12 July 2026

NIS2 and authentication: what essential and important entities must change

NIS2 turns strong authentication into a legal duty with board-level liability. What the directive expects from your logins, and how to close the gap.

The deadline has already passed. NIS2, the EU’s updated cybersecurity directive, had to be written into national law across the Union by 17 October 2024. If your organization runs essential services, or is a significant player in one of the covered sectors, the question is no longer whether the rules apply; it is whether you can show a regulator that your access controls meet them. And for the first time, that question lands on the management board, not only on the IT department.

Authentication is named in the law now, not just in the guidance

Earlier good-practice frameworks recommended multi-factor authentication. NIS2 goes further. Its baseline risk-management measures (Article 21) require organizations to put in place technical controls including access-control policies, cryptography, and — spelled out directly — the use of multi-factor authentication or continuous authentication solutions where appropriate.

In practice, a weak or optional second factor is no longer a defensible position. If an auditor asks how a privileged administrator signs in to your VPN, your Windows servers or your management console, “a password and sometimes an SMS code” is the answer that opens a finding.

Who this applies to

NIS2 divides organizations into essential and important entities across a wide set of sectors: energy, transport, banking and financial market infrastructure, healthcare, drinking and waste water, digital infrastructure, public administration and more, with a second tier that pulls in postal services, waste management, manufacturing, food, chemicals and digital providers. Many organizations that sat outside the original NIS Directive are now firmly inside its successor.

Two changes push this past a compliance checkbox:

  • Management accountability. Boards must approve and oversee cybersecurity risk-management measures, and can be held personally liable for failures.
  • Real penalties. Supervisory authorities can impose significant fines: up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities.

What “NIS2-grade” authentication actually looks like

Having some MFA is not the same as meeting the intent of the directive. Three things separate a control that satisfies an auditor from one that only looks good on a slide:

  • Phishing resistance. SMS codes can be intercepted or SIM-swapped, and both they and basic one-tap push fall to adversary-in-the-middle relay. A key bound to hardware inside the user’s device, one that cannot be copied or replayed, removes that class of risk. Push-fatigue is a separate problem, and no key or biometric stops it once the prompt reaches the phone. It is beaten only by what the prompt shows: a precise, readable description of exactly what is being approved, so nothing is ever approved blindly.
  • Coverage of privileged and remote access. The requirement is not “MFA on the webmail.” It is every path an attacker would actually use: VPN, remote desktop, server logins, admin consoles.
  • Evidence. NIS2 is as much about demonstrating control as having it. Each authentication should leave an auditable, tamper-evident record of who approved what, and when.

Where Notakey fits

Notakey is built for exactly this profile of organization: regulated, security-conscious, and answerable to auditors.

  • The user’s key is generated inside the phone’s secure hardware and never leaves it. There is no shared secret to steal and nothing to phish.
  • Every login and every transaction is a cryptographically signed, timestamped event: the audit trail a NIS2 assessment asks for, produced automatically instead of reconstructed after the fact.
  • It covers the access paths that matter, over the protocols your systems already speak. See the practical guides for 2FA on a VPN over RADIUS, Windows remote desktop and Linux SSH.
  • It runs in your own infrastructure or in the cloud, so authentication data can stay under your control, with PSD2, eIDAS and GDPR alignment built in rather than bolted on.

We are deliberately not going to tell you Notakey “makes you NIS2 compliant”; no product does that on its own. What it does is close the authentication-shaped part of the gap, and hand you the evidence to prove it.

Start with a pilot, not a policy document

The fastest way to find out whether your authentication meets NIS2 is to test it against your own environment: a real VPN, a real admin login, a handful of real users. That tells you more about your gap — and your evidence — in a week than a feature matrix tells you in a quarter.

Try the live demo to sign a transaction from your own phone in about two minutes, or request a demo and we will map your VPN, SSO or Windows access to a working pilot.


This article is general information, not legal advice. NIS2 is transposed into national law separately by each EU member state; confirm the specific obligations, thresholds and deadlines that apply to your organization with qualified counsel.

← All posts

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.