NIS2 Directive (part 2): Strong authentication requirements for employees in critical industry sectors in Europe
In part one of this blog series, we provided an overview of the NIS2 Directive. Here in part two, we cover a specific aspect of NIS2: Requirements and timelines for compliance as it relates to strong authentication for employees.
In the spotlight: Strong authentication for the workforce
Article 21 of NIS2 specifically addresses multi-factor authentication, saying:
The measures […] shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
- the use of multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
“All-hazards approach” means the organization should consider all possible security risks in its risk assessment.
In other words, NIS2 requires companies to consider multi-factor authentication as a key security measure when authenticating their workforce. Companies should invest in MFA solutions to authenticate workforce members when they remotely access their company network, log on to their workstations, access privileged accounts, and so on.
NIS2 does not provide a definition of what constitutes MFA. We can assume it refers to an authentication mechanism built from at least two authentication elements drawn from the three possible authentication categories: possession (something only the user has, such as a hardware token), knowledge (something only the user knows, such as a password or PIN), and inherence (something only the user is, i.e. a biometric characteristic such as a fingerprint or face scan). In addition, the mechanism should generate one-time, dynamic authentication codes.
From a security best practices perspective, we recommend adopting phishing-resistant MFA mechanisms that offer full protection against phishing attacks. Phishing-resistant authentication methods generate authentication responses that are bound to the legitimate service, so anything a fraudster captures or relays from a look-alike site is useless to them; they are typically implemented using authentication protocols standardized by the FIDO Alliance.
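To illustrate why FIDO-style authentication resists phishing while relayed one-time codes do not, the following is an added, deliberately simplified model and not code from the original post or from any FIDO implementation: it mimics how the browser binds the observed origin into the signed client data (real WebAuthn uses public-key signatures; HMAC stands in here so it runs with the standard library only), and the origins, keys and functions are constructed for the example.

```python
# Added, simplified model of origin binding in FIDO/WebAuthn assertions versus a
# relayable one-time code. Not the post's code; HMAC replaces real public-key
# signatures purely so the model runs offline with the Python standard library.
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://portal.example.com"     # constructed legitimate origin
PHISH_ORIGIN = "https://portal-example.com"  # constructed look-alike origin


def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Model of the client+authenticator: the browser records the origin it is
    actually talking to, and the signature covers challenge AND origin."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True)
    sig = hmac.new(cred_key, client_data.encode(), hashlib.sha256).digest()
    return {"clientData": client_data, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying party checks: origin is ours, challenge is the one we issued,
    and the signature over the client data is valid."""
    data = json.loads(assertion["clientData"])
    if data["origin"] != RP_ORIGIN or data["challenge"] != expected_challenge.hex():
        return False
    expected_sig = hmac.new(cred_key, assertion["clientData"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def fido_legit_login(cred_key: bytes) -> bool:
    """User signs in on the real site: origin matches, verification succeeds."""
    challenge = os.urandom(32)
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, RP_ORIGIN))


def fido_phish_relay(cred_key: bytes) -> bool:
    """A look-alike site forwards the real challenge to the victim. The victim's
    browser binds PHISH_ORIGIN into the client data, so the relayed assertion fails."""
    challenge = os.urandom(32)
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, PHISH_ORIGIN))


def otp_phish_relay(seed: bytes) -> bool:
    """A time-based code (constructed stand-in for TOTP) carries no origin, so a
    code typed into a look-alike site and relayed verbatim still verifies."""
    code = hmac.new(seed, b"time-step-1", hashlib.sha256).hexdigest()[:6]
    relayed_code = code  # attacker forwards exactly what the victim typed
    return relayed_code == hmac.new(seed, b"time-step-1", hashlib.sha256).hexdigest()[:6]
```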
Timelines
NIS2 came into effect on 16 January 2023. As the next step, EU member states need to transpose NIS2 into their national law. This transposition is expected to be completed by 17 October 2024. As a result, companies need to comply with the NIS2 requirements as of 18 October 2024.
As of the date this blog was published, only Hungary had completed the transposition process. Other member states, such as Germany, the Czech Republic, and Belgium, had published draft transposition laws. Others, such as France, Spain, and Italy, were engaged in public consultations with industry sector organizations.
By 17 April 2025, member states have to establish a list of the essential and important entities in their country. Member states can enable entities to register themselves. Therefore, entities will have to determine if their services fall within the scope of NIS2, identify the list of member states where they provide in-scope services, and register before the deadline in each member state. In Belgium, for example, the registration deadline is expected to be 18 March 2025.
Enforcement and sanctions
Authorities have a wide spectrum of enforcement measures and sanctions at their disposal.
For both essential and important entities, authorities can impose on-site inspections, targeted security audits, technical vulnerability scans, and more. Random checks further expand the list, together with ad hoc audits in the case of essential entities.
If an infringement is discovered, authorities can exercise further enforcement powers, such as issuing warnings, imposing binding instructions to prevent or remedy a security issue, or ordering entities to cease conduct of activities. Authorities may also designate a monitoring officer to oversee the entity until it achieves compliance.
Finally, authorities can also impose various types of sanctions, such as the suspension of certifications required to operate, as well as administrative fines. These fines depend on the type of entity:
- Essential Entities: Up to the greater of €10M or 2% of global annual revenue
- Important Entities: Up to the greater of €7M or 1.4% of global annual revenue
Management bodies of essential and important entities may also be held personally liable, including a temporary prohibition from exercising managerial functions.
Conclusion
The clock is ticking for European companies to comply with the NIS2 cybersecurity requirements. Essential and important entities need to ensure compliance by 18 October 2024.
To move toward compliance, companies should identify the critical services, processes, and assets that underpin their essential service. They should establish an information security management system (ISMS) to identify, treat, and monitor the company’s information security risks. Standards such as ISO/IEC 27001/27002, NIST Cybersecurity Framework (CSF), and CIS 18 can help companies to establish a control framework.
NIS2 also encompasses authentication, particularly multi-factor authentication for the workforce of covered entities. Essential and important entities should make sure they equip their workforce with modern, user-convenient authentication technology to ensure compliance with NIS2. Phishing-resistant authentication technology based on FIDO standards is a natural choice.