2025-10-07, Belvedere I / Security, Compliance & the Law
For the last 6 years I've been advocating for the adoption of client-side encryption with a zero-trust protocol, speaking about its technical nuances and software implementation at several IT conferences in Europe and America. This entered my life as a broad but imperative business requirement: "avoid data leakage at any cost". I was very glad to have the opportunity to learn more deeply about cryptology and to contribute some code for that purpose. Today, however, I would like to focus on what end-to-end encryption (E2EE) really means and on how the NIS2 regulation seems to be misinterpreting it. While it places a huge emphasis on E2EE, the same regulation also mentions the need to grant the government powers of content surveillance, and these two requirements are inescapably contradictory.
In 2021, on the verge of the widespread adoption of teleworking due to the pandemic, I moved with my family from Brussels (where I used to live within walking distance of the office) to Namur, where I could safely connect to the internet and keep working as efficiently as before, or more so. In Namur, however, I came to see again a problem I had already seen in Brussels: hospitals having trouble with their IT systems and end-user-facing tools as a consequence of successfully perpetrated cyber attacks. Once it looked like a trend across several sectors in Belgium, I started to pay more attention to the problem.
At every corner of the hospital where my wife delivered our second son, we could see, not without some concern, warnings about service disruption due to cyber attacks. The nefarious effects were incredibly long, lasting for years! Probably as a response to this kind of situation, the European institutions and, broadly speaking, European society approved a new, stricter framework regulation. Adoption of the Network and Information Security Directive 2 (NIS2) became mandatory in October 2024. Replacing the previous, almost homonymous directive of 2016, NIS2 came with bold statements and penalties. Organizations over a certain size, in certain sectors, have to comply with stricter cyber security measures, including, ipsis litteris, E2EE. Not only does it define huge financial penalties for non-compliance (up to 2% of global revenue, in some situations), but NIS2 also establishes the possibility of civil and even criminal liability for the company's directors. This is very bold. However, and here comes the contradiction: the same regulation requires the target organization to make the government capable of content surveillance.
In this session, I'll explore this contradiction from both a technical and a regulatory perspective and try to map some paths through the space between legal compliance and a world in which ethical, secure IT prevails.
Software engineer and consultant with 10+ years of experience in the web development industry. Passionate about client side encryption and initial poster of OEIS sequence number A342754.