
Seven steps to NIS2 compliance

Posted by Rick Goud on 25th September 2024

""

To guide you along the path to NIS2 compliance, we’ve put together a checklist of seven comprehensive steps. From advanced encryption to data loss prevention, here’s how to align your email security with the requirements of NIS2.

1. Implement robust encryption protocols

Encryption is a cornerstone of NIS2 compliance. Article 21 of the NIS2 Directive requires policies and procedures regarding the use of cryptography and, where appropriate, encryption.

While Microsoft 365 (M365) supports transport encryption through TLS, integrating DNS-based Authentication of Named Entities (DANE) can enhance security. 

M365’s DANE implementation, however, lacks fallback mechanisms, making supplementary encryption solutions necessary.

Actions:

  • Enable TLS for all email communications
  • Implement DANE for domain-level encryption
  • Use supplementary encryption tools to provide fallback mechanisms
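The DANE check an SMTP client performs before trusting an MX's certificate, as an added example (not Zivver's or Microsoft's code): it parses the TLSA records, matches them against the presented chain, and separates the two outcomes any fallback policy must keep apart, "no usable record" (ordinary opportunistic TLS applies) versus "record published but nothing matches" (delivery is deferred, never downgraded). The TLSA record and key material are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TlsaRecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse presentation-format TLSA rdata such as '3 1 1 ab12...' (hex may be space-split)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("unregistered TLSA parameter value")
    return TlsaRecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    # Select cert or SPKI per the record's selector, then compare raw or by digest.
    selected = spki_der if rec.selector == 1 else cert_der
    if rec.mtype == 0:
        return selected == rec.data
    algo = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return algo(selected).digest() == rec.data

def dane_verdict(tlsa_rdata: list[str], chain: list[tuple[bytes, bytes]]) -> str:
    """RFC 7672 SMTP policy. chain[0] is the MX's end-entity (cert_der, spki_der), the rest its
    issuers. Only usage 2/3 records are usable: none usable -> 'no-dane' (fall back to opportunistic
    TLS); usable records that match nothing -> 'dane-fail' (defer delivery, never downgrade)."""
    usable = []
    for rd in tlsa_rdata:
        try:
            usable.append(parse_tlsa(rd))
        except ValueError:
            continue  # malformed or unregistered records are skipped, not fatal
    usable = [r for r in usable if r.usage in (2, 3)]
    if not usable:
        return "no-dane"
    for rec in usable:
        if rec.usage == 3 and tlsa_matches(rec, *chain[0]):
            return "dane-ee-match"
        if rec.usage == 2 and any(tlsa_matches(rec, *c) for c in chain[1:]):
            return "dane-ta-match"  # path validation up to that TA is left to the TLS stack
    return "dane-fail"
# Constructed sample: Ed25519 SPKI DER around a dummy 32-byte key; the cert blob is a placeholder.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_CHAIN = [(b"\x30\x82\x01\x00" + SAMPLE_SPKI, SAMPLE_SPKI)]
GOOD_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

In practice the TLSA rdata comes from a DNSSEC-validated query for `_25._tcp.<mx-host>` and the chain from the TLS handshake; both are passed in here so the policy logic runs offline.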

How Zivver can help

Zivver provides advanced encryption protocols for email and file transfers, ensuring that sensitive information remains protected from unauthorized access during transmission and storage. 


2. Enforce multi-factor authentication (MFA)

MFA is critical in preventing unauthorized access to data. In addition to encryption, Article 21 of the NIS2 Directive specifies the use of multi-factor authentication. 

While M365 supports MFA, it is limited in scope. Implementing MFA for both internal and external recipients ensures comprehensive protection.

Actions:

  • Enable MFA for all users within M365
  • Integrate third-party MFA solutions for external recipients
  • Regularly review and update MFA policies

How Zivver can help

Zivver integrates MFA into email, enhancing the security of user access to sensitive communications, with flexible authentication methods for third-party recipients including SMS codes, passwords, or email authentication.


3. Automatic email classification and data loss prevention (DLP)

Effective data classification and data loss prevention protocols are vital to protecting your data. The NIS2 Directive emphasizes the importance of approved data classification and appropriate protection measures. 

M365’s native tools for email classification and DLP are often inadequate for NIS2 standards, necessitating advanced classification tools.

Actions:

  • Set up automatic classification rules in M365
  • Integrate advanced DLP solutions that go beyond keyword matching
  • Conduct regular audits of classification and DLP policies

How Zivver can help

Zivver’s data loss prevention features help organizations avoid the accidental or malicious sharing of sensitive information. Zivver integrates advanced DLP solutions that go beyond keyword matching, aligning with NIS2's focus on preventing cybersecurity incidents that could disrupt critical infrastructure operations.


4. Secure handling of sensitive attachments

Attachment security is crucial. M365 limits encrypted attachments to 25MB, which may not be sufficient for all needs. Consider supplementary solutions for handling larger files securely.

Actions:

  • Use Purview Message Encryption for attachments up to 25MB
  • Implement integrated secure file transfer solutions for larger attachments
  • Ensure all attachments are scanned for sensitive information before sending

How Zivver can help

Zivver integrates with email clients to enable secure large file sharing, up to 5TB. No more switching to third-party platforms!


5. Prevent human error

Human error is a leading cause of data breaches. Misaddressed emails, one of the most common causes of data loss globally, can lead to significant data leaks. Article 21 of the NIS2 Directive stresses the importance of procedures to prevent such mistakes.

Actions:

  • Use email verification tools to confirm recipient addresses
  • Integrate solutions that prompt users to verify sensitive information before sending
  • Train employees regularly on the importance of email security

How Zivver can help

Arm people with tools to prevent data loss in the moment it matters. Zivver integrates seamlessly with email and notifies users in the moment a mistake is about to happen, so they can take action to revoke sensitive data, encrypt their email before sending, or correct recipients in the ‘to’ or ‘bcc’ fields.


6. Revocation and tracking of emails

The ability to revoke access to and track emails is important for compliance. While M365 allows message revocation through Purview Advanced Message Encryption, it is limited and unreliable, particularly outside of the Microsoft ecosystem.

Actions:

  • Enable message revocation within M365 where possible
  • Use supplementary tools that allow for broader message revocation capabilities
  • Implement tracking systems to monitor the delivery and opening of sensitive emails

How Zivver can help

Zivver enables email recall without limits, and provides insights into the status of emails, including whether they have been opened. This means users can navigate potential data incidents and take action accordingly.



7. Regular security audits and updates

Regular audits ensure continuous compliance. Article 21 of the NIS2 Directive requires ongoing monitoring and updates to security protocols.

Actions:

  • Schedule regular security audits of your email systems
  • Update security protocols and tools in response to new threats and regulations
  • Keep documentation of all compliance measures and audits for regulatory review

How Zivver can help

Zivver provides auditing and logging capabilities, allowing organizations to track and report on communication activities. Zivver can help with regular audits of email systems, updates to security protocols in response to new threats, and support in documentation of compliance measures. 


Do your tools support NIS2 compliance?

Traditional email falls short when it comes to securely handling sensitive data. The introduction of NIS2 increases the responsibilities of organizations and, in many cases, prompts them to review their suppliers of security solutions, ensuring their tools do indeed support them in meeting their compliance responsibilities.

It’s time to take action; compliance is no longer about ticking a box and doing “just enough” to get by. The data protection landscape is changing, offering organizations an opportunity to leverage data governance as a competitive advantage in the marketplace. 

What next?

We take the complexity out of compliance. 

Adaptable, user-friendly, and powered by contextual machine learning, Zivver integrates with email clients (M365 and Gmail) to prevent the leading causes of data leaks. Our suite of email security tools empowers users to share sensitive data by email safely and with confidence, with unparalleled encryption and human error prevention tools. Get in touch to find out more.



Rick Goud

CIO & Founder

