What point j actually says
Article 21.2 lists ten areas (a to j). Point j concerns the use of multi-factor or continuous authentication, secure voice, video and text communications and, where appropriate, secure emergency communications within the organisation. This does not mean NIS2 mandates a specific product, biometric method or password length. It means you should use strong authentication in a way that is proportionate and reduces the risk of unauthorised access (European Union, 2022).
Swedish implementation: from EU text to actual requirements
In Sweden, NIS2 is implemented through the Cybersecurity Act (2025:1506) and Cybersecurity Regulation (2025:1507), which came into force on 15 January 2026. This makes strong authentication a part of actual requirements, not just a recommendation (Swedish Parliament, 2025a; Swedish Parliament, 2025b; Government, 2026).
A reality check: MFA is not a silver bullet
Multi-factor authentication (MFA) means using at least two different factors to log in. This could be something you know, something you have or something you are. MFA dramatically reduces the risk that a stolen password alone is enough. But MFA is not magic. If someone hijacks a session, succeeds with social engineering or accesses recovery flows, harm can still occur. Therefore, MFA should be seen as one part of the whole set of measures in Article 21, not a standalone magic wand.
Continuous authentication: what it is, without jargon
Continuous authentication means you don't just 'check who you are' at login, but also during use. This can mean the system reacts to anomalies, like new locations, unusual behaviour or risky activities. In plain English: the door locks if someone suddenly acts like someone else.
This can be relevant in high-risk environments but should also be proportionate. Too much friction leads to workarounds, creating a new vulnerability.
Secure communications and emergency links: the overlooked part
Point j also mentions secure voice, video and text communications and, where appropriate, secure emergency links. This is often forgotten because everyone focuses on MFA. But in an incident, communication is a lifeline. If your channels can be intercepted, hijacked or disrupted, recovery and crisis management become harder.
This doesn't mean everyone needs specialised systems. It means you must have considered which channels are used in critical situations, and how you secure them.
The most common pitfall: MFA on users but not on administrators
This is a classic. MFA is introduced for regular users but administrative accounts are left less protected because 'it's complicated'. It's like putting a secure door on the front entrance but leaving the cellar door open.
If you want to start right, it is often best to begin with what gives the greatest risk reduction: remote access and privileged access.
Three suggestions that make an impact without causing password drama
I stick to three things. They're easy to understand and usually have a clear effect, without adding requirements not in the directive.
· MFA where the consequence is high.
· Protect recovery and support.
· Practice 'stop and block' swiftly.
MFA where the consequence is high means prioritising remote access, administrators and critical systems first. Protecting recovery and support means securing password resets, helpdesk flows and identity processes, as attackers often exploit these shortcuts. Practising 'stop and block' swiftly means you know how to block accounts and sessions when suspicious activity is detected, and can do so without causing chaos.
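As an added example (not part of the original article), the script below audits an account inventory for the gaps described above: missing MFA on privileged, remote-access and critical-system accounts, and reset paths that sidestep MFA. The inventory is constructed sample data, and the column names, reset-channel labels and the 4/2/1 weighting are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not a real product's schema.
SAMPLE_EXPORT = """account,privileged,remote_access,critical_system,mfa_enrolled,reset_channel
anna.admin,yes,yes,yes,no,helpdesk_phone
bo.user,no,no,no,yes,self_service_mfa
carin.vpn,no,yes,no,no,self_service_mfa
svc-backup,yes,no,yes,no,none
dan.ops,yes,yes,yes,yes,helpdesk_phone
eva.user,no,no,no,no,self_service_mfa
"""

# Assumption: only these reset channels require a second factor (or no reset exists).
VERIFIED_RESET_CHANNELS = {"self_service_mfa", "none"}


def _flag(row, column):
    return row[column].strip().lower() == "yes"


def audit_mfa_coverage(export_text):
    """Return findings sorted so the highest-consequence gaps come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if not _flag(row, "mfa_enrolled"):
            issues.append("no MFA")
        # A weak reset path matters even with MFA enrolled, because it sidesteps it.
        if row["reset_channel"].strip() not in VERIFIED_RESET_CHANNELS:
            issues.append("reset path not MFA-verified")
        if not issues:
            continue
        # Assumed weighting: privileged access first, then remote access, then critical systems.
        score = (4 * _flag(row, "privileged") + 2 * _flag(row, "remote_access")
                 + _flag(row, "critical_system"))
        findings.append({"account": row["account"], "score": score, "issues": issues})
    return sorted(findings, key=lambda f: (-f["score"], f["account"]))


if __name__ == "__main__":
    for f in audit_mfa_coverage(SAMPLE_EXPORT):
        print(f"{f['score']}  {f['account']:<12} {', '.join(f['issues'])}")
```

Note that dan.ops has MFA enrolled and still ranks near the top, because the helpdesk reset path is the shortcut the article warns about.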
Conclusion
Article 21.2 j is the front door. It's not about making life hard for people. It's about making intrusion difficult for attackers.
When strong authentication and secure communications become routine, security feels less dramatic. You avoid both panic and theatre. You get a door that actually locks.
References
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.
Government. (2026). New law strengthens cybersecurity (effective 15 January 2026). https://www.government.se/
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Regulation (2025:1507). Swedish Code of Statutes.