Secure and automated email security for businesses - simple, centralized and reliable.

© Copyright 2026 Conbool. All rights reserved.

§30 BSIG CRYPTOGRAPHY

Email Encryption per NIS2: Implementing §30 BSIG.

Cryptography concepts are mandatory. Automated S/MIME & PGP encryption meets §30 (2) No. 8 & No. 10 BSIG – without manual effort.

S/MIME, PGP, TLS
§30 BSIG Compliant
BSI TR-02102 Active

What NIS2 specifically requires for email encryption

The BSIG defines clear requirements for the use of cryptographic methods in companies.

§30 (2) No. 8 – Cryptography

Concepts and procedures for the use of cryptographic methods. Encryption of data in transit and at rest, key management and selection of appropriate algorithms.

  • Email encryption in transit (TLS) and at the content level (S/MIME, PGP)
  • Documented cryptography concept with key rotation
  • BSI TR-02102 compliant algorithms (no MD5, SHA-1)

§30 (2) No. 10 – Secure Communication

Secured voice, video and text communication and secured emergency communication within the institution.

  • Secured email communication with internal & external partners
  • Fallback solution for recipients without own encryption
  • Verifiable delivery and audit trail

§30 (2) No. 5 – Supply Chain Security

Security in the supply chain including communication between institutions.

  • Encrypted communication with suppliers and partners
  • Automatic encryption even without partner certificate
  • Compliance evidence for audits and authorities

Conbool SecureMail: NIS2 cryptography automated

Instead of manual configuration and certificate chaos – automatic encryption directly in the mail flow.

Automatic S/MIME & PGP Encryption

Outgoing emails are automatically encrypted and signed based on routing rules. No manual intervention by employees required.

Central Certificate & Key Management

PKI and MPKI integration with automatic certificate issuance, renewal and revocation. Full control over the entire lifecycle.

Message Portal for Recipients Without Certificates

Partners without S/MIME or PGP receive encrypted messages via the Secure Message Portal. No setup required at the recipient end.

BSI TR-02102 Compliant Algorithms

Exclusively state-of-the-art algorithms. Automatic updates when new BSI recommendations are released.

Complete Audit Trail

Every encryption, signature and delivery is logged in a tamper-proof manner. Compliance evidence at the push of a button.

TLS Enforcement & Transport Encryption

Configurable TLS policies per domain. Enforced TLS prevents unencrypted transport of sensitive emails.

Encryption approaches compared

| | Manual Encryption | Native Microsoft 365 | Conbool SecureMail |
|---|---|---|---|
| Effort per email | High – manual for each email | Medium – transport rules | Zero – automatic at gateway |
| Protocols | S/MIME or PGP (not both) | OME (proprietary) | S/MIME + PGP + Portal |
| Recipients without certificate | Not possible | Link to Microsoft portal | Own Secure Message Portal |
| BSI TR-02102 compliant | Depends on client | Partially | Fully |
| Audit trail | None | Limited | Complete & tamper-proof |
| NIS2 compliance evidence | Difficult to prove | Partially documentable | Full evidence |

NIS2-compliant in 3 steps

01. Register domain

Verify domain and set MX record to Conbool. Your mail flow runs through the secure gateway from now on.

02. Configure encryption policies

Provision S/MIME certificates, import PGP keys and define routing rules for automatic encryption.

03. Activate audit logging

Enable tracing and audit logs. From now on you have complete compliance evidence for NIS2 audits.

Frequently Asked Questions about NIS2 Email Encryption

What encryption standards does NIS2 require?
NIS2 requires the use of state-of-the-art cryptographic methods. For email, this means: S/MIME or PGP for content encryption, TLS for transport encryption. The algorithms used must comply with BSI TR-02102.
Is TLS transport encryption sufficient for NIS2?
No. TLS only protects the transport path between servers. NIS2 requires concepts for the use of cryptography – this also includes content encryption of sensitive emails with S/MIME or PGP, especially in the supply chain.
What about partners who don't use encryption?
The Conbool Secure Message Portal solves exactly this problem. Recipients without their own S/MIME certificate or PGP key receive a notification and can securely read and reply to the encrypted message in the browser.
How do I prove NIS2 compliance to the BSI?
Conbool logs every encryption, signature and delivery in a tamper-proof manner. The integrated tracing and audit logs provide complete compliance evidence for BSI audits – exportable and filterable.
Can I use Conbool with my existing Microsoft 365 environment?
Yes. Conbool integrates seamlessly with Microsoft 365 and Exchange Online. You simply set the MX record to Conbool – your existing setup remains unchanged. Entra ID and LDAP synchronization included.

NIS2-compliant email encryption starting today.

S/MIME, PGP and Secure Message Portal – automated, auditable and BSI-compliant.
