NIS2 without illusions: why certificates and cryptography are a real problem for companies today
NIS2 changes how organizations in the EU must think about cybersecurity. Not through new algorithms or trendy tools — but through accountability.
And that’s exactly why one area keeps showing up in audits, incidents and reviews, over and over again: certificates and cryptography.
NIS2 doesn’t tell you how. It says: you are responsible.
Myths about NIS2
A lot of myths grew around NIS2. The most common is:
“NIS2 imposes specific technical solutions.”
That’s not true.
NIS2:
- does not define your policies,
- does not describe step-by-step processes,
- does not prescribe specific technologies.
But it does say something much harder:
Your organization must demonstrate that it consciously manages cybersecurity risk.
Certificates — small items, big consequences
Certificates are one of the first places where lack of control becomes obvious.
In most companies, certificates:
- are “somewhere”,
- “someone takes care of them”,
- “it’s never been a problem… yet”.
Until:
- a certificate expires at night → a system stops working,
- a private key circulates in emails or source repositories,
- nobody can say how many certificates exist, where they are installed, or who issued them,
- a vendor's client certificate still grants access long after the engagement ended, because nobody revoked it.
From a NIS2 perspective, these aren’t minor oversights. They are lack of risk management.
The most common pain points auditors see
1️⃣ Visibility gaps
“We don’t know how many certificates we have and where they’re used.”
2️⃣ Manual processes
Excel, calendar entries, and reminders in an admin’s head.
3️⃣ Diffused responsibility
“It’s probably IT… or DevOps… or the vendor?”
4️⃣ Incident risk
Certificate expires = service interruption = an incident you may have to report.
5️⃣ Missing evidence for audit
“We know we do this, but we can’t show it.”
Why NIS2 “hits” cryptography so hard
Because certificates are:
- the foundation of secure communication,
- the bedrock of trust between systems,
- a critical element of access management.
And NIS2 requires:
- control,
- accountability,
- continuity of operations,
- resilience to incidents.
If certificates are managed “by gut feel”, you can’t defend that in an audit.
A new approach: management, not firefighting
Instead of:
- reacting to expired certificates,
- relying on admins’ memory,
- explaining yourselves after an incident,
Companies start to:
- centralize certificate management,
- automate rotation and renewals,
- establish clear ownership and reporting,
- treat cryptography as a business process, not a technical detail.
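As an added illustration of the visibility and expiry points above (not code from the original article or from any product it refers to), the script below reads the validity period straight out of X.509 certificates (PEM or DER), classifies each one by days remaining against fixed thresholds, flags entries with no named owner, and emits a timestamped report of the kind an auditor can be handed. It uses only the Python standard library, so it runs offline; the three certificates it scans are constructed inside the block for demonstration (minimal, unsigned, empty names) and the host names, owners and thresholds are assumptions, not values from the article.

```python
"""Offline certificate expiry inventory: read X.509 validity from DER/PEM and report."""
import base64
import datetime as dt
import json
import re

UTC = dt.timezone.utc

# --- minimal DER helpers: enough to walk a real certificate down to its Validity field ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]; handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_time(tag, body):
    # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...). Python's %y maps 00-68 to 20xx,
    # RFC 5280 maps 00-49; the two only differ for years 2050-2068, which no sane cert should carry.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)

def validity_from_der(cert_der):
    """Locate the Validity SEQUENCE inside TBSCertificate: the first SEQUENCE whose first child is a time."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body = children(cert_body)[0]
    for tag, body in children(tbs_body):
        if tag == 0x30:
            kids = children(body)
            if len(kids) == 2 and kids[0][0] in (0x17, 0x18):
                return parse_time(*kids[0]), parse_time(*kids[1])
    raise ValueError("no Validity sequence found")

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

# --- policy: thresholds are an assumption for the example, tune them to your renewal lead time ---
def classify(not_after, now):
    days = (not_after - now).days            # negative once expired
    if not_after <= now:
        return "expired", days
    if days < 7:
        return "critical", days
    if days < 30:
        return "warning", days
    return "ok", days

def inventory(entries, now):
    """entries: [{"where": str, "owner": str|None, "pem": str}] -> audit evidence dict."""
    rows = []
    for e in entries:
        _, not_after = validity_from_der(pem_to_der(e["pem"]))
        status, days = classify(not_after, now)
        rows.append({"where": e["where"], "owner": e.get("owner"), "unowned": e.get("owner") is None,
                     "not_after": not_after.isoformat(), "days_left": days, "status": status})
    return {"generated": now.isoformat(), "count": len(rows), "rows": rows}

# --- constructed test certificates: minimal, unsigned, empty names; for the demo only ---
def make_test_cert(not_before, not_after):
    t = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = tlv(0x30, b"")                                                  # empty Name
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))       # sha256WithRSAEncryption OID
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + tlv(0x30, t(not_before) + t(not_after)) + name + tlv(0x30, alg + tlv(0x03, b"\x00")))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

REFERENCE_NOW = dt.datetime(2025, 1, 1, tzinfo=UTC)   # fixed clock so the report is reproducible

def demo_report(now=REFERENCE_NOW):
    start = dt.datetime(2024, 1, 1, tzinfo=UTC)
    entries = [  # hypothetical hosts and owners
        {"where": "lb-01:443", "owner": "platform-team", "pem": make_test_cert(start, dt.datetime(2025, 1, 6, tzinfo=UTC))},
        {"where": "api-gw:8443", "owner": None, "pem": make_test_cert(start, dt.datetime(2024, 12, 31, tzinfo=UTC))},
        {"where": "vendor-vpn", "owner": "vendor-x", "pem": make_test_cert(start, dt.datetime(2026, 1, 1, tzinfo=UTC))},
    ]
    return inventory(entries, now)

if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

Pointed at real material, replace `demo_report`'s constructed entries with PEM files collected from your hosts and pass `dt.datetime.now(UTC)`; the parser does not verify signatures or chains, it only answers "when does this expire and who owns it", which is the question the audit actually asks first.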
This is exactly where modern certificate management solutions make sense.
How a good solution aligns with NIS2
Without going into deep technical details, a solid solution in this space:
- provides full visibility of certificates and keys,
- automates their lifecycle,
- minimizes human error risk,
- delivers compliance evidence (logs, reports, auditability),
- materially reduces incident risk.
In other words, it does what NIS2 expects:
conscious, documented risk management.
NIS2 isn’t a threat. It’s a chance to clean up chaos.
Reactive organizations will:
- put out fires,
- react to inspections,
- explain themselves after incidents.
Organizations that treat this as a catalyst will:
- organize certificates,
- automate cryptography,
- build system resilience.
These are the organizations that pass audits calmly — not nervously.