Legal requirement: Vulnerability management and disclosure.

Email relevance: Email systems must be regularly checked for vulnerabilities and updated. Gateway solutions handle updates automatically.

No. 6: Effectiveness Assessment

Legal requirement: Concepts for assessing the effectiveness of risk management measures.

Email relevance: The effectiveness of spam filters, encryption, and access controls must be regularly evaluated. Audit logs and reports are essential for this purpose.

No. 7: Cyber Hygiene and Training

Legal requirement: Basic cyber hygiene practices and cybersecurity training.

Email relevance: Employee training on phishing detection is mandatory. Technical measures like MailGuard complement the human line of defense.

No. 8: Cryptography

Legal requirement: Concepts and procedures for the use of cryptographic methods and, where applicable, encryption.

Email relevance – THE central measure for email:

• Encryption in transit: TLS for all email connections, configurable per domain
• Content encryption: S/MIME and/or PGP for sensitive emails
• Key management: Secure generation, storage, distribution, and destruction
• Cryptography policy: Documentation of all methods in use
• BSI TR-02102: Only current, considered-secure algorithms

Conbool solution: SecureMail automates all email encryption. Central certificate and key management with MPKI integration. BSI TR-02102 compliant algorithms.

No. 9: Personnel Security and Access Control

Legal requirement: Personnel security, access control concepts, and asset management.

Email relevance: Access to email administration and quarantine must be role-based. MFA for administrative access.

Conbool solution: Role-based access management with Entra ID/LDAP integration and SAML SSO.

No. 10: Secure Communication

Legal requirement: Use of multi-factor authentication solutions, secured voice, video, and text communication, as well as secured emergency communication.

Email relevance:

• Secured email as the primary text communication channel
• Encryption solution for recipients without their own infrastructure
• Verifiable delivery with audit trail
• Alternative communication when the email system is compromised

Conbool solution: Gateway encryption + Secure Message Portal for external recipients. Verifiable delivery with complete audit trail.

BSI TR-02102: The Permitted Algorithms

The cryptographic methods used must reflect the state of the art. The BSI Technical Guideline TR-02102 defines the approved algorithms:

Permitted:

• AES-128, AES-192, AES-256 (symmetric)
• RSA from 2048 bit (asymmetric)
• ECDSA with at least 250 bit
• SHA-256, SHA-384, SHA-512

No longer permitted:

• MD5, SHA-1 (for security-critical applications)
• RSA below 2048 bit
• 3DES (no longer recommended since 2023)

Conbool SecureMail exclusively uses BSI TR-02102 compliant algorithms and automatically updates when new recommendations are issued.

Documentation Requirements

§30 BSIG requires not only the implementation but also the documentation of measures. For email, this means:

1. Cryptography policy: Which methods are used, for which communication?
2. Key management documentation: How are keys generated, distributed, and revoked?
3. Incident response plan: How are email security incidents handled?
4. Audit logs: Tamper-proof logs of all security-relevant events

Conclusion: Email Is the NIS2 Focal Point

Of the 10 mandatory measures under §30 BSIG, at least 6 directly affect email security. Email is not a peripheral topic of NIS2 compliance – it is the central attack point where encryption, threat protection, and auditing converge.

Conbool makes implementation simple: One platform for all email requirements, set up in minutes and auditable.

Try for free →

Further reading:

• NIS2 and Email Security: The Complete Guide
• NIS2 Executive Liability
• NIS2 Email Encryption in Detail