By now, you’ve probably heard about the Network and Information Security 2 (NIS2) Directive, the European Union (EU) legislation that aims to strengthen cybersecurity and protect critical infrastructure.
By October 17, 2024, NIS2 requirements will have to be transposed into the national laws of EU member states — and companies within those states will have to comply with its requirements or face steep fines. Though states don’t need to define which entities fall under the directive until April 17, 2025, most affected organizations are already aware of their status and should start crafting compliance strategies before then.
How can you ensure that your organization is prepared for NIS2 compliance? In this article, we’ll review the new directive’s requirements, focusing on the terms it sets for one of the most effective tools for preventing network intrusions: multi-factor authentication (MFA).
The NIS2 Directive was designed to build upon and modernize the legal framework first articulated in the original NIS Directive — European Union legislation that aims to improve network security and increase the resilience of critical infrastructure and essential services.
Changes to NIS include:
Introduced in 2020, NIS2 went into effect on January 16, 2023, though it gave member states until October 2024 to incorporate the requirements into their respective national laws.
NIS2 requires entities to implement certain baseline security measures, from cryptography to cybersecurity training. It also highlights the importance of robust identity and access management. Proceeding from an “all-hazards approach” that seeks to address a wide range of threats rather than individual ones, it specifies that organizations should:
“Use multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.”
MFA mitigates risk by providing an additional layer of security if a password has been breached (which happens with unnerving regularity). To determine where it’s needed, NIS2 asks organizations to assess their specific exposure to risk. Where would a breach be likely to result in a critical threat? And which type of MFA is most likely to prevent that type of breach?
According to Verizon research, MFA “goes a long way toward mitigating [credential] attacks.” However, there are many MFA solutions on the market. They range from simple but weaker methods such as SMS one-time codes, which can be intercepted or relayed by a phishing site, to phishing-resistant passwordless methods such as PKI certificates and FIDO passkeys, where the credential is cryptographically bound to the legitimate site’s origin. The kind of MFA that fits best depends on each organization’s infrastructure, needs, user preferences and budget. There are also practical constraints to address when rolling out MFA; for example, employees may be unwilling to use their personal mobile phones for work authentication. The goal: to select safeguards that protect data without standing in the way of mission-critical tasks.
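To make concrete why a FIDO passkey resists the real-time phishing that defeats SMS codes, here is an added example (written for this page, not code from HID or any FIDO library) of the relying-party checks that reject an assertion signed on a look-alike domain. The rpId `example.com`, the origin `https://example.com`, the look-alike `example-login.com` and the challenge string are all constructed for the illustration; the signature scheme is ES256 as WebAuthn uses it, and the authenticator data layout (rpIdHash, flags, counter) follows the WebAuthn structure, simplified to the fields the checks need.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party (RP) configuration: assumed values for this example.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter here.
// The browser, not the web page, fills in Origin from the page that called the API.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the RP after navigator.credentials.get().
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // DER-encoded ECDSA signature (ES256)
}

// buildAuthData assembles authenticator data for rpId with the given signature counter.
func buildAuthData(rpId string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpId))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // UP flag: user presence
	return append(out, ctr[:]...)
}

// signAssertion models the authenticator: it signs authData || SHA-256(clientDataJSON).
// No password is involved, and the authenticator cannot be asked to sign for a different origin.
func signAssertion(priv *ecdsa.PrivateKey, rpId, origin, challenge string, counter uint32) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	authData := buildAuthData(rpId, counter)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP side. It returns the new signature counter on success and
// rejects an assertion minted on any other origin even if its signature is valid.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedChallenge string, lastCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return 0, fmt.Errorf("origin %q is not %q: phished or relayed assertion", cd.Origin, rpOrigin)
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter <= lastCounter {
		return 0, errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registered passkey
	challenge := "constructed-challenge-1"                    // a real RP uses fresh random bytes per login

	good, _ := signAssertion(priv, rpID, rpOrigin, challenge, 1) // login on https://example.com
	fmt.Println(verifyAssertion(&priv.PublicKey, good, challenge, 0))

	// Relay attack: the victim signs on the look-alike site, which forwards the result.
	// The browser's origin binding makes the RP reject it; an SMS code relayed the same way would pass.
	phished, _ := signAssertion(priv, "example-login.com", "https://example-login.com", challenge, 2)
	fmt.Println(verifyAssertion(&priv.PublicKey, phished, challenge, 0))
}
```

In a real browser the phished ceremony usually fails even earlier, because the rpId must match the page’s domain and the authenticator holds no credential scoped to the look-alike domain; the RP-side origin, rpIdHash, challenge and counter checks are the backstop that a relying party must still implement.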
Indeed, NIS2 access control and authentication requirements give organizations a much-needed opportunity to evaluate their end-to-end security journeys. A lot goes into this journey, from the systems that enable administrators to manage access to physical and digital resources to the form factors that employees use to authenticate. Adding MFA represents a chance to strengthen security without changing the way users work.
NIS2 sets strict standards for ensuring supply chain security. That’s because smaller companies are increasingly common attack targets due to their limited security resources — and because those attacks often have cascading effects on larger enterprises. In fact, according to Verizon, 15% of network breaches were caused by vulnerabilities in partner infrastructure.
IBM, meanwhile, found that third-party and supply chain breaches increased the average cost of an attack by as much as $260,000 per incident.
To avoid supply-chain-related liabilities and penalties, companies must maintain continuous, efficient visibility into their suppliers. When it comes to authentication and identification, that also means strengthening the Operational Technology (OT) environments that typically control manufacturing processes, which often rely on shared or static credentials.
Here, too, MFA is a powerful solution, and one recommended as best practice by the International Society of Automation (ISA) Global Cybersecurity Alliance. Extending MFA and access policies to OT resources enables organizations to secure and monitor systems that previously lacked such protection.
Even though organizations agree on the importance of NIS2 compliance, our research shows that at least a third of them still have little or no implementation in place. HID has decades of experience designing MFA solutions for the highly regulated industries covered by NIS2, from healthcare to government. That experience enables us to design end-to-end security solutions that help you comply with the new regulations while supporting your business goals.
Our MFA solutions encompass:
HID’s authentication and identity experts support each project to ensure that it powers productivity with efficiency and ease. Thanks to our award-winning physical access control technologies, we can also help you integrate MFA into broader security systems, and offer converged credentials that let employees unlock doors, data and business applications with a single ID badge.
The landscape of cyberthreats is enormous and complex, but compromised credentials remain the most common launch point for cyberattacks. That is what makes MFA so important, not just for complying with NIS2 but for avoiding the staggering expense and reputational damage that come with a successful network breach.
Don’t let MFA stand in your way. Request your sample today >>