
Technology to comply with NIS2

Ann Keefe at Kingston Technology describes the requirements to meet NIS2 regulations with E2EE and hardware-encrypted external drives

 

Cybersecurity legislation that will become law across all EU member states in October of this year also has implications for UK companies. The Network and Information Security (NIS) 2 Directive is aimed at addressing the security of network and information systems, streamlining reporting and introducing stringent enforcement. If an organisation based in the UK supplies, or has business dealings in, the European Union, the regulations will also apply.

 

The idea behind NIS2 is to harmonise legislation and boost the overall level of cybersecurity employed by organisations. According to the NIS2 Directive, it ‘involves stricter requirements for risk management and incident reporting, wider coverage of sectors, and more penalties for non-compliance’.  

 

This means that businesses working in any one of the 15 industries that the directive now includes are liable for a maximum fine of 10 million euros if they fail to comply. Given that the sectors include energy, health, transport, finance, digital infrastructure and public administration, it’s not surprising that more than 160,000 companies are likely to be impacted.

 

What are the requirements? 

There are four overarching areas to the legislation:  

  1. Risk management – This includes incident management, stronger supply chain security, enhanced network security, better access control and encryption. 
  2. Corporate accountability – Management must oversee, approve and be trained on the company’s cybersecurity measures and how it addresses cyber risks. Penalties can be awarded to management. 
  3. Reporting obligations – Processes must be in place for prompt reporting of security incidents that have a significant impact on how the organisation provides its services. 
  4. Business continuity – If a major cyber incident should occur, organisations must have a plan to include system recovery, emergency procedures and setting up a crisis response team.  

At the very minimum, companies are required to have in place baseline security measures that help to manage cybersecurity threats.

 

Importance of end-to-end encryption  

A significant part of the legislation relates to the protection of sensitive corporate data. Network security, strict access controls and data backup are key elements of the fundamental security measures that need to be put in place.

 

End-to-end encryption (E2EE), the process of encrypting data on the sender’s device and keeping it encrypted until it is decrypted on the recipient’s device, will be an indispensable component for complying with NIS2. E2EE makes data inaccessible during transmission to any intermediaries, including service providers, network administrators and cyber attackers, which automatically ensures compliance. Encryption keys are only held by the communicating parties, ensuring that only they can access the contents of the messages. Even if data is intercepted during transmission, it remains unintelligible to unauthorised parties.

 

Beyond confidentiality, NIS2 also emphasises the importance of data integrity. Any tampering with data during transmission could have catastrophic consequences, especially in sectors like transportation or energy. E2EE plays a pivotal role here by ensuring that data cannot be altered without detection. Since any modification to the encrypted data would render it unusable, E2EE effectively safeguards the integrity of the transmitted information. 
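
The tamper detection described above comes from the authentication tag that an end-to-end scheme attaches to each message, not from encryption on its own. The Python sketch below is an added example, not code from the article or from Kingston: it seals a constructed sample message with encrypt-then-MAC and shows that a one-bit change made in transit is rejected, while the same ciphertext decrypted without the tag check silently yields altered data. It assumes the two endpoints already share keys; the function names are hypothetical and the HMAC-based keystream is a stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key, mac_key, message):
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message modified in transit")
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def decrypt_unauthenticated(enc_key, message):
    # What a receiver gets if it decrypts without verifying the tag.
    nonce, ct = message[:16], message[16:-32]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def flip_bit(message, index):
    # Models a change made by an intermediary that holds no keys.
    return message[:index] + bytes([message[index] ^ 0x01]) + message[index + 1:]

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # held only by the endpoints
    sealed = seal(enc_key, mac_key, b"valve_setpoint=040")  # constructed sample
    tampered = flip_bit(sealed, 16 + 17)  # last ciphertext byte, after the nonce
    silent = decrypt_unauthenticated(enc_key, tampered)
    try:
        open_sealed(enc_key, mac_key, tampered)
        detected = False
    except ValueError:
        detected = True
    return open_sealed(enc_key, mac_key, sealed), silent, detected
```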

 

When it comes to the strict reporting requirements of NIS2, organisations must demonstrate that they have implemented appropriate security measures, including encryption, to protect against breaches. To this end, E2EE delivers a strong foundation for compliance.  

 

The role of hardware-encrypted external drives 

While E2EE is fundamental, there is another layer that can be added which has the potential to remove one area of weakness – an employee storing highly sensitive data on a laptop or PC. Hardware-encrypted external drives are portable devices that have built-in encryption mechanisms.  

 

These drives have several features that reinforce security for firms that need to tick all boxes when it comes to the NIS2 regulations: 

 

  1. Enhanced data security – Hardware-encrypted external drives use dedicated encryption chips that automatically encrypt all data stored on the drive, ensuring it remains secure even if the drive is lost or stolen. When data is transferred to or from the drive, end-to-end encryption ensures that it remains protected during transmission. 
  2. Protection against physical and cyber threats – Physically, these drives resist tampering, with some models featuring tamper-evident enclosures and self-destruct mechanisms that activate if unauthorised access is detected. Cyber-wise, since the encryption process is handled by the hardware itself, it is immune to software-based attacks such as keylogging, brute force attacks, or malware that targets software encryption methods. 
  3. Demonstrating compliance – Hardware-encrypted drives offer a clear, auditable method of data protection that demonstrates a commitment to data security, helping businesses avoid potential legal repercussions and maintain the trust of their clients. 
  4. User-friendly security – Despite their advanced security features, the drives are user-friendly, often featuring built-in keypads for PIN entry, biometric authentication, or smart card access, eliminating the need for complex passwords or software-based encryption tools. 
  5. Scalability for enterprise use – For organisations that handle large volumes of sensitive data, scalability is essential. Hardware-encrypted external drives can be easily deployed across an enterprise, offering a consistent level of security regardless of the scale of operations.   

In today’s digital landscape, protection of sensitive data is not just a priority – it is a regulatory necessity. End-to-end encryption provides a powerful defence against unauthorised access during data transmission, while hardware-encrypted external drives ensure that data remains secure, whether in transit or at rest.

 

Together, they offer companies a comprehensive solution for safeguarding sensitive information, complying with NIS2 and delivering peace of mind for both businesses and their employees.  

 


 

Ann Keefe is Regional Director – UK and Ireland at Kingston Technology EMEA

 

Main image courtesy of iStockPhoto.com and arsenisspyros



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543