GENNAIO 2025
NIS2: what changes for European companies and how to comply with encryption requirements
The NIS2 Directive (EU 2022/2555) was introduced to strengthen cybersecurity across the European Union. It establishes stricter security standards and clearer responsibilities for organisations in key sectors, requiring them to take proactive steps to prevent cyber incidents.
Who must comply with NIS2
The NIS2 Directive applies to public bodies and private companies operating in 18 strategic sectors across the EU. Its goal is to strengthen the Union’s overall digital resilience by requiring organisations in key industries to adopt enhanced cybersecurity measures. These sectors have been identified as essential to the functioning of European society and the economy. In Italy, the National Cybersecurity Agency (ACN) has been appointed as the authority responsible for implementing the directive, in line with the national transposition decree. The critical sectors include:
- Energy
- Transport
- Healthcare
- Digital infrastructure (data centers, cloud services, telecommunications)
- ICT services
- Public administration
In the private sector, medium and large companies are required to comply. Micro and small enterprises are only included if they are considered strategically important within their industry.
Finally, all affected organisations are classified into two risk categories – essential and important – based on the potential impact of their operations on national and EU-wide cybersecurity.
Key new requirements under NIS2
NIS2 introduces several important changes, including:
- Mandatory technical and organisational measures: companies must implement advanced cybersecurity protocols to safeguard critical infrastructure.
- Obligatory incident reporting: significant incidents must be reported promptly to support a coordinated EU-wide response.
- Executive accountability: company leadership can be held personally liable for failure to comply with cybersecurity obligations.
- Stricter enforcement and penalties: non-compliance may result in substantial fines, increasing pressure on organisations to meet the directive’s requirements
Encryption and NIS2: a core requirement for digital security
As part of its effort to strengthen Europe’s cybersecurity framework, the NIS2 Directive highlights encryption as a key tool for:
- Protecting corporate and personal data
- Strengthening the resilience of critical digital infrastructure
- Preventing and managing cyber risks
Specifically, Article 21 of the Directive requires both public and private entities to adopt appropriate technical and organisational measures – including encryption, digital signatures and authentication mechanisms – to ensure the confidentiality, integrity, availability and authenticity of the information they handle. Digital certificates help organisations meet the technical and organisational requirements of the NIS2 Directive:
SSL/TLS Certificates:
- Web communication security: encrypt website traffic to protect against eavesdropping and unauthorised access, ensuring data confidentiality.
- Digital channel authentication: verify the identity of websites to prevent man-in-the-middle attacks and maintain data integrity.
S/MIME Certificates:
- Email protection: encrypt messages and apply digital signatures to guarantee authenticity and prevent tampering.
- Phishing and impersonation defence: authenticate the sender’s identity to help block threats like CEO fraud and spear phishing.
Code Signing Certificates:
- Software authenticity assurance: sign code to prove it comes from a trusted source and hasn’t been modified, supporting zero-trust security models.
- Malware and code tampering prevention: secure the software supply chain by preventing the distribution of malicious or altered code.
ow Actalis Supports NIS2 Compliance
Actalis provides advanced encryption and digital identity solutions to help organisations meet NIS2 requirements:
- SSL (EV / OV / DV) and QWAC certificates: secure web communications and verify website identity.
- Business-grade and custom S/MIME certificates: protect sensitive email communications and defend against phishing and unauthorised access.
- Qualified Code Signing certificates: ensure the authenticity of distributed software and protect against supply chain attacks.
- Robust PKI infrastructure: enable secure and centralised management of digital certificates.
- Certimanager: streamline identity verification and certificate lifecycle management to support regulatory compliance.
For more information on NIS2 compliance, consult the official NIS2 compliance page or the ENISA guidelines. To learn more about Actalis solutions, visit the product pages for SSL, S/MIME, andCode Signing.