The EU's strengthened cybersecurity directive imposing risk management and incident reporting obligations on essential and important entities, with expanded scope covering 18 critical sectors.
The NIS2 Directive (Directive 2022/2555) massively expands cybersecurity obligations across the European Union. Article 21 explicitly mandates "cryptography and encryption" as a baseline security measure, making certificate and key management a regulatory imperative rather than a best practice.
The directive applies to approximately 160,000 entities across 18 critical sectors including energy, transport, banking, health, digital infrastructure, public administration, and more. Organizations must implement comprehensive risk management measures, report significant incidents within 24 hours, and ensure supply chain security.
NIS2 introduces management accountability — senior leadership must approve and oversee cybersecurity measures, and can be held personally liable for failures. With fines reaching up to 10 million euros or 2% of global annual turnover, the stakes for non-compliance are significant.
Entities must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks to their networks and information systems.
Article 21(2)(h) explicitly requires the use of cryptography and, where appropriate, encryption as a baseline cybersecurity measure for all essential and important entities.
Significant incidents must be reported to the CSIRT within 24 hours (early warning), with a full notification within 72 hours and a final report within one month.
Organizations must address cybersecurity risks in their supply chains and supplier relationships, including security requirements for direct suppliers and service providers.
Management bodies must approve cybersecurity risk-management measures, oversee their implementation, and can be held personally liable for infringements.
Entities must implement business continuity plans, disaster recovery procedures, and crisis management protocols to ensure resilience against cybersecurity incidents.
The European Commission proposes NIS2 in December 2020 to replace the original NIS Directive and significantly expand its scope and enforcement powers.
Directive (EU) 2022/2555 is formally adopted in December 2022, establishing harmonized cybersecurity requirements across 18 critical sectors.
Member states must transpose NIS2 into national law by October 17, 2024, and entities must begin complying with the new obligations from that date.
Essential and important entities register with national authorities. First compliance audits and supervisory actions begin across member states.
The full enforcement regime applies, with penalties of up to 10 million euros or 2% of global annual turnover, whichever is higher, for non-compliant organizations.
With cryptography and encryption explicitly mandated under Article 21, NIS2 places PKI and certificate management at the center of compliance. Here are the critical areas:
The explicit cryptography requirement means organizations must ensure comprehensive TLS and certificate coverage across all systems, including internal communications, as well as encryption of data at rest.
Expired, misconfigured, or weak certificates represent cybersecurity risks. Proper certificate lifecycle management is now a demonstrable risk management measure under NIS2.
Supply chain security requirements extend to certificate validation — mutual TLS for partner communications, code signing certificate verification, and vendor certificate posture assessments.
Certificate compromises (private key leaks, CA breaches) are reportable incidents. Organizations need rapid revocation capabilities and clear incident response procedures for PKI events.
Full certificate inventory — Horizon discovers and inventories all certificates across your infrastructure, providing the encryption posture assessment that NIS2 Article 21 demands.
Automated renewal prevents outages — Automated certificate renewal eliminates expiration-related outages, which under NIS2 could trigger incident reporting obligations and management liability.
Policy enforcement for crypto standards — Enforce minimum key sizes, approved algorithms, and certificate configurations across your organization to meet NIS2 cryptography requirements.
Real-time monitoring and alerting — Detect certificate anomalies, unauthorized issuances, and approaching expirations in real time to support NIS2 incident detection requirements.