The obligation in one sentence
Article 21(2)(j) of the NIS2 Directive (Directive (EU) 2022/2555) requires essential and important entities in 18 EU sectors to use 'multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate'. Essential entities that ignore it risk fines of up to EUR 10 million or 2% of worldwide annual turnover.
Article 21(2) lists ten minimum cybersecurity risk-management measures, points (a) to (j), that every in-scope entity must implement on an 'all-hazards' basis. Point (j) — quoted verbatim above from the official EUR-Lex text [1] — is the only item on that list that names a specific class of business application: voice, video and text communication. Interception of internal communications is treated as a first-order risk, on the same list as incident handling and supply-chain security.
The qualifier 'where appropriate' is a proportionality clause, not an exemption. Article 21(1) requires measures 'appropriate and proportionate' to the entity's risk exposure, its size, and the likely severity of incidents, including their societal and economic impact [1]. An entity that decides secured communications are not appropriate for it carries the burden of documenting that reasoning — and of defending it before a supervisory authority, possibly after an interception has already happened.
Who is in scope: two tiers, 18 sectors
NIS2 applies to 'essential' and 'important' entities, determined by sector, criticality and, as a rule, company size. Annex I lists eleven sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Annex II adds seven other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research [1].
The calendar is no longer theoretical. Member States had to transpose the directive by 17 October 2024 and apply the measures from 18 October 2024 (Article 41); national lists of essential and important entities had to be established by 17 April 2025 (Article 3(3)) [1]. Transposition ran late across much of the Union: on 28 November 2024 the European Commission opened infringement procedures against 23 Member States for failing to fully transpose NIS2 on time [4]. Late national laws shifted enforcement start dates in some countries — they did not change the content of the obligations.
Italy: Legislative Decree 138/2024 and the ACN
Italy transposed ahead of the deadline. Legislative Decree No 138 of 4 September 2024 was published in Gazzetta Ufficiale No 230 of 1 October 2024 and entered into force on 16 October 2024 [3]. Its list of risk-management measures mirrors Article 21(2), including 'comunicazioni vocali, video e testuali protette' — the official Italian rendering of secured voice, video and text communications.
The Agenzia per la Cybersicurezza Nazionale (ACN) is Italy's national competent NIS authority. In-scope entities must register, or update their registration, on ACN's digital portal between 1 January and 28 February each year, with annual information updates between 15 April and 31 May; according to the ACN portal, incident-notification duties for registered entities apply from January 2026 [5]. Registration is the trigger of the whole Italian mechanism: an organisation that has not yet assessed whether it belongs on that list is already behind.
Implementing Regulation 2024/2690: precise on MFA, silent on voice
For digital-infrastructure entities — DNS service providers, TLD name registries, cloud and data-centre providers, CDNs, managed (security) service providers, online marketplaces, search engines, social networking platforms and trust service providers — the Commission adopted Implementing Regulation (EU) 2024/2690 on 17 October 2024; it entered into force on 7 November 2024 [2]. Its Annex translates each Article 21(2) measure into auditable technical requirements.
The mapping for point (j) is revealing. Annex section 11 ('Access control') covers points (i) and (j) and specifies multi-factor authentication in detail (point 11.7) — yet contains no further technical specification of 'secured voice, video and text communications' at all [2]. Even for the most digitally mature category of regulated entities, there is no EU-level checklist defining what 'secured' means for a phone call. That is not a loophole; it is a delegation. Each entity must construct its own definition through its risk assessment and be ready to defend it to its supervisor.
What non-compliance costs
Article 34 makes infringements of Article 21 — the list containing point (j) — directly fineable. Essential entities face administrative fines of a maximum of at least EUR 10,000,000 or 2% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher; for important entities the ceiling is at least EUR 7,000,000 or 1.4% [1].
Money is not the only lever. Supervisors can issue binding instructions and order audits; for essential entities they can temporarily suspend certifications or authorisations and request a temporary ban on managerial functions at chief-executive or legal-representative level [1]. And under Article 20(1), management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Choosing the corporate telephony and messaging stack is now, legally, a board-level decision.
What 'secured voice' means in practice
The directive does not define 'secured'. Read against the purpose of Article 21 — protecting network and information systems and the services they deliver — four criteria emerge that a supervisor can reasonably be expected to probe.
First, end-to-end encryption. If voice is encrypted only in transport (TLS or SRTP to a PBX or conferencing server), the content exists in cleartext at the server, and whoever controls that server — the provider, its cloud operator, or an attacker inside it — can listen. For conversations whose interception would amount to a significant incident, transport-only encryption is difficult to defend as 'secured'. Second, key custody. Who can decrypt is the real question: if the provider holds the keys, confidentiality is a contractual promise, not a technical property. The words 'within the entity' in point (j) sit naturally with key material under the entity's own control — on-premises, sovereign-hosted, or anchored in hardware.
Third, authenticated identity. Point (j) couples secured communications and multi-factor authentication in the same sentence: knowing who is on the call is part of the measure. With voice-cloning fraud now practical, speaker authenticity — not just channel encryption — belongs in the threat model. Fourth, out-of-band capability. 'Secured emergency communication systems' points to a channel that remains available and trustworthy when the primary infrastructure is down or compromised. During ransomware response, coordinating recovery over the very network the attacker controls can expose the response itself — while the 24-hour early-warning and 72-hour notification clocks of Article 23 keep running [1].
One forward-looking consideration beyond the letter of NIS2: encrypted calls can be recorded today and decrypted years from now, once quantum computers break classical key exchange — the harvest-now-decrypt-later scenario. For communications whose confidentiality must survive a decade, post-quantum key establishment such as NIST-standardised ML-KEM is a rational addition to a point (j) implementation, even though the directive does not yet require it.
A practical checklist
1) Determine your status — essential, important, or out of scope — and complete national registration (in Italy: the ACN portal, 1 January to 28 February) [5]. 2) Inventory every voice, video and messaging channel actually in use, including the unofficial ones on employees' phones. 3) Classify conversations by the impact of their interception and decide, in writing, where secured channels are required — documenting the proportionality reasoning behind every exclusion.
4) For each retained channel, verify end-to-end encryption and identify who holds the keys; prefer custody under your own control. 5) Bind access to communications to MFA-backed identities. 6) Stand up an out-of-band emergency channel, independent of the corporate network, and test it in business-continuity exercises (Article 21(2)(c)). 7) Flow the requirements into supplier contracts under supply-chain security (Article 21(2)(d)). 8) Put management-body approval, training and review dates on record (Article 20).
Where hardware-anchored voice fits
Much of the market answers point (j) with software: end-to-end encrypted apps running on the same smartphone OS that hosts everything else. That holds until the endpoint itself is compromised — a scenario NIS2's all-hazards approach explicitly contemplates. This is the gap BCrypto's Q-Audion is built for: a hardware-encrypted anti-interception voice system combining an encrypted earbud, Android/iOS/desktop apps, a sovereign server and a post-quantum VPN. Key establishment uses ML-KEM-1024 (NIST FIPS 203) implemented in a hardware crypto accelerator, with AES-256-GCM and an ARM TrustZone-M TEE. The patent-pending DMA Air-Gap galvanically isolates the audio path from the host phone: a dedicated MEMS microphone sits inside the secure enclave and the host operating system is never in the audio path, so spyware on the phone has nothing to record. On-device TinyML performs anti-deepfake speaker verification — the authenticity half of point (j). The system is BYOD-compatible, with an EU-designed supply chain.
Honesty matters in a regulatory context: Q-Audion is at TRL 6 — firmware feature-complete, with KAT-gated cross-platform CI — with three patents filed at UIBM in 2026, and it holds no certifications yet: no FIPS 140-3, no Common Criteria, no ANSSI, BSI or ACN approval. Organisations that need certified products today should weigh that. Organisations designing their Article 21(2)(j) architecture for the next decade — key custody, out-of-band capability, harvest-now-decrypt-later — may find hardware isolation the more durable foundation. Either way, the obligation is already in force: the right moment to decide what 'secured voice' means for your entity was 18 October 2024.