Multi-Factor Authentication (MFA) in the Context of DORA and NIS2

MFA in the context of DORA and NIS2

The Role of MFA in DORA and NIS2 Compliance

In early 2023, two critical regulations—DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Systems Directive)—came into effect, aiming to enhance the cyber resilience of European organizations. Although these regulations do not mandate specific security tools, they emphasize the need for strong authentication mechanisms as part of robust security practices.

Analysis of DORA and NIS2 Regulations in the Context of Enterprise Cyber Security in the EU.

DORA and NIS2 outline essential measures for safeguarding corporate resources. While the exact security tools are not specified, both DORA and NIS2 underscore the importance of appropriate strategies, policies, protocols, and ICT tools to secure systems, applications, and databases from unauthorized access.

Why Strong Authentication is Central to DORA and NIS2

Through analysis with experts at the Law4Tech Foundation, it is clear that both DORA and NIS2 recognize multi-factor authentication (MFA) as a crucial security measure. MFA is a foundational tool that significantly reduces risks associated with phishing, social engineering, and unauthorized credential access, making it a key component in meeting these regulatory standards.

Who is responsible for complying with DORA

DORA: “Financial Entities Must Implement Strong Authentication”

Under DORA, financial entities are explicitly required to implement strong authentication mechanisms. Article 4 of DORA introduces a principle of proportionality, encouraging entities to adjust security according to their size, risk profile, and the complexity of services provided. Larger organizations with higher risk profiles are expected to implement more advanced security measures, while smaller entities may implement proportionate safeguards.

DORA grants each organization some flexibility in defining its security approach. However, national financial supervisory commissions will ultimately determine compliance through inspections, making it essential for organizations to adopt MFA and other strong security controls in alignment with DORA’s expectations.

Who is responsible for complying with NIS2 and DORA

NIS2’s Broader Approach to Cybersecurity

Under NIS2, organizations across key sectors must adopt cyber hygiene practices and establish a zero-trust framework. Required practices include regular software updates, secure device configurations, network segmentation, identity and access management (IAM), and extensive user awareness training. NIS2 also encourages organizations to use advanced security technologies like AI or machine learning to strengthen defenses against cyber threats.

Within this framework, MFA is recognized as a core security measure, forming the foundation for comprehensive protection. MFA, by requiring multiple verification factors, ensures only authorized users access sensitive applications and systems.

Do You Serve Banks or Insurers? You Need DORA Compliance – Secure Your Future Now!

What is Strong Authentication, and How Can Organizations Implement It?

DORA and NIS2 make it clear that companies in critical sectors must adopt strong authentication mechanisms. MFA provides this by requiring at least two factors to verify a user’s identity, which can include:

  • Knowledge factors: Something the user knows, like a password or PIN.
  • Possession factors: Something the user has, such as a security token or mobile device.
  • Inherence factors: Something the user is, including biometrics like fingerprints or facial recognition.

To support compliance, organizations may consider solutions like the User Access Security Broker from Secfense, which enables quick, no-code deployment of MFA across all applications, including legacy systems. With this approach, companies can implement MFA, including FIDO2 passkeys, without altering application code, achieving enterprise-wide coverage in days.

Do you know how the new Digital Operational Resilience Act (DORA) and The NIS2 (Network and Information Security) Directive regulations will affect the future of businesses in Europe

Deadlines for Compliance with DORA and NIS2

The deadlines for compliance are fast approaching: DORA goes into effect on January 17, 2025, and NIS2 on October 17, 2024. Organizations that proactively assess and upgrade their security systems, policies, and technologies now will be best positioned to meet these regulations, while enhancing their cybersecurity resilience.

For further information on DORA and NIS2 requirements, access our comprehensive e-book, “Analysis of DORA and NIS2 Regulations in the Context of EU Cybersecurity”. This report, developed with Law4Tech Foundation, provides in-depth guidance on compliance measures.

Need-Help-with-DORA-Compliance-Schedule-a-Call-with-Kasper-Today-and-Get-Ready-Before-the-January-17-Deadline

Take the Next Step: Schedule a call with a Secfense expert to discuss how strong, passwordless MFA can help your organization comply with DORA and NIS2. Watch our webinar for practical insights on meeting regulatory requirements with scalable, secure MFA solutions.

Antoni takes care of all the marketing content that comes from Secfense. Read More

Featured Articles

Keep In Touch

Read More

How to implement 2FA without relying on mobile phones

Cybersecurity specialists working in enterprise environments are well aware of the importance of strong authentication methods like FIDO and passkeys. These technologies offer strong, phishing-resistant…
Avatar of Antoni Sikora Antoni Sikora

READ TIME 4 MIN

Managing Authentication in the Aviation

Why Does the Aviation Industry Face Authentication Challenges? The aviation industry comprises a complex network of airlines, airports, third-party suppliers, government agencies, and other stakeholders….
Avatar of Antoni Sikora Antoni Sikora

READ TIME 3 MIN

PSD3 Explained: Key Changes, Compliance Requirements, and How to Prepare

What is PSD3? PSD3 (Payment Services Directive 3) is the third iteration of the European Union directive regulating the payments services market. The main objective…
Avatar of Antoni Sikora Antoni Sikora

READ TIME 4 MIN

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.