Multi-factor authentication in the context of DORA and NIS2


At the beginning of 2023, two new regulations – DORA and NIS 2 – came into effect. Their goal is to enhance the cyber resilience of European companies. Although the regulations do not specify the exact tools that organizations should implement to increase their security, they contain provisions indicating the need to apply strong authentication mechanisms.

DORA (Regulation on the financial sector’s operational resilience) and NIS 2 (Directive on measures for a high common level of cybersecurity) discuss in broad terms how to secure corporate resources. They do, however, require the use of appropriate strategies, policies, procedures, protocols, and ICT tools that secure systems, applications, and databases, in particular by preventing unauthorized access.

Which security tools should be used? Together with experts from the Law4Tech Foundation, we analyzed the content of both documents. It turns out that both DORA and NIS 2 indicate multi-factor authentication (MFA) mechanisms as a crucial security tool in organizations.


DORA: “Financial entities implement strong authentication mechanisms.”

The message of the DORA regulation is clear. It contains an unequivocal statement: financial entities implement strong authentication mechanisms. Organizations should have no doubts about the interpretation of this provision – this regulation directly imposes on financial entities the obligation to implement strong authentication mechanisms, leaving no room for discretion.

Let’s add a few explanatory words. DORA, specifically Article 4, allows for differentiating ICT protection according to the principle of proportionality. In other words, financial entities should adjust the protection of their resources to their size, overall risk profile, and the nature, scale, and complexity of the services provided. Larger entities operating on a larger scale should have higher-level security than smaller organizations.

However, how do we distinguish organizations considered smaller from those considered larger? DORA does not provide clear answers. Each company must independently assess its size and scale of operations and then implement appropriate protective measures. Will it do it correctly? The Financial Supervision Commission in each country should decide this during inspections.

It can be assumed that as DORA is applied, further interpretations of the regulation will be issued by the national commissions. However, one should not expect the requirement to use strong authentication mechanisms to be abandoned. It is in line with the current recommendations of national supervisory institutions. Already in October 2022, the Financial Supervision Commission of one of the EU members emphasized in one of its letters that “the lack of strong, multi-factor customer authentication is an unacceptable risk.” In the opinion of the lawyers we consulted, there should be no doubt about the position of the national supervisory body on this matter.


NIS 2: The basis is the implementation of appropriate security measures

The NIS 2 Directive imposes on key and important entities the obligation to introduce basic cyber hygiene practices. These include the zero-trust principle, regular software updates, proper device configuration, network segmentation, identity and access management, user awareness, employee training, and spreading knowledge about cyber threats, phishing, and social engineering techniques.

According to NIS 2, organizations should independently assess their cybersecurity capabilities and, where appropriate, implement suitable security technologies, such as systems based on artificial intelligence (AI) or machine learning (ML), to enhance their ability to protect against cybercriminals.

There’s no denying it – these are far-reaching requirements and recommendations. Therefore, if AI or ML-based solutions are to become standard in companies, strong authentication mechanisms should be recognized as a basic protective mechanism and form the foundation of the cybersecurity ecosystem in the organization.

What is strong authentication, and how to implement it quickly?

The regulations leave no doubt – financial sector companies and organizations operating in areas considered key and important for the economy and society will have to apply strong authentication mechanisms. Strong, i.e., requiring at least two elements confirming the user’s identity. Why is this so important?

Multi-factor authentication (MFA) is one of the best ways to protect against phishing, social engineering, and credential theft. It enhances the security of the login process by requiring the use of at least two independent authentication components. A component can be something a person knows (knowledge component), something a person has (possession component), or something a person is (characteristic component).

  • Knowledge components include, among others, lock patterns, passwords, PIN codes, and personal questions, such as a mother’s maiden name.
  • Possession components are physical objects, including cryptographic keys or local authenticators (e.g., smartphones).
  • Characteristic components are based on biometric data, including facial recognition, fingerprint lines, and voice.

If an organization wants to improve the security of its applications, it can add more components or use more advanced authentication methods.

Many MFA solutions are on the market, so companies have a choice. One option is the User Access Security Broker solution, which allows you to implement MFA on any application in 5 minutes and introduce MFA throughout the organization in 7 to 14 days. The technology allows the implementation of any MFA method, including FIDO2 or passkeys, the most effective methods today, on any application without interfering with its code.

DORA starts to apply on January 17, 2025. The deadline for implementing NIS 2 is October 17, 2024. There is less and less time to adapt to the new regulations. Companies that now analyze their situation, security systems, procedures, and strategies and introduce the required technologies and policies will not only be able to look to the future with peace of mind but also effectively fight the increasing attacks of cybercriminals.

More information about the obligations imposed on companies by the new regulations can be found in the free e-book “Analysis of DORA and NIS2 regulations in the context of cybersecurity of enterprises in the EU”, prepared based on an independent report by the Law4Tech Foundation.

Antoni takes care of all the marketing content that comes from Secfense.
