
What is the NIS2 Directive for MFA?

April 09, 2026
Victoria Savage


The NIS2 Directive is not a distant regulatory horizon — it is here, and enforcement is active across EU member states. For CISOs leading security programs at organizations in scope, the directive’s authentication requirements are among the most operationally demanding provisions to satisfy. Specifically, NIS2 Directive MFA mandates are embedded in Article 21’s cybersecurity risk management measures, and the consequences of non-compliance are severe: fines of up to €10 million or 2% of global annual turnover, plus personal liability for senior management. NIS2 is the first major EU directive to explicitly name multi-factor authentication as a required security control, not merely a recommended best practice. This post breaks down exactly what NIS2 requires, how the MFA mandate applies in practice, and how CISOs can build a compliant authentication architecture — including in environments where conventional cloud-based MFA solutions simply cannot reach.

What Is the NIS2 Directive and Who Does It Affect?

The Network and Information Security 2 Directive (NIS2) — officially Directive (EU) 2022/2555 — entered into force on January 16, 2023, with an implementation deadline of October 17, 2024, by which date EU member states were required to transpose it into national law. NIS2 replaces the original NIS Directive from 2016 and dramatically expands both its scope and its enforcement bite.

Scope: Essential and Important Entities

NIS2 applies to organizations across 18 sectors, divided into two tiers. Essential Entities include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important Entities include postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research organizations.

The size threshold is significant: organizations with more than 50 employees and annual turnover exceeding €10 million fall within scope in most sectors. NIS2 is estimated to apply to over 160,000 entities across the EU — roughly ten times the number covered under the original NIS Directive. [Source: European Commission NIS2 impact assessment]

Management Accountability: A New Personal Liability Dimension

One of NIS2’s most disruptive provisions for CISOs is Article 20, which requires the management bodies of in-scope organizations to approve and oversee the cybersecurity risk management measures mandated under Article 21. Critically, management bodies can be held personally liable for breaches resulting from failure to comply. This is not a fine levied against the organization alone — executives who approve insufficient security controls face direct legal exposure. NIS2 effectively transforms cybersecurity governance from a technical function into a board-level legal obligation.

NIS2 Article 21 and the MFA Mandate Explained

Article 21 of NIS2 is the operational core of the directive. It requires essential and important entities to take “appropriate and proportionate technical, operational and organisational measures” to manage cybersecurity risks. Among the explicitly listed measures in Article 21(2)(j) is the use of multi-factor authentication, continuous authentication solutions, and secured voice, video and text communications — as well as secured emergency communication systems.

NIS2 Article 21(2)(j) is the first time EU law has mandated multi-factor authentication by name as a cybersecurity risk management control.

What Does “Multi-Factor Authentication” Mean Under NIS2?

NIS2 defines MFA by reference to ENISA (the EU Agency for Cybersecurity) guidance and draws on established cybersecurity frameworks. MFA requires authentication using at least two independent factors from different categories: something you know (password, PIN), something you have (hardware token, authenticator app, smart card), and something you are (biometric). The requirement is not satisfied by layering two factors from the same category — for example, a password plus a security question does not constitute MFA under any recognized interpretation.

Importantly, NIS2 guidance and its relationship with ENISA’s technical guidelines increasingly point toward phishing-resistant MFA as the gold standard. Traditional SMS-based one-time passwords (OTPs) are widely considered insufficient for high-assurance contexts because they are vulnerable to SIM-swapping and real-time phishing attacks. Phishing-resistant MFA — such as FIDO2/passkeys or hardware security keys — eliminates the shared secret that attackers can intercept, making it the most defensible choice under NIS2 for privileged access and critical systems.

Where MFA Must Be Applied

NIS2 does not provide an exhaustive list of every system requiring MFA, but ENISA guidance and national transpositions make the scope clear. MFA is expected across:

  • Remote access to organizational networks (VPN, RDP, remote administration)
  • Privileged and administrative accounts managing critical infrastructure
  • Access to sensitive data, operational technology (OT) systems, and control environments
  • Cloud service portals and administrative consoles
  • Email systems and collaboration platforms for key personnel
  • Customer-facing portals where personal or critical data is accessible

The proportionality principle means that a small entity classified as “important” may have somewhat different expectations than a large essential entity in energy or health — but for any organization where a breach could have cascading societal effects, the bar is consistently high.

The Case for Phishing-Resistant MFA in NIS2 Compliance

Not all MFA is equal under NIS2, and CISOs who deploy SMS OTP or email-based authentication as their primary MFA mechanism may find themselves exposed during an audit or after an incident. Regulatory guidance across EU member states increasingly mirrors the position held by CISA, NIST, and ENISA: phishing-resistant authentication methods should be the target state for critical infrastructure.

Why SMS OTP Falls Short

SMS one-time passwords remain the most widely deployed second factor globally, but they carry well-documented weaknesses. SIM-swapping attacks — where an attacker socially engineers a mobile carrier into transferring a victim’s phone number — have been used to bypass SMS OTP at scale. Real-time adversary-in-the-middle (AiTM) phishing toolkits such as Evilginx2 can intercept both passwords and OTP codes transparently. According to Microsoft, legacy MFA methods including SMS OTP are bypassed in the majority of modern account takeover attacks targeting enterprise environments. [Source: Microsoft Digital Defense Report]

FIDO2 and Hardware Security Keys as the Compliance Target

FIDO2 authentication — built on the WebAuthn standard — eliminates shared secrets entirely. Each authentication is cryptographically bound to the specific origin (website or application), meaning a phishing site cannot replay captured credentials. LoginTC’s FIDO2 authentication solution supports both platform authenticators (device-native biometrics) and roaming authenticators (hardware security keys), enabling organizations to deploy phishing-resistant MFA across the access scenarios NIS2 targets.

For environments requiring a physical, tamper-resistant second factor — particularly for privileged administrators, executives, and OT engineers — hardware security keys provide the highest assurance level currently available and align directly with what NIS2 guidance identifies as robust authentication.

FIDO2-based authentication is the only widely deployed MFA technology that is inherently phishing-resistant by design, making it the strongest technical control available for NIS2 Article 21 compliance.
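Here is an added example, in Go and not LoginTC's code, of the relying-party checks behind the origin-binding claim above: the browser (not the web page) records the origin it is on in clientDataJSON, the authenticator's signature covers that record, and the server accepts only assertions signed for its own origin, so a login relayed through a look-alike site fails. It assumes a constructed relying party vpn.example.com, a minimal authenticatorData layout and a P-256 key generated on the fly, and it leaves out registration, credential lookup and signature-counter tracking.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// clientDataJSON fields the relying party checks. The browser, not the web page, fills in
// origin, so a look-alike site cannot make the authenticator sign for the legitimate origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// The authenticator signs authData || SHA-256(clientDataJSON), placing the observed origin under the signature.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// verifyAssertion runs the relying-party checks that make FIDO2 phishing-resistant.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed client data, wrong ceremony type or stale challenge")
	}
	if cd.Origin != origin { // origin binding: an assertion produced on another site is rejected
		return fmt.Errorf("origin %q does not match relying party %q", cd.Origin, origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// runScenario simulates one login in which the browser reports browserOrigin to a relying party (constructed: vpn.example.com) expecting its own origin.
func runScenario(browserOrigin string) error {
	const rpID, origin, challenge = "vpn.example.com", "https://vpn.example.com", "nonce-42"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // minimal authenticatorData: rpIdHash | flags | counter
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	return verifyAssertion(&priv.PublicKey, rpID, origin, challenge, authData, cdJSON, sig)
}

func main() {
	fmt.Println("legitimate login:", runScenario("https://vpn.example.com"))
	fmt.Println("relayed through a look-alike site:", runScenario("https://vpn-example.com.invalid"))
}
```

In a real deployment the public key comes from the credential registered at enrollment and the challenge from the server's session store, but the origin and rpIdHash checks are exactly the ones shown.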

NIS2 MFA in Operational Technology and Air-Gapped Environments

One of the most underappreciated compliance challenges under NIS2 affects organizations in energy, utilities, manufacturing, and critical infrastructure: how do you enforce MFA in operational technology (OT) environments and air-gapped networks where conventional cloud-based authentication services simply cannot function?

The OT Authentication Problem

OT systems — including SCADA, industrial control systems (ICS), distributed control systems (DCS), and programmable logic controllers (PLCs) — were largely designed before MFA was a concept. Many run legacy protocols and operating systems, and are intentionally isolated from internet connectivity for security reasons. Yet NIS2 explicitly covers the operational technology components of critical infrastructure operators. Ignoring OT authentication leaves a material gap in an organization’s NIS2 posture.

Over 60% of critical infrastructure operators report that OT systems represent their single largest authentication compliance gap when preparing for NIS2. [Source: ENISA Threat Landscape for Critical Infrastructure]

LoginTC’s MFA solution for operational technology is built specifically for these constrained environments. It supports authentication without requiring OT endpoints to reach cloud services, integrates with industrial protocols, and provides the audit trail required to demonstrate compliance to regulators. This is not a bolt-on cloud product retrofitted for OT — it is an architecture designed from the ground up for the realities of industrial environments.

Air-Gapped Networks and NIS2 Compliance

Air-gapped networks — systems with no network connectivity to external environments — are common in defense, critical infrastructure, and high-security government contexts. For these environments, any MFA solution that requires a real-time connection to a cloud authentication server is architecturally incompatible. The challenge for CISOs is that NIS2 does not provide exemptions for air-gapped systems; the regulation requires that authentication controls exist, regardless of network topology.

LoginTC’s air-gapped MFA solution addresses this directly. It operates entirely on-premises, with no dependency on external connectivity, enabling organizations to enforce strong multi-factor authentication across isolated networks without compromising the integrity of the air gap. This is critical not only for NIS2 compliance but for the broader security posture that NIS2 is designed to achieve.

Practical NIS2 MFA Implementation: A CISO’s Roadmap

Compliance with NIS2’s authentication requirements is not achieved by deploying a single product. It requires a structured approach that maps authentication controls to risk, ensures coverage across all in-scope systems, and produces the documented evidence regulators expect.

Step 1: Authentication Asset Inventory

Begin with a complete inventory of systems, access pathways, and user populations. Classify each by risk level: privileged accounts, remote access points, OT interfaces, cloud administration consoles, and end-user access to sensitive systems. This inventory forms the basis for your MFA coverage map and will be the first thing a NIS2 auditor requests.

Step 2: Gap Analysis Against NIS2 Requirements

Map your current authentication controls against the requirements of Article 21(2)(j). Identify where no MFA exists, where weak MFA (SMS OTP) exists, and where phishing-resistant MFA is warranted. Pay particular attention to remote access, privileged access management (PAM) integrations, and OT environments where coverage is most commonly absent.

Step 3: Select Authentication Methods by Risk Tier

Not every user needs a hardware security key, but every user needs MFA. Apply a tiered model:

  • Tier 1 — Privileged and administrative accounts: FIDO2 hardware security keys or certificate-based authentication
  • Tier 2 — Remote access users and sensitive data handlers: Authenticator app push notifications or TOTP
  • Tier 3 — General workforce: Authenticator app or passkey, with SMS OTP only as a fallback where no alternative is feasible
  • Tier 4 — OT and air-gapped environments: On-premises MFA with no cloud dependency

Step 4: Deploy On-Premises MFA Where Cloud Is Not an Option

For organizations with strict data residency requirements, highly regulated environments, or OT/air-gapped infrastructure, cloud-based MFA introduces both technical and compliance risks. LoginTC’s on-premises MFA solution provides the full functionality of an enterprise authentication platform — RADIUS integration, LDAP/AD support, detailed audit logs, and policy-based access controls — without any data leaving your controlled environment. This is particularly relevant for essential entities in healthcare, energy, and public administration where data sovereignty is non-negotiable.

Step 5: Document, Test, and Audit

NIS2 requires not just implementation but demonstrable governance. Maintain policies covering MFA enrollment, exception handling, account recovery, and periodic review. Conduct penetration tests and authentication control reviews at least annually. Produce audit logs that show authentication events, policy enforcement, and anomaly detection. Regulators assessing NIS2 compliance will look for documented evidence that authentication controls are actively managed, not just deployed and forgotten.
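As an added example (not a LoginTC tool), the following Go program turns Steps 1 to 3 into a repeatable check: it takes an inventory of the kind Step 1 produces, encodes the tiered model from Step 3 as a minimum assurance level per tier, and reports the Step 2 gaps, including the cloud-dependency problem for OT and air-gapped systems. The inventory rows, the assurance ordering and all names are constructed for illustration.

```go
package main
import "fmt"
// Assurance levels of the methods the post names, weakest to strongest (ordering constructed here).
type strength int
const (
	noMFA             strength = iota
	weakOTP           // SMS or email one-time password
	authenticator     // TOTP or push notification from an authenticator app
	phishingResistant // FIDO2 security key, passkey or certificate-based authentication
)
var strengthName = [...]string{"no MFA", "SMS/email OTP", "authenticator app", "phishing-resistant MFA"}
// asset is one row of the Step 1 inventory (constructed fields).
type asset struct {
	Name           string
	Tier           int      // 1 privileged, 2 remote access or sensitive data, 3 workforce, 4 OT or air-gapped
	Method         strength // what is deployed today
	CloudDependent bool     // the deployed method must reach a cloud authentication service to work
	NoAlternative  bool     // Tier 3 only: no authenticator app or passkey is feasible for this population
}
// tierFloor encodes the post's Step 3 tiered model, indexed by tier number.
var tierFloor = [...]strength{0, phishingResistant, authenticator, authenticator, authenticator}
func requiredStrength(a asset) strength {
	if a.Tier == 3 && a.NoAlternative {
		return weakOTP // SMS OTP tolerated only as a last-resort fallback
	}
	return tierFloor[a.Tier]
}
// gaps performs the Step 2 gap analysis: one finding per asset below its tier's floor, plus one for Tier 4 systems whose MFA stops working when the cloud is unreachable.
func gaps(inventory []asset) []string {
	var out []string
	for _, a := range inventory {
		if need := requiredStrength(a); a.Method < need {
			out = append(out, fmt.Sprintf("%s: has %s, tier %d requires %s", a.Name, strengthName[a.Method], a.Tier, strengthName[need]))
		}
		if a.Tier == 4 && a.CloudDependent {
			out = append(out, a.Name+": MFA depends on cloud reachability inside an OT/air-gapped network")
		}
	}
	return out
}

// Constructed sample inventory illustrating the gaps the post calls out.
var sampleInventory = []asset{
	{Name: "Domain admin accounts", Tier: 1, Method: authenticator},
	{Name: "Remote-access VPN", Tier: 2, Method: weakOTP},
	{Name: "Workforce email", Tier: 3, Method: authenticator},
	{Name: "Substation SCADA HMI", Tier: 4, Method: noMFA},
	{Name: "Plant historian jump host", Tier: 4, Method: authenticator, CloudDependent: true},
}

func main() {
	for _, g := range gaps(sampleInventory) {
		fmt.Println(g)
	}
}
```

Re-running the check after each remediation and archiving its output is one way to keep the documented evidence Step 5 calls for.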

Frequently Asked Questions

Does NIS2 explicitly require MFA?

Yes. NIS2 Article 21(2)(j) explicitly names multi-factor authentication as a required cybersecurity risk management measure for essential and important entities. It is one of the few security controls named directly in the directive’s text, making compliance non-optional for in-scope organizations.

Is SMS OTP sufficient for NIS2 MFA compliance?

SMS OTP technically satisfies the basic definition of MFA (two factors), but ENISA guidance and national supervisory authorities increasingly treat it as insufficient for high-risk access scenarios due to its vulnerability to SIM-swapping and phishing attacks. For privileged access and critical systems, phishing-resistant MFA such as FIDO2 is strongly recommended and likely to become a regulatory expectation over time.

What is phishing-resistant MFA and why does NIS2 care about it?

Phishing-resistant MFA refers to authentication methods — such as FIDO2/WebAuthn and hardware security keys — that are cryptographically bound to the legitimate application or domain, making it technically impossible for an attacker to replay captured credentials from a phishing site. NIS2 and associated ENISA guidance reference it because traditional MFA methods are now routinely bypassed by adversary-in-the-middle attacks targeting critical infrastructure operators.

How does NIS2 MFA apply to operational technology (OT) environments?

NIS2 covers OT systems operated by critical infrastructure entities, including industrial control systems and SCADA environments. Standard cloud-based MFA products cannot be deployed in many OT environments due to network isolation requirements. Organizations must deploy purpose-built OT-compatible MFA solutions that operate without external connectivity and integrate with industrial authentication frameworks.

What are the penalties for NIS2 MFA non-compliance?

Essential entities face fines of up to €10 million or 2% of total global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover. Beyond financial penalties, NIS2 introduces personal liability for management bodies who fail to approve and oversee required security measures — including MFA implementation.

Can on-premises MFA satisfy NIS2 requirements?

Yes. NIS2 specifies required security outcomes, not specific deployment architectures. On-premises MFA solutions that enforce strong authentication, maintain comprehensive audit logs, and support policy-based access controls fully satisfy NIS2’s requirements — and are often the only viable option for air-gapped networks, OT environments, and organizations with strict data residency obligations.

Conclusion: NIS2 MFA Compliance Is a Technical and Strategic Imperative

NIS2’s multi-factor authentication mandate is unambiguous. For CISOs leading security programs at essential and important entities, the question is no longer whether to deploy MFA — it is whether your current MFA architecture is genuinely compliant, covers every system NIS2 requires, and can withstand the scrutiny of a competent authority audit or, worse, a post-incident investigation. SMS OTP on remote access VPNs while OT systems remain authentication-free is not a defensible NIS2 posture.

The path to compliance requires tiered, risk-based authentication — phishing-resistant FIDO2 and hardware security keys for privileged and high-risk access, robust authenticator-based MFA for the general workforce, and purpose-built solutions for OT and air-gapped environments that cloud vendors simply cannot serve. Documentation, governance, and active management of authentication controls are as important as the technology itself.

LoginTC is built for exactly these requirements. Whether you need on-premises MFA to meet data sovereignty requirements, OT-compatible authentication for industrial environments, air-gapped MFA for isolated networks, or FIDO2 phishing-resistant authentication for your highest-risk access scenarios, LoginTC has a proven deployment path.

Contact us to learn how LoginTC can close your NIS2 authentication gaps and give your board the defensible evidence of compliance they now legally require.
