Cryptography under NIS2: How to Align Your Crypto Policies with the Latest EU Requirements

As the enforcement of the NIS2 Directive gains momentum across the EU, organizations falling under its scope are facing new and more detailed cybersecurity obligations. One key area that is finally receiving the attention it deserves is cryptography. In this post, we dissect the cryptographic requirements outlined in point 9 of the new Commission Implementing Regulation (EU) 2024/2690, and offer practical insights on how companies can achieve compliance — and bolster their overall data security in the process.

Why Cryptography Is a Pillar of NIS2

The NIS2 Directive mandates high standards of cyber resilience, particularly for operators of essential and important services. Under Article 21(2)(h), organizations are required to use cryptography to ensure the confidentiality, authenticity, and integrity of their data — both in transit and at rest. This is no longer a vague best practice; it’s a legally binding requirement reinforced by existing regulation. Using cryptography therefore entails not only mandatory documentation but also maintaining and regularly reviewing a formal cryptography policy.

Key Elements of a NIS2-Compliant Cryptographic Policy

Point 9 of the Annex to Regulation 2024/2690 lays out what this policy must include. Here’s a breakdown:

1. Asset-Based Crypto Requirements

Encryption measures must be based on asset classification and risk assessment. For example, highly sensitive assets (e.g., PII, financial records) should be protected using stronger encryption methods than publicly available data.

2. Approved Protocols and Algorithms

Your policy must specify which cryptographic protocols, families of protocols, and algorithms are approved. This means defining acceptable:

  • Cipher strength (e.g., AES-256 over AES-128),
  • Usage practices (e.g., end-to-end encryption for specific data types),
  • Protocols (e.g., TLS 1.3 for communications).

Adopting a cryptographic agility approach is recommended — allowing systems to quickly adapt to new, stronger standards as they emerge.

3. Comprehensive Key Management

This is one of the most extensive parts of the regulation. Organizations must define procedures for:

  • Key generation,
  • Certificate issuance and validation,
  • Secure key distribution and activation,
  • Storage and access control,
  • Rotation, revocation, destruction,
  • Recovery and archival,
  • Logging and auditing of key lifecycle events,
  • Setting expiration dates to limit key lifespan.

4. Regular Policy Updates

Cryptographic policies must be reviewed at regular intervals and updated to reflect the state of the art — such as the emergence of post-quantum cryptography standards or new vulnerabilities in existing algorithms.

Recommendations for Organizations

To meet these requirements (and future-proof your crypto strategy), consider the following actionable steps:

  • Conduct a full asset classification and identify which systems and data types need encryption.
  • Develop or update your cryptographic policy to include detailed technical requirements aligned with the regulation.
  • Implement key lifecycle management tools — manual processes are no longer sufficient.
  • Review and document your algorithm choices — deprecate anything below current industry standards (e.g., SHA-1, RSA-1024).
  • Stay agile and plan for change — maintain a roadmap for cryptographic updates, including quantum-safe readiness.
  • Audit regularly — perform periodic cryptographic health checks and log all key management actions.
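To make the approved-algorithm list (section 2), the key lifecycle rules (section 3) and the audit recommendations above concrete, here is an added example of a small "policy as code" check; it is not from the original post or the regulation. It applies an assumed set of policy values (minimum key sizes per algorithm, a deprecated-algorithm list, a maximum key age per asset class) to a constructed inventory of cryptographic assets, flags the cases the post names (SHA-1, RSA-1024, missing expiry, overdue rotation) and writes one audit log line per decision. The algorithm names, thresholds, asset classes and sample records are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy parameters (illustrative values, not taken from the regulation):
# approved algorithms with their minimum key or output size in bits.
APPROVED_MIN_BITS = {"AES": 256, "RSA": 2048, "ECDSA": 256, "SHA-256": 256}
# Algorithms the policy has deprecated outright (SHA-1 is the post's own example;
# RSA-1024, its other example, is caught by the size rule above).
DEPRECATED = {"SHA-1", "3DES", "RC4"}
# Maximum key age before rotation is overdue, per asset class (assumed values).
MAX_KEY_AGE = {"confidential": timedelta(days=365), "public": timedelta(days=730)}


@dataclass
class CryptoAsset:
    asset_id: str
    algorithm: str
    bits: int
    asset_class: str            # "confidential" or "public": drives the strength rule
    created: date
    expires: Optional[date]     # None means no expiry was ever set


def check_asset(asset: CryptoAsset, today: date) -> List[str]:
    """Apply the policy rules to one asset; an empty list means compliant."""
    findings = []
    if asset.algorithm in DEPRECATED:
        findings.append("deprecated algorithm")
    elif asset.algorithm not in APPROVED_MIN_BITS:
        findings.append("algorithm not on approved list")
    else:
        minimum = APPROVED_MIN_BITS[asset.algorithm]
        # Asset-based requirement: public data may use AES-128, sensitive data may not.
        if asset.algorithm == "AES" and asset.asset_class == "public":
            minimum = 128
        if asset.bits < minimum:
            findings.append(f"key size {asset.bits} below minimum {minimum}")
    if asset.expires is None:
        findings.append("no expiration date set")
    elif asset.expires < today:
        findings.append("key expired")
    max_age = MAX_KEY_AGE.get(asset.asset_class, MAX_KEY_AGE["confidential"])
    if today - asset.created > max_age:
        findings.append("rotation overdue")
    return findings


def audit(inventory: List[CryptoAsset], today: date) -> Tuple[Dict[str, List[str]], List[str]]:
    """Check every asset and emit one audit log line per decision."""
    results, log = {}, []
    for asset in inventory:
        findings = check_asset(asset, today)
        results[asset.asset_id] = findings
        log.append(
            f"{today.isoformat()} event=crypto_policy_check asset={asset.asset_id} "
            f"class={asset.asset_class} alg={asset.algorithm}-{asset.bits} "
            f"result={'FAIL' if findings else 'PASS'} findings={';'.join(findings) or '-'}"
        )
    return results, log


# Constructed sample inventory (not real keys); dates chosen to exercise each rule.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    CryptoAsset("db-master", "AES", 256, "confidential", date(2025, 1, 10), date(2026, 1, 10)),
    CryptoAsset("legacy-sig", "RSA", 1024, "confidential", date(2020, 3, 1), date(2030, 3, 1)),
    CryptoAsset("cdn-cache", "AES", 128, "public", date(2024, 1, 15), None),
    CryptoAsset("old-hmac", "SHA-1", 160, "confidential", date(2024, 9, 1), date(2025, 3, 1)),
]


def run_sample() -> Dict[str, List[str]]:
    """Findings per asset for the constructed inventory."""
    return audit(SAMPLE_INVENTORY, SAMPLE_TODAY)[0]


def sample_log() -> List[str]:
    """Audit log lines for the constructed inventory."""
    return audit(SAMPLE_INVENTORY, SAMPLE_TODAY)[1]


if __name__ == "__main__":
    for line in sample_log():
        print(line)
```

Run against a real key inventory (exported from an HSM or KMS), a check like this gives you the periodic "cryptographic health check" and the lifecycle audit trail in one step; the thresholds belong in the written policy, and the log lines should go to the same system that records key generation, rotation and revocation events.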

Final Thoughts

NIS2 doesn't just encourage cryptographic best practices — it demands them. But seen in the right light, this isn't just a compliance burden. It's an opportunity to standardize, modernize, and gain visibility over one of the most critical areas of your organization's security posture.

Cybersecurity starts with strong foundations. And in the digital world, those foundations are increasingly encrypted.

Need help preparing your organization for NIS2 compliance? Our consultants can help you assess your cryptographic controls and align them with regulatory expectations.