If you assume the second sentence explains the first, then this is correct - only websites (i.e something designed to be consumed by browsers) with HTTPS can take advantage of HTTP/2.
This is true, but no mandate on encryption in the HTTP/2 standard was an deliberate decision, one of the very few differences between HTTP/2 and SPDY. But yes, practically, you can't use HTTP/2 without encryption nowadays.