As NIS2 requirements come into force across the EU, organisations operating in Hungary face increasing expectations to strengthen identity and access controls. One measure has become central to both compliance and cybersecurity readiness: multi-factor authentication (MFA), and specifically phishing-resistant MFA.
NIS2 shifts the focus from simply having MFA in place to ensuring that authentication methods are proportionate to risk and resilient against modern threats. The supporting guidance makes this explicit, stating that:
“The relevant entities shall ensure that users are authenticated by multiple authentication factors… for accessing the entities’ network and information systems, where appropriate, in accordance with the classification of the asset to be accessed.”
What NIS2 Requires Around MFA
Under the guidance supporting the NIS2 Implementing Regulation, organisations are expected to ensure the following:
Users are authenticated with multiple factors
Access to systems should require more than a single authentication factor, reflecting modern security standards. This reinforces the requirement that MFA is used when accessing network and information systems, rather than relying on single-factor login.
Authentication strength matches the criticality of the system
Systems classified as critical or sensitive should use stronger forms of authentication than general-access systems. The guidance highlights that authentication must be adjusted based on risk and criticality.
MFA is enforced on high-risk systems
This applies particularly to:
- Remote access
- System administration interfaces
- Internet-facing services such as webmail/email, VPN and remote desktop
The guidance specifically advises organisations to:
“Enforce MFA on internet-facing systems, such as email/webmail, remote desktop and VPNs.”
Phishing-resistant MFA is recommended where feasible
Stronger methods based on standards such as FIDO2/WebAuthn are recognised as the most resilient against phishing and man-in-the-middle attacks. Traditional MFA methods such as SMS codes or push notifications may not offer adequate protection for high-risk access.
The guidance makes this preference clear, noting that:
“The use of phishing-resistant MFA is recommended.”
It goes further by advising entities to:
“Wherever possible, use phishing-resistant MFA.”
This means organisations need to consider not only whether MFA is enabled, but whether the type of MFA in use aligns with the level of risk.
Why Basic MFA May Fall Short
Some MFA methods remain vulnerable to phishing and social engineering. Attackers may intercept codes, redirect users to fraudulent login pages, or trick users into approving access.
The guidance acknowledges this risk, stating that:
“Some types of MFA are vulnerable to phishing attacks, and the relevant entities should select MFA that can stand up to these attacks.”
For Hungarian organisations preparing for cybersecurity audits, the difference between basic MFA and phishing-resistant MFA may influence compliance outcomes. Auditors may look for evidence that MFA is:
- Applied consistently to critical systems and services
- Appropriate to the risk level
- Using phishing-resistant methods where possible
How YubiKey Aligns with NIS2 Expectations
YubiKey uses FIDO2/WebAuthn, widely recognised as one of the strongest forms of phishing-resistant MFA. The guidance highlights that strong MFA includes:
“‘Strong’: phishing-resistant… no shared secrets, not vulnerable to attacker-in-the-middle; protected cryptographic private key… in accordance with Fast Identity Online (FIDO) and WebAuthn standards.”
This approach offers several advantages:
- No shared secrets or codes that can be intercepted
- Fast authentication suitable for both login and step-up verification
- Broad compatibility with major platforms, identity providers and operating systems
- No reliance on mobile devices, batteries or network connectivity
These characteristics make hardware-backed authentication a practical way to improve security under NIS2 compliance expectations.
A Practical Path for Hungarian Organisations
A structured rollout typically includes:
- Identifying systems that require MFA
- Matching authentication strength to asset criticality
- Prioritising privileged and remote access
- Documenting MFA policies and configurations
- Retaining access and authentication logs as part of the organisation's audit evidence
Taking a phased approach supports operational adoption and audit readiness.
How Trust Panda Supports Organisations Locally
For many organisations, the challenge is not only selecting the right MFA technology but deploying it efficiently and in line with NIS2 expectations. Trust Panda provides practical support in Hungary, including:
- Expertise with YubiKey deployment, supported by certified staff
- Guidance on integration and rollout, including step-up authentication for privileged accounts
- Local stock and fulfilment in Budapest, Hungary, helping reduce lead times when audit deadlines are approaching
This provides a straightforward route to adopting phishing-resistant MFA and generating the documentation and evidence required for cybersecurity readiness.
NIS2 raises expectations around identity security, and MFA is now a central focus, especially for systems that are critical, exposed to the internet, or used for administrative access. The supporting guidance makes it clear that phishing-resistant methods are preferred wherever feasible, and hardware-backed authentication such as YubiKey offers a practical way to meet that requirement while improving day-to-day security.
With access to local expertise, certified support and reliable stock held in Budapest, organisations in Hungary are well positioned to adopt phishing-resistant MFA quickly and strengthen their readiness for upcoming cybersecurity audits.
FAQ
Is MFA required under NIS2?
Yes. MFA is expected to be implemented in line with the criticality of systems and data, and users must be authenticated with multiple factors where appropriate.
What counts as phishing-resistant MFA?
Hardware-backed methods based on standards such as FIDO2/WebAuthn are widely recognised as phishing-resistant and are highlighted in the guidance as the strongest option.
Are SMS or app-based codes sufficient?
They may be considered weaker and more vulnerable to phishing. Stronger methods are recommended where possible, especially for critical systems and administrative access.
Why consider YubiKey for NIS2 readiness?
YubiKey offers fast, phishing-resistant authentication and broad platform support, making it suitable for high-risk systems that need stronger protection.
Need Help Getting Started?
If your organisation is exploring how to meet NIS2 expectations around phishing-resistant MFA, our team is available to help with practical guidance and deployment planning. You can reach us at support@trustpanda.com to begin the conversation.
If you already know which YubiKeys you need and are ready to move forward, our sales team can assist with pricing and availability at sales@trustpanda.com.
