
NIS2 implementation in the EU: Status & Current Affairs
EU Directive 2022/2555 on Network and Information Systems, also known as NIS2, entered into force on Jan 16, 2023 and the Danish implementation Act - NIS2-Act - (Lov nr. 434 af 06/05/2025 – Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau) came into force on 1 July 2025.
NIS2 and the NIS2-Act build on NISD (EU Directive 2016/1148) but are more stringent and expand the set of entities affected by this new set of rules. Specifically, the NIS2-Act affects all medium-sized and large enterprises that belong to one of the sectors classified as ‘of high criticality’ or as ‘critical’ in schedules to the NIS2-Act.
The NIS2-Act imposes on affected entities a comprehensive set of cybersecurity risk-management measures as well as reporting obligations. Entities covered by the NIS2-Act, as well as their suppliers, must implement and document a variety of measures to avoid, detect, and report cybersecurity incidents.
For comparison, the 2016 NISD left it to the member states to assess and identify which entities were subject to the NISD regulations, and it included only 6 sectors; this approach led to significant differences in the application of NISD across member states. Meanwhile, the new scope definition implies a significant increase in affected enterprises. For example, the Belgian Centre for Cyber Security forecasts for Belgium an increase from about 100 entities affected by NISD to about 2500 entities affected by NIS2.
Depending on sector (of high criticality or critical) and size (large or medium), the NIS2-Act classifies entities as ‘essential’ or ‘important’, which implies differentiation in the specified supervisory and enforcement measures. Entities that fall within scope of the NIS2-Act must – based on a self-assessment – register with the relevant authorities in Denmark. Cryptomathic has performed such a self-assessment and has completed a registration with the Danish Agency for Digital Government.
The measures required under the NIS2-Act include incident handling plans, crisis management plans, policies on the use of crypto, access control policies, use of state-of-the-art authentication, supply chain security, and cybersecurity training. The NIS2-Act also brings higher and more specific fines and penalties for entities that infringe the NIS2-Act.
At Cryptomathic we believe that our Key Management Solution (KMS) – which is built to comply with ISO/IEC 27001 and a wide range of key management standards – can support some of the compliance demands requested under the NIS2-Act. The NIS2-Act to some extent links to ENISA controls, and in the table below we illustrate how the Cryptomathic KMS supports compliance with the ENISA controls across all four ENISA security domains.
Compliance requirements mapped to Cryptomathic's key management system's features:
| ENISA Security Domain | ENISA Security Subdomain | ENISA Security Measure | How Cryptomathic's Key Management (KMS) Solution Can Help |
| --- | --- | --- | --- |
| Defense | Detection | Logging | Cryptomathic KMS provides extensive and secure logging. All logs are chained and integrity-protected; each log entry is assigned a MAC value and time stamp. These logs can be used as evidence in court. |
| Defense | Detection | Logs correlation and analysis | Cryptomathic KMS provides correlated logs. |
| Defense | Detection | Detection | Cryptomathic KMS creates integrity-protected audit logs, which contain information on all security-related events in the key management system, including all operations on system keys. |
| Defense | Computer Security Incident Management | Information system security incident response | Cryptomathic KMS enables fast and easy renewal and update of key values. It is crypto agile by design, allowing for quick algorithm updates. |
| Governance and Ecosystem | Information System Security Governance & Risk Management | Information system security audit | Cryptomathic KMS (incl. 3rd party libraries) goes through vulnerability analysis using CVE methodology. |
| Governance and Ecosystem | Ecosystem Management | Ecosystem mapping | Cryptomathic KMS is the backbone for safeguarding many applications, while managing user privileges and enforcing a centralized crypto policy. |
| Governance and Ecosystem | Information System Security Governance & Risk Management | Information system security policy | Cryptomathic KMS is the backbone for enforcing an information system security policy (ISSP): role- and privilege-based access control, and centralized policy enforcement. |
| Protection | Identity and access management | Authentication and identification | User access and privileges are managed with centralized crypto policies, signed under dual control. |
| Protection | IT Security Architecture | Cryptography | Cryptomathic KMS uses state-of-the-art cryptography to protect the confidentiality, authenticity and integrity of information. The connected HSMs (Hardware Security Modules) are FIPS certified. |
| Protection | IT Security Maintenance | Industrial control systems | Cryptomathic KMS (incl. 3rd party libraries) goes through vulnerability analysis using CVE methodology. |
| Protection | IT Security Administration | Administration accounts | Cryptomathic KMS helps with account management and access control. |
| Protection | Identity and access management | Access rights | Cryptomathic KMS implements fine-grained access management. |
| Protection | IT Security Administration | Administration information systems | Cryptomathic KMS allows for heavily improved protection of crypto assets, storing keys in HSMs and centrally enforcing crypto policies even in distributed architectures. |
| Resilience | Continuity of operations | Disaster recovery management | Cryptomathic KMS is designed and built with high resiliency, including back-up and disaster recovery. It also allows for hot swaps of HSMs with zero downtime. |
| Resilience | Continuity of operations | Business continuity management | With its centrally enforced crypto policy and being crypto agile by design, Cryptomathic KMS supports your defined strategies for business continuity in case of an IT security incident. |
Contact us to speak with one of our security experts if you want to know more, or to find out whether one of the Cryptomathic products can help facilitate your enterprise’s compliance with NIS2!