Understanding NIS2 MFA Requirements With ENISA Guidance

Last updated on July 29, 2025

The European Union Agency for Cybersecurity (ENISA) has recently released the 1.0 version of the NIS2 Technical Implementation Guidance on Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of NIS2 Directive as regards technical and methodological requirements of cybersecurity risk-management measures.

This guidance aims to enhance cybersecurity posture across the EU by guiding organizations on the best practices for NIS2 compliance, including the deployment of Multi-Factor Authentication (MFA). In this article, we delve into the MFA requirements and recommendations outlined in ENISA’s NIS2 implementation guidance and explore how Rublon MFA can help organizations achieve compliance with NIS2.

Key ENISA NIS2 MFA Requirements

• MFA or Continuous Authentication – § 11.7.1: critical assets must be protected by multiple factors or a risk‑based continuous‑auth mechanism.
• Strength Matches Asset Sensitivity – § 11.7.2: choose methods whose assurance level corresponds to the data/system classification; phishing‑resistant options (FIDO2 security keys & passkeys) are recommended “wherever possible”.
• Privileged & Administrative Accounts – § 11.3.2(a–d): use dedicated, individual admin accounts secured with strong authentication and limited privileges.
• System‑Administration Networks – § 11.4: access must be tightly controlled and fully logged; MFA is strongly advised for these systems.
• Remote & Internet‑Facing Access – Guidance: always enforce MFA on VPN, RDP, e‑mail portals, and any service exposed to the Internet or accessed from outside the corporate network.
• Evidence & Periodic Review – § 11.6.4: keep authentication logs, document risk analysis, and review MFA procedures at planned intervals (ENISA suggests every ≤ two years).

ENISA Guidance: When Should Entities Deploy MFA?

ENISA’s implementing guidance on the NIS2 Directive emphasizes the critical role of MFA in securing access to network and information systems. Understanding when and where to implement MFA is essential for organizations aiming to comply with the directive.

1. MFA for Privileged Accounts and System Administration Accounts

Privileged accounts and system administration accounts are high-value targets for cyber attackers. ENISA’s guidance highlights the importance of securing these accounts.

ENISA Requirement:

"11.3 PRIVILEGED ACCOUNTS AND SYSTEM ADMINISTRATION ACCOUNTS

11.3.1. The relevant entities shall maintain policies for management of privileged accounts and system administration accounts as part of the access control policy referred to in point 11.1.

11.3.2. The policies referred to in point 11.3.1. shall:

(a) establish strong identification, authentication such as multi-factor authentication and authorisation procedures for privileged accounts and system administration accounts;

(b) set up specific accounts to be used for system administration operations exclusively, such as installation, configuration, management or maintenance;

(c) individualise and restrict system administration privileges to the highest extent possible,

(d) provide that system administration accounts are only used to connect to system administration systems."

Why This Matters?

Implementing MFA to satisfy point 11.3 ensures that only authorized personnel can access critical systems, reducing the risk of unauthorized access. ENISA emphasizes that enabling MFA is particularly crucial for accounts that, if accessed by malicious actors, could enable them to cause significant damage to the organization.

How Rublon MFA Satisfies This Requirement

✅ Robust Security for Privileged Accounts: Rublon MFA provides robust MFA authentication mechanisms tailored for privileged and administrator accounts, thus satisfying point 11.3.2 of ENISA’s implementing guidance. By integrating Rublon MFA into their infrastructure, organizations can enhance security for administrators without compromising usability.

2. MFA for Administration Systems

The ENISA guidance on NIS2 lists strong authentication mechanisms such as multi-factor authentication (MFA) as a recommended way to secure access to administration systems.

ENISA Requirement:

"11.4 ADMINISTRATION SYSTEMS

11.4.1. The relevant entities shall restrict and control the use of system administration systems in accordance with the access control policy referred to in point 11.1."

"Require strong authentication mechanisms such as MFA for accessing system administration systems."

Why This Matters?

Administration systems are gateways to an organization’s most sensitive operations. Securing them with MFA adds an extra layer of protection against unauthorized access.

How Rublon MFA Satisfies This Requirement

✅ Seamless Integration with Administration Systems: Implementing Rublon MFA for administration systems ensures compliance with requirement 11.4 of the ENISA guidance. It offers seamless integration and strong authentication methods suitable for system administrators. Rublon MFA can also help deliver the necessary examples of evidence, such as regularly maintained logs that track access to system administration systems.

3. MFA for Secure Authentication

ENISA’s guide on NIS2 mandates the implementation of appropriate authentication means, including technologies like Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA).

ENISA Requirement:

"11.6 AUTHENTICATION

11.6.1. The relevant entities shall implement secure authentication procedures and technologies based on access restrictions and the policy on access control."

Mentioned authentication technologies include:

• password-based authentication,
• passkeys,
• two-factor authentication,
• MFA,
• biometric authentication,
• token-based authentication, such as a one-time passcode (OTP),
• smart cards,
• Fast Identity Online 2 security keys,
• certificate-based authentication,
• SSO,
• OpenID Connect

In addition, ENISA recommends the use of phishing-resistant MFA, pointing out that this “strong” type of authentication uses no shared secrets and is not vulnerable to an attacker-in-the-middle attack. A protected cryptographic private key can be securely registered with a domain, in accordance with Fast Identity Online (FIDO) and W3C WebAuthn standards, or a trust provider, following public key infrastructure and International Telecommunication Union X.509 standards.

Why This Matters?

Among the various methods available, two-factor authentication (2FA) and multi-factor authentication (MFA) are especially vital for thoroughly verifying user identities before granting access. This is because other methods, such as password-based authentication, biometric authentication, token-based authentication, passkeys, and single sign-on (SSO), can be integrated as factors or additional security controls within MFA. Due to the alarming rise in the number of phishing attacks in the last few years, ENISA’s recommendations on phishing-resistant MFA are essential. ENISA marks push notifications as “medium” and text messages and OTPs as “last resort”. Only phishing-resistant MFA is designated as “strong”, which underscores the importance and high level of security of this form of MFA.

How Rublon MFA Satisfies This Requirement

✅ Strong Phishing-Resistant Authenticators: Rublon MFA supports FIDO2 & FIDO U2F security keys like YubiKey and Google Titan, as well as software and hardware passkeys compatible with FIDO standards, enabling true phishing resistance.

✅ Versatile Authentication Methods: Rublon MFA supports multiple authentication methods, including but not limited to push notifications, QR codes, phone number-related methods, and phishing-resistant authenticators. Rublon supports two-factor, three-factor, and multi-factor authentication, giving organizations the freedom to adopt the exact security measures that match their risk profile.

4. MFA for Accessing Network and Information Systems

ENISA’s guidance underscores the importance of implementing MFA when accessing network and information systems, especially those housing sensitive data and critical assets.

ENISA Requirement:

"11.7 MULTI-FACTOR AUTHENTICATION

11.7.1. The relevant entities shall ensure that users are authenticated by multiple authentication factors or continuous authentication mechanisms for accessing the entities’ network and information systems, where appropriate, in accordance with the classification of the asset to be accessed.

11.7.2. The relevant entities shall ensure that the strength of authentication is appropriate for the classification of the
asset to be accessed."

Why This Matters?

This ENISA requirement means that organizations must:

• Assess Asset Classification: Determine which systems require enhanced security based on the sensitivity of the data they contain and include this information in documentation detailing the classification of assets and the associated requirement for MFA protection.
• Select Appropriate MFA Methods: Choose MFA techniques that align with both security needs and user convenience by preparing a list of user roles, associated access rights, and the description of the analysis conducted to determine appropriate MFA methods.
• Define When to Use MFA: Define when and how MFA is required, e.g., on every login or once per session, and ensure your MFA settings reflect the defined requirements.
• Protect Internet-Facing Systems With MFA: Enforce multi-factor authentication on all internet-exposed systems, including email platforms, remote desktop connections, and VPNs, to mitigate unauthorized access risks.
• Secure Remote Sessions: Require MFA whenever users connect from off‑site locations.
• Use Logs as Compliance Evidence: Maintain MFA logs as verifiable evidence that multi-factor authentication is active and enforced across specific networks and information systems, demonstrating regulatory compliance.
• Enable Phishing-Resistant MFA and SSO Whenever Possible: Integrate multi-factor authentication (MFA) with Single Sign-On (SSO) solutions for seamless user access and enforce phishing-resistant MFA whenever possible to ensure the highest level of security.
• Ensure Secure Fallback Methods: Establish secure and reliable fallback procedures for users who are unable to access their primary multi-factor authentication methods.
• Educate Users: Help users understand why multi-factor authentication matters and how to use it confidently and securely.

How Rublon MFA Satisfies This Requirement

✅ Phishing‑Resistant MFA (Passkeys & FIDO2): Rublon lets users enroll hardware‑ and software‑bound passkeys that comply with the FIDO2/WebAuthn standard, delivering the “strong / phishing‑resistant” level of MFA explicitly recommended by ENISA 11.7 guidance.

✅ Other Flexible MFA Options: Rublon MFA offers a wide range of authentication methods, including but not limited to:

• SMS Passcodes: The SMS Passcode authentication method can be used, though alternative methods are recommended for higher security.
• Authenticator Apps: Rublon Authenticator and support for third-party apps like Google Authenticator and Microsoft Authenticator.
• Push Notifications: Quick and convenient Mobile Push approval requests sent to users’ devices.
• Hardware Tokens: Compatibility with tokens that generate OTPs.
• Biometrics: Support for fingerprint and facial recognition in the Rublon Authenticator app and Windows Hello passwordless login.

This variety allows organizations to tailor their MFA approach based on asset sensitivity and user roles.

✅ Secure Fallback Methods: Administrators can issue time‑bound Bypass Codes or switch a user to an alternate factor (e.g., push) when a primary authenticator is unavailable; all such events are logged, satisfying ENISA’s call for “secure fallback methods”.

✅ Policy-Based Access Control: Rublon MFA enables entities to enforce different authentication strengths depending on the asset’s classification. High-risk systems can require stronger MFA methods, ensuring compliance with ENISA’s requirement to match authentication strength to asset sensitivity.

✅ Seamless Integration with Systems: Rublon MFA integrates with VPNs, remote access software, and email clients like Outlook Web App (OWA) or Roundcube. It supports protocols like LDAP, RADIUS, and SAML, enabling robust MFA enforcement across all access points.

✅ Centralized Logs: Rublon provides detailed Authentication Logs showing MFA usage across the network and information systems, as well as Audit Logs and Phone Logs that show all admin actions and phone-related user activities, respectively. These logs serve as evidence for compliance audits and can be exported to SIEM solutions, demonstrating that MFA is actively enforced and that administrators’ and phone-related activities are properly recorded.

Important Considerations for Achieving NIS2 Directive Compliance

1. Training Users on Multi-Factor Authentication

ENISA highlights the importance of user training in multi-factor authentication best practices.

ENISA Requirement:

"Educate users about the importance of MFA and how to use it."

Why This Matters?

Even the most robust security measures can be undermined by human error. Educating users ensures they understand the importance of MFA and how to use it effectively.

How Rublon MFA Supports This Initiative

✅ User Training Resources: Rublon provides comprehensive materials to educate users on MFA usage and security best practices. This helps organizations foster a security-aware culture and improves overall compliance.

✅ Smooth Onboarding Processes: Rublon’s intuitive setup and user-friendly interfaces make it easier for personnel to adopt MFA, reducing resistance and promoting better security habits.

2. Alignment with Other Standards and Frameworks

The NIS2 MFA requirements align with several international and national cybersecurity standards, which can help streamline compliance efforts.

Mapped Standards Include:

• International Frameworks:
  • ISO/IEC 27001:2022 (A.8.5): Emphasizes secure authentication and access control measures.
  • NIST CSF v2.0 (PR.AA-03): Focuses on identity management and access control, advocating for mechanisms like MFA.
• National Frameworks:
  • BE-CyFun®2023 BASIC (PR.AC-3.2): Belgium’s cybersecurity framework includes access control measures consistent with MFA requirements.
  • ES-Royal Decree 311/2022 (Article 20, Annex II): Spain’s national security scheme mandates specific access control measures, mirroring the MFA requirements in NIS2.

Why This Matters?

By recognizing these mappings, organizations can optimize their security strategies, ensuring that MFA deployment aligns not only with the NIS2 Directive but also with other crucial security standards.

How Rublon MFA Facilitates Compliance Across Frameworks

✅ Unified Compliance Approach: Rublon’s robust authentication solutions support compliance with multiple standards, enhancing overall security while simplifying the process of meeting diverse regulatory obligations.

---

Subscribe to the Rublon Newsletter

Stay ahead in the digital world! Subscribe to the Rublon Newsletter for monthly updates on our latest features and essential cybersecurity tips. Protect your systems and stay informed with expert insights delivered straight to your inbox. Don’t miss out—subscribe now!

---

Top Tips for Implementing MFA for NIS2 Compliance

To help organizations implement MFA effectively, ENISA offers practical tips. Here’s how Rublon MFA aligns with these recommendations:

1. Integrate MFA with SSO

Tip: Combine MFA with Single Sign-On solutions for seamless and secure access across multiple systems.

Rublon MFA:

✅ SSO Integration: Rublon supports Single Sign-On via Rublon Access Gateway, simplifying access while maintaining strong security.

2. Provide Secure Fallback Methods

Tip: Establish secure backup options for users who lose access to their primary MFA method.

Rublon MFA:

✅ Alternative Authentication Methods: Rublon offers Bypass Codes and alternative methods to ensure users can regain access securely without compromising security.

3. Educate Users About MFA

Tip: Train personnel on the importance of MFA and proper usage practices.

Rublon MFA:

✅ Educational Resources: Supports user onboarding and provides materials to facilitate training sessions, enhancing user understanding and compliance.

4. Monitor MFA Logs Regularly

Tip: Keep an eye on authentication logs to detect suspicious activities.

Rublon MFA:

✅ Comprehensive Logging: Provides detailed Authentication and Audit Logs, enabling proactive security monitoring and quick response to potential threats.

5. Keep MFA Systems Updated

Tip: Regularly update the MFA solution and associated devices to protect against emerging threats.

Rublon MFA:

✅ Continuous Updates: Ensures the platform stays current with the latest security protocols and updates, safeguarding against vulnerabilities.

Get started by signing up for a Free 30-Day Rublon Trial →

6. Implement Contextual MFA

Tip: Use additional authentication factors under specific circumstances, like access from unusual locations or devices.

Rublon MFA:

✅ Adaptive Authentication: Allows adding additional security controls, such as a biometric lock on the mobile app, enhancing security based on context. Risk-based authentication is on our roadmap.

7. Evaluate MFA Providers Carefully

Considerations:

• Ease of Integration: Should integrate smoothly with existing systems.
• User Experience: Balance security with user convenience.
• Scalability: Should grow with your organization.
• Support and Reliability: Offer robust support and high reliability.

Rublon MFA:

✅ Tailored to Your Needs: Rublon is scalable, user-friendly, and integrates seamlessly with a variety of platforms. It offers dedicated Customer Support and maintains high uptime standards.

8. Pilot Test the MFA Solution

Tip: Start with a small user group to identify potential issues before full deployment.

Rublon MFA:

✅ Supports Pilot Programs: Allows organizations to fine-tune their MFA strategies through pilot testing on a free, no-limits 30-day trial, ensuring a smooth full-scale rollout later on.

9. Ensure Legal Compliance

Tip: Confirm that your MFA implementation meets regulations like GDPR.

Rublon MFA:

✅ Compliance Assurance: Rublon facilitates compliance with many cybersecurity regulations and data protection laws, including but not limited to NIS2, DORA, GDPR, PCI DSS, PSD2, EU Cybersecurity Act, ISO/IEC 27001, and NIST SP 800-53. This ensures that data privacy and legal standards are maintained within an organization.

How Rublon MFA Satisfies ENISA’s NIS2 MFA Guidance

Here’s a summary of how Rublon MFA meets the specific requirements and recommendations outlined in the ENISA guidance:

ENISA Guidance	Rublon MFA
Implement MFA for privileged accounts and system administration accounts	✅ Strong MFA methods for privileged users
Require MFA for accessing administration systems	✅ Seamless integration with administration systems
Implement secure authentication procedures and technologies	✅ Various authentication methods aligning with best practices
Ensure users are authenticated by multiple factors for accessing network and information systems	✅ Centralized MFA across infrastructure, customizable access policies
Match authentication strength to asset classification	✅ Group and application policies for high-risk assets
Integrate MFA with SSO solutions	✅ Own SSO capabilities and plans for integration with others
Provide secure fallback methods	✅ Bypass codes and alternative authentication methods
Educate users about MFA	✅ Onboarding support and educational resources
Monitor MFA logs for suspicious activity	✅ Authentication and audit logs for security
Keep MFA systems updated	✅ Regular updates and maintenance
Evaluate and choose an MFA provider that fits the entity’s requirements	✅ Scalability, user-friendliness, technical support
Ensure MFA implementation meets legal requirements (e.g., GDPR)	✅ Compliance with GDPR and other regulations

Conclusion

The ENISA’s guidance on the NIS2 Directive places significant emphasis on MFA as a cornerstone of cybersecurity. Compliance is not just about implementing MFA but doing so thoughtfully—matching authentication strength to asset sensitivity and ensuring users are well-trained.

Rublon MFA offers a robust solution that aligns with ENISA’s guidance. Its flexible authentication methods, seamless integrations, and support for compliance evidence make it an excellent choice for organizations aiming to meet NIS2 requirements.

Frequently Asked Questions on ENISA NIS2 MFA Guidance

Ready to Enhance Your Security and Achieve NIS2 Compliance?

Start your free trial of Rublon MFA today and take the first step towards a more secure future.