Start with Identity

NIS2 Directive

Directive (EU) 2022/2555 (NIS2)

NIS2 is the EU's cybersecurity directive raising the security and incident-reporting obligations of "essential" and "important" entities across a wide range of critical sectors. It entered into force on 16 January 2023; Member States had to transpose it into national law by 17 October 2024 and apply the measures from 18 October 2024. It repeals and significantly expands the scope of the original 2016 NIS Directive (Directive (EU) 2016/1148), which covered far fewer sectors and left Member States much more discretion in identifying in-scope operators.

Jurisdiction: 🇪🇺 European Union
Type: Cybersecurity
In effect: 2024
Authority: National competent authorities and CSIRTs designated by each Member State, supported by ENISA

Who it applies to

Medium and large entities operating in the sectors listed in the directive's annexes as highly critical or otherwise critical, such as energy, transport, banking, health, digital infrastructure, and ICT service management. The directive's size-cap rule excludes most small and micro enterprises, but some entity types are covered regardless of size (for example DNS service providers, TLD name registries and trust service providers), and the rules reach non-EU providers that offer services in the EU, which must designate an EU representative.

Identity requirements

How it impacts identity systems

Identity area: Impact
Authentication & MFA: Names multi-factor authentication or continuous authentication solutions, "where appropriate", among the baseline cybersecurity risk-management measures of Article 21(2).
Privileged access (PAM): The access control policies required by Article 21(2) are expected to cover privileged and administrative access to critical systems, including how such access is granted, monitored and revoked.
Breach notification: Requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (Article 23).
Audit, logging & accountability: Holds management bodies accountable for approving and overseeing the risk-management measures (Article 20) and expects incident handling, monitoring and evidence of the measures' effectiveness.
Identity governance (IGA): Drives access control and human resources security policies, and extends identity-related risk management to the supply chain, including the identities and access granted to suppliers and service providers.

Penalties

Member States must provide for administrative fines with a maximum of at least 10 million euros or 2 percent of total worldwide annual turnover in the preceding financial year, whichever is higher, for essential entities, and at least 7 million euros or 1.4 percent of turnover, whichever is higher, for important entities. These are minimum ceilings: national law may set higher caps, and competent authorities can also impose binding instructions, suspend certifications or authorisations, and temporarily prohibit individuals in management from exercising managerial functions at an essential entity.

NIS2 Directive: frequently asked questions

Who must comply with NIS2?
Medium and large entities in essential or important sectors such as energy, health, banking, digital infrastructure, and ICT services, plus certain entities covered regardless of size.
Does NIS2 require multi-factor authentication?
Yes, NIS2 lists the use of multi-factor or continuous authentication solutions among the baseline cybersecurity risk-management measures where appropriate.
How fast must incidents be reported under NIS2?
Affected entities must submit an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours that includes an initial assessment of severity and impact, and a final report within one month of that notification.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.