• News

Governing data in motion: the major challenge of modern cybersecurity

Executive summary: In the era of hyperconnectivity, 82% of security breaches involve data stored in the cloud. While organizations invest millions in protecting data at rest, data in transit represents the most vulnerable and least governed attack surface within the enterprise ecosystem. This article analyzes why governing data in motion has become a critical challenge in modern cybersecurity and how organizations can address it strategically.

Introduction

In October 2024, the NIS2 Directive fully came into force across all European Union Member States, marking a turning point in how organizations must approach cybersecurity. However, while most companies have focused their compliance efforts on strengthening their perimeters and protecting stored data, there is one attack vector that remains critically under-governed: data in motion.The global average cost of a data breach reached $4.88 million in 2024, a 10% increase compared to the previous year. What many CISOs still do not fully realize is that a significant portion of these breaches occurs during the transfer of information—when data is most vulnerable and when traditional security controls are less effective.In this article, we will explore why governing data in motion has become the weakest link in enterprise cybersecurity strategies, how the new European regulatory framework places it at the center of compliance, and what strategic approach organizations must adopt to close this critical security gap.

The invisible problem: when data leaves the perimeter

The false sense of control

For decades, enterprise cybersecurity has been built on a fundamental principle: protect the castle. We invest in firewalls, intrusion detection systems, database encryption, and sophisticated access controls. However, this mindset assumes that data remains within controlled boundaries—an assumption increasingly disconnected from the operational reality of modern organizations.Digital transformation has radically redefined how enterprise information flows. Teams share files with external vendors, collaborate on documents with strategic partners, transmit sensitive information to international subsidiaries, and respond to client requests that require the exchange of personal data. In 2025, phishing was the initial attack vector in 16% of data breaches, but what is often overlooked is that many of these attacks succeed by exploiting file transfers as an infiltration mechanism.The problem is not only how frequently data moves, but also the near-zero visibility organizations have over this movement. According to recent research, 17% of all sensitive files are accessible to all employees, and more than 77% of organizations lack an adequate incident response plan. When this lack of internal control is combined with external transfers, the result is an exponentially larger attack surface.

The risk equation of data in transit

Data in motion has characteristics that make it inherently more vulnerable than data at rest:Extended temporal exposure: During a transfer, data passes through multiple network points, each potentially vulnerable. Unlike storage, where continuous controls can be applied, transit creates windows of opportunity for interception.Multiplicity of channels: Organizations simultaneously use email, cloud collaboration platforms, FTP, messaging services, and ad-hoc file transfer solutions. This fragmentation makes it difficult to consistently enforce security policies.User behavior: The human factor amplifies risk. Employees turn to unauthorized solutions when corporate tools are perceived as slow or complex. The “shadow IT” phenomenon in file transfer represents one of the least controlled risk vectors in modern enterprises.Loss of context: Once a file leaves the corporate environment, the organization loses visibility over who accesses it, how many times it is downloaded, who it is forwarded to, or how long it remains available. This loss of traceability is particularly critical under frameworks such as GDPR and NIS2.

The regulatory imperative: NIS2 and the new paradigm of accountability

Beyond compliance: executive accountability

The NIS2 Directive represents a fundamental shift in how Europe conceptualizes enterprise cybersecurity. Unlike its predecessor, NIS2 introduces direct accountability for senior management in cases of non-compliance with cybersecurity risk management measures, elevating security from a technical domain to the boardroom.This is not merely a matter of potential fines, although these are significant. Average GDPR fines increased by 290% between 2020 and 2024, and NIS2 introduces similarly severe penalties. The real transformation lies in the fact that CEOs and Boards of Directors must now oversee, approve, and receive training on the organization’s cybersecurity measures.For governing data in motion, this executive accountability means it is no longer acceptable to treat file transfers as a minor operational activity. Leaders must be able to confidently answer: Who in our organization is sharing sensitive information? With whom is it being shared? How long does it remain accessible? What happens if an unauthorized recipient gains access?

Specific NIS2 requirements for data in transit

NIS2 establishes baseline measures that include the use of cryptography and, where relevant, encryption. However, the directive goes far beyond simple encryption. It addresses three fundamental pillars that directly impact the governance of data in motion:Risk management based on analysis: Organizations must implement continuous risk assessments to identify vulnerabilities in systems, networks, and processes. For data in transit, this means mapping all sensitive data flows, identifying points of exposure, and quantifying the potential impact of a breach during transfer.Traceability and reporting: NIS2 imposes strict reporting timelines: an initial warning within 24 hours, a detailed report within 72 hours, and a final remediation report within one month. Meeting these deadlines requires real-time visibility over all data transfers, the ability to quickly identify what information was compromised, and audit systems capable of reconstructing the full chain of custody.Supply chain security: NIS2 requires incorporating security measures and incident reporting obligations across the supply chain. Data exchange with vendors, partners, and third parties must be governed by specific controls that ensure security standards are maintained even when data crosses organizational boundaries.

Regulatory convergence: the compliance ecosystem

NIS2 does not exist in a vacuum. European organizations must navigate an increasingly complex regulatory ecosystem where multiple frameworks overlap:GDPR: Establishes fundamental principles for the processing of personal data, including international transfers and the right to be forgotten. Organizations must be able to demonstrate that personal data transfers are technically protected and properly documented.DORA (Digital Operational Resilience Act): For the financial sector, DORA complements NIS2 with specific requirements on digital operational resilience, including strict management of third-party and ICT provider risks.ISO 27001 and ENS: Although not regulations per se, these standards provide recognized frameworks for implementing controls aligned with NIS2. In particular, ISO 27001 includes detailed controls for secure communications and information transfer.The convergence of these frameworks means that organizations need a unified approach to governing data in motion—one that simultaneously meets multiple regulatory requirements without creating unsustainable operational complexity.

Control architecture: designing an effective governance system

The five pillars of data-in-motion governance

An effective data-in-transit governance system must be built on five technical and organizational pillars:

1. End-to-end encryption as a non-negotiable foundation

Encryption is no longer optional, but its implementation determines its real effectiveness. AES (Advanced Encryption Standard) is recommended for data in transit, especially with high encryption key lengths. However, encryption must be applied in multiple layers:Encryption in transit: Protection of data while it is transmitted between systems using TLS 1.3 or higher. The adoption of TLS 1.3 offers significant advantages in performance and security over previous versions.Encryption at rest: Files must remain encrypted not only during active transfer but also while waiting to be downloaded or processed in intermediate systems.End-to-end encryption: Protection must extend from the origin to the final recipient, even when data passes through intermediate systems or temporary storage zones.Encryption key management requires equal attention. Keys must be unique per user, stored securely, rotated regularly, and immediately revocable in case of compromise.

2. Granular access control and permission management

The principle of least privilege must be rigorously applied to data transfers. Modern file management platforms should support:Role-based access control (RBAC): Users should only be able to share specific types of information according to their organizational role. A marketing employee should not have the technical capability to transfer financial data, regardless of whether they know its location.Time-based controls: Download links and shared access must have automatic expiration. The common practice of sharing “permanent” links represents an unacceptable security risk.Recipient authentication: Before allowing the download of sensitive information, recipients must verify their identity using multi-factor authentication (MFA), especially for data classified as confidential or higher.Instant revocation: Organizations must be able to revoke access at any time, even after a file has been shared. This capability is critical when an employee leaves the organization or when an unauthorized transfer is detected.

3. Full traceability and forensic auditing

Maintaining detailed audit trails and logs of all file transfer activities is crucial for compliance reporting and forensic analysis in the event of security incidents. A robust governance system must record:
  • Who initiated the transfer and when
  • What files were shared, including metadata and sensitivity classification
  • With whom they were shared (email addresses, organizational domains)
  • When files were accessed and from which geographic/IP locations
  • How many times they were downloaded
  • Whether they were forwarded to third parties (when technically detectable)
  • When access expired or was revoked
This traceability not only meets NIS2 requirements but also provides critical forensic capabilities when investigating a security incident. The ability to reconstruct the full chain of custody of a file can be decisive in understanding the scope of a breach and fulfilling regulatory notification obligations.

4. Integration with enterprise security architecture

Secure transfer solutions cannot operate as isolated silos. They must integrate deeply with the existing security architecture:Integration with Active Directory/LDAP: Automatic synchronization of users, groups, and permissions from corporate identity management systems.SIEM (Security Information and Event Management): File transfer events must feed SIEM platforms for correlation with other security events and detection of anomalous patterns.DLP (Data Loss Prevention): Transfers must be automatically scanned for patterns indicating data leakage, from credit card numbers to classified intellectual property.Third-party management: For organizations required to comply with strict vendor requirements, platforms must maintain detailed records of all transfers with external entities, including third-party risk assessments.

5. Artificial intelligence applied to anomaly detection

AI is transforming how we detect suspicious behavior in data transfers. Organizations using AI-driven security systems in 2024 were able to detect and contain data breaches 108 days faster than others.Modern systems use machine learning to establish baselines of normal behavior and alert on deviations:
  • Unusual transfer volumes or frequency for a specific user
  • Access from atypical geographic locations
  • Mass downloads outside working hours
  • Sharing with previously unused email domains
  • Patterns that precede known security breaches
This proactive detection capability is especially valuable against insider threats, where authorized users exploit legitimate credentials to exfiltrate information.

Reference architecture: from theory to implementation

The practical implementation of these five pillars requires an architecture that balances security with usability. An effective approach includes:User interface layer: Web portal and mobile applications that provide an intuitive experience for securely sharing files, without requiring specialized technical knowledge.Policy layer: Rules engine that automatically enforces security controls based on data classification, user roles, recipients, and regulatory requirements.Processing layer: Encryption services, malware scanning, DLP inspection, and integrity verification operating transparently during each transfer.Storage layer: Encrypted repository with granular access controls, automated backups, and disaster recovery capabilities.Intelligence layer: Analytics, reporting, auditing, and anomaly detection that provide continuous visibility into the flow of sensitive information.This architecture must be designed following “privacy by design” and “security by default” principles, where secure configurations are the default behavior and do not require manual intervention for each transaction.

Practical implementation: strategic roadmap

Phase 1: Assessment and mapping of the current state (Month 1–2)

The first critical step is to understand the current situation with complete clarity. Organizations should carry out:Inventory of transfer methods: Document all mechanisms currently used to share information, both authorized and unauthorized (shadow IT). This includes email, WeTransfer, personal Dropbox, Google Drive, OneDrive, FTP, and any other tools.Mapping of sensitive data flows: Identify what types of information are regularly transferred, how often, to which external recipients, and under what business justifications.Compliance gap assessment: Compare current practices against the specific requirements of NIS2, GDPR, and other applicable frameworks. This gap analysis should be documented and quantified in terms of risk.Historical incident analysis: Review security audit logs to identify transfer patterns that preceded previous incidents or represented near misses.

Phase 2: Policy design and governance (Month 2–3)

With a clear understanding of the current state, organizations must establish the governance framework:Data classification: Implement a clear classification scheme (Public, Internal, Confidential, Restricted) with objective criteria for categorization. Each level must have associated transfer controls.Transfer policies by classification: Define which transfer methods are acceptable for each classification level, what additional controls are required, and what approvals are needed.Responsibility matrix: Assign clear roles: data owners, custodians, data stewards, and end users. Each role must have documented responsibilities regarding data-in-motion governance.Incident response procedures: Specific protocols to respond to unauthorized transfers, data-in-transit compromises, and other incidents related to information movement.

Phase 3: Platform selection and implementation (Month 3–6)

Technology selection must be based on clearly defined requirements, not on available features. Evaluation criteria should include:Core technical capabilities: End-to-end encryption, granular access controls, full traceability, integration with existing architecture, and scalability to grow with the organization.Regulatory compliance: Relevant certifications (ISO 27001, SOC 2), specific capabilities to meet NIS2 and GDPR requirements, and data center locations aligned with data residency requirements.User experience: Complex solutions lead to shadow IT. The platform must be intuitive for non-technical employees without compromising security.Vendor support and maturity: Financial stability, experience in the specific sector, quality of technical support, and a product roadmap aligned with regulatory trends.Platforms like Tranxfer offer capabilities specifically designed for this purpose: centralized transfer management, full traceability, AI-driven protection, and built-in compliance with NIS2, GDPR, ISO 27001, and ENS. These solutions enable organizations to close the governance gap without adding unsustainable operational complexity.

Phase 4: Gradual deployment and change management (Month 6–9)

Implementation should be gradual, starting with pilot departments before organization-wide rollout:Departmental pilots: Select 2–3 departments with representative needs for initial implementation. Gather feedback, refine policies, and resolve issues before scaling.Role-based training: Tailored training programs for end users, system administrators, security teams, and executive leadership. Training should focus not only on “how to use the tool” but also on “why it matters.”Ongoing communication: Internal communication campaign explaining the transformation, the benefits (not only security, but also operational efficiency), and new expectations.Migration of existing data and workflows: Structured plan to migrate existing transfer processes from legacy tools and ad-hoc practices to the governed platform.

Phase 5: Operations and continuous improvement (Month 9+)

Data-in-motion governance is not a project with an end date, but an ongoing operational capability:Continuous monitoring and reporting: Executive dashboards showing key metrics: transfer volumes, policy compliance, detected incidents, and response times to anomalies.Quarterly policy reviews: Policies must evolve with changes in the business, threat landscape, and regulatory environment. Scheduled reviews ensure ongoing relevance.Compliance audits: Regular internal audits to verify policy adherence, control effectiveness, and readiness for external audits.Integration with enterprise risk management: Risks identified through the data governance system must feed into the corporate risk management process, ensuring appropriate visibility at board level.

Conclusion

Data-in-motion governance has emerged from the shadows of cybersecurity to become an unavoidable strategic imperative. The convergence of accelerated digital transformation, increasingly stringent regulatory frameworks such as NIS2, and a constantly evolving threat landscape has eliminated any room for complacency.With the average cost of a data breach reaching $4.88 million in 2024, and 82% of breaches involving data stored in the cloud, organizations can no longer treat file transfers as a minor operational activity. Data in transit represents the weakest link in the information security chain—and attackers know it.The good news is that solutions exist and are becoming increasingly sophisticated. Modern data-in-motion governance technologies combine robust encryption, intelligent access controls, forensic traceability, and AI-driven anomaly detection capabilities—all without compromising the user experience that drives adoption.The challenge is no longer technological but organizational: Does your organization have the will to address this challenge with the seriousness it deserves? Is your leadership prepared to assume the accountability required by NIS2? Do you have real visibility into how sensitive information moves within and beyond your organization?For organizations that choose to act proactively, effective data-in-motion governance delivers benefits that go beyond regulatory compliance: it reduces operational risk, protects corporate reputation, enables secure collaboration across the partner ecosystem, and builds the foundation of digital trust on which 21st-century operations depend.The time for half measures is over. The question is no longer whether to govern data in motion, but when to start and how rigorously to implement the necessary controls. For organizations that have not yet begun this journey, the time to act is now.

Additional resources

About the author: This article has been developed by the Tranxfer team, in collaboration with cybersecurity and regulatory compliance experts with over 15 years of experience implementing data governance solutions in enterprise organizations.Would you like to assess how your organization currently manages data in motion? Request a no-obligation assessment and identify your compliance gaps before they turn into security incidents.

Trazabilidad, control total y cumplimiento

en un solo entorno seguro y fácil de usar

Solicitar demo

Más artículos

H10 Tranxfer
The H10 Hotels Case: Secure Communication with Suppliers
AWS BOX Tranxfer
Tranxfer advances in the AWS BOX program as an ISV Accelerate Partner in Financial Services
Tranxfer en RSAC
Tranxfer will be attending the RSA Conference 2026 in San Francisco