NIS2 asks for MFA by name. Start there.
The NIS2 Directive explicitly lists multi-factor authentication and access control policies among its required cybersecurity measures — with management personally accountable. Monofor enforces those controls across your estate and produces the evidence your national authority will ask for.
Where NIS2 meets identity
NIS2 (Directive (EU) 2022/2555) widened EU cybersecurity regulation to thousands of "essential" and "important" entities — energy, transport, health, digital infrastructure, manufacturing, public administration, and more — with member-state laws applying from October 2024. Article 21 lists the minimum measures every entity must take, and identity appears by name: access control policies, multi-factor or continuous authentication solutions, and human resources security.
Unlike its predecessor, NIS2 puts management bodies personally on the hook for approving and overseeing these measures, with fines up to 2% of global turnover for essential entities. That changes the conversation: boards now need controls that are demonstrably in place — enforced by systems and documented by logs, not described in policy documents.
Measure to control, mapped.
Article 21(2) measures with an identity dimension, and the Monofor capability that enforces each one.
NIS2 explicitly requires MFA or continuous authentication solutions where appropriate.
Monosign enforces MFA on every login — TOTP, push, SMS, and phishing-resistant FIDO2 passkeys — with adaptive step-up when risk signals such as new devices or unusual locations appear.
Monosign MFAPolicies on access control and asset management are a named minimum measure.
Centralized SSO puts every application behind one policy point; conditional access rules enforce who connects from where, on which device, at what time — and log every decision.
MonosignAccess must track the employment lifecycle — especially departures.
Joiner-mover-leaver automation provisions access on day one and revokes everything the day someone leaves, with directory sync keeping HR, AD, and applications consistent.
MonosyncAdmin access to essential services is the path incident reports keep finding.
Monopam vaults privileged credentials, requires approval for elevation, limits it to time-bound windows, and records every session — video plus keystrokes — for incident reconstruction.
MonopamEntities must manage the security of supplier and service-provider access.
Vendors and partners get time-bound, recorded, approval-gated access through the same privileged gateway as employees — no standing VPN accounts or shared logins in your supply chain.
External & partner accessA 24-hour early-warning window assumes you can reconstruct access fast.
Tamper-evident authentication logs, entitlement history, and session recordings feed your SIEM and give incident teams the who-what-when within the reporting deadline.
Monosync GovernanceTrusted by enterprises worldwide
identities secured
enterprise integrations
countries
Common questions
- Does NIS2 apply to us?
- NIS2 covers "essential" and "important" entities across 18 sectors — from energy, transport, banking infrastructure, and health to digital providers, manufacturing of critical products, and public administration — generally organizations with 50+ employees or €10M+ turnover in those sectors, with some size-independent inclusions. Scope is set by each member state’s transposition, so confirm with legal counsel.
- Does deploying Monofor make us NIS2 compliant?
- No single product achieves NIS2 compliance — the directive also covers risk analysis, business continuity, crisis management, and training. Monofor implements the identity-related Article 21 measures (MFA, access control, privileged and supplier access) and documents them, which addresses several of the named minimum measures directly.
- Why does management accountability change anything?
- Because NIS2 makes management bodies approve and oversee cybersecurity measures — with personal liability. Enforced, logged controls that can be demonstrated in one report are much easier to stand behind than policy PDFs. That is precisely what an identity platform provides.
- We already work on DORA. Is NIS2 extra work?
- They overlap heavily on identity controls — financial entities in DORA scope are largely carved out of NIS2, while their ICT suppliers may face both. The same Monofor controls and evidence serve both frameworks; see our DORA page for that mapping.
Ready to start managing
identities the right way?
Spin up a fully-loaded trial tenant in under five minutes. No credit card. No sales gate.