NIS2 MFA, Encryption, and Network Security Requirements
Group COO & CISO
Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

NIS2 gets specific about technical controls. Article 21(2)(h) through (j) mandates encryption policies, multi-factor authentication, and secure communication channels (Directive 2022/2555, 2022). According to ENISA (2024), these technical requirements represent the minimum acceptable baseline, and EU entities are expected to implement measures proportionate to their risk profile. For Indian IT companies supporting EU clients, understanding the specific technical expectations prevents audit failures.
Key Takeaways
- NIS2 Article 21(2)(h-j) mandates encryption, MFA, and secure communications
- MFA is required for all critical system access, not just remote access
- Encryption must cover data at rest and in transit with current algorithms
- 81% of hacking-related breaches involve stolen or weak credentials (Verizon DBIR, 2024)
- Technical controls are the most auditable NIS2 requirements
What MFA Requirements Does NIS2 Specify?
Article 21(2)(j) requires "the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems" (Directive 2022/2555, 2022). According to the Verizon Data Breach Investigations Report (2024), 81% of hacking-related breaches involved stolen or weak credentials, making MFA the most impactful single control for NIS2 compliance.
Where MFA Must Be Implemented
NIS2 doesn't limit MFA to specific access types. Best practice, aligned with ENISA guidance, requires MFA for:
- All remote access to corporate networks and systems
- Administrative and privileged access to servers, databases, and network equipment
- Cloud service console access for AWS, Azure, GCP management
- Email access from non-corporate devices
- VPN connections from any device
- Access to systems processing EU client data regardless of location
- Third-party access by contractors, consultants, and temporary staff
Acceptable MFA Methods
NIS2 doesn't prescribe specific MFA technologies, but ENISA guidance favours phishing-resistant methods:
Tier 1 (Strongest):
- FIDO2/WebAuthn hardware security keys
- Platform authenticators (Windows Hello, Apple Touch/Face ID)
Tier 2 (Acceptable):
- TOTP authenticator apps (Google Authenticator, Microsoft Authenticator)
- Push notification authentication with number matching
Tier 3 (Discouraged but still MFA):
- SMS-based OTP (vulnerable to SIM swapping)
- Email-based OTP (vulnerable to email compromise)
Implementation Guidance for Indian IT Companies
Deploy MFA using your identity provider (Azure Entra ID, Okta, or equivalent). Start with privileged access and expand to all access types. Target 100% MFA coverage for any system touching EU client data or infrastructure.
In our assessments of Indian IT companies, MFA coverage averages 67% of systems, typically covering VPN and email but missing database access, cloud console access, and internal application access. Closing these gaps is a high-priority NIS2 remediation item.
Citation capsule: NIS2 Article 21(2)(j) mandates multi-factor authentication for entity access controls, addressing the 81% of hacking-related breaches that involve stolen or weak credentials (Verizon DBIR, 2024), with ENISA guidance favouring phishing-resistant methods like FIDO2.
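The "audit your MFA coverage" step, worked as an added example (not code from the article or from any identity provider): it scores a constructed inventory of access points against the three tiers above, reports coverage as a percentage, and lists uncovered access points with EU-client-data systems first. The system names and the inventory layout are assumptions.

```python
# MFA method tiers as the article lists them (tier 3 counts as MFA but is discouraged).
TIER_OF_METHOD = {
    "fido2": 1, "platform_authenticator": 1,
    "totp": 2, "push_number_matching": 2,
    "sms_otp": 3, "email_otp": 3,
}

# Constructed inventory of access points (hypothetical names, not real systems):
# (access point, access type, MFA method or None, touches EU client data?)
INVENTORY = [
    ("corp-vpn",      "remote",        "totp",                 True),
    ("o365-mail",     "email",         "push_number_matching", True),
    ("aws-console",   "cloud-console", None,                   True),
    ("prod-postgres", "database",      None,                   True),
    ("hr-portal",     "internal-app",  "sms_otp",              False),
    ("jenkins-admin", "privileged",    "fido2",                True),
]

def audit_mfa(inventory):
    """Return coverage percentage, uncovered access points and tier-3 methods to upgrade."""
    covered, gaps, tier3 = 0, [], []
    for name, access_type, method, eu_data in inventory:
        if method is None:
            gaps.append((name, access_type, eu_data))
            continue
        if method not in TIER_OF_METHOD:
            raise ValueError(f"{name}: unknown MFA method {method!r}")
        covered += 1
        if TIER_OF_METHOD[method] == 3:
            tier3.append((name, method))
    # Access points touching EU client data come first: those are the audit-critical gaps.
    gaps.sort(key=lambda g: (not g[2], g[0]))
    coverage_pct = round(100 * covered / len(inventory)) if inventory else 0
    return {"coverage_pct": coverage_pct, "gaps": gaps, "tier3": tier3}

if __name__ == "__main__":
    report = audit_mfa(INVENTORY)
    print(f"MFA coverage: {report['coverage_pct']}%")
    for name, access_type, eu_data in report["gaps"]:
        print(f"  GAP  {name} ({access_type}){' [EU client data]' if eu_data else ''}")
    for name, method in report["tier3"]:
        print(f"  WEAK {name} uses {method}: move to tier 1 or 2")
```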
What Encryption Standards Does NIS2 Require?
Article 21(2)(h) requires "policies and procedures regarding the use of cryptography and, where appropriate, encryption" (Directive 2022/2555, 2022). According to the BSI (Germany's Federal Office for Information Security, 2024), acceptable encryption standards for NIS2 compliance include AES-256 for symmetric encryption and RSA-2048 or longer, or ECDSA, for asymmetric operations.
Data at Rest Encryption
All data stores containing EU client data must be encrypted:
- Database encryption: AES-256 transparent data encryption (TDE) for SQL databases
- Storage encryption: AES-256 for cloud storage (S3, Azure Blob, etc.)
- Disk encryption: BitLocker, LUKS, or cloud-native encryption for all volumes
- Backup encryption: All backup media encrypted with separate key management
- Endpoint encryption: Full disk encryption on all laptops and workstations
Data in Transit Encryption
All network communications must use current encryption standards:
- TLS 1.2 minimum for all HTTPS, API, and email communications
- TLS 1.3 preferred where supported by all endpoints
- Disable TLS 1.0 and 1.1 completely
- IPsec or WireGuard for site-to-site VPN connections
- SSH with key-based authentication for administrative access
Key Management
Encryption is only as strong as key management:
- Customer-managed keys for EU client data in cloud environments
- Key rotation at least annually, or more frequently for high-risk systems
- Key storage in HSMs or dedicated key management services (AWS KMS, Azure Key Vault)
- Key separation ensuring different keys for different clients and environments
- Key destruction procedures when keys are retired
Algorithms to Avoid
Deprecated or weak algorithms that will fail audits:
- DES and 3DES
- RC4
- MD5 for any security purpose
- SHA-1 for digital signatures
- RSA with key lengths below 2048 bits
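An added example (not from the article) that turns the data-in-transit rules and the algorithms-to-avoid list into a configuration check: it audits nginx-style `ssl_protocols` and `ssl_ciphers` directives, failing TLS 1.0/1.1 and any enabled RC4, DES/3DES or MD5 suite and warning when TLS 1.3 is absent. The two configurations are constructed; the check is lexical on the configured list, so `openssl ciphers -v` is still the way to see what the library actually resolves.

```python
import re

# Cipher-suite name fragments the article lists as audit failures. "DES" also matches 3DES
# names such as DES-CBC3-SHA; "AES" does not contain "DES", so AES suites are unaffected.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _directive(config, name):
    """Argument string of the first `name ...;` directive, quotes stripped, or None."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).strip().strip("\"'") if m else None

def audit_tls_config(config):
    """Return (severity, message) findings for an nginx-style TLS configuration."""
    findings = []
    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append(("warn", "ssl_protocols not set; the server default applies"))
    else:
        enabled = protocols.split()
        for p in enabled:
            if p in DEPRECATED_PROTOCOLS:
                findings.append(("fail", f"deprecated protocol enabled: {p}"))
        if not {"TLSv1.2", "TLSv1.3"} & set(enabled):
            findings.append(("fail", "neither TLS 1.2 nor TLS 1.3 is enabled"))
        elif "TLSv1.3" not in enabled:
            findings.append(("warn", "TLS 1.3 not enabled (preferred where supported)"))
    # Lexical check of the configured list. A trailing "-SHA" is the HMAC-SHA1 MAC of a
    # CBC suite, not a SHA-1 signature, so it is not flagged here.
    for token in (_directive(config, "ssl_ciphers") or "").split(":"):
        if not token or token[0] in "!-@":  # "!X"/"-X" remove suites, "@SECLEVEL" is an option
            continue
        if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(("fail", f"weak cipher suite enabled: {token}"))
    return findings

# Constructed configurations for illustration (not taken from any real server).
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL";
"""
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4:!3DES";
"""
```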
How Should Indian Companies Implement Network Security for NIS2?
NIS2 Article 21(2)(a) and (e) address network and information system security. According to NIST (2024), network segmentation reduces the blast radius of security incidents by an average of 65%, making it a foundational NIS2 control.
Network Segmentation
Separate network zones based on trust levels and data sensitivity:
- DMZ for internet-facing services
- Production zone for EU client workloads, isolated from other environments
- Development zone separated from production
- Management zone for administrative access and monitoring tools
- Guest/IoT zone isolated from all production systems
Firewall and Traffic Controls
- Deploy next-generation firewalls with application-layer inspection
- Implement default-deny policies allowing only explicitly approved traffic
- Enable intrusion detection/prevention systems (IDS/IPS)
- Log all firewall decisions for audit and forensic purposes
- Review firewall rules quarterly, removing unused rules
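An added example (not the article's own tooling) that checks an ordered firewall rule list against the zone design above: allow rules must match a permitted inter-zone flow, every rule must log its decision, and the list must end in a deny any-to-any rule so the policy is default-deny. The zone names follow the list above; the permitted-flow matrix, the rule format and both rule sets are assumptions constructed for illustration, with ports and services omitted.

```python
# Zones from the segmentation design above; anything else in a rule is unknown.
ZONES = {"internet", "dmz", "production", "development", "management", "guest_iot"}

# Inter-zone flows the design permits (a hypothetical policy matrix assumed by this example):
# the internet reaches only the DMZ, the DMZ reaches production, and only the management
# zone reaches the internal zones. Every other source/destination pair is denied.
ALLOWED_FLOWS = {
    ("internet", "dmz"), ("dmz", "production"),
    ("management", "dmz"), ("management", "production"), ("management", "development"),
}

def audit_rules(rules):
    """Check an ordered rule list (dicts with src, dst, action, log) against the zone policy."""
    findings = []
    for i, r in enumerate(rules, 1):
        for zone in (r["src"], r["dst"]):
            if zone != "any" and zone not in ZONES:
                findings.append(f"rule {i}: unknown zone {zone!r}")
        if r["action"] == "allow":
            if "any" in (r["src"], r["dst"]):
                findings.append(f"rule {i}: allow with 'any' source/destination bypasses segmentation")
            elif (r["src"], r["dst"]) not in ALLOWED_FLOWS:
                findings.append(f"rule {i}: {r['src']} -> {r['dst']} is not a permitted flow")
        if not r.get("log", False):  # every decision must be logged for audit and forensics
            findings.append(f"rule {i}: decision is not logged")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == last["dst"] == "any"):
        findings.append("no final deny any -> any rule: the policy is not default-deny")
    return findings

# Constructed rule sets (hypothetical; ports and services omitted for brevity).
WEAK_RULES = [
    {"src": "internet",    "dst": "dmz",        "action": "allow", "log": True},
    {"src": "development", "dst": "production", "action": "allow", "log": True},   # dev -> prod
    {"src": "guest_iot",   "dst": "production", "action": "allow", "log": False},  # IoT -> prod
    {"src": "any",         "dst": "any",        "action": "allow", "log": False},  # default allow
]
HARDENED_RULES = [
    {"src": "internet",   "dst": "dmz",        "action": "allow", "log": True},
    {"src": "dmz",        "dst": "production", "action": "allow", "log": True},
    {"src": "management", "dst": "production", "action": "allow", "log": True},
    {"src": "any",        "dst": "any",        "action": "deny",  "log": True},
]
```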
Vulnerability Management
- Scan external-facing systems weekly
- Scan internal systems monthly
- Patch critical vulnerabilities within 14 days
- Patch high vulnerabilities within 30 days
- Document exceptions with risk acceptance from management
Secure Communication Channels
NIS2 Article 21(2)(j) specifically mentions "secured voice, video and text communications." This means:
- Encrypted messaging platforms for internal communications about EU client matters
- Encrypted video conferencing for meetings involving sensitive information
- End-to-end encrypted channels for incident response communications
- Secure file transfer methods replacing unencrypted email attachments
[PERSONAL EXPERIENCE] The "secured emergency communication systems" requirement in Article 21(2)(j) often surprises Indian IT companies. During a security incident, your normal communication channels may be compromised. Establish an out-of-band communication system, like a dedicated encrypted messaging channel or satellite phone, for crisis management. It's a simple preparation step that demonstrates maturity during audits.
What Vulnerability Disclosure Requirements Does NIS2 Add?
NIS2 Article 12 establishes a coordinated vulnerability disclosure framework. According to ENISA (2024), entities must participate in coordinated vulnerability disclosure and maintain processes for receiving and addressing externally reported vulnerabilities.
Requirements for Indian IT Companies
- Publish a security contact (security.txt file on your website following RFC 9116)
- Define a vulnerability intake process for receiving reports from external researchers
- Triage and respond to reported vulnerabilities within defined timescales
- Coordinate disclosure with affected parties before public disclosure
- Track and remediate all confirmed vulnerabilities with documented timelines
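The security.txt item above, as an added example (not the article's or any project's code): a validator for an unsigned RFC 9116 file that checks the two required fields, that Contact values are `mailto:`, `tel:` or `https://` URIs as the RFC requires, that Expires and Preferred-Languages appear at most once, and that Expires is an RFC 3339 date-time that is still in the future but less than a year ahead, as the RFC recommends. The sample files and domain are constructed; an OpenPGP clear-signed file would need the signature armour stripped first.

```python
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # URI schemes RFC 9116 accepts for Contact

def parse_security_txt(text):
    fields = {}  # field name (lowercased) -> list of values, in file order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:  # blank, comment, other
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return problems found; an empty list means the file passes the RFC 9116 checks made here."""
    now = now or datetime.now(timezone.utc)
    f, problems = parse_security_txt(text), []
    if not f.get("contact"):
        problems.append("Contact is required (at least one)")
    for c in f.get("contact", []):
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {c}")
    for name in ("expires", "preferred-languages"):  # each may appear at most once
        if len(f.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")
    if "expires" not in f:
        problems.append("Expires is required")
        return problems
    value = f["expires"][0]
    if value[-1] in "zZ":  # RFC 3339 'Z' suffix; fromisoformat() before 3.11 wants +00:00
        value = value[:-1] + "+00:00"
    try:
        exp = datetime.fromisoformat(value)
    except ValueError:
        problems.append(f"Expires is not an ISO 8601 date-time: {f['expires'][0]}")
        return problems
    if exp.tzinfo is None:
        problems.append("Expires must carry a time zone offset (RFC 3339 date-time)")
    elif exp <= now:
        problems.append("Expires is in the past: the file is stale")
    elif exp > now + timedelta(days=365):
        problems.append("Expires should be less than a year in the future")
    return problems

# Constructed samples for a hypothetical domain (not a real security.txt).
GOOD = "Contact: mailto:security@example.com\nExpires: 2025-06-30T23:59:00.000Z\nPreferred-Languages: en, hi\nCanonical: https://example.com/.well-known/security.txt\n"
BAD = "Contact: security@example.com\nExpires: 2024-01-01T00:00:00Z\nPreferred-Languages: en\nPreferred-Languages: hi\n"
```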
Why This Matters
Traditional Indian IT companies often lack formal vulnerability disclosure processes. If a security researcher finds a flaw in your system, they need a clear way to report it. Without a published process, researchers may disclose publicly without giving you time to fix the issue.
[UNIQUE INSIGHT] Vulnerability disclosure is a cultural shift for many Indian IT organisations. The instinct is to view external vulnerability reports as threats rather than contributions. Companies that establish researcher-friendly disclosure programmes find and fix vulnerabilities faster and build trust with security-conscious EU clients.
Citation capsule: NIS2 Article 12 requires entities to maintain coordinated vulnerability disclosure processes, including published security contacts and intake procedures for external reports (ENISA, 2024), adding a requirement many Indian IT companies haven't historically addressed.
Frequently Asked Questions
Does NIS2 require specific MFA products or vendors?
No. NIS2 is technology-neutral. It requires multi-factor authentication but doesn't mandate specific products. Choose MFA solutions compatible with your identity infrastructure. Phishing-resistant methods (FIDO2, platform authenticators) are recommended by ENISA guidance but not strictly mandated.
Is TLS 1.2 sufficient for NIS2 compliance, or must we use TLS 1.3?
TLS 1.2 is currently acceptable for NIS2 compliance. TLS 1.3 is recommended where supported. ENISA and BSI guidance prioritise TLS 1.3 for new implementations. Ensure TLS 1.0 and 1.1 are completely disabled, as these are known to have vulnerabilities that would fail an audit.
How does NIS2 interact with India's encryption regulations?
India doesn't impose encryption restrictions on businesses in the same way some countries do. Indian companies can implement AES-256, TLS 1.3, and other current standards without regulatory conflict. CERT-In's requirements are complementary, not contradictory, to NIS2's encryption expectations.
Must Indian companies implement zero-trust architecture for NIS2?
NIS2 doesn't mandate zero-trust specifically, but its requirements for MFA, network segmentation, access control, and continuous authentication align closely with zero-trust principles. Adopting a zero-trust approach naturally satisfies multiple NIS2 technical requirements simultaneously.
What evidence do EU auditors want for technical control compliance?
Auditors want configuration evidence: screenshots of MFA enforcement policies, encryption configuration settings, firewall rule sets, vulnerability scan reports, and patch management records. Automated compliance tools (AWS Security Hub, Azure Defender for Cloud) can generate much of this evidence. Supplement with manual documentation of procedures and testing results.
Key Takeaways on NIS2 MFA, Encryption and Network Security
NIS2's technical requirements are specific and auditable. MFA must cover all critical access points, not just VPN. Encryption must use current algorithms with proper key management. Network security must include segmentation, monitoring, and vulnerability management.
For Indian IT companies, these technical controls are often the easiest NIS2 requirements to implement because they involve tools and configurations rather than organisational change. Start with MFA coverage expansion, then address encryption gaps, then strengthen network segmentation.
The technical controls are also the most frequently audited. EU clients and their auditors will verify MFA enforcement, encryption standards, and network architecture before examining softer requirements like policies and training.
Your next step: audit your current MFA coverage across all system access points and identify gaps.
For hands-on delivery in India, see NIS2 Compliance Guide — Complete Implementation Roadmap.
About the Author

Group COO & CISO at Opsio