NIS2 and MFA: How SMSEagle Enables Compliance with the Directive

The objective of the NIS2 Directive is to enhance the level of cybersecurity and operational resilience of organizations providing services that are essential and important for the functioning of the economy and society.

Introduction

One of the fundamental elements specified in NIS2 is Multi-Factor Authentication (MFA). The Directive explicitly lists it in Article 21 as one of the minimum cybersecurity risk management measures, alongside areas such as supply chain security, business continuity, and incident handling. This demonstrates that MFA is treated as a critical mechanism for protecting access to systems and data.

In this article, we will demonstrate how MFA fits into the requirements of the NIS2 Directive and why the method of delivering the additional authentication factor matters for organizational resilience and supply chain security. We will also explain how tools such as SMSEagle allow for the implementation of MFA in a predictable and defensible manner within a regulatory context, even in scenarios involving limited availability of external services or the internet.

MFA in NIS2 – A Risk-Based Obligation

Article 21(2)(j) of NIS2 specifies the use of MFA “where appropriate.” This phrasing does not make MFA optional. Instead, it obliges organizations to make a conscious, risk-based decision rather than leaving them a free choice.

In environments where the following are present:

  • Remote access to systems,
  • Privileged accounts,
  • Systems critical for business continuity,

the absence of MFA significantly increases the risk of an incident. In such cases, an organization must be able to justify both the implementation of MFA and the method of its execution in a manner that is defensible during an audit.

What Actually Constitutes Functional MFA?

From a regulatory perspective, MFA is an operational process consisting of several interconnected stages—each of which is subject to evaluation. This process includes the generation of the additional authentication factor, its delivery to the user, and subsequent verification, along with the handling of exceptional situations such as delays, errors, or communication channel unavailability.

Each stage can introduce risk; however, in practice, the most critical moment is the delivery of the OTP (One-Time Password) code. This is the stage where dependencies on external infrastructure, communication service providers, or intermediary platforms most frequently arise. From the NIS2 perspective, this means that the effectiveness of MFA depends not only on the authentication method itself but also on the resilience and predictability of the entire operational process behind it.
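As an added illustration (not code from SMSEagle or from this article), the following sketch walks through the stages just described: OTP generation, delivery, verification, and the handling of delivery errors, delays (expiry), guessing attempts and reuse, with every outcome recorded in a local event log that stays inside the organization. The `deliver` callable stands in for the call to the local SMS gateway and is an assumption, as are the policy values and all function names.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed policy values: 6-digit code, 5-minute validity, 3 verification attempts.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

@dataclass
class OtpChallenge:
    user: str
    code: str
    issued_at: float
    delivered: bool = False
    consumed: bool = False
    attempts: int = 0
    events: List[Tuple] = field(default_factory=list)  # local audit trail, stays on-prem

def generate_otp(digits: int = OTP_DIGITS) -> str:
    # CSPRNG-backed code, zero-padded so leading zeros are preserved
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def issue_challenge(user: str, phone: str, deliver: Callable[[str, str], bool],
                    now: Optional[float] = None) -> OtpChallenge:
    # `deliver` stands in for the local SMS gateway call (assumption, not a real API)
    now = time.time() if now is None else now
    ch = OtpChallenge(user=user, code=generate_otp(), issued_at=now)
    try:
        ch.delivered = bool(deliver(phone, f"Your login code is {ch.code}"))
    except Exception as exc:  # gateway unreachable, modem error, timeout...
        ch.events.append(("delivery_error", now, type(exc).__name__))
    ch.events.append(("delivered" if ch.delivered else "delivery_failed", now))
    return ch

def verify_otp(ch: OtpChallenge, submitted: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if not ch.delivered or ch.consumed:   # unconfirmed delivery or already used
        ch.events.append(("reject_unusable", now)); return False
    if now - ch.issued_at > OTP_TTL_SECONDS:  # delayed delivery must not extend validity
        ch.events.append(("reject_expired", now)); return False
    if ch.attempts >= MAX_ATTEMPTS:       # stop online guessing
        ch.events.append(("reject_locked", now)); return False
    ch.attempts += 1
    ok = hmac.compare_digest(ch.code, submitted.strip())  # constant-time compare
    ch.events.append(("accept" if ok else "reject_mismatch", now))
    ch.consumed = ok
    return ok
```

A challenge whose delivery was not confirmed is never accepted; the caller issues a fresh one instead, and the event log gives the audit evidence for why.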

The OTP Delivery Channel as a Supply Chain Element

If MFA relies on one-time passwords sent via SMS, the delivery channel becomes an element in a chain of technical and organizational dependencies. Its operation is influenced by:

  • External communication service providers,
  • Availability of the internet and IP infrastructure,
  • Intermediary platforms and cloud services.

From the NIS2 perspective, this means the OTP channel:

  • Is subject to assessment within the framework of supply chain security (Article 21(2)(d)),
  • Should be analyzed for resilience against outages and incidents on the provider’s side,
  • Cannot be treated merely as an implementation detail.

SMSEagle as a Local Element of the MFA Process

SMSEagle is a hardware SMS gateway that facilitates OTP delivery in an on-premise model; the device is installed directly within the organization’s infrastructure. In this approach, the generation and transmission of one-time passwords occur locally, and communication with the user is conducted directly from the SMSEagle device to the GSM operator’s network.

A key feature of this model is the elimination of the need for external cloud platforms, communication brokers, or constant internet access. As a result, the OTP delivery process remains under the full control of the organization and does not introduce additional dependencies that could become a single point of failure during a crisis or security incident. In the context of NIS2, this simplifies the supply chain and ensures greater predictability of the MFA mechanism.

The Significance of SMSEagle in the Context of NIS2

From the NIS2 perspective, using a local SMS gateway in the MFA process has several significant regulatory consequences:

  • Supply Chain Shortening: OTP delivery occurs directly from the organization’s infrastructure to the GSM network, without the involvement of SMS aggregators, SaaS platforms, or communication brokers. This limits the number of third parties upon which the authentication process depends.
  • Operational Resilience: SMSEagle can operate in isolated environments or those with limited internet access. Consequently, the MFA mechanism remains functional even in incident scenarios where the organization deliberately restricts IP communication.
  • Control Over Data and Logs: OTP transmission logs and event information remain within the organization’s infrastructure. This facilitates the demonstration of accountability and the preparation of evidence for audit purposes.

Conclusion

The NIS2 Directive requires that the entire authentication mechanism be proportionate to the level of risk, operationally resilient, and defensible regarding dependencies on third parties. This means that the assessment covers not just the existence of MFA, but also its implementation method and the impact of potential failures on system access.

In this context, local solutions like SMSEagle serve as a risk-reducing element in the MFA process supply chain. By shortening the OTP delivery path, limiting dependence on external services, and maintaining control over logs and authentication data, organizations can increase the resilience of their authentication mechanisms during incident scenarios. Thus, MFA becomes a true component of organizational operational resilience, in line with both the intent and the letter of NIS2.
