
Multi-Factor Authentication: Mandatory Under NIS2, DORA, or GDPR?

Why MFA is no longer optional - and what companies need to know to balance compliance, security, and competitiveness.

An employee clicks on a link. Thirty seconds later, an attacker has their access credentials. Ninety seconds later, they are inside the system. By the next morning, all customer records - including banking details - have been exfiltrated. In the worst-case scenario, all data is encrypted and will only be released in exchange for a ransom paid in Bitcoin. Six months later, the regulatory authority poses the question the company should have asked itself beforehand: Why was there no multi-factor authentication?

Perhaps the insolvency administrator will be the one to ask it.

This scenario is not fictional. In broad outline, it mirrors the case of a major European telecommunications provider that, in early 2026, paid a fine of 42 million euros - due in part to the fact that VPN access to its systems was not adequately secured.

Here on the Engity blog, we have outlined what is expected of a modern authentication system today: security, ease of administration, adaptability, and user-friendliness. But as the opening example demonstrates, the question is no longer simply what a system can do - but rather what the law, the market, and common sense demand today.

The short answer: In most cases, Multi-Factor Authentication (MFA) is no longer an optional extra. It is mandatory - often in a legal sense, and almost invariably in a practical one. Any business operating today that relies solely on passwords to protect its systems runs a risk - one that is liable to result in awkward situations requiring difficult explanations to regulatory authorities, customers, business partners, or shareholders.

But let’s take things one step at a time.

The Threat Landscape: Cyberattacks as an Existential Risk

When discussing duties and laws, there is a high risk that listeners’ eyelids will begin to feel heavy. Let us, therefore, begin with business reality. Today, more than ever, companies consist of data, software, and intellectual property. A successful cyberattack is no longer merely an IT problem - it can jeopardize a company’s very existence.

This is no exaggeration; indeed, we have already reported on many such incidents in our Data Protection Digests.

In 2024, Stoli - the vodka manufacturer - and its U.S. subsidiaries were forced to file for bankruptcy after a ransomware attack crippled their ERP system and financial accounting operations. The company was simply unable to provide financial reports to its lenders. The consequence: credit lines could not be renewed, a situation that very quickly triggered insolvency. A cyberattack had, quite literally, put a company to death.

In 2025, the Japanese beverage giant Asahi was hit by the ransomware group Qilin; its ordering and logistics systems went down, forcing the corporation to resort to faxes and handwritten orders. While the use of faxes may be commonplace in Germany, in Japan the incident led to a beer shortage.

British automaker Jaguar Land Rover lost six weeks of production due to a cyberattack - resulting in ripple effects throughout its entire supply chain. An intriguing side note: the company apparently did not have cyber insurance.

And the most common attack vector? Stolen credentials. The “Flashpoint Global Threat Intelligence Report 2025” recorded a 33% increase in compromised credentials. In just the first two months of 2025 alone, 200 million stolen login credentials were discovered. In June 2025, a collection of 16 billion passwords surfaced on the dark web - the largest cache ever documented.

MFA helps guard against this type of attack. As we have repeatedly emphasized, it is not a magic bullet. However, it protects the single most common entry point by a wide margin.

To address risks and cases such as those discussed here, there are - hardly surprisingly - also laws. However, there is no single, solitary regulation that mandates MFA; rather, there exists an entire web of regulatory frameworks, all pointing in the same direction.

GDPR, Art. 32: Appropriate Technical and Organizational Measures

The General Data Protection Regulation (GDPR) requires every data controller to implement “appropriate technical and organizational measures” to protect personal data. In this context, Art. 32 Para. 1 GDPR explicitly cites the “state of the art” as a benchmark - alongside implementation costs, the nature and scope of processing, and the likelihood and severity of the risk.

What does this mean in concrete terms? Anyone who processes personal data - and virtually every company does so - must take current technical standards into account when selecting their protective measures. Today, MFA constitutes such a standard. The burden of justification lies with any company that chooses to forgo it.

NIS2, Art. 21: MFA Named Explicitly

The NIS2 Directive goes a step further than the GDPR. Article 21, Paragraph 2 of the Directive lists minimum cybersecurity risk management measures that “essential” and “important” entities must implement. Under subparagraph (j), the Directive explicitly cites “the use of multi-factor authentication or continuous authentication solutions” - albeit with the caveat “where appropriate.”

This constitutes neither an unconditional obligation nor a mere non-binding suggestion. MFA is explicitly named as a concrete measure. Companies falling within the scope of NIS2 must, as part of their risk assessment, justify where MFA is appropriate - and where they deem it possible to forgo it. Given the current threat landscape and the fact that compromised credentials represent the most common attack vector, providing such a justification will, in practice, become increasingly difficult.

DORA – The Financial Sector as a Pioneer

In the financial sector, the Digital Operational Resilience Act (DORA) has been in force since January 2025. Article 9, Paragraph 4(d) of the Regulation mandates that financial entities implement “policies and protocols for strong authentication mechanisms” - specifically without the “where appropriate” qualifier used in NIS2. The Regulatory Technical Standards supplementing DORA elaborate on this requirement, explicitly mandating MFA for privileged access and for systems supporting critical or important functions. Consequently, any entity in the financial sector operating without MFA is in violation not merely of best practices, but of applicable law.

Additional Regulations

This list is not exhaustive. The Cyber Resilience Act (CRA) - which, effective September 2026, mandates security requirements for connected products and software - requires “Security by Design,” a concept that includes appropriate authentication. In the payments sector, PSD2 has mandated so-called “Strong Customer Authentication” (SCA) for years. Furthermore, industry-specific requirements - such as those in the healthcare sector or critical infrastructure - further heighten the complexity of the situation.

Corporate Protection and Liability: It’s Not Just About Regulation

The laws mentioned thus far - GDPR, NIS2, and DORA - represent regulation “from the outside”: the state dictates what must be done. However, MFA also possesses a dimension entirely unrelated to supervisory authorities and regulatory mandates. It concerns the protection of the company itself - its assets, its trade secrets, and its contractual obligations. It also concerns the personal liability of those charged with safeguarding these things.

In a sense, a breach of the duties of proper corporate governance is often more distressing for a company’s management than a “mere” statutory violation. Paying a fine is one thing; facing a lawsuit for damages brought by one’s own shareholders - or having to explain the loss of a key client - is quite another.

Director Liability: Cybersecurity Is a C-Suite Responsibility

Under Section 43, Paragraph 1 of the GmbH Act (GmbHG), managing directors of a GmbH are obliged to exercise the diligence of a prudent businessman. For members of the Management Board of a stock corporation (AG), Section 93 of the Stock Corporation Act (AktG) applies, establishing a comparable standard. Naturally, this duty encompasses the protection of the company’s IT systems and data.

The NIS2 Implementation Act significantly heightens this responsibility: it explicitly establishes personal liability for senior management regarding cybersecurity risk management - including a duty to pursue their own continuing education in this field. Senior management cannot simply delegate this responsibility to the IT department and then sit back.

In concrete terms, this means the following: If a managing director rejects Multi-Factor Authentication (MFA) as being “too expensive” or “too cumbersome,” and the company subsequently suffers a compromise via stolen access credentials, the question arises as to whether they have breached their duty of care. The company - or, in the event of insolvency, the insolvency administrator - may claim damages. Given the financial sums that a successful cyberattack can cost, this is not merely a theoretical risk.

Trade Secrets: No Protection Without Protective Measures

The issue of trade secret protection is frequently overlooked in practice, yet it is potentially the most critical aspect.

Pursuant to Section 2, No. 1(b) of the Trade Secrets Act (GeschGehG) - the national implementation of the EU Trade Secrets Directive (2016/943) - information constitutes a trade secret only if the holder has taken “reasonable measures to keep it secret.” This is not merely an additional requirement; it is a definitional element: absent reasonable protective measures, no trade secret exists within the meaning of the Act.

The implications are far-reaching. If a company protects systems housing valuable know-how, customer lists, design data, or algorithms using passwords alone - and a competitor subsequently misappropriates this data - the company could fail in court. This would not be because the data theft itself was deemed permissible, but rather because the information, due to a lack of adequate protective measures, does not even qualify as a trade secret. One does not lose protection only at the moment of the attack; one may, in fact, never have possessed it in the first place.

Whether MFA constitutes an “adequate measure” within the meaning of the Trade Secrets Act in any given case depends on the specific security requirements and the value of the information in question. However, in the case of highly sensitive trade secrets - a category that likely encompasses anything constituting a genuine competitive advantage - it is becoming increasingly difficult to defend the decision to forgo MFA as being “adequate.”

Contractual Liability: The NDA Problem

A final - and particularly important - point follows logically from the two preceding ones and applies to practically every company with business partners.

Companies that have entered into confidentiality agreements (NDAs) with customers, suppliers, or cooperation partners typically commit to protecting confidential information using a specific standard of care. Common wording calls for “reasonable measures” or “the same degree of care that the company applies to its own confidential information.”

If a data breach occurs due to a lack of MFA - thereby exposing a contractual partner’s confidential information - claims for damages and, where stipulated, contractual penalties become a distinct possibility. Added to this are the partner’s rights of termination and a loss of trust - a factor that, in many business relationships, carries even greater weight than any contractual penalty.

In a worst-case scenario, a cascade of consequences ensues: a breach resulting from stolen credentials triggers liability for damages and contractual penalties under NDAs with business partners; furthermore, it results in the loss of trade secret protection for one’s own proprietary information under the Trade Secrets Act (GeschGehG), leading ultimately to the personal liability of the company’s management toward the corporation itself.

This is not a contrived horror scenario, but rather the logical progression of events based on existing legal frameworks.

State of the Art: A Moving Target

Looming above all the points discussed previously - serving as the ultimate benchmark - is the concept of the “state of the art.” This may sound innocuous, but from a legal standpoint, it is highly critical. The reason is that it is a dynamic concept: what was considered appropriate yesterday may already be insufficient today.

When ENISA (the EU Agency for Cybersecurity), the BSI (Federal Office for Information Security), the U.S. NIST, and practically every relevant industry standard recommend MFA as a “baseline,” it becomes extremely difficult for a company to convincingly justify - whether to a supervisory authority or in court - why it chose to forgo it.

The argument that “it was too expensive” simply does not hold water in this context. While Article 32 of the GDPR explicitly mandates a balancing act between implementation costs and risk, given the MFA solutions available today - many of which are scalable, cloud-based, and affordable - this argument is scarcely tenable anymore. This is particularly true considering that the risk on the other side of the scales has grown dramatically.

The BSI Basic Protection Modules recommend MFA for access to administrative interfaces and sensitive systems. ISO 27001, the international standard for information security, mandates risk-appropriate access control - and identifies MFA as an essential tool. Anyone seeking or holding ISO 27001 certification will find MFA practically indispensable.

Added to this is an aspect that is often overlooked: attackers, too, are evolving. According to a 2025 Gartner report, account takeovers - facilitated by the use of generative and agentic AI - will become significantly faster and more automated in the near future. Deepfakes and autonomous AI agents are enabling spear phishing on an industrial scale. Password-based authentication was already barely up to the challenge posed by these pressures; against AI-driven attacks, it stands no chance.

What Happens If You Don’t Do It

Theory is one thing. The enforcement decisions of recent months demonstrate what actually happens in practice when companies fail to implement adequate authentication.

In January 2026, the French data protection authority, CNIL, imposed fines totaling 42 million euros on the telecommunications providers Free Mobile and Free. What had happened? An attacker had gained access to the systems via a weakly secured VPN connection and exfiltrated data from 24 million customer contracts - including banking details (IBANs). Over 2,500 affected individuals filed complaints with the CNIL.

The authority determined, among other things, that the security measures were inadequate. Better-secured access - for instance, through MFA - could potentially have prevented the attack, or at the very least, made it significantly more difficult. 42 million euros, because access to the VPN was not adequately secured. That should give every CEO pause for thought.

And this is not an isolated incident. By early 2026, the cumulative total of GDPR fines had surpassed the 7.1 billion euro mark. For the first time, the number of daily breach notifications in Europe has exceeded 400 - a 22 percent increase compared to the previous year. Inadequate technical safeguards - particularly regarding access security - are one of the most common grounds for fines.

MFA as a Competitive Advantage

So far, we’ve been talking about risks: legal obligations, fines, and threats to the company’s survival. But there’s another side to the coin: MFA can be an active competitive advantage.

The mechanism is simple: An increasing number of companies - particularly those subject to regulatory oversight themselves - are assessing the cybersecurity maturity of their suppliers and service providers. Anyone holding an ISO 27001 certification is familiar with the supplier onboarding process: questionnaires, audits, and documentation requirements. The same applies within the framework of NIS2, under which companies are explicitly mandated to ensure the security of their supply chains.

Whether or not a supplier utilizes MFA is a standard inquiry in this context - and, increasingly, a deal-breaker. Those who can demonstrate the use of MFA successfully clear these assessments; those who cannot are eliminated - or never even make it through the door.

A look at current EU legislation reveals that this topic is set to gain even greater significance. In January 2026, as part of the new Cybersecurity Package (CSA2), the European Commission explicitly acknowledged that the supply chain obligations under the NIS2 Directive have led to “burdensome and inconsistent questionnaires” that cascade throughout supply chains. The Commission is currently working on EU-wide standardization: establishing uniform guidelines regarding what questions may be asked in such questionnaires - and how. In parallel, a certification pathway is being developed under which an EU cybersecurity certificate could serve as a substitute for individual questionnaires and audits.

What does this mean? Once standardized supply chain assessments are introduced, Multi-Factor Authentication (MFA) will, in all likelihood, emerge as a standard requirement. Companies that have already implemented it will hold a competitive advantage. Others will be forced to retrofit their systems - or risk losing business.

Consequently, MFA is not merely a cost center, but rather a door-opener in sales.

Not Every MFA Is the Same

Once an organization decides to implement MFA, the next question is: Which MFA method should it choose?

Not all MFA methods provide the same level of security. SMS-based one-time codes, for example, are now considered comparatively vulnerable to attacks such as SIM swapping and phishing. As a result, many organizations are increasingly adopting more modern approaches such as authenticator apps, hardware tokens, or passkeys, which offer a higher level of security.

For businesses, the recommendation is clear: don’t implement just any MFA solution. Instead, choose the method that best fits your organization’s risk profile, the applications in use, and its security requirements.

Conclusion: Action - Before Others Do It for You

In 2026, the question “Do I need multi-factor authentication?” is the wrong question to ask. The right question is: Can I afford to do without it?

In most cases, the answer is: No. The threat landscape, legal requirements, and the expectations of business partners are converging. MFA is not a luxury measure reserved for large corporations; it is the minimum standard that regulators, customers, and insurers expect - and one that, in the event of an incident, can make the difference between having “acted reasonably” and having been “grossly negligent.”

At Engity, we deal with precisely these questions every day. As a European provider of Identity and Access Management solutions, we help companies implement MFA and modern authentication methods in a way that is secure, GDPR-compliant, and practical - without reliance on non-European providers.

If you would like to find out which solution is the right fit for your company, please feel free to get in touch.