requires the use of S/MIME or PGP. This means: encryption must remain in place from sender to recipient – even when the email is routed through multiple servers.

3. Key management: Certificates and keys must be centrally managed, regularly renewed, and immediately revocable in case of compromise.

In practice, many companies fail due to the complexity of manual encryption. This is precisely where an automated gateway solution comes in, such as the one offered by Conbool SecureMail. The gateway handles all cryptography transparently and without any action required from end users. How automated email encryption works in practice is explained in detail in our article on digital sovereignty through automated email encryption.

Incident Reporting

The NIS2 directive introduces a tiered reporting system that also applies to email-related security incidents:

• Initial report within 24 hours: In the event of a significant security incident, the BSI must be informed within 24 hours. This also includes successful phishing attacks, compromised email accounts, or data leaks via email.
• Detailed report within 72 hours: A comprehensive assessment of the incident including severity, impact, and initial countermeasures.
• Final report within one month: Complete analysis with root cause investigation and measures to prevent similar incidents.

For email infrastructure, this means: you need comprehensive logging of all email security events to be able to detect incidents and report them within the deadlines at all. An email security gateway like Conbool MailGuard automatically logs all blocked threats, quarantine decisions, and anomalies – providing the data foundation for incident reporting.

Access Controls for Email Systems

Section 30(2)(9) BSIG requires "security measures for personnel security, access control concepts, and asset management." For email systems, this means:

• Multi-factor authentication (MFA): Access to email accounts must be protected by at least two independent factors.
• Role-based access control (RBAC): Not every employee needs the same email permissions. Administrative functions must be strictly separated from standard access.
• Access logging: Who accessed which mailbox and when? This question must be answerable at any time.
• Secure authentication procedures: Password policies, regular rotation, and protection against credential stuffing attacks.

What Penalties Apply for Non-Compliance with NIS2 Requirements?

The EU Directive 2022/2555 provides for severe sanctions that are implemented into national law through the BSIG:

For essential entities:

• Fines of up to EUR 10 million or 2% of global annual revenue (whichever is higher)

For important entities:

• Fines of up to EUR 7 million or 1.4% of global annual revenue

Personal liability of executive management: Particularly significant is the personal responsibility of executive management. Section 38 BSIG stipulates that management bodies must oversee the implementation of security measures and are personally liable in case of breach of duty. Executive management cannot delegate this responsibility to the CISO or the IT department.

The BSI also receives expanded supervisory powers: unannounced audits, binding instructions, and in extreme cases, prohibition of business operations are all envisaged. The era of self-regulation in cybersecurity is over.

How Do Conbool Products Help with NIS2 Implementation?

Conbool offers SecureMail and MailGuard, two products that together cover the essential email security requirements of the NIS2 directive.

Comparison Table: NIS2 Requirements and Conbool Solutions

SecureMail: NIS2-Compliant Encryption

Conbool SecureMail fulfills the cryptography requirements under Section 30(2)(8) BSIG through:

• Automatic S/MIME and PGP encryption without manual effort for end users
• Central certificate management with automatic issuance, renewal, and revocation
• TLS enforcement to ensure transport encryption
• Comprehensive logging of all encryption operations for compliance verification
• Secure web portal for communication with external partners without their own encryption infrastructure

Learn more about NIS2-compliant encryption on our solutions page for NIS2 email encryption.

MailGuard: Threat Detection and Incident Logging

Conbool MailGuard covers the requirements for threat detection and incident documentation:

• AI-based phishing detection for spear phishing, BEC, and CEO fraud – also read our detailed article on phishing protection for businesses
• Deep link analysis and sandbox for suspicious attachments
• SPF/DKIM/DMARC verification for sender authentication
• Automatic quarantine with detailed justification for each decision
• Exportable incident reports for BSI incident reporting
• Seamless integration with Microsoft 365 and Exchange Online

Why the standard Microsoft 365 spam filter alone is not sufficient is explained in detail in our article on MailGuard spam filter for Microsoft 365.

What Should Businesses Do Now?

NIS2 implementation is not a project that can be completed in a week. But email security is one of the areas where companies can achieve measurable progress quickly:

1. Conduct an applicability check: Review the Section 28 BSIG criteria to determine whether your company falls under the regulation.
2. Create an email risk analysis: Document the current threat landscape and existing protective measures.
3. Implement encryption: Deploy at least transport encryption (TLS) and ideally end-to-end encryption (S/MIME/PGP).
4. Set up an email security gateway: Supplement your email protection with an upstream gateway for phishing detection and threat defense.
5. Define an incident reporting process: Ensure that email security incidents can be detected, documented, and reported within the deadlines.
6. Demonstrate effectiveness: Implement monitoring and reporting to be able to prove the effectiveness of your measures.

For a personalized consultation on NIS2-compliant email security, contact our team. We analyze your existing infrastructure and show you how to meet the requirements with minimal effort. A comprehensive overview of solutions is available on our page for NIS2 email security.

Frequently Asked Questions

Does the NIS2 directive also apply to companies with fewer than 50 employees?
In principle, the NIS2 regulation targets companies with at least 50 employees or EUR 10 million in annual revenue. However, there are exceptions: providers of DNS services, TLD registrars, trust service providers, and providers of public communications networks fall under the regulation regardless of their size. Additionally, smaller companies can be indirectly affected if they serve as suppliers to NIS2-regulated companies and must meet their supply chain security requirements.

Is transport encryption (TLS) sufficient to meet the NIS2 requirements?
TLS is the minimum but not sufficient for all use cases. Section 30(2)(8) BSIG requires "concepts and procedures for the use of cryptography and, where appropriate, encryption." The BSI classifies end-to-end encryption (S/MIME or PGP) as the state of the art when confidential or personal data is transmitted via email. Conbool SecureMail combines both: TLS enforcement for all emails and automated S/MIME/PGP encryption for confidential communication.

How quickly must an email security incident be reported?
The NIS2 directive provides a tiered reporting system: an initial report to the BSI must be submitted within 24 hours of becoming aware of the incident. A detailed assessment must follow within 72 hours, and a final report within one month. Significant security incidents include compromised email accounts, successful phishing attacks with data exfiltration, or the distribution of malware via the organization's own email infrastructure.

Can management delegate NIS2 responsibility to the CISO?
No. Section 38 BSIG explicitly states that executive management must oversee the implementation of security measures. Operational execution can be delegated, but the oversight obligation and thus personal liability remain with executive management. In case of breach of duty, executives are personally liable with their private assets. This makes NIS2 compliance an executive-level matter – not just an IT topic.

Conclusion: Email Security Is No Longer Optional – It Is Mandatory

The NIS2 directive fundamentally changes the rules for email security in German companies. What was previously considered best practice – encryption, phishing protection, access control – is now a legal obligation with severe penalties for non-compliance.

The good news: the technical implementation does not have to be complicated. With an integrated approach using SecureMail for encryption and MailGuard for threat detection, companies can efficiently and verifiably meet the essential NIS2 requirements for email security.

Contact us for a no-obligation consultation on NIS2-compliant email security.