
NIS2, passwords, and MFA: Everything you need to know
MFA and password security are key considerations in several regulatory frameworks, and NIS2 is no different. The NIS2 Directive is an important piece of legislation for anyone working in cybersecurity across the European Union. The latest updates to the NIS2 (Network and Information Systems) regulations were published in the Official Journal of the European Union on December 19, 2022, and they entered into force on January 17, 2023. These updates aim to strengthen the security of network and information systems across the EU and apply to a broader range of entities, including digital service providers and essential services.
An evolution of the original Network and Information Systems (NIS) Directive, NIS2 expands its reach and tightens its requirements, reflecting the increasing sophistication and frequency of cyber threats. We’ll take a look at what NIS2 means for your cybersecurity practices, with a focus on password security and MFA.
What is NIS2?
The NIS2 Directive is a regulatory framework within the European Union designed to enhance the overall level of cybersecurity across member states. The directive includes provisions for significant incident reporting, information sharing, and cooperation among national authorities. It also sets out a range of administrative fines for non-compliance, aiming to ensure that both public and private sector organizations take their cybersecurity obligations seriously.
The goal of NIS2 is to provide a high common level of cybersecurity across the European Union, protecting essential services and the digital economy from the growing threat of cyber-attacks. MFA and password security are key parts of this.
What is the difference between NIS and NIS2?
The original NIS Directive, adopted in 2016, was the first piece of EU-wide legislation on cybersecurity. NIS2 aims to address the limitations and gaps identified in the original directive by expanding its scope to cover more sectors and types of entities, enforcing stricter security measures, and enhancing the management of cybersecurity risks.
The key driver behind strengthening the directive is a far more menacing cyber threat landscape. Less than 10 years ago, in 2016, attacks like ransomware were rarer and significantly less costly for companies. To put it into context, global cybercrime damages were estimated at $3 trillion in 2015 but are estimated to reach $10.5 trillion by the end of 2025.
The three main changes to NIS2 compared to NIS are:
- NIS2 extends the scope to new economic sectors that play important roles in modern digital ecosystems.
- NIS2 removes implementation inconsistencies by clarifying the security, incident reporting, and enforcement requirements that apply to all organizations.
- It establishes planning, crisis management, and increased collaboration between member states in the event of large-scale cybersecurity incidents.
Do I need to change anything regarding passwords or MFA for 2025?
There are no immediate updates to be aware of for 2025. The NIS2 Directive was officially adopted by the European Parliament and the Council in November 2022. Member states were required to transpose the directive into national law within 21 months from its entry into force, so the directive came into full effect across the EU in mid-2024. In other words, organizations already need to be compliant.
How do NIS2 regulations impact password security?
The NIS2 Directive, with its focus on strengthening cybersecurity across the EU, implicitly emphasizes the importance of robust password security as part of an organization’s cybersecurity measures. While the directive may not specify detailed requirements solely about password security, achieving NIS2 compliance requires entities to adopt appropriate and proportionate technical and organizational measures to manage risks to network and information systems security.
This includes practices related to securing access control, which directly involves password management. Here’s a breakdown of how you can meet the NIS2 password requirements:
Strong password policies
NIS2 places a strong emphasis on the implementation of effective access control mechanisms. The enforcement of strong, secure password policies is vital to comply with this. Organizations are expected to ensure that passwords are difficult to guess, regularly updated, and resistant to common attack techniques. A robust password policy should also include guidelines on password length, complexity, and expiration periods.
To help comply with these requirements, tools such as Specops Password Policy can be used to both enforce strong policies and check for known compromised passwords in a user-friendly way.
User education and training
Part of managing cybersecurity risk involves training users on the importance of strong passwords and secure authentication practices. Effective training should cover the risks of password reuse across multiple accounts, the importance of creating unique and complex passwords, and the value of using password managers to safely store credentials.
For example, encouraging the use of passphrases (long, memorable phrases that are harder to crack than traditional passwords) is a practical way to help users adopt better habits without sacrificing usability.
Auditing and compliance checks
Regular audits and compliance checks are essential for ensuring that password policies are properly enforced and aligned with the security objectives outlined in the NIS2 Directive. These evaluations help identify weaknesses in password hygiene, detect non-compliant accounts, and uncover practices that could expose the organization to credential-based attacks.
Interested in giving your Active Directory a health check? Specops Password Auditor runs a read-only scan of your Active Directory and gives an exportable report detailing your password-related vulnerabilities – download your free tool here.
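The two sections above describe a policy (length, complexity, expiration, a check against known compromised passwords) and an audit that finds non-compliant accounts without ever handling plaintext. The following is an added illustration of both, written for this page; it is not Specops code and not a transcription of any directive text. The thresholds, the compromised-password list and the sample accounts are all constructed here, and the choice to waive character-class rules for long passphrases is an assumption of the example.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (an assumption for this example, not values
# taken from the directive or from any Specops product).
MIN_LENGTH = 14          # minimum length for any password
PASSPHRASE_LENGTH = 20   # at this length or more, character-class rules are waived
MAX_AGE_DAYS = 365       # "regularly updated": flag passwords older than this

# Constructed compromised-password list. It is stored as SHA-1 digests, the way
# breach corpora are usually distributed, so no plaintext has to be kept.
_COMPROMISED_SAMPLE = ["Password123!", "Summer2024!", "Welcome1234567!"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMPROMISED_SAMPLE
}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the lookup key into the compromised set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_compromised(password: str) -> bool:
    """True when the password appears in the known-compromised list."""
    return sha1_hex(password) in COMPROMISED_SHA1


def check_password(password: str, username: str = "") -> list[str]:
    """Return every policy violation found; an empty list means the password complies."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) < PASSPHRASE_LENGTH:
        # Complexity rule: at least three of the four character classes,
        # unless the password is long enough to count as a passphrase.
        classes = sum(
            bool(re.search(pattern, password))
            for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        )
        if classes < 3:
            problems.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_compromised(password):
        problems.append("appears in the compromised-password list")
    return problems


@dataclass
class Account:
    """One directory account as a read-only audit sees it (a hash only, never plaintext)."""
    name: str
    password_last_set: date
    never_expires: bool
    password_sha1: str


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each non-compliant account name to its findings; compliant accounts are omitted."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        age = (today - acct.password_last_set).days
        if age > MAX_AGE_DAYS:
            issues.append(f"password is {age} days old (limit {MAX_AGE_DAYS})")
        if acct.never_expires:
            issues.append("password is set to never expire")
        if acct.password_sha1.upper() in COMPROMISED_SHA1:
            issues.append("password hash matches the compromised-password list")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample accounts for a demonstration audit dated 1 July 2025.
AUDIT_DATE = date(2025, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2025, 3, 1), False, sha1_hex("correct horse battery staple")),
    Account("bob", date(2023, 1, 15), True, sha1_hex("Summer2024!")),
    Account("svc_backup", date(2024, 2, 1), True, sha1_hex("Zebra-Quilt-Mango-77")),
]

if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple", "jsmith-2024-password"):
        print(f"{candidate!r}: {check_password(candidate, username='jsmith') or 'compliant'}")
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(name, "->", "; ".join(issues))
```

The audit works purely on hashes and dates, which is what makes a read-only scan acceptable: the directory is never asked for, and the report never contains, a plaintext password. A real deployment would replace `SAMPLE_ACCOUNTS` with records pulled from the directory and `COMPROMISED_SHA1` with a maintained breach corpus.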
Securing password resets
Under NIS2, organizations must ensure that identity and access management processes, including password resets, are resilient against unauthorized access. This means implementing secure methods for verifying a user’s identity during a reset. Traditional helpdesk-driven password resets can pose security and compliance risks, especially if verification steps are weak or inconsistent.
Specops uReset offers a way for end users to reset their own passwords, while staying secure and compliant with NIS2 recommendations. uReset allows users to verify their identity via a range of flexible MFA options, including Duo Security, Google Authenticator, Microsoft Authenticator, Okta, PingID, Symantec VIP, and YubiKey. Multiple authentication options guarantee users will complete the password-reset task, even if an identity provider is unavailable.
By reducing dependency on service desks and securing the reset process, organizations can better meet NIS2’s expectations for robust access controls and incident prevention.
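To make the "verify identity before touching the password" ordering concrete, here is an added example of a self-service reset gated by an authenticator-app code. It is illustration written for this page, not uReset or any other Specops code, and it makes these assumptions: the second factor is RFC 6238 TOTP (SHA-1, 30-second steps, a one-step skew window), the user store is an in-memory dictionary constructed here, and the secret is the RFC 6238 test-vector key so the generated codes can be checked against published values. Beyond what the paragraph states, it also shows the controls a reset endpoint needs so it does not become an attack surface itself: one generic failure message, a lockout after repeated bad codes, and rejection of a code that has already been accepted once.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
MAX_FAILED = 5      # lock the reset flow after this many bad codes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def matched_counter(secret: bytes, code: str, unix_time: int, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code matches (allowing +/- window steps of
    clock skew), or None. Constant-time comparison avoids leaking matching prefixes."""
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash for storage; the iteration count is a constructed choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed in-memory user store. The TOTP secret is the RFC 6238 test-vector key,
# used here only so the codes can be checked against published values.
USERS = {
    "alice": {
        "totp_secret": b"12345678901234567890",
        "salt": b"constructed-salt",
        "password_hash": _hash_password("Old-Passphrase-Of-Alice-2024", b"constructed-salt"),
        "failed_resets": 0,
        "last_totp_counter": -1,   # blocks replay of a code that was already accepted
    }
}


def verify_password(username: str, password: str) -> bool:
    """Normal logon check against the stored salted hash."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["password_hash"])


def self_service_reset(username: str, code: str, new_password: str,
                       now: Optional[int] = None, min_length: int = 14) -> tuple[bool, str]:
    """Prove identity with the second factor first; only then touch the password."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    # One generic answer for unknown users, locked accounts and wrong codes, so the
    # reset endpoint neither confirms which usernames exist nor allows code guessing.
    if user is None or user["failed_resets"] >= MAX_FAILED:
        return False, "verification failed"
    counter = matched_counter(user["totp_secret"], code, now)
    if counter is None or counter <= user["last_totp_counter"]:
        user["failed_resets"] += 1
        return False, "verification failed"
    user["failed_resets"] = 0
    user["last_totp_counter"] = counter
    if len(new_password) < min_length:
        return False, f"new password must be at least {min_length} characters"
    user["salt"] = os.urandom(16)
    user["password_hash"] = _hash_password(new_password, user["salt"])
    return True, "password reset"
```

Policy feedback on the new password (here only a length check, to keep the block short) is given only after the factor has been verified, so an unauthenticated caller learns nothing from the endpoint except "verification failed". A production flow would also log each attempt for detection and keep the lockout counter in durable storage rather than in process memory.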
Multi-factor authentication (MFA)
MFA plays a significant role in the directive. It provides an additional layer of security that a threat actor still has to defeat after a password has been compromised. MFA is an important topic in the context of NIS2 and it’s worth exploring in more detail.
What are the NIS2 MFA requirements?
The NIS2 Directive highlights multi-factor authentication as a fundamental security measure that organizations should implement to enhance their cybersecurity capabilities. MFA is crucial for building a layered defense against threats including phishing and social engineering attacks, which are common methods for stealing user credentials.
This is key for supporting the NIS2 Directive’s aim to ensure that organizations operating in critical sectors have robust defenses against unauthorized access, thereby safeguarding important data and systems that are essential for the functioning of society and the economy.
MFA adoption supports compliance with the NIS2 Directive’s push for following state-of-the-art security practices, but is widely recognized as a best practice among other cybersecurity regulations and guidelines too. Organizations subject to the NIS2 Directive should strongly consider integrating MFA into their cybersecurity frameworks if they haven’t already done so. This not only aids in compliance but also significantly bolsters their security posture against increasingly sophisticated cyber threats.
Ensure NIS2 compliance with Specops Secure Access
Specops Secure Access provides essential multi-factor authentication (MFA) for Windows logon, MFA for RDP connections, and MFA for VPN connections, safeguarding against password attacks and unauthorized access.
With support for offline authentication, it ensures continuous protection even in challenging network conditions. Learn how Specops Secure Access can help you meet NIS2 requirements.
Frequently Asked Questions about NIS2
What is the NIS2 Directive?
The NIS2 Directive is an EU-wide legislation aimed at strengthening cybersecurity and resilience across essential and important sectors. It builds on the original NIS Directive by expanding its scope to cover more sectors and types of entities, enforcing stricter security measures, and enhancing the management of cybersecurity risks.
What does NIS2 stand for?
NIS2 stands for the Network and Information Security Directive 2. This is the second iteration of the EU’s cybersecurity directive, replacing the original NIS Directive from 2016.
Who does NIS2 apply to?
NIS2 applies to a broad range of entities across critical and important sectors, including energy, transport, healthcare, digital service providers, finance, public administration, and more.
Does NIS2 apply to the UK?
No, the NIS2 Directive does not directly apply to the UK, as it is an EU regulation and the UK hasn’t been a member of the European Union since 2020. However, UK-based companies that offer services within the EU may still need to comply with NIS2. Additionally, the UK’s Cyber Security and Resilience Bill, which will be introduced to Parliament in 2025, covers many of the same requirements as NIS2.
Is NIS2 compliance mandatory?
Yes, NIS2 compliance is mandatory for all entities within its scope. Organizations that don’t achieve NIS2 compliance may face significant penalties, including fines and other potential legal consequences.
(Last updated on July 1, 2025)