NIS2 Directive · Article 21

NIS2 names MFA as a baseline measure — and makes management personally liable. Is it on every access path, or just your cloud apps?

NIS2 widened the scope of EU cybersecurity law to thousands more "essential" and "important" entities, and Article 21 lists the minimum measures they must take — explicitly including the use of multi-factor or continuous authentication. Article 20 makes management bodies accountable and personally liable for getting it wrong. Regulators reading "MFA" mean it across the estate, not only the SaaS that already had it. The unguarded paths — Active Directory, remote access, and servers — are where an inspection finds fault. Authnull enforces MFA on each and produces the records that demonstrate the measure is operating.

At a glance
Framework: NIS2 Directive
Key controls: Art. 21(2)(j) · 21(2)(d) · Art. 20
Applies to: Essential & important EU entities
Timing: Now transposed across the EU
You walk away with: Board-level assurance & logs
Mapped to specific controls — not a generic MFA checklist.
The line that put you here
...the use of multi-factor authentication or continuous authentication solutions... as part of basic cyber hygiene practices.
— NIS2 Directive (EU) 2022/2555, Article 21(2)
Under Article 20, management bodies must approve and oversee these measures and can be held personally liable — which makes "MFA everywhere it should be" a board-level question, not just an IT one.
Requirement mapping

Requirement → Authnull

Control | What it requires | How Authnull covers it | Status
Art. 21(2)(j) | Use of MFA or continuous authentication solutions where appropriate. | MFA across AD logon, Windows, Linux, and RADIUS — the access paths beyond the cloud IdP. | Covered
Art. 21(2)(i) | Access-control policies and asset management. | Per-system factor enforcement with group mapping aligned to your access policy. | Covered
Art. 21(2)(d) | Supply-chain & remote-access security. | RADIUS MFA on VPN and remote-access gateways used by staff and third parties. | Covered
Art. 20 / 23 | Management accountability and incident records. | Per-login logs give the board demonstrable assurance and feed incident reporting. | Covered
Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies:
- Microsoft 365 / Google sign-in
- SAML web apps

What it leaves for the audit:
- Active Directory logon
- Operational & IT servers
- Remote access / VPN
- Linux SSH

Authnull enforces MFA on every path on the right — at the directory, OS, and RADIUS layer — so the column that fails the audit becomes the column that passes it.

Evidence

What you hand the assessor.

Assurance for the board

A coverage view leadership can sign off on — relevant given personal liability under Article 20.

Operating-effectiveness logs

Per-authentication records show the measure is live, not just documented.

Phishing-resistant factors

FIDO2 and push meet the "state of the art" bar Article 21 expects.

Make MFA a measure your board can actually sign off on.

Enforce MFA on every access path Article 21 implies and keep the records that prove it. Start free, or review your scope with a compliance engineer.
