
NIS2 compliance: How to get passwords and MFA right


The EU's NIS2 Directive is pushing organizations to take cybersecurity seriously, and that means looking closely at how you manage access. If you're responsible for security in a company that falls under NIS2, you're probably asking: what exactly do I need to do about passwords and authentication?

Let's break down what NIS2 means for your identity and access controls, and how to build a practical roadmap that actually works.

What is NIS2 and who must comply?

NIS2 (the Network and Information Security Directive) replaced the original NIS Directive in January 2023, and EU member states were required to transpose it into national law by October 2024. The directive applies to medium and large organizations across 18 critical sectors, including energy, transport, banking, healthcare, digital infrastructure, and public administration.

If your organization has 50+ employees or annual revenue exceeding €10 million in these sectors, you likely need to comply. The penalties for non-compliance are steep: essential entities face fines up to €10 million or 2% of global annual turnover, while important entities face up to €7 million or 1.4% of turnover.

Essential vs. Important: Entities explained

NIS2 classifies organizations into two categories:

Essential entities: Large organizations in high-criticality sectors (Annex I) like energy, banking, healthcare, and digital infrastructure. These face proactive supervision with regular audits and maximum fines of €10 million or 2% of global annual turnover, whichever is higher.

Important entities: Organizations in other critical sectors (Annex II) like postal services, waste management, and food production. These face ex-post supervision (only monitored after non-compliance is reported) and maximum fines of €7 million or 1.4% of global annual turnover.

Both categories must meet the same cybersecurity requirements. The difference lies in supervision intensity and penalty levels.
