
NIS2 compliance: Microsoft 365 and email security

The NIS2 Directive, a pivotal piece of cybersecurity legislation in the EU, sets stringent standards for the use of encryption and authentication to protect sensitive data. These requirements are especially pertinent for the use of email. 

Email is still by far the most important tool organizations use to share information. However, it is also a common vector for data loss incidents and cyber-attacks. 

With NIS2 fast approaching, organizations across the EU are reassessing their cybersecurity strategies. A critical aspect of this involves evaluating the capabilities of existing tools, including Microsoft 365 (M365), in meeting new requirements. 

So, what are the limitations of M365 in the context of NIS2, and does it adequately protect sensitive information shared via email? Let’s investigate. 

Security limitations in M365

Key requirements of the NIS2 Directive, outlined in Article 21, include implementing policies and procedures regarding the use of cryptography and, where appropriate, encryption, as well as multi-factor authentication or continuous authentication solutions and secure communications solutions, to ensure the protection of data.

By default, email lacks any form of encryption and authentication. Ensuring that emails are protected in transit and delivered to the right server requires enforcing transport encryption and authenticating the recipient's email server.

DANE, which combines TLS and DNSSEC, is globally considered the only truly secure protocol for email. However, while M365 does support DANE, it lacks a crucial fallback mechanism. For instance, if DANE is not supported by the recipient, there is no option in M365 to automatically use an alternative secure method, such as Purview Message Encryption. This is also the case when using TLS or MTA-STS only.

This means that, with M365, organizations must choose between sending the email with lower security, which compromises compliance with NIS2 and the security of information, and having the email bounce back to the sender, which disrupts communication. In practical terms, important messages might not reach their destination securely or quickly, impacting business operations and compliance efforts.
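
The decision this section describes, as an added Python sketch (not code from Microsoft 365 or Zivver): prefer DANE when DNSSEC-validated TLSA records exist, then an enforced MTA-STS policy, and otherwise switch to message-level encryption instead of downgrading or bouncing. The function names, return labels and sample records are constructed for illustration, and the TLS handshake and certificate validation are assumed to happen elsewhere.

```python
import hashlib

def parse_mta_sts_policy(text):
    """Parse an RFC 8461 policy file into its keys plus a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(mx_host, patterns):
    """RFC 8461 matching: '*.example.net' covers exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    return any(host.partition(".")[2] == p[2:] if p.startswith("*.") else host == p
               for p in patterns)

def tlsa_matches(tlsa, spki_der):
    """Match a DANE-EE SPKI SHA-256 record ('3 1 1 <hex>'); other types are skipped."""
    usage, selector, mtype, data = tlsa.split(None, 3)
    return ((usage, selector, mtype) == ("3", "1", "1")
            and hashlib.sha256(spki_der).hexdigest() == data.replace(" ", "").lower())

def choose_delivery(mx_host, spki_der, tlsa_records, dnssec_validated, sts_policy_text):
    """Pick a transport for one MX. Assumes TLS and certificate checks happen elsewhere."""
    if tlsa_records and dnssec_validated:  # unsigned TLSA answers must be ignored
        if any(tlsa_matches(r, spki_der) for r in tlsa_records):
            return "deliver:dane"
        return "defer:dane-mismatch"  # never downgrade a domain that publishes DANE
    policy = parse_mta_sts_policy(sts_policy_text or "")
    if policy.get("version") == "STSv1" and policy.get("mode") == "enforce":
        return "deliver:mta-sts" if mx_allowed(mx_host, policy["mx"]) else "defer:mta-sts-mismatch"
    return "fallback:message-encryption"  # hypothetical label for message-level encryption

# Constructed sample input (not real DNS data or a real key).
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: *.mail.example.net\nmax_age: 86400\n"
```

A mismatch against a published DANE or enforced MTA-STS policy defers the message rather than falling back, because the recipient domain has asked senders not to deliver to an unauthenticated server.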

Limitations in automated processing of emails

When emails are sent using Purview Message Encryption, either by a user action or a DLP rule, another challenge arises. If a recipient opens a message encrypted with Purview and decides to reply to it, the response is also encrypted with Purview Message Encryption.

This poses a significant challenge for many organizations. Encrypted replies cannot be automatically processed in a readable form by automated systems used by many large organizations for tasks such as loading messages into CRM systems, or for routing and processing messages. This means that workflows are significantly disrupted; emails need to be manually opened in the receiving mailbox and manually sent or imported into the subsequent processing system. You can imagine the additional costs, time and room for error associated with this.

What else you need to know about email security and NIS2

Beyond these limitations, M365 lacks other critical functionalities that are essential in preventing data leaks and unauthorized access to data:

  • Prevention of human error: Misaddressed emails are a leading cause of data breaches, and M365 lacks robust functionality to prevent such errors.
  • Recipient multi-factor authentication: NIS2 specifies the need for multi-factor authentication for recipients, a feature not supported by M365.
  • Revoking access to messages: With M365, you can only revoke messages when using Purview Advanced Message Encryption, and only for recipients outside the Microsoft ecosystem.
  • Secure file transfer: Purview only supports encrypting messages if file size does not exceed 25 MB.
  • Zero-access encryption: Purview offers advanced functionality such as Double Key Encryption. However, this cannot yet be applied to email encryption via Outlook.
  • Recipient-friendly access: Purview allows easy message access through Microsoft accounts. However, outside of the Microsoft ecosystem, access to encrypted messages is far less user-friendly.

How to comply with NIS2 

Navigating the complex landscape of NIS2 compliance requires more than just opportunistic email protection. It demands elevated and enforced levels of data security. This is where email data protection platforms play a crucial role, bridging the gaps left by mainstream platforms like Microsoft 365, offering advanced features designed to support compliance with the stringent requirements of NIS2. 

Zivver provides robust encryption and authentication mechanisms that go beyond standard offerings, ensuring that sensitive information remains secure at all times. Organizations can enforce stricter control over data flows, mitigate the risk of human error, and enable multi-factor authentication where necessary. This not only elevates the security posture of an organization but also aligns it seamlessly with NIS2 mandates, ensuring compliance while maintaining operational efficiency.

Recognized by Gartner and working in partnership with Microsoft, Zivver enhances M365 with MFA, human error prevention tools and advanced encryption. To find out more about how our secure email and file transfer solutions can support your organization in complying with NIS2, get in touch.

Last updated - 09/04/24