Multi-factor authentication under NIS2 : requirements and implementation for regulated entities
Vartiainen, Riku (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025052214490
https://urn.fi/URN:NBN:fi:amk-2025052214490
Tiivistelmä
This report aims to consolidate information relating to the European Union’s NIS2 Directive and its implications to the use of multi-factor authentication. The research is done by qualitative approach, with secondary research done on relating directives and guidelines set by industry standards bodies. Also, opinion pieces from reputable industry sources are assessed to analyse discourse on the topic. Key findings highlight the directive's emphasis on strong authentication measures, though it’s ambiguity leaves room for interpretation regarding specific implementations.
The report includes an introduction where the relevance, the research background and objectives are introduced. The research methods and sources are classified and identified on a higher level in this chapter. Lastly, the limitations of this research are addressed. The recently ratified NIS2 regulation aims to bring the European Union member countries cybersecurity up to date, expanding on the previous NIS directive. This means that the regulated parties face demands to overhaul their authentication practices.
To help the reader form a more specific picture of multi-factor authentication, reports by reputable industry sources and academic research are analysed. This helps build a better understanding of the underlying mechanics and decision making when picking a solution for multi-factor authentication. After the foundational knowledge base is built, the research reflects different common multi-factor authentication solutions to the NIS2 requirements. The research identifies that SMS OTPs are in most cases too weak to fulfil the requirements set by the directive, and passkeys are highlighted as the solution for future proofing and compliance.
Ultimately, the thesis provides actionable insights for regulated entities to align their multi-factor authentication strategies with NIS2 requirements, balancing security, usability, and compliance. The findings advocate for future-proof solutions like FIDO2 passkeys, which are resilient against phishing and align with evolving standards alongside the future of a more unified European Union IT infrastructure.
The report includes an introduction where the relevance, the research background and objectives are introduced. The research methods and sources are classified and identified on a higher level in this chapter. Lastly, the limitations of this research are addressed. The recently ratified NIS2 regulation aims to bring the European Union member countries cybersecurity up to date, expanding on the previous NIS directive. This means that the regulated parties face demands to overhaul their authentication practices.
To help the reader form a more specific picture of multi-factor authentication, reports by reputable industry sources and academic research are analysed. This helps build a better understanding of the underlying mechanics and decision making when picking a solution for multi-factor authentication. After the foundational knowledge base is built, the research reflects different common multi-factor authentication solutions to the NIS2 requirements. The research identifies that SMS OTPs are in most cases too weak to fulfil the requirements set by the directive, and passkeys are highlighted as the solution for future proofing and compliance.
Ultimately, the thesis provides actionable insights for regulated entities to align their multi-factor authentication strategies with NIS2 requirements, balancing security, usability, and compliance. The findings advocate for future-proof solutions like FIDO2 passkeys, which are resilient against phishing and align with evolving standards alongside the future of a more unified European Union IT infrastructure.