Compliance deep dive · reviewed 2026-05-22

NIS2 IAM requirements — Article 21, MFA mandate, and the 18-country transposition state

EU NIS2 Directive IAM provisions — Article 21 measures, the MFA + access-control requirements, and the patchy member-state transposition through 2025.

Authority

European Commission + national NIS competent authorities (BSI in Germany, ANSSI in France, NCSC-NL in Netherlands, etc.)

Effective date

Directive (EU) 2022/2555 adopted December 2022. National transposition deadline October 17, 2024 — but ~half of member states missed the deadline; transposition continued through 2025.

Jurisdiction

European Union + EEA — but transposed via national law, so specifics vary by member state

Evidence cadence

Continuous — competent authorities can conduct inspections + audits at any time

Scope

Roughly 110,000 EU entities across 18 sectors — "essential entities" (energy, transport, banking, financial-market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT services, public admin, space) + "important entities" (postal, waste management, chemicals, food, manufacturing, digital providers, research). Significant expansion vs NIS1.

IAM-relevant controls

The controls that matter for IAM.

  • Art. 21(2)(a)

    Policies on Risk Analysis + Information System Security

    What it requires: Implement appropriate cybersecurity risk-management measures, including policies on risk analysis and information system security.

    Evidence example

    Documented information-security policy + risk register + management review minutes.

  • Art. 21(2)(d)

    Supply-Chain Security

    What it requires: Supply-chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

    Evidence example

    Vendor IAM requirements in contract + supplier-risk-assessment + supplier inventory.

  • Art. 21(2)(f)

    Policies and Procedures to Assess the Effectiveness of Cybersecurity Risk-Management Measures

    What it requires: Regular assessment of the effectiveness of cybersecurity risk-management measures.

    Evidence example

    Internal audit + penetration test + tabletop exercise + management review.

  • Art. 21(2)(g)

    Basic Cyber Hygiene + Training

    What it requires: Basic cyber hygiene practices + cybersecurity training.

    Evidence example

    Annual cybersecurity awareness training records + phishing simulation results.

  • Art. 21(2)(i)

    Human Resources Security + Access Control Policies + Asset Management

    What it requires: Human resources security, access control policies, and asset management.

    Evidence example

    JML automation log + access control policy + identity asset inventory.

  • Art. 21(2)(j)

    Multi-Factor Authentication or Continuous Authentication, Secured Voice/Video/Text + Emergency Communications

    What it requires: The use of multi-factor authentication or continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems within the entity, where appropriate.

    Evidence example

    MFA enforcement evidence on user + privileged + remote access + secured-comms configuration.

  • Art. 23

    Incident Reporting

    What it requires: Notify the relevant authority of significant incidents within 24 hours (early warning), 72 hours (incident notification), and 30 days (final report).

    Evidence example

    Incident response runbook with 24/72/30 timing + national authority contact procedure.

How NIS2 expanded beyond NIS1

NIS1 (2016) covered 7 sectors and roughly 8,000 entities. NIS2 (2022) covers 18 sectors and approximately 110,000 entities — a 13x expansion. Newly in-scope sectors include manufacturing, postal services, food production/processing/distribution, waste management, chemicals, public administration, space, and digital infrastructure providers.

The Article 21 cybersecurity measures in summary

Article 21(2) lists 10 categories of cybersecurity risk-management measures that entities must implement. The IAM-relevant ones are (a) risk analysis, (d) supply-chain security, (g) basic hygiene, (i) HR + access control + asset management, and (j) MFA / secured communications. These are deliberately broad — supplemented by national implementing measures in each member state.

The 24-hour / 72-hour / 30-day reporting cadence

NIS2 establishes a tight three-stage incident reporting clock:

  • 24 hours: early warning to the CSIRT or competent authority
  • 72 hours: incident notification with initial assessment
  • 30 days: final report after the incident is resolved

Sector-specific overlap

Many NIS2-scope entities are also subject to sector-specific cybersecurity regulations. The major overlaps:

  • Banking — DORA (Digital Operational Resilience Act, effective Jan 2025) — supersedes NIS2 for financial services
  • Healthcare — sector-specific implementations under national law
  • Critical infrastructure — overlaps with EU CER Directive (Critical Entities Resilience)
  • Digital services — overlaps with eIDAS 2 + Data Act + Cyber Resilience Act

Common findings
  • Art. 21(2)(j) — "where appropriate" is being interpreted strictly by some competent authorities; MFA expected on essentially all administrative access
  • Art. 21(2)(d) — supply-chain IAM requirements pass to subcontractors, but evidence collection is inconsistent
  • Art. 23 — 24-hour early warning is the most-missed deadline; organizations underestimate it
  • Art. 21(2)(i) — access control policy exists but lifecycle automation (JML) hasn't scaled to NIS2 expectations
  • Cross-border coordination — multinational entities with subsidiaries in multiple member states face inconsistent expectations
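
Two of the findings above, MFA missing on administrative access under Art. 21(2)(j) and leaver accounts that JML automation has not disabled under Art. 21(2)(i), are technical rather than procedural, and the Art. 23 clock is a fixed offset from the moment of awareness. All three can be checked by an evidence-collection script rather than asserted in a policy document. The block below is an added, hypothetical example written for this page; it is not code from NIS2, any competent authority, or the site's own tooling. It runs over a small constructed account export (the record fields and the sample users are assumptions, not any vendor's schema) and reports MFA gaps under both the strict "essentially everywhere" reading and the narrower privileged-plus-remote reading, leaver accounts still enabled after a grace window, and the three Art. 23 due timestamps.

```python
"""Constructed NIS2 IAM evidence checks: MFA coverage, leaver de-provisioning,
and the Art. 23 reporting clock. Hypothetical example; the account records
and field names below are made up for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    user_id: str
    enabled: bool
    privileged: bool                 # holds an admin / root-equivalent entitlement
    remote_access: bool              # can reach the environment from outside (VPN, external SSO)
    mfa_methods: list = field(default_factory=list)   # enrolled factors, e.g. ["fido2"]
    terminated_on: Optional[datetime] = None          # HR leaver date, if any


def mfa_gaps(accounts, strict=True):
    """user_ids of enabled accounts that lack any MFA factor where policy expects one.

    strict=True mirrors the strict reading of Art. 21(2)(j) ("essentially everywhere");
    strict=False only flags privileged and remote-access accounts."""
    gaps = []
    for a in accounts:
        if not a.enabled:
            continue
        required = strict or a.privileged or a.remote_access
        if required and not a.mfa_methods:
            gaps.append(a.user_id)
    return gaps


def leaver_gaps(accounts, as_of, grace=timedelta(hours=24)):
    """user_ids still enabled after their leaver date plus the grace window.

    A JML process that scales to Art. 21(2)(i) expectations yields an empty list."""
    return [a.user_id for a in accounts
            if a.enabled and a.terminated_on is not None
            and a.terminated_on + grace < as_of]


def art23_deadlines(aware_at):
    """Art. 23 due timestamps measured from when the entity became aware of the incident."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": aware_at + timedelta(days=30),
    }


def evidence_summary(accounts, as_of, strict=True):
    """One record suitable for an audit evidence pack, with a pass/fail verdict."""
    mfa = mfa_gaps(accounts, strict=strict)
    leavers = leaver_gaps(accounts, as_of)
    return {
        "as_of": as_of.isoformat(),
        "accounts_enabled": sum(1 for a in accounts if a.enabled),
        "mfa_policy": "strict" if strict else "privileged_and_remote",
        "mfa_gaps": mfa,
        "leaver_gaps": leavers,
        "compliant": not mfa and not leavers,
    }


# Constructed sample data (not a real export).
AS_OF = datetime(2025, 6, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, ["fido2"]),
    Account("bob", True, True, False, []),                 # admin with no MFA: flagged under both readings
    Account("carol", True, False, True, ["totp"]),
    Account("dave", True, False, False, []),               # ordinary user, no MFA: flagged only when strict
    Account("erin", True, False, False, ["totp"],
            terminated_on=datetime(2025, 6, 1, tzinfo=timezone.utc)),   # left 29 days ago, still enabled
    Account("frank", False, True, False, [],
            terminated_on=datetime(2025, 5, 1, tzinfo=timezone.utc)),   # leaver correctly disabled
    Account("grace", True, False, False, ["fido2"],
            terminated_on=datetime(2025, 6, 29, 12, tzinfo=timezone.utc)),  # inside the 24h grace window
]


if __name__ == "__main__":
    for k, v in evidence_summary(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{k}: {v}")
    for stage, due in art23_deadlines(AS_OF).items():
        print(f"{stage}: {due.isoformat()}")
```

Run as-is to see the summary for the sample data; on real input, replace `SAMPLE_ACCOUNTS` with records built from an IdP or directory export and keep the dated summary alongside the raw export as the Art. 21(2)(i)/(j) evidence. The `strict` switch is deliberate: which reading a given competent authority applies varies by member state, so the script records which policy the verdict was computed against.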

Penalties

Essential entities: up to €10M or 2% of total worldwide annual turnover, whichever higher. Important entities: up to €7M or 1.4%, whichever higher. Personal liability for management bodies (members can be temporarily prohibited from exercising managerial functions).

Evidence cadence

Continuous — competent authorities can conduct inspections + audits at any time. Some member states require periodic self-assessment + reporting. Significant incidents require the 24-hour / 72-hour / 30-day reporting cadence.

Practitioner notes

What the policy doesn’t tell you.

  • NIS2 is a directive, not a regulation. This means each EU member state transposes it into national law — so specifics vary. Germany (NIS2UmsuCG), France (LCEN modification), Netherlands (Wet beveiliging netwerk- en informatiesystemen), etc.
  • As of mid-2025, ~half of member states had completed transposition. Some are still finalizing through 2025 / 2026. Practitioners must check national law, not just the directive text.
  • The MFA requirement (Art. 21(2)(j)) is one of the most-cited provisions but the "where appropriate" qualifier creates interpretation debate. Most competent authorities lean toward "essentially everywhere" for entities in scope.
  • NIS2 overlaps significantly with GDPR Article 32 — entities subject to both face one set of technical measures satisfying both. The lift is mostly governance + reporting cadence.
  • For sectors already heavily regulated (banking, healthcare), NIS2 layers on top of existing sector-specific requirements. For sectors newly in scope (manufacturing, postal, food), NIS2 is the first prescriptive cybersecurity baseline.
  • Management-body personal liability is a notable feature. Officers + directors can be held personally responsible for non-compliance — similar to NYDFS Part 500 but with EU-style enforcement.