- Turul, Tresorit passed its NIS2 certification audit this July, scoring an impressive 95%. What does this milestone mean for the company?
This is a huge milestone for us and a proud moment for everyone at Tresorit. The NIS2 Directive sets a new benchmark for cybersecurity across the EU – especially for sectors that are critical or heavily digitally connected. It also places obligations on IT service providers and manufacturers, which makes it a significant shift in expectations.
As a leading provider of end-to-end encrypted content collaboration solutions, Tresorit already had a solid foundation. But passing the audit with a remarkable 95% score, conducted by Ernst & Young, takes things to the next level. It places Tresorit among the first organizations in Europe to achieve official certification under the newly implemented NIS2 framework.
For us, this isn’t just a technical achievement. It validates our entire security ecosystem – our technology, internal processes, risk management strategies, and incident response capabilities. Most importantly, it reassures our clients that their data is protected by one of the most secure platforms available.
Turul Balogh, Group Information Security and Data Protection Officer
- Lots of companies claim NIS2 compliance. Why did Tresorit pursue official certification, and why should customers care?
Because certification brings clarity and trust. When companies say they are “working in compliance”, that’s vague – it leaves room for interpretation. Official certification removes the ambiguity. It’s a transparent, verifiable demonstration of our security and operational maturity.
For our customers, especially those in regulated industries like finance, IT, or the public sector, this matters a lot. They’re under pressure to meet strict compliance standards themselves. By proving that our products not only support NIS2 compliance but, along with our entire operation, meet NIS2’s rigorous requirements, we lift part of their burden. They don’t have to audit us; they can trust that we’re secure by design.
- Tresorit chose a rigorous primary jurisdiction for the NIS2 audit. Why does that matter?
That was a strategic decision. While NIS2 sets a common cybersecurity framework, each EU country has to translate it into national law, and not all countries have done so at the same pace. To simplify the certification journey for multinational companies, NIS2 allows you to choose a primary jurisdiction and undergo one comprehensive audit. The results are then recognized across the entire EU – even in countries where adoption is still ongoing.
Tresorit saw this as an opportunity to lead. We selected a jurisdiction with a particularly stringent interpretation of NIS2. The audit involved 2,000+ granular requirements derived from 3,000+ pages of regulations and guidance. It examined everything – from incident response and risk assessments to system-level security controls.
Why does this matter? Because for our international customers, no matter where they operate, it means they can trust that Tresorit meets Europe’s highest cybersecurity standards.
- Security has always been central to Tresorit’s DNA. But what did it actually take to achieve full certification?
It’s true that we didn’t start from scratch, but it was far from a box-ticking exercise. NIS2 is incredibly comprehensive; the entire project took 18 months of intense, cross-functional collaboration.
It’s not just about encryption or access controls. NIS2 touches everything: organizational resilience, incident reporting, risk assessments, security training, supply chain management, and even detailed system documentation. We had to make many of our processes more structured and fully auditable – not because they were insecure, but because certification demands transparency. That’s the real difference between “secure” and “certified.”
- What does this mean for organizations using Tresorit now, in terms of their own NIS2 compliance?
In short: we’ve got their back covered. By working with Tresorit, organizations get a platform that actively supports their own NIS2 implementation. They benefit from end-to-end encryption, tamper-proof audit trails, granular access controls, and a provider that is itself on solid regulatory ground. On top of that, our tools help them secure their own external communication channels – whether they’re exchanging data with vendors or reporting incidents to authorities.
- What did we learn from the NIS2 project – especially with DORA, CRA, or other international standards in mind?
A great deal. NIS2 aligns closely with other key standards, particularly around risk management, incident response, and security architecture. By passing the NIS2 audit, we’ve already laid the groundwork for DORA (Digital Operational Resilience Act), CRA (Cyber Resilience Act), and other regulations. This project didn’t just validate our processes – it made them stronger.
- Finally, what’s your advice for organizations preparing to tackle NIS2 requirements? Any key takeaways?
Don’t wait. The biggest mistake companies make is underestimating the scope. NIS2 doesn’t just apply to large corporations – small and mid-sized organizations classified as essential or important entities are affected too. My advice? Don’t try to boil the ocean. Start where you are, identify the gaps, build structure into your processes – and find partners who can help. Whether internally or externally, sharing responsibility will help you build a stronger, more resilient security posture.
- Thanks for the insights, Turul!
Want to strengthen your cybersecurity and compliance strategy?
Our new on-demand webinar “NIS2 in Action: Key learnings and best practices for effective implementation - 1 year on” is now live. Hear from our experts – Turul Balogh, Group Information Security and Data Protection Officer at Tresorit, and Koen Verbeke, Lecturer & Researcher at Howest and Lead Auditor – as they share lessons learned from the first year of NIS2 implementation and practical steps to improve resilience.
Brigitta Finta