NIS2 Article 21 and MFA: What "Phishing-Resistant Authentication" Actually Means for Your Business

If your organisation falls under the NIS2 Directive, you have almost certainly heard that multi-factor authentication (MFA) is now a requirement. What the guidance is less clear about is what kind of MFA qualifies - and the difference matters enormously. Not all MFA is equal, and choosing the wrong implementation could leave you exposed both to cyberattacks and to compliance risk.

This article breaks down what Article 21 actually requires, why most common MFA methods fall short, and what phishing-resistant authentication looks like in practice.

What Article 21 of NIS2 Actually Says

NIS2's Article 21 establishes a set of baseline security measures that all covered entities must implement. On authentication specifically, it requires the use of multi-factor authentication or continuous authentication solutions, and where appropriate, secured voice, video, and text communications and secured emergency communications.

The directive does not prescribe specific technologies. What it does establish is a risk-based obligation: your authentication controls must be proportionate to the risk your organisation faces. For most entities in scope - particularly those in critical infrastructure sectors, financial services, digital infrastructure, and managed services - the risk level is high enough that weak MFA implementations are difficult to justify to a supervisory authority.

ENISA's NIS2 Technical Implementation Guidance, published in June 2025, makes the framework concrete. It categorises MFA methods into three tiers - "strongest," "medium," and "last resort" - and explicitly recommends phishing-resistant methods, specifically FIDO2/WebAuthn, wherever possible for high-risk access scenarios. SMS-based OTP and standard TOTP authenticator apps do not feature in the "strongest" tier. This is not a fringe interpretation - it reflects how the directive is being applied in practice across member states including Hungary, Poland, and the Czech Republic.

Why Most MFA Does Not Meet the Bar

The problem is that the term "MFA" covers a very wide range of implementations, and most of the commonly deployed options share a fundamental weakness: they are vulnerable to real-time phishing attacks.

Here is how a real-time phishing relay works. An attacker sends a convincing phishing email that redirects the target to a fake login page. The target enters their username and password. The attacker relays these credentials to the real site in real time, triggering an MFA prompt. The target receives an SMS code or push notification, approves it, and hands the attacker a fully authenticated session - without realising anything has happened.

This attack is not theoretical. It is documented, widely used by ransomware groups, and increasingly automated. The following MFA methods are all vulnerable to it:

  • SMS one-time passwords - interceptable via SIM swap and real-time phishing relay
  • Email OTP - same relay vulnerability, with the added risk of compromised email accounts
  • TOTP authenticator apps (Google Authenticator, Microsoft Authenticator in OTP mode) - time-based codes can be relayed in real time
  • Push notification approvals - susceptible to push fatigue attacks and real-time relay
  • Knowledge-based backup factors - security questions, PINs - the same category as the password itself, so not a second factor at all

None of these bind the authentication to the specific website the user is actually visiting. That binding is precisely what phishing-resistant authentication provides.

What Phishing-Resistant Actually Means

Phishing-resistant MFA is not a marketing term - it is a technical property. An authentication method is phishing-resistant when the cryptographic handshake is bound to the origin of the request. If a user is tricked into authenticating on a fake site, the authentication simply fails, because the cryptographic response is valid only for the legitimate domain.

There are two standards that deliver this property:

FIDO2 / WebAuthn - the current gold standard, and the method ENISA explicitly names in its NIS2 guidance as the strongest available. Authentication is performed using public-key cryptography. The private key never leaves the authenticator device, and the authentication response is cryptographically bound to the relying party domain. The browser only offers credentials registered for the domain it is actually on, and any response it does produce embeds that origin, so a phishing site obtains nothing it can replay against the real service.

Smart card / PIV (Personal Identity Verification) - certificate-based authentication with similar cryptographic binding properties. Widely used in government and regulated sectors.

For most commercial organisations implementing NIS2 compliance, FIDO2 is the practical path forward. It is supported natively by Windows, macOS, iOS, Android, and all major browsers. It works with Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, and most enterprise identity platforms. Deployment is straightforward.
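To make the origin binding concrete, here is a constructed simulation of the WebAuthn assertion flow: the browser records the origin it is really on, the authenticator only answers for the rpId its credential was registered for, and the relying party checks challenge, origin and rpIdHash before trusting the signature. This is added example code, not the page's or Yubico's; RP_ID, ORIGIN and the look-alike domain are assumed values, and HMAC-SHA256 stands in for the authenticator's ECDSA signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration (not the page's or Yubico's code); HMAC-SHA256 stands in for ECDSA.
RP_ID = "login.example.com"           # assumed relying party ID
ORIGIN = "https://" + RP_ID           # assumed legitimate origin

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """One credential scoped to a single rpId, as a hardware key would hold it."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # never leaves the device
    def get_assertion(self, rp_id, client_data):
        if rp_id != self.rp_id:              # credential is scoped to its rpId
            raise ValueError("no credential for this rpId")
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # flags: UP set
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.key, signed, "sha256").digest()

def browser_get(auth, origin, challenge):
    """The browser, not the user, records the origin it is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    rp_id = origin.split("://", 1)[1]        # simplification: rpId == host
    auth_data, sig = auth.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(registered_key, challenge, client_data, auth_data, sig):
    """Relying-party checks, a simplified subset of WebAuthn section 7.2."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                         # stale or replayed assertion
    if cd.get("origin") != ORIGIN:
        return False                         # origin binding
    if auth_data[:32] != rp_id_hash(RP_ID) or not auth_data[32] & 0x01:
        return False                         # rpIdHash binding, user presence
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(registered_key, signed, "sha256").digest()
    return hmac.compare_digest(expected, sig)

def login(auth, origin, challenge):
    """Full round trip; a key that refuses the rpId simply yields no assertion."""
    try:
        assertion = browser_get(auth, origin, challenge)
    except ValueError:
        return False
    return rp_verify(auth.key, challenge, *assertion)
```

Running `login` against the legitimate origin succeeds, while the same key on a look-alike domain produces no usable assertion, and a captured assertion fails against any new challenge.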

Hardware Security Keys: The Most Robust FIDO2 Implementation

FIDO2 can be implemented in software (platform authenticators using device biometrics, like Windows Hello or Face ID) or in dedicated hardware. For NIS2 purposes, hardware security keys offer the strongest assurance level, for two reasons.

First, the private key is generated and stored inside the key's secure element and cannot be exported. Even if a workstation is fully compromised by malware, the key cannot be extracted. Second, a hardware key is a physical object under the user's control - it cannot be remotely activated, stolen over a network, or silently cloned.

For organisations where privileged access, critical systems access, or remote access to sensitive infrastructure is involved, a hardware security key is the most defensible implementation under NIS2's risk-proportionality framework.

YubiKey 5 Series - the most widely deployed hardware security key in enterprise environments. Supports FIDO2, WebAuthn, smart card (PIV), OTP, and OpenPGP on a single device. Available in USB-A, USB-C, NFC, Lightning, and nano form factors to suit mixed device environments.

YubiKey Bio Series - adds on-device biometric verification (fingerprint) for environments where user verification is required without a PIN. Suitable for shared workstations or high-security access scenarios.

Security Key Series by Yubico - a FIDO2/WebAuthn-only key at a lower price point. A good fit for organisations deploying across a large user base where the extended protocol support of the YubiKey 5 Series is not required.

Matching the Right Key to Your NIS2 Risk Profile

NIS2 covers a broad range of entities, and the appropriate implementation varies by role and risk level. Here is a practical mapping:

Privileged administrators and IT staff - YubiKey 5 Series. These users are the highest-value target for attackers. Hardware MFA is non-negotiable for this group. The 5 Series' multi-protocol support also allows use with legacy systems during transition.

Remote workers accessing sensitive systems - YubiKey 5 NFC or YubiKey 5C NFC. NFC support matters for mobile device use, which is common in hybrid working environments across Central Europe.

General staff in covered entities - Security Key Series. Cost-effective phishing-resistant MFA for broad deployment. Paired with a passwordless or passkey login flow, this significantly reduces help desk burden from forgotten passwords.

C-suite and board members - YubiKey 5 Series with a backup key registered. High-value targets require the strongest protection, and key loss cannot leave an executive locked out of critical systems.

A Note on Hungarian and CEE Implementation

NIS2 was transposed into Hungarian national law through the Cybersecurity Act (Act LXIX of 2024), which came into effect on 1 January 2025, replacing the earlier 2023 act that the European Commission had found to be an incomplete transposition. The Supervisory Authority for Regulated Activities (SZTFH) is the primary cybersecurity supervisory body for private sector essential and important entities, with authority to conduct audits, issue fines of up to EUR 10 million or 2% of global annual turnover for essential entities, and enforce compliance across sectors. Similar frameworks are in force across the Czech Republic, Poland, Slovakia, and Austria, with the technical authentication requirements consistent across all member states.

Organisations in the region working toward NIS2 compliance frequently face the same practical constraint: awareness of the gap between what they currently have deployed and what the directive requires is high, but the path to remediation is less clear. Hardware security key deployment is one of the most straightforward controls to implement - it requires no infrastructure changes for FIDO2-compatible identity platforms, rollout can be staged by user risk tier, and the uplift in security posture is immediate and auditable.

Trust Panda supplies YubiKey hardware security keys across 35+ countries including Hungary, with volume pricing available for organisations deploying at scale. If you are assessing your NIS2 authentication posture and want to understand the right implementation for your environment, get in touch with our team or browse the full YubiKey range.

Summary

  • NIS2 Article 21 requires MFA, but the risk-based framework means weak MFA implementations are difficult to defend to supervisory authorities
  • ENISA's NIS2 Technical Implementation Guidance (June 2025) ranks MFA in three tiers and explicitly recommends FIDO2/WebAuthn as the strongest available method
  • SMS OTP, email OTP, TOTP apps, and push notifications are all vulnerable to real-time phishing relay attacks
  • Phishing-resistant authentication requires cryptographic binding to the origin - FIDO2/WebAuthn delivers this
  • Hardware security keys (YubiKey) provide the strongest FIDO2 assurance level: private keys cannot be exported or remotely compromised
  • Deployment is practical and staged: prioritise privileged users, remote workers, and critical system access first
  • Hungarian NIS2 is governed by Act LXIX of 2024, in force since 1 January 2025, under SZTFH supervision

About the author: Attila Pozsonyi leads Trust Panda's operations across Central and Eastern Europe, heading our Yubico-certified team. With deep expertise in NIS2 compliance and identity security across the Hungarian and wider CEE market, Attila works directly with organisations navigating the transition to phishing-resistant authentication. Get in touch with Attila's team to discuss your NIS2 readiness.