From Scrambled to Provable: Encryption Grows Up

The hand of an AI robot touches the hand of an ancient marble statue in a museum gallery. This striking scene creates a contrast between past and future.

DORA enforcement is live. NIS2 obligations are tightening. GDPR penalties keep rising. For security executives and managers at regulated institutions, one assumption no longer holds: that calling a message “encrypted” is the same as proving it was governed.

Regulators want evidence — documented, timestamped, and retrievable. Every message leaving your perimeter is now a control you must be able to defend under audit. That shift has moved secure communication onto the board agenda, alongside operational resilience, data sovereignty, and defensible governance.

The Echoworx Email Encryption July 2026 release was built for this environment. It strengthens the audit trail, raises the cryptographic baseline, and tightens the operational controls that regulated institutions rely on daily. Here is what it delivers, and why it matters beyond the spec sheet.

The Strategic Backdrop: Compliance Is the Catalyst

For global banks, financial services firms, regulated institutions, and critical infrastructure operators, compliance is not a consideration — it is the primary driver behind every modernization decision. The institutions moving quickly share a common realization: legacy encryption tools were built to scramble a message, not to prove it was governed. They cannot always show an auditor who received it, when it was opened, or what happened next.

That gap is where compliance risk becomes board risk. The latest Echoworx Email Encryption release addresses it directly — delivering enhanced visibility into your SIEM environment and stronger auditability across secure message flows, so your governance posture is easier to demonstrate and defend.

Full Audit Visibility, Straight Into Your SIEM

A meaningful capability for security teams is the new Audit API endpoint for Web Portal message events.

It streams the events auditors ask about — notifications, message reads, attachment downloads, replies, and antivirus activity — directly into your SIEM. What was a blind spot in your reporting chain becomes a reviewable, timestamped trail of evidence.

The outcome: DORA and NIS2 require continuous, demonstrable oversight of how sensitive data moves. With recipient interactions captured and correlated in real time, audit readiness becomes a more consistent posture — not a pre-review scramble. Compliance teams get the evidence they need without chasing it. Security leaders gain visibility where they previously had limited insight.

A Stronger Cryptographic Baseline, Without the Rework

This update makes S/MIME and PGP key size configurable at the profile level, with 2048-, 3072-, or 4096-bit RSA options. The default has moved from 2048-bit to 3072-bit.

The outcome: A stronger default brings your cryptographic baseline closer to current guidance — without a manual re-key project. For institutions already planning for post-quantum readiness, it is one less legacy default to justify at your next assessment. You raise the floor across the board while retaining the flexibility that policy demands.

Taming the Operational Drag of Key Management

Managing S/MIME and PGP at scale carries a real cost: manual key exchange, mismatched lookups, and the risk of a missing key disrupting a critical message flow. This release addresses that drag directly.

  • Dynamic Recipient Key LDAP Lookups let your gateway discover PGP keys at a standard URI on the recipient’s domain, reducing manual back-and-forth.
  • Separate S/MIME and PGP LDAP Lookups give you independent control over external key server discovery — matching policy to protocol rather than forcing a single setting across both.
  • PGP Sender-Only Signing bounces a message when the gateway has no valid signing key for the sender and cannot generate one, addressing the same assurance gap that already exists for S/MIME.
  • Self-Service PGP Decryption lets users route legacy endpoint-encrypted messages through the gateway for decryption — without a help-desk ticket.

The outcome: Governance and efficiency are often framed as a trade-off. Here they move in the same direction. More automated key management means fewer failed messages, fewer manual interventions, and security teams with more time for higher-value work.

Tighter Control Over the Recipient Experience

Governance does not end when a message is encrypted. It extends to what recipients can do next. Three portal updates give security managers more precise containment without adding friction for legitimate users.

  • Reply-All Controls automatically strip unrecognized domains from replies, keeping sensitive threads inside approved boundaries.
  • Secure Portal Message Forwarding permits forwarding only to domains a recipient is already authorized to message.
  • Per-Recipient Notification Controls let registered recipients manage their own reminders and final notifications, reducing noise without affecting the audit record.

The outcome: For trust-dependent institutions, a secure experience that creates friction can undermine the confidence it is meant to build. These controls align security with usability — the boundaries stay firm while the experience stays clean. Data loss prevention becomes a design decision, not a policing exercise.

Proof, Not Promises

A digital-first Irish commercial bank saw a 63% increase in encryption adoption after removing customer registration friction. That improvement did more than move a metric — it supported a more continuous, provable compliance posture aligned with DORA and GDPR. A control only counts when people actually use it.

At a Top 5 Canadian bank, Echoworx supported mandatory two-factor authentication for every external contact by leveraging the bank’s existing Sinch subscription for text verification — strong authentication delivered without adding to the technology budget. Automated certificate lifecycle management resolved long-standing S/MIME operational issues at the same time. Two meaningful problems addressed. No net-new spend required.

That is what practical governance looks like when it respects the capital discipline regulated institutions operate under.

Built on What Regulated Institutions Actually Need

Encryption that supports demonstrable governance is not the result of a single update. It is the result of a development pattern shaped directly by the institutions using it. This release reflects what compliance teams, security managers, and enterprise architects at regulated institutions have identified as practical gaps between existing tools and what regulators now expect.

The question for regulated institutions is no longer whether encryption belongs on the compliance agenda. It is whether your encryption was built with that agenda in mind.

If you want to assess whether your secure communication layer meets the standards your regulators now expect, speak with an Echoworx expert. We can help you identify the gaps — before your next audit does.