
NIS2 Article 21.2 h:

The key cabinet: when cryptography is routine, not magic.

I often describe cryptography as a key cabinet. Not like a dramatic safe in an action film, but rather the somewhat dull yet vital box where an organisation stores its keys. If the keys are scattered, copied without permission, or if no one knows who holds which key, it matters little how expensive the door is. It can still be opened.

NIS2 Article 21.2 h addresses exactly this: the organisation must have policies and procedures for how cryptography and, where appropriate, encryption are used. It is not a call to "encrypt everything all the time." It is a demand for control, judgement, and traceability.

Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

What point h actually says

Article 21.2 lists ten areas (a to j) that must be covered by risk management measures. Point h concerns policies and procedures for the use of cryptography and, where appropriate, encryption. This means NIS2 does not mandate a specific algorithm or product. It requires you to demonstrate that you use cryptography proportionately to the risk and impact.

Swedish implementation: from EU text to supervision

In Sweden, NIS2 is implemented through the Cybersecurity Act (2025:1506) and the Cybersecurity Ordinance (2025:1507), which came into force on 15 January 2026. This makes cryptography a practical part of the requirements for affected operators. It is no longer a future "should do," but something that must be demonstrated in practice and backed by evidence.

A clarification: cryptography, encryption, and signing are not the same

I often see these terms confused, so let me keep it simple.

Cryptography is the umbrella term: methods for mathematically protecting information.
Encryption is a part of cryptography: it makes content unreadable without the correct key.
Digital signing is another part: it helps us verify who created something and whether it has been altered.

In practice, they often go hand in hand. But they are different tools in the key cabinet.

Why point h becomes business-critical

Cryptography quickly becomes a matter of trust. When data moves between parties, when suppliers are involved, and when remote access is used, the question is not if someone "wants" to steal data, but whether you have made it sufficiently difficult and can prove it.

This directly relates to several other points in Article 21.2: access control and asset management (i), strong authentication (j), the supply chain (d), and continuity (c). Cryptography is rarely an isolated technical issue. It is part of how you build trust across the entire chain.

Data protection and GDPR: what's true and what's often overstated

I want to be clear and factual here. The General Data Protection Regulation (GDPR) does not require all personal data to always be encrypted at rest and in transit. However, GDPR states that appropriate technical and organisational measures should be implemented, and encryption is mentioned as an example of such a measure when relevant. In other words: encryption is often wise, sometimes necessary, but risk and context still govern.

This aligns well with the NIS2 approach: proportionality and effect, not reflexes.

The most common failure: key management

I have seen organisations do "everything right" on paper yet fail because of keys. Key management is the dull reality behind all cryptography: who creates keys, where they are stored, who has access, how they are rotated, what happens when someone leaves, and how you detect something has gone wrong.

If keys are managed poorly, cryptography is little more than a false sense of security. The key cabinet is open.

Three things that make point h real

I stick to three things that are easy to understand, hard to cheat on, and in line with point h.

· Classify data and flows.

· Control keys as access rights.

· Monitor and rotate keys.

Classifying data and flows means knowing what is sensitive and where it moves. Then you can choose the right level of protection.

Controlling keys as access means treating crypto keys as your most privileged rights. Minimal access, clear owners, and traceability.

Monitoring and rotating keys means having routines for rotation, revocation, and checks, and testing that it works. Just as you test that the key cabinet actually locks.
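As an added illustration (not code from the article or from OneMore Secure), here is a small Python audit that applies the three checks above to a constructed key inventory and data-flow list. The field names, the holder threshold, the sample records and the audit date are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data, invented for this example (not from any real system).
FLOWS = [
    {"name": "patient-export", "classification": "confidential", "in_transit": True, "at_rest": False},
    {"name": "public-site", "classification": "public", "in_transit": True, "at_rest": False},
]
KEYS = [
    {"id": "backup-kek", "owner": "alice", "holders": {"alice"},
     "last_rotated": date(2025, 6, 1), "rotation_days": 365, "revoked": False},
    {"id": "vpn-ca", "owner": None, "holders": {"bob", "carol", "dave", "erin"},
     "last_rotated": date(2023, 6, 1), "rotation_days": 365, "revoked": False},
]
LEAVERS = {"carol"}          # identities that have left the organisation (assumed)
MAX_HOLDERS = 2              # assumed policy threshold: how many people may hold one key
AUDIT_DATE = date(2026, 1, 15)

def audit_flows(flows):
    """Check 1: classify flows; confidential data must be protected in transit and at rest."""
    findings = []
    for f in flows:
        if f["classification"] in ("confidential", "restricted"):
            if not f["in_transit"]:
                findings.append((f["name"], "unencrypted in transit"))
            if not f["at_rest"]:
                findings.append((f["name"], "unencrypted at rest"))
    return findings

def audit_keys(keys, leavers, today, max_holders=MAX_HOLDERS):
    """Checks 2 and 3: keys as access rights (owner, minimal holders, leavers)
    and rotation discipline (overdue rotation). Revoked keys are skipped."""
    findings = []
    for k in keys:
        if k["revoked"]:
            continue
        if not k["owner"]:
            findings.append((k["id"], "no owner"))
        if len(k["holders"]) > max_holders:
            findings.append((k["id"], "too many holders"))
        for gone in sorted(k["holders"] & leavers):
            findings.append((k["id"], f"held by departed user {gone}"))
        age = (today - k["last_rotated"]).days
        if age > k["rotation_days"]:
            findings.append((k["id"], f"rotation overdue by {age - k['rotation_days']} days"))
    return findings

if __name__ == "__main__":
    for item, issue in audit_flows(FLOWS) + audit_keys(KEYS, LEAVERS, AUDIT_DATE):
        print(f"{item}: {issue}")
```

The point is that every finding maps back to one of the three routines, so the audit output is itself the evidence that the key cabinet is being checked.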

Final thoughts

Article 21.2 h is not a demand for cryptographic perfection. It is a demand for order in the key cabinet. When cryptography becomes routine, not magic, something important happens: trust becomes easier to build and harder to lose. And in a digital world, trust often equals business capability.

References

European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.

European Union. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), Article 32. Official Journal of the European Union.

Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.

Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.

Government. (2026). New law strengthens cybersecurity (effective 15 January 2026).

ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.
