The era of theoretical compliance is over. DORA and NIS2 are now law across the EU, and regulators are no longer forgiving gaps. For identity, access management, and cybersecurity teams, authentication has become a compliance frontier — not just a security control.
Enforcement Reality
- DORA is in force across the EU. Financial institutions — and every technology vendor in their supply chain — must now meet operational resilience and authentication requirements and be ready for audits.
- NIS2 is transposed into national laws in all EU member states. Enforcement is active, and penalties for non-compliance are already being issued.
- The focus has shifted from planning to proving: closing gaps, maintaining continuous compliance, and demonstrating readiness at any time.
Why Authentication Is Now a Core Compliance Vector
Both DORA and NIS2 elevate expectations around identity and access controls:
- MFA must be phishing-resistant, not just token-based in theory.
- Every system counts — including legacy and third-party apps.
- Auditability is mandatory — each authentication event must be logged and traceable.
Legacy infrastructure remains the biggest compliance risk, yet it cannot be excluded from these new standards.
The Problem with “MFA in Name Only”
Many organizations claim to “have MFA,” but regulators now look deeper:
- MFA is inconsistently deployed — SMS here, push there, hardware tokens only for a few apps.
- Older systems still rely on passwords.
- Logs are fragmented and audits painful.
What matters isn’t just having MFA, but proving it’s phishing-resistant, consistent, and centrally auditable.
What’s New from Secfense and the FIDO Alliance
- Secfense joined the FIDO Alliance Passkey Pledge, helping accelerate global adoption of passkeys and phishing-resistant authentication — without requiring application rewrites.
- Secfense received a U.S. patent for its no-code technology that enables passwordless protection across enterprise environments, including legacy apps.
- FIDO Alliance reports record adoption: over 15 billion accounts worldwide now support passkeys, and more than 70 % of users are aware of this technology.
- The Passkey Pledge initiative unites global companies around eliminating passwords, emphasizing interoperability, privacy, and enterprise readiness.
These milestones confirm that passwordless, phishing-resistant authentication is now mainstream — and expected under modern regulations.
Designing a Compliance-Ready Authentication Strategy
- Adopt FIDO-based passkeys or equivalent phishing-resistant MFA across all systems.
- Include legacy apps using overlay or broker technology — no code changes required.
- Centralize logs and ensure traceability for every authentication event.
- Strengthen recovery flows to avoid weak fallback methods.
- Monitor protocol updates and threat research to stay aligned with evolving standards.
- Document and prove compliance through continuous testing and audit-ready reporting.
Final Word
We’ve entered the enforcement era. DORA and NIS2 are not checkboxes — they mark a structural change in how organizations must protect access.
Phishing-resistant, auditable authentication is now the baseline for trust, compliance, and operational resilience.
Secfense enables enterprises to deploy passkeys and FIDO-based MFA across all systems — even legacy ones — without rewriting code or disrupting users.
👉 Schedule a call with our team to see how you can achieve DORA and NIS2 compliance with phishing-resistant authentication that’s ready for any audit.
Get the Full Special Report
Want to dive deeper right now?
We’ve put together a Special Report breaking down DORA and NIS2’s authentication requirements, timelines, and compliance tips.
Antoni Sikora 