NIS2 compliance

NIS2 asks for MFA by name. Start there.

The NIS2 Directive explicitly lists multi-factor authentication and access control policies among its required cybersecurity measures — with management personally accountable. Monofor enforces those controls across your estate and produces the evidence your national authority will ask for.

Where NIS2 meets identity

NIS2 (Directive (EU) 2022/2555) widened EU cybersecurity regulation to thousands of "essential" and "important" entities — energy, transport, health, digital infrastructure, manufacturing, public administration, and more — with member-state laws applying from October 2024. Article 21 lists the minimum measures every entity must take, and identity appears by name: access control policies, multi-factor or continuous authentication solutions, and human resources security.

Unlike its predecessor, NIS2 puts management bodies personally on the hook for approving and overseeing these measures, with fines up to 2% of global turnover for essential entities. That changes the conversation: boards now need controls that are demonstrably in place — enforced by systems and documented by logs, not described in policy documents.

Requirement → Monofor

Measure to control, mapped.

Article 21(2) measures with an identity dimension, and the Monofor capability that enforces each one.

Requirement
Multi-factor authentication (Art. 21(2)(j))

NIS2 explicitly requires MFA or continuous authentication solutions where appropriate.

How Monofor helps

Monosign enforces MFA on every login — TOTP, push, SMS, and phishing-resistant FIDO2 passkeys — with adaptive step-up when risk signals such as new devices or unusual locations appear.

Monosign MFA
Requirement
Access control policies (Art. 21(2)(i))

Policies on access control and asset management are a named minimum measure.

How Monofor helps

Centralized SSO puts every application behind one policy point; conditional access rules enforce who connects from where, on which device, at what time — and log every decision.

Monosign
Requirement
Human resources security (Art. 21(2)(i))

Access must track the employment lifecycle — especially departures.

How Monofor helps

Joiner-mover-leaver automation provisions access on day one and revokes everything the day someone leaves, with directory sync keeping HR, AD, and applications consistent.

Monosync
Requirement
Privileged & administrative access

Admin access to essential services is the path incident reports keep finding.

How Monofor helps

Monopam vaults privileged credentials, requires approval for elevation, limits it to time-bound windows, and records every session — video plus keystrokes — for incident reconstruction.

Monopam
Requirement
Supply chain security (Art. 21(2)(d))

Entities must manage the security of supplier and service-provider access.

How Monofor helps

Vendors and partners get time-bound, recorded, approval-gated access through the same privileged gateway as employees — no standing VPN accounts or shared logins in your supply chain.

External & partner access
Requirement
Incident handling & reporting (Arts. 21, 23)

A 24-hour early-warning window assumes you can reconstruct access fast.

How Monofor helps

Tamper-evident authentication logs, entitlement history, and session recordings feed your SIEM and give incident teams the who-what-when within the reporting deadline.

Monosync Governance
This page is general product information, not legal or compliance advice. Work with your legal and audit teams to determine how the framework applies to your organization.

Dünya genelinde kurumsal şirketlerin tercihi

50M+

güvence altındaki kimlik

7,000+

kurumsal entegrasyon

40+

ülke

Ziraat Bankası
IGA Istanbul Airport
McDonald's
Saudi Telecom Company
Odeabank
Godiva
United Biscuits
Fenerbahçe Sports Club
FAQ

Common questions

Does NIS2 apply to us?
NIS2 covers "essential" and "important" entities across 18 sectors — from energy, transport, banking infrastructure, and health to digital providers, manufacturing of critical products, and public administration — generally organizations with 50+ employees or €10M+ turnover in those sectors, with some size-independent inclusions. Scope is set by each member state’s transposition, so confirm with legal counsel.
Does deploying Monofor make us NIS2 compliant?
No single product achieves NIS2 compliance — the directive also covers risk analysis, business continuity, crisis management, and training. Monofor implements the identity-related Article 21 measures (MFA, access control, privileged and supplier access) and documents them, which addresses several of the named minimum measures directly.
Why does management accountability change anything?
Because NIS2 makes management bodies approve and oversee cybersecurity measures — with personal liability. Enforced, logged controls that can be demonstrated in one report are much easier to stand behind than policy PDFs. That is precisely what an identity platform provides.
We already work on DORA. Is NIS2 extra work?
They overlap heavily on identity controls — financial entities in DORA scope are largely carved out of NIS2, while their ICT suppliers may face both. The same Monofor controls and evidence serve both frameworks; see our DORA page for that mapping.

Kimlikleri doğru şekilde
yönetmeye hazır mısınız?

Beş dakikadan kısa sürede tam donanımlı bir deneme ortamı kurun. Kredi kartı yok, satış engeli yok.