Key NIS2 Requirements for Secure Business Communications
NIS2 did not arrive as a routine policy update. It restructured who is responsible for cybersecurity failures, what counts as adequate protection, and what happens when organizations fall short. Communication platforms, long treated as productivity tools sitting outside the security perimeter, are now firmly inside it. Video conferencing systems, corporate messengers, email infrastructure, unified communications environments: each carries the same compliance weight as any other critical system in scope.
This guide covers what NIS2 actually demands, how those demands translate into specific obligations for communication infrastructure, and where most organizations currently have gaps worth closing.
Executive Summary
|
Area |
Core NIS2 Requirement |
Key Implication for Comms Platforms |
|---|---|---|
|
Encryption |
TLS 1.2+ in transit, AES-256 at rest; E2E for sensitive data |
Vendor defaults cannot be assumed, enforce and verify |
|
Access Controls |
MFA for all users; RBAC aligned to current roles |
No carve-outs for executives or legacy systems |
|
Incident Reporting |
24h early warning / 72h notification / 1-month final report |
Detection infrastructure must exist before an incident |
|
Monitoring |
Continuous logging; SIEM integration |
Communication events must feed into enterprise SOC |
|
Supply Chain |
Vendor security assessment; contractual security obligations |
Cloud vendors’ posture becomes your risk profile |
|
Governance |
Board-level accountability; documented approval of security measures |
Choosing tools is now a compliance decision, not just IT |
|
Resilience |
Tested redundancy and failover for critical comms |
Continuity plans must be exercised, not just documented |
|
Data Retention |
Technically enforced deletion policies |
Written policy alone does not satisfy the requirement |
Who is in scope: Essential entities (energy, transport, health, digital infrastructure, etc.) and important entities (manufacturing, food, digital providers, research) with 50+ employees or €10M+ annual turnover, plus any organization a national authority deems individually critical regardless of size.
Why Communication Platforms Fall Under NIS2 Risk Management
Reading NIS2 as a directive about firewalls and data centers is a mistake that compliance teams are making less often, but still making. The directive governs any digital system whose disruption or compromise would materially affect an organization’s ability to operate. By that measure, communication platforms are not peripheral. They are central.
Think about what actually travels through a corporate communication stack on a normal working day. Negotiations happen over messaging. Strategic decisions get made on video calls. Client data moves through email threads. Operational instructions flow across team channels. None of this is incidental to how organizations function, it is how organizations function. A breach or sustained outage affecting these channels does not create a communication problem. It creates an operational crisis that spreads into client relationships, regulatory standing, and financial performance before most incident response teams have finished their first call.
NIS2 is built around this understanding. The directive requires that every digital system essential to operational continuity be incorporated into an organization’s risk management framework. For covered entities, that pulls the following into scope:
- Corporate messaging platforms, including Microsoft Teams, self-hosted solutions, and on-premise deployments
- Email infrastructure, cloud-hosted and internally managed
- Video conferencing systems, including those running on private networks or dedicated hardware
- VoIP and telephony infrastructure
- Unified communications environments that bring voice, video, messaging, and collaboration into a single platform
Once an organization qualifies as an essential or important entity, and the directive’s sector and size coverage is broader than many initially expect, the entire communication stack comes into scope. There is no exception for tools that feel less technical than network equipment. If it carries business-critical communications, it carries compliance obligations.
The “productivity tool” exemption doesn’t exist.
Many organizations still categorize video conferencing and messaging platforms as employee productivity tools and manage them separately from security-critical infrastructure. NIS2 eliminates this distinction.
If a communication platform is essential to how your organization operates — and for most covered entities, it is — it must be governed by the same risk management framework as any other critical system. Organizations that haven’t yet brought their comms stack into their formal risk register are creating an audit exposure that has nothing to do with the tools’ technical configuration.
Risk Management and Security Measures
NIS2 Article 21 sets out the technical and organizational measures covered entities must implement. These are not recommendations to work toward, they are the minimum standard regulators will measure organizations against. For communication platforms, each measure translates into something concrete and auditable.
Encryption
Both transit and at-rest encryption are required, and the regulatory direction of travel is clear: end-to-end encryption is becoming the expected baseline for sensitive business communications, not a feature reserved for classified environments. The question auditors will ask is not whether a platform supports encryption somewhere in its configuration. It is whether encryption is enforced by default, applied uniformly across all communication types, and verifiable through your own systems rather than a vendor’s assurances.
For organizations running their own communication infrastructure, encryption key management is a separate and important consideration. When key management sits entirely with a third-party vendor, independent verification of your encryption posture becomes difficult, and that difficulty will be visible to regulators and auditors evaluating your compliance.
Access Controls
Compromised credentials are consistently among the most common entry points into corporate systems, and communication platforms are a frequent target precisely because access to them often carries access to sensitive conversations and data. NIS2 requires a systematic response:
- Multi-factor authentication applied to every user account, without carve-outs for senior staff or legacy systems
- Role-based access controls built around current operational reality, not the accumulated permission state that results from years of provisioning without corresponding deprovisioning
- Regular, documented access reviews with particular attention to accounts held by former employees, contractors, or partners whose engagement with your organization has ended or changed
The practical test is whether your organization can demonstrate, at any given moment, that every account with access to your communication systems belongs to someone with a current and legitimate need for that access at the level they hold.
Data Minimization and Retention
Holding communication data indefinitely creates two compounding problems. Operationally, every historical archive represents an expanded attack surface — more data to exfiltrate, more exposure in the event of a breach. From a compliance perspective, unmanaged retention generates GDPR exposure that sits alongside and intersects with NIS2 obligations.
Retention policies need to be technically enforced, not documented intentions. The gap between a policy that says data is deleted after a defined period and a system that retains everything indefinitely is the kind of discrepancy that creates significant regulatory exposure when scrutinized. Define periods, implement technical enforcement, and verify that deletion processes actually purge data rather than removing it from visible interfaces while leaving it in underlying storage.
Vulnerability Management
Every unpatched vulnerability in a communication platform is an open door that organizations leave available to adversaries through inaction. NIS2 requires a structured approach: an accurate inventory of all communication tools in use, active tracking of vendor patch releases against that inventory, and update processes that operate on timelines tied to vulnerability severity rather than administrative scheduling convenience.
Vendors who are slow to release patches, who lack a responsible disclosure program, or who fail to communicate vulnerabilities to customers in a timely way represent a supply chain risk that reflects directly on your own compliance posture, an issue addressed in detail in the supply chain section below.
Network Security
Communication platforms require integration into your broader network security architecture. Treating them as standalone applications with their own security perimeter creates gaps that adversaries will find. The integration should include:
- Network segmentation that contains the potential spread of a breach originating in or through a communication system
- Traffic monitoring capable of identifying anomalies, unexpected data volumes, unusual external connections, access patterns inconsistent with normal operational behavior
- Remote access secured through zero-trust architecture or VPN, applied consistently without exceptions made for convenience or seniority
Business Continuity
Communication infrastructure qualifies as critical for most covered entities, which means NIS2’s continuity requirements apply directly. The question your organization needs to answer, in writing, with evidence of having tested the answer, is what happens when your primary communication system fails. How do teams coordinate? How long does recovery take? What is the fallback while recovery proceeds?
Redundancy and failover capabilities are not optional enhancements to pursue when resources allow. They are part of the baseline. A continuity plan that exists as a document but has never been exercised provides limited assurance. Testing is the mechanism through which plans become reliable.
Incident Reporting and Monitoring
The incident reporting requirements in NIS2 impose operational pressure that most organizations underestimate until they try to meet the timelines in practice.
Reporting Timeline
|
Timeframe |
Required Action |
|---|---|
|
Within 24 hours |
Early warning submitted to the relevant national authority |
|
Within 72 hours |
Incident notification with initial severity assessment, estimated impact, and probable cause |
|
Within one month |
Final report with complete incident description, confirmed root cause, and remediation measures taken |
Communication platform incidents that trigger these obligations include unauthorized access to corporate messaging systems, large-scale data exfiltration from email archives, ransomware disabling unified communications infrastructure, or attacks that materially prevent an organization from coordinating its operations.
Building the Capability Before It Is Needed
The 24-hour early warning deadline cannot be met through improvisation after the fact. Detection, internal escalation, preliminary assessment, and regulatory notification all have to happen within that window, which is only possible if the detection infrastructure was already in place and functioning before the incident began.
For communication platforms, the necessary foundations are:
- Centralized logging that captures access events, authentication activity, configuration changes, and administrative actions across every communication system in scope
- Real-time alerting set up to surface specific anomalous behaviors: bulk message history exports, authentication from unexpected geographic locations, sudden shifts in data transfer patterns
- Escalation procedures with defined paths from detection to the decision-makers authorized to assess severity and initiate regulatory notification
- SIEM integration that incorporates communication platform events into your organization’s broader security monitoring picture
These capabilities should be tested through exercises that include realistic communication platform failure scenarios. The objective is to find gaps in detection coverage or escalation procedures while the stakes are low enough to fix them.
Monitoring as a Continuous Obligation
NIS2 treats security monitoring as an ongoing operational requirement, not a box to check at defined intervals. Communication infrastructure should be under continuous monitoring. Formal audits and penetration testing add structured checkpoints, but they are supplements to continuous visibility, not replacements for it.
The 24-hour clock starts at awareness, not at confirmation.
A critical operational reality that many compliance teams miss: the first NIS2 reporting deadline runs from the moment your organization becomes aware of a potentially significant incident, not from the point at which the incident has been confirmed or fully assessed. This means that the investigation process, the internal escalation chain, and the regulatory notification workflow all have to be executable within the same 24-hour window.
Organizations that have not pre-defined their notification criteria and escalation procedures in writing will almost certainly miss this deadline when a real incident occurs. Documented internal thresholds established in advance are not administrative overhead, they are the mechanism through which the deadline becomes achievable.
Management Accountability
The governance shift embedded in NIS2 has not yet fully registered in many organizations. The directive does not allow leadership to treat cybersecurity as a technical matter that IT handles while executives focus on business outcomes. Accountability is placed explicitly at the management level, with consequences that extend to individuals.
What the Directive Requires
Governing bodies (boards, executive leadership, or equivalent structures) must formally approve cybersecurity risk management measures, actively oversee their implementation, and complete training that delivers genuine understanding of cybersecurity risks. Superficial familiarity is not sufficient. The oversight obligation is substantive.
The accountability provision is direct: individual management body members can be held personally liable for negligent failures to implement required security measures. Member states are required to equip their national authorities to enforce this. Personal liability for cybersecurity governance failures is not a theoretical risk inserted into the directive’s text, it is an enforcement mechanism that regulators are expected to use.
What This Means for Communication Platforms Specifically
Every decision about which communication tools an organization deploys, and what security standards govern their use, now carries management-level accountability. Choosing a consumer-grade messaging application for sensitive business communications because it is cheaper or more familiar than a secure alternative is a governance decision. If a breach follows, that decision, and the risk assessment (or absence of one) behind it — will be part of what regulators examine.
Organizations need governance structures that treat communication platform selection, configuration standards, and periodic security review as decisions requiring formal risk assessment and documented approval at the appropriate level. Security teams need genuine escalation paths to leadership for concerns about communication infrastructure, not paths that end in delegation back to the team that raised the concern.
Supply Chain Security
Supply chain security is treated in NIS2 as a primary obligation, not an afterthought. For organizations using third-party communication platforms, the implications are direct.
When your organization deploys a cloud-based communication platform, the vendor’s infrastructure decisions, security practices, and operational choices become part of your risk profile. A vulnerability in their systems or a failure in their access controls does not stay within their perimeter. It reaches into yours. The incident reporting obligations, regulatory accountability, and reputational damage that follow land with your organization, regardless of where the failure originated.
Vendor Due Diligence
NIS2 requires covered entities to assess the cybersecurity practices of their suppliers. For communication platforms, a credible assessment addresses:
- Security certifications: ISO 27001, SOC 2 Type II, or equivalent. Are they current? Are they independently audited? Do they cover the specific infrastructure and services your organization relies on?
- Encryption practices: What standards does the vendor implement? Is end-to-end encryption enforced by default, or is it an option users must activate?
- Data residency: Where is data stored and processed? Can the vendor provide contractual guarantees of EU data residency where your regulatory or operational context requires it?
- Incident notification: What are the vendor’s contractual obligations to notify customers of security incidents? What does their track record look like in practice?
- Subprocessor chain: Who else handles your data, and under what security requirements?
- Patch and disclosure practices: Does the vendor operate a responsible disclosure program? How quickly do they patch disclosed vulnerabilities, and how do they communicate vulnerability information to customers?
Cloud vs. On-Premise: Supply Chain Risk Comparison
|
Dimension |
Cloud-Hosted Platform |
On-Premise / Self-Hosted (e.g., TrueConf Server) |
|---|---|---|
|
Data residency control |
Depends on vendor SLA and contract |
Direct, data stays within your environment |
|
Encryption key management |
Vendor controls keys unless additional config is applied |
Organization controls keys |
|
Vendor security posture as your risk |
High, vendor breach can be your incident |
Lower, core exposure is the software, not vendor infrastructure |
|
Audit evidence |
Vendor-generated attestations and certifications |
Your own logs, configs, and systems |
|
Patch management responsibility |
Vendor-managed, but timing is outside your control |
Organization-managed, giving direct control over update timing |
|
NIS2 supply chain due diligence scope |
Vendor + all subprocessors |
Software vendor; no infrastructure dependency |
|
Operational resilience dependency |
Shared with vendor uptime |
Fully within your operational control |
The Case for Infrastructure Ownership
A structural alternative to managing third-party supply chain risk is deploying communication infrastructure within your own environment. On-premise or privately hosted video conferencing and unified communications platforms, such as TrueConf Server, give organizations direct control over where data resides, how encryption is configured, how access is managed, and what is logged, independent of a vendor’s operational decisions.
This does not eliminate supply chain considerations entirely. The software still originates with vendors and requires its own diligence. But it removes the dependency on a third party’s security posture for core communication capabilities and gives organizations substantially more control over the elements of NIS2 compliance that regulators will examine most closely.
Contractual Requirements
Vendor contracts should be built around security requirements, not just commercial terms. For communication platform vendors, effective contracts include:
- Defined minimum security requirements with criteria that can be verified
- Breach notification obligations with specific timeframes aligned to your own NIS2 reporting deadlines
- Rights to audit or request compliance evidence on a defined schedule or following a material incident
- Defined consequences for security failures that materially affect your organization
Contractual protections do not transfer NIS2 obligations to vendors. Your organization remains accountable to regulators regardless of what contracts say. But strong contracts create enforceable accountability within vendor relationships and produce the documented evidence of due diligence that regulators will look for.
Ongoing Vendor Oversight
Vendor security postures are not static. Organizations should maintain ongoing awareness of developments affecting vendors whose platforms they rely on, disclosed vulnerabilities, reported incidents, regulatory actions, changes in ownership or infrastructure. When a vendor’s posture deteriorates in ways that affect your risk profile, there should be a defined process for responding, not an improvised reaction after the fact.
On-premise deployment shifts, not eliminates, the compliance burden.
A common misconception in NIS2 planning is that deploying communication infrastructure on-premise fully resolves supply chain obligations. It substantially reduces them, but it transfers direct responsibility for patch management, physical security, and operational resilience to your internal team. Organizations that move to on-premise take on these obligations in full.
The compliance burden does not decrease; it relocates. Managing it competently requires demonstrated operational capability, appropriate staffing, and sustained investment in maintaining the infrastructure. For organizations that have that capability, solutions like TrueConf Server offer a materially stronger compliance position for the vendor-dependency elements of NIS2. For those that do not, cloud solutions with robust contractual security obligations may be the more defensible path.
NIS2 Security Checklist for Communication Platforms
The following checklist covers the core NIS2 obligations for communication infrastructure. Treat it as a structured starting point for gap assessment, not a substitute for a formal compliance review with appropriate legal and technical expertise.
Encryption
- Communications in transit are encrypted using TLS 1.2 or higher
- Data at rest is encrypted with AES-256 or equivalent
- End-to-end encryption is enforced for sensitive communications
- Encryption configuration is verified at the platform level, not assumed from vendor defaults
Access Management
- MFA is enforced for all users without exception
- Role-based access controls reflect current operational roles and are formally documented
- Access rights are reviewed at least quarterly
- Offboarding procedures include immediate revocation across all communication systems
- Administrative access is restricted and logged separately
Monitoring and Logging
- Centralized logging covers access events, authentication activity, and administrative changes
- Log retention meets a minimum of 12 months
- Real-time alerts are configured for defined anomalous behaviors
- Communication platform logs feed into your SIEM
- Log integrity is protected against modification or deletion
Incident Response
- Your incident response plan explicitly addresses communication platform scenarios
- Escalation procedures for communication incidents are documented and tested
- NIS2 reporting timelines (24 hours, 72 hours, one month) are incorporated into response playbooks
- Incident exercises have included scenarios affecting communication infrastructure
Vendor and Supply Chain
- All communication platform vendors have been assessed against defined security criteria
- Vendor certifications are current and independently audited
- Contracts include enforceable security requirements and breach notification obligations with specific timeframes
- Data residency requirements are contractually confirmed
- Vendor security posture is reviewed at least annually
Governance
- Management has formally approved security measures applied to communication platforms
- Accountability for communication platform security is assigned to named roles
- A formal evaluation process governs the adoption of new communication tools
- Security requirements are documented, consistent, and enforced across all platforms in use
Resilience
- Redundancy and failover capabilities are in place for critical communication systems
- Business continuity plans address communication outages with specific procedures and owners
- Recovery objectives are defined and have been validated through testing
Best For / Strengths / Limitations at a Glance
Best for: Essential and important entities in regulated sectors that need to demonstrate rigorous, auditable control over their communication infrastructure — particularly those in healthcare, finance, public administration, energy, and critical digital services.
Strengths of a structured NIS2 approach to communications:
- Produces a defensible, auditable security posture that holds up to regulatory scrutiny
- Reduces breach impact through enforced access controls and early detection
- Aligns communication security with broader enterprise risk management frameworks
- Creates documented evidence of due diligence that regulators look for in enforcement contexts
Limitations to plan around:
- Gap assessment requires both legal expertise (jurisdiction-specific transpositions vary significantly) and technical expertise (configuration-level review of each platform in scope)
- Remediation timelines for architectural gaps, platforms structurally lacking required capabilities, can be substantial; early assessment is more valuable than late urgency
- Continuous monitoring obligations require sustained operational investment, not one-time setup
- Personal management liability provisions are not yet consistently enforced across all member states, but enforcement posture is evolving; forward-looking organizations should not calibrate their compliance posture to current minimum enforcement levels
Empower your video conferencing experience with TrueConf!
FAQ
Which organizations actually fall within NIS2 scope?
Applicability comes down to two factors: the sector your organization operates in and its size. Essential entities include those in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities encompass postal services, waste management, chemicals, food production and distribution, manufacturing, digital providers, and research organizations.
The baseline size threshold is 50 or more employees, or annual turnover exceeding €10 million, though national authorities can bring smaller organizations into scope where they are considered individually critical to essential service delivery. NIS2 is a directive rather than a directly applicable regulation, meaning each EU member state has enacted its own transposing legislation with differences that matter. Organizations with genuine uncertainty about their scope status should obtain legal advice from counsel experienced in the specific member state involved.
TrueConf, as an on-premise platform deployed within your own environment, can help your compliance posture once you have confirmed scope, but scope determination itself requires legal review.
Do NIS2 obligations apply to cloud-hosted communication tools like Microsoft Teams or Zoom?
Yes, categorically. The physical location of vendor infrastructure is irrelevant to where compliance responsibility sits, that responsibility belongs to your organization and extends across every communication tool in active operational use, regardless of how or where it is hosted.
Reviewing a vendor’s security marketing page or verifying a certification is not sufficient; due diligence needs to reach the underlying controls. Where a vendor’s controls fall short of what NIS2 demands, your organization carries the obligation to address that shortfall. This is one reason organizations subject to NIS2 increasingly evaluate self-hosted alternatives like TrueConf Server, where encryption configuration, key management, and access logging are directly verifiable rather than dependent on vendor-generated attestations.
What qualifies as a significant incident requiring NIS2 notification?
NIS2 defines the threshold by reference to incidents that cause, or have realistic potential to cause, severe operational disruption, substantial financial loss, or material harm to other parties. Actual damage does not need to have occurred, credible potential for serious impact is sufficient.
For communication platforms specifically, incidents that typically meet this threshold include unauthorized access to corporate messaging systems, large-scale data exfiltration from email infrastructure, ransomware attacks rendering unified communications inoperable, and prolonged outages that materially impair an organization’s ability to coordinate its operations. The 24-hour early warning clock starts at awareness, not confirmed impact, so pre-defined internal classification criteria are essential. Organizations running TrueConf Server on their own infrastructure retain full access to their own logs and can perform initial classification without waiting on a vendor.
What are the financial consequences of NIS2 non-compliance?
Penalties are calibrated to entity classification. Essential entities face fines reaching €10 million or 2% of total global annual turnover, whichever is higher. Important entities face a ceiling of €7 million or 1.4% of global annual turnover. Beyond financial penalties, NIS2 empowers national authorities to impose temporary bans prohibiting named individuals from holding management positions. Framed against those figures, the cost of properly securing communication infrastructure occupies a different order of magnitude.
The more productive analytical question is not whether compliance carries a cost, it does, but whether the full cost of non-compliance has been realistically assessed, including financial penalties, personal management liability, reputational damage, and operational breach consequences. Solutions like TrueConf Server represent a one-time licensing investment rather than ongoing per-user cloud costs, which changes the long-run economics for larger covered entities.
How should organizations handle personal devices (BYOD) used for business communications?
Written policy does not produce technical enforcement. A documented requirement for employees to apply security practices on personal devices does not activate MFA, does not enforce encryption, and does not enable remote data removal if a device is lost or compromised. NIS2 requires technical controls, and in BYOD environments those controls must be implemented at the application layer.
Three technical components define a defensible approach: authentication enforcement operating at the account level independent of device type; application-level security policies enforced through mobile application management solutions; and remote data removal configured and operationally tested in advance. Where communications regularly carry sensitive or regulated content, limiting access to organizationally managed devices is the stronger compliance position.
TrueConf’s client applications support MDM deployment and application-level policy enforcement, enabling organizations to maintain consistent security controls across managed devices without requiring full device enrollment.
How frequently should communication platform security be reviewed?
Annual review is the minimum acceptable cadence, not a sufficient one in isolation. Specific events should trigger additional reviews independently of the calendar: a significant platform update or publicly disclosed vulnerability; internal restructuring or acquisitions that alter access privilege structures; updated guidance from national authorities or ENISA; and significant developments in the threat landscape targeting communication infrastructure.
The operational model NIS2 implies is continuous monitoring as the baseline state, with formal periodic assessments functioning as structured points for deeper analysis. For organizations running TrueConf Server, centralized logging and admin-controlled audit trails make ongoing monitoring operationally straightforward — the evidence base for both continuous monitoring and formal periodic reviews sits in systems the organization directly controls.
What should an organization do when its current platform does not meet NIS2 requirements?
The necessary starting point is precision. A gap assessment that establishes, for example, that log retention is configured to 30 days rather than the required 12 months, or that MFA enforcement excludes a defined user population, produces something actionable. Configuration gaps, features that exist within the platform but are disabled by default, can frequently be resolved without significant resource expenditure.
Architectural gaps, where the platform structurally lacks capabilities necessary for compliance, point toward migration. Where remediation extends over a period of time, formal documentation of identified gaps and the concrete steps being taken to close them serves a genuine compliance function, regulators weigh demonstrated good-faith effort when determining enforcement responses.
For organizations finding that their current cloud communication platform creates irresolvable vendor-dependency issues for supply chain or data residency requirements, on-premise alternatives like TrueConf Server are worth evaluating as part of a structured remediation plan. Sequencing remediation priorities should involve legal and compliance counsel familiar with the relevant member state’s transposing legislation.








Follow us on social networks