AuditFront

NIS2 Art.21.2j: Multi-Factor Authentication and Secured Communications

What This Control Requires

The measures referred to in paragraph 1 shall include at least the following: (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

In Plain Language

Stolen or phished credentials remain one of the most common ways attackers gain initial access. MFA is the most effective single countermeasure, which is why NIS2 calls it out by name rather than leaving it buried in general access control requirements. Continuous authentication, where identity is re-verified throughout a session rather than only at login, takes this a step further.

Beyond authentication, this control also requires secured communication channels for voice, video, and text. With remote working now standard and cross-border operations common, protecting sensitive discussions from interception is essential.

Emergency communication systems need special attention. When a crisis hits and your primary channels may be compromised, you need a secure fallback that the team can rely on to coordinate the response.

How to Implement

Roll out MFA across all critical access points. At minimum, mandate it for all remote access (VPN, remote desktop, cloud services), all privileged and administrative accounts, email access, systems handling sensitive or regulated data, and any internet-facing authentication.

Choose your MFA methods based on risk. Hardware security keys and platform authenticators (FIDO2/WebAuthn) offer the strongest protection: the credential is bound to the site's origin, so a phishing page or adversary-in-the-middle proxy cannot relay it. Authenticator apps (TOTP) and push notifications are a solid second tier, but both can be phished in real time, and push is exposed to prompt-bombing unless number matching is enforced. Avoid SMS-based MFA where possible because of SIM-swapping and interception risks, though it is still far better than passwords alone. For the best balance of security and usability, consider passwordless authentication using FIDO2 keys or platform authenticators, starting with privileged accounts.

For high-risk scenarios, evaluate continuous authentication solutions. These analyse behavioural signals such as typing rhythm, mouse movement, location, and device characteristics throughout a session to detect hijacking or unauthorised use. This matters because a stolen session token grants access after MFA has already been satisfied. Continuous authentication is particularly valuable for privileged access and remote work.

Secure internal communications by deploying encrypted messaging, voice, and video platforms. For routine business communications, enterprise platforms with encryption in transit may suffice; note that transport encryption protects against network interception but the platform provider can still read the content. For sensitive matters like board discussions, M&A activity, or incident response, use platforms with end-to-end encryption, where only the participants hold the keys.

Set up a dedicated emergency communication system that works independently of your primary infrastructure. This means an out-of-band channel separate from normal email and messaging, pre-distributed contact lists and credentials, backup methods (satellite phones, encrypted radio) for critical infrastructure entities, and regular testing.

Publish clear acceptable use policies for communication tools. Ban personal messaging apps for business communications involving sensitive information. Retain communication metadata and logs in line with your data retention policy.

Test your MFA implementations regularly, including bypass attempts: legacy protocols such as IMAP or POP with basic authentication that never present an MFA challenge, self-service password and MFA reset flows, "trusted device" exemptions, and conditional access exclusions. Also test the failover procedures for your emergency communications.
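As an added example (not from the AuditFront page or any vendor's tooling), the following Python script audits a sign-in log for the coverage gaps described above: privileged accounts signing in without MFA, external sign-ins without MFA, successful sign-ins over legacy protocols that cannot carry an MFA challenge, and users whose strongest observed factor is SMS. The sample log is constructed for this example, and the field names, network ranges, protocol list and privileged-user set are assumptions to be mapped onto your own identity provider's export.

```python
"""Audit sign-in events for MFA coverage gaps.

Added example for this page; the log format, field names, network ranges and
protocol list are assumptions, not any identity provider's real schema.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample sign-in log (JSON lines). Not real data.
SAMPLE_SIGNIN_LOG = """\
{"ts":"2024-05-02T08:01:11Z","user":"alice","src_ip":"203.0.113.10","protocol":"web","mfa":"fido2","result":"success"}
{"ts":"2024-05-02T08:03:40Z","user":"bob-admin","src_ip":"10.20.5.17","protocol":"rdp","mfa":"none","result":"success"}
{"ts":"2024-05-02T08:05:02Z","user":"carol","src_ip":"198.51.100.7","protocol":"imap","mfa":"none","result":"success"}
{"ts":"2024-05-02T08:06:30Z","user":"dave","src_ip":"198.51.100.8","protocol":"web","mfa":"sms","result":"success"}
{"ts":"2024-05-02T08:07:45Z","user":"dave","src_ip":"10.20.7.3","protocol":"web","mfa":"sms","result":"success"}
{"ts":"2024-05-02T08:09:12Z","user":"erin","src_ip":"10.20.7.9","protocol":"web","mfa":"none","result":"success"}
{"ts":"2024-05-02T08:10:00Z","user":"mallory","src_ip":"192.0.2.44","protocol":"web","mfa":"none","result":"failure"}
{"ts":"2024-05-02T08:12:21Z","user":"alice","src_ip":"10.20.7.2","protocol":"web","mfa":"totp","result":"success"}
"""

# Assumed inputs: in practice, pull these from your IdP / PAM inventory.
PRIVILEGED_USERS = {"bob-admin"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("172.16.0.0/12"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Protocols with no way to carry an MFA challenge: any success here is a bypass.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-auth", "ews-basic"}
# Relative strength of factors, from none up to phishing-resistant FIDO2.
STRENGTH = {"none": 0, "sms": 1, "totp": 2, "push": 2, "fido2": 3}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_events(text: str):
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def audit(text: str) -> dict:
    """Return sorted lists of users per finding category."""
    findings = defaultdict(set)
    strongest = defaultdict(int)  # strongest factor seen per user
    for ev in parse_events(text):
        if ev["result"] != "success":
            continue  # failed attempts are not coverage evidence
        user, method = ev["user"], ev["mfa"]
        strongest[user] = max(strongest[user], STRENGTH.get(method, 0))
        if ev["protocol"] in LEGACY_PROTOCOLS:
            findings["legacy_protocol"].add(user)
        if method == "none":
            if user in PRIVILEGED_USERS:
                findings["privileged_no_mfa"].add(user)
            if not is_internal(ev["src_ip"]):
                findings["external_no_mfa"].add(user)
    # Users who never used anything stronger than SMS.
    findings["sms_only"] = {u for u, s in strongest.items() if s == STRENGTH["sms"]}
    return {k: sorted(findings[k]) for k in
            ("privileged_no_mfa", "external_no_mfa", "legacy_protocol", "sms_only")}


def mfa_success_ratio(text: str) -> float:
    """Share of successful sign-ins that presented any second factor."""
    ok = [ev for ev in parse_events(text) if ev["result"] == "success"]
    if not ok:
        return 0.0
    return sum(1 for ev in ok if ev["mfa"] != "none") / len(ok)


if __name__ == "__main__":
    for category, users in audit(SAMPLE_SIGNIN_LOG).items():
        print(f"{category:20s} {users}")
    print(f"successful sign-ins with MFA: {mfa_success_ratio(SAMPLE_SIGNIN_LOG):.0%}")
```

Run against a full export and the four lists become the gap list for your MFA deployment record; the ratio is a crude but auditable coverage number. Note that erin's internal, non-privileged sign-in without MFA is deliberately not flagged, because the minimums in the text do not require it; tighten the rules if your policy does.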

Evidence Your Auditor Will Request

  • MFA deployment records showing coverage across critical systems and users
  • MFA policy defining where and how multi-factor authentication is required
  • Inventory of approved secured communication tools and their configurations
  • Emergency communication plan with designated backup channels
  • Testing records for MFA and emergency communication systems

Common Mistakes

  • MFA deployed for external access but not for internal privileged accounts
  • Legacy authentication protocols (for example IMAP or POP with basic authentication) left enabled, allowing MFA to be bypassed entirely
  • SMS-based MFA used as the sole option without stronger alternatives available
  • No secured communication channel for incident response coordination
  • Emergency communication plan not tested or contact lists outdated
  • Personal messaging apps used for business communications containing sensitive data

Related Controls Across Frameworks

Framework   Control ID   Control name                  Relationship
ISO 27001   A.8.5        Secure authentication         Related
ISO 27001   A.5.14       Information transfer          Related
SOC 2       CC6.1        Logical and physical access   Related

Frequently Asked Questions

Is SMS-based MFA acceptable under NIS2?
NIS2 does not explicitly ban it, but it is widely considered the weakest form of MFA because of SIM-swapping, interception, and real-time phishing risks. Best practice is to offer hardware keys or authenticator apps as the default and only fall back to SMS where no other option is feasible. Regulators are likely to look unfavourably on organisations relying solely on SMS-based MFA.
What does 'continuous authentication' mean in practice?
Rather than checking your identity once at login and trusting the session from there, continuous authentication keeps verifying throughout. It analyses signals like behavioural biometrics, device posture, location, and usage patterns. If something looks off - say the typing pattern changes or the location jumps - the system can require re-authentication or kill the session entirely.

Track NIS2 compliance in one place

AuditFront helps you manage every NIS2 control, collect evidence, and stay audit-ready.
