Is Email Encryption Mandatory Under NIS2? What Businesses Need to Know

Is Email Encryption Under NIS2 Really Mandatory?

TL;DR: Yes, the NIS2 implementation into German law effectively makes email encryption mandatory. Section 30(2)(8) BSIG explicitly requires the use of cryptography as a risk management measure. Companies that fall under the NIS2 directive must demonstrate that they cryptographically secure the email communication channel -- ideally with end-to-end encryption via S/MIME or PGP. An automated gateway like Conbool SecureMail significantly simplifies implementation while simultaneously creating the necessary audit documentation.

The NIS2 directive (Network and Information Security Directive 2) of the European Union is the most comprehensive cybersecurity regulation in Europe to date. Since its implementation into German law through the revised BSI Act (BSIG), it affects approximately 30,000 companies in Germany. Yet while many organizations discuss network security and incident response, a central attack vector is frequently underestimated: email communication.

According to the Federal Office for Information Security (BSI), over 90 percent of all cyberattacks begin with an email. Phishing, Business Email Compromise, and man-in-the-middle attacks directly target unencrypted communication. The question is therefore not whether email encryption under NIS2 makes sense, but how companies can concretely implement the legal requirements.

What Does Section 30(2)(8) BSIG Require Regarding Cryptography?

The legislator has defined a clear catalog of risk management measures in the new BSIG. Section 30(2) lists ten areas in which essential and important entities must take mandatory action. Number 8 is unambiguous:

Section 30(2)(8) BSIG requires the "use of cryptography and encryption" as part of the mandatory risk management measures.

This specifically means: companies must demonstrate that they employ encryption in their communication processes. Email is by far the most widely used communication channel in businesses. Those who do not employ encryption are violating the BSIG requirements and risk significant fines.

The wording "use of cryptography" is deliberately technology-neutral. The legislator does not prescribe whether S/MIME, PGP, or another method must be used. What matters is that the implementation corresponds to the state of the art and is proportionate to the protection needs of the data being transmitted.

Additionally, the BSI references recognized cryptographic methods in its technical guidelines and explicitly recommends end-to-end encryption for confidential business communication.

Why Is Email Particularly Highlighted in the NIS2 Context?

Email is not just any communication channel -- it is the primary channel for business-critical information. Contracts, invoices, personal data, strategic decisions: all of this is sent via email every day. At the same time, email is the main entry point for cyberattacks.

The NIS2 directive addresses this risk on multiple levels:

1. Risk management (Section 30 BSIG): Companies must identify and mitigate risks to their communication systems. Unencrypted emails represent a documented risk.
2. Reporting obligations (Section 32 BSIG): Security incidents attributable to unencrypted email communication must be reported within 24 hours. The lack of encryption can be assessed as negligence.
3. Supply chain security (Section 30(2)(4) BSIG): Communication with suppliers and partners must also be secured. Email encryption is a central building block here.

Those who wish to explore the NIS2 obligations for email security in greater depth will find a comprehensive analysis of the regulatory requirements there.

What Is the Difference Between Transport Encryption and End-to-End Encryption?

A common misconception in practice: many companies believe that TLS transport encryption is sufficient to meet the NIS2 requirements. This is a dangerous fallacy.

Transport Encryption (TLS)

TLS (Transport Layer Security) encrypts the connection between two mail servers. This protects the email in transit but not on the servers themselves. At every stop -- the sending server, relay servers, and the receiving server -- the message is available in plain text.

• Protection: Only during transmission
• Weakness: Administrators, compromised servers, or authorities with access to the infrastructure can read emails
• NIS2 assessment: Necessary but not sufficient

End-to-End Encryption (S/MIME or PGP)

With end-to-end encryption, the message is encrypted at the sender and only decrypted at the recipient. No server, no administrator, and no intelligence agency can read the contents -- only the intended recipient with the matching private key.

• Protection: Continuously from sender to recipient
• Strength: Even if the infrastructure is compromised, contents remain protected
• NIS2 assessment: Corresponds to the state of the art for sensitive communication

For NIS2 compliance, a combination is therefore recommended: TLS as basic protection at the transport level and S/MIME or PGP as end-to-end encryption for message contents.

How Do S/MIME and PGP Meet the NIS2 Compliance Requirements?

Both methods -- S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy) -- are established standards for email encryption that meet the requirements of Section 30 BSIG.

S/MIME: The Enterprise Standard

S/MIME is based on X.509 certificates issued by a recognized Certificate Authority (CA). The method offers:

• Identity verification: The CA verifies the identity of the certificate holder. This is a decisive advantage for NIS2 compliance, as the origin of an email can be proven beyond doubt.
• Native integration: S/MIME is natively integrated into Microsoft Outlook, Apple Mail, and many other clients.
• Automation capability: Via a central gateway, S/MIME can be operated in a fully automated manner.

PGP: Flexible and Open Source

PGP uses a decentralized trust model (Web of Trust) and is frequently used in technically proficient organizations and the open-source community:

• No central dependency: Keys are generated and distributed without a CA.
• Wide adoption: Particularly in technical communication and with international partners.
• Interoperability: OpenPGP is an open standard (RFC 4880).

Both methods fulfill the cryptographic requirements of the NIS2 directive. The choice depends on the existing infrastructure and communication partners. Ideally, a company uses a solution that supports both standards -- like the Conbool SecureMail Gateway.

What Audit and Documentation Obligations Exist Under NIS2?

The NIS2 directive goes far beyond mere implementation. Companies must not only encrypt but also prove that they do. Section 30 BSIG requires documented risk management that is regularly reviewed and updated.

Documentation Obligations in Detail

• Encryption policy: A written policy defining which communication is encrypted and how.
• Key management documentation: Evidence of the generation, distribution, rotation, and revocation of keys and certificates.
• Encryption logs: Comprehensive records of which emails were encrypted when and with which method.
• Incident documentation: In the event of security incidents, evidence must be provided that appropriate protective measures were in place.

Audit Requirements

The BSI can request evidence at any time. Companies must be able to answer the following questions:

• What encryption methods are in use?
• How are keys and certificates managed?
• Which communication flows are encrypted, which are not -- and why?
• How is it ensured that the methods used correspond to the state of the art?

Without automated systems, this documentation is nearly impossible to manage. Manual processes are error-prone and do not scale with the communication volume of a medium or large company.

How Does Conbool SecureMail Automate NIS2 Compliance?

This is precisely where Conbool SecureMail comes in. As a central email encryption gateway, SecureMail automates the entire encryption process while simultaneously delivering the documentation required for NIS2 audits.

Automatic Encryption Without User Interaction

SecureMail operates as a gateway between your mail server and the internet. Every outgoing email is automatically encrypted -- without the sender needing to press a button or select a certificate. The gateway automatically detects whether the recipient supports S/MIME or PGP and selects the appropriate method.

For recipients without their own encryption infrastructure, SecureMail offers a secure web portal as a fallback solution. This ensures that every email is delivered encrypted -- regardless of the recipient's technical setup.

Central Certificate Management

One of the biggest challenges in email encryption is managing certificates and keys. SecureMail handles:

• Automatic issuance of new S/MIME certificates
• Automatic renewal before expiration
• Automatic revocation of compromised certificates
• Central key store with role-based access

NIS2 Audit Dashboard

SecureMail logs every encryption operation comprehensively. The integrated dashboard provides:

• Real-time overview of the encryption status of all email communication
• Exportable reports for BSI audits and internal reviews
• Alerting for failed encryption operations or expiring certificates
• Compliance score showing the current level of NIS2 requirement fulfillment

How automated encryption additionally strengthens the digital sovereignty of German businesses is explored in detail in a separate article.

What Penalties Apply for Non-Compliance with the NIS2 Encryption Obligation?

The consequences of violating the NIS2 requirements are substantial:

• Essential entities: Fines of up to EUR 10 million or 2 percent of global annual revenue
• Important entities: Fines of up to EUR 7 million or 1.4 percent of global annual revenue
• Personal liability: Executive management is personally liable for the implementation of risk management measures

Furthermore, the BSI can issue orders that extend to the temporary prohibition of business operations. The lack of email encryption can be assessed in an audit as a violation of Section 30(2)(8) BSIG -- with the corresponding consequences.

Frequently Asked Questions

Does every email need to be encrypted?
Not necessarily. The NIS2 directive requires a risk-based assessment. Emails containing personal data, trade secrets, or confidential information must be encrypted according to the state of the art. In practice, however, encrypting all emails by default is recommended, as manual classification is error-prone and slows down workflows. A gateway like SecureMail handles this automatically.

Is TLS transport encryption sufficient for NIS2 compliance?
TLS alone is considered insufficient by experts and the BSI when sensitive data is being transmitted. Section 30(2)(8) BSIG requires the use of cryptography as a risk management measure. The BSI recommends end-to-end encryption as the state of the art. Businesses should therefore use TLS as basic protection and additionally implement S/MIME or PGP for content encryption.

Which businesses are affected by the NIS2 encryption obligation?
The NIS2 directive affects businesses in 18 defined sectors, including energy, transport, healthcare, finance, digital infrastructure, and manufacturing. Medium-sized companies (from 50 employees or EUR 10 million in revenue) and large companies are affected. Smaller companies can also be affected if they serve as suppliers to critical infrastructures. Detailed information is available on the page NIS2 email security.

How quickly can NIS2-compliant email encryption be implemented?
With an automated gateway like Conbool SecureMail, implementation can typically be completed within a single business day. The gateway is integrated as an MX relay into the existing infrastructure, existing certificates can be imported, and new certificates are automatically requested. NIS2-compliant email encryption can thus be deployed quickly and without disruption for end users.

Conclusion: NIS2 Makes Email Encryption Mandatory -- Act Now

The question of whether email encryption is mandatory under NIS2 can be answered clearly: yes. Section 30(2)(8) BSIG requires the use of cryptography as a mandatory risk management measure. Email, as the most widely used and simultaneously most vulnerable communication channel, is at the center of this.

Companies that act now not only protect themselves against fines but also effectively secure their business communication against cyber threats. With an automated solution like Conbool SecureMail, implementation is fast, sustainable, and without burden on the IT department or end users.

Ready for NIS2-compliant email encryption?

Contact us for a personal consultation or learn more about our NIS2 solution for email encryption.