In this article we will describe the requirement in NIS2’s Article 21(2)(j), which requires your organisation to implement multi-factor authentication and emergency communication systems.
Multi-Factor Authentication
The purpose of this requirement is to strengthen access control and lower the risk of unauthorised access by using multiple authentication factors and continuously checking user behaviour and the context of a session.
Requirement
When users, IT components, or other assets access your organisation’s networks and information systems, they must be authenticated with multi-factor authentication or continuous authentication. The specific requirements should follow your risk assessment and comply with your organisation’s access control policies.
Multi-factor authentication should be applied when accessing:
- assets remotely,
- administrative systems,
- sensitive or confidential data,
- critical systems.
Continuous authentication can be used to monitor and verify a user’s identity during an active session, based on behavioural and contextual factors, such as login attempts from an unknown location, from an unfamiliar or newly registered device, at unusual times, or with abnormal usage patterns.
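To make the contextual signals above concrete, here is an added example (not part of the original article) of a session-risk check that maps those signals to a step-up decision: each triggered signal adds to a score, and crossing a threshold forces re-authentication with MFA. The weights, threshold, 24-hour new-device window, and sample user data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative weights and threshold: a real deployment derives them from its risk assessment.
RISK_WEIGHTS = {"unknown_location": 2, "unfamiliar_device": 2, "newly_registered_device": 1,
                "unusual_time": 1, "abnormal_pattern": 3}
STEP_UP_THRESHOLD = 3  # at or above this score the session must re-authenticate with MFA
NEW_DEVICE_WINDOW = timedelta(hours=24)  # assumed: a device counts as "new" for its first day

@dataclass(frozen=True)
class UserBaseline:  # what is normal for this user, learned from past authenticated sessions
    known_locations: frozenset
    known_devices: frozenset
    usual_hours: range           # hours of day at which this user normally works
    max_failed_attempts: int     # failed attempts per hour still considered normal

@dataclass(frozen=True)
class SessionContext:  # observations about the current, already active session
    location: str
    device_id: str
    device_registered_at: datetime
    observed_at: datetime
    failed_attempts_last_hour: int

def assess_session(ctx: SessionContext, baseline: UserBaseline):
    """Return (triggered signals, risk score, whether step-up MFA is required)."""
    signals = []
    if ctx.location not in baseline.known_locations:
        signals.append("unknown_location")
    if ctx.device_id not in baseline.known_devices:
        signals.append("unfamiliar_device")
    if ctx.observed_at - ctx.device_registered_at < NEW_DEVICE_WINDOW:
        signals.append("newly_registered_device")
    if ctx.observed_at.hour not in baseline.usual_hours:
        signals.append("unusual_time")
    if ctx.failed_attempts_last_hour > baseline.max_failed_attempts:
        signals.append("abnormal_pattern")
    score = sum(RISK_WEIGHTS[s] for s in signals)
    return signals, score, score >= STEP_UP_THRESHOLD

# Constructed sample data: one user's baseline and three observed sessions.
BASELINE = UserBaseline(frozenset({"Copenhagen"}), frozenset({"laptop-01"}), range(7, 19), 2)
OLD_DEVICE = datetime(2024, 1, 10, tzinfo=timezone.utc)
NORMAL = SessionContext("Copenhagen", "laptop-01", OLD_DEVICE,
                        datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc), 0)
LATE_NIGHT = SessionContext("Copenhagen", "laptop-01", OLD_DEVICE,
                            datetime(2024, 5, 6, 22, 0, tzinfo=timezone.utc), 0)
SUSPICIOUS = SessionContext("Lisbon", "phone-99", datetime(2024, 5, 6, 2, 30, tzinfo=timezone.utc),
                            datetime(2024, 5, 6, 3, 0, tzinfo=timezone.utc), 5)
```

A single low-weight signal (a late working session from a known device) is logged but does not interrupt the user, whereas several signals together cross the threshold and trigger step-up MFA.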
Documentation
You must review your access control policy, including its multi-factor authentication and continuous authentication requirements, at regular intervals and after major changes or security incidents. Each review must be documented.
Emergency Communication Systems
You must ensure that voice, video, and text communication is always available, including in emergency situations. These communication channels must protect confidentiality, integrity, and availability within the organisation.
Requirement
You should assess the need for communication channels, including requirements for protecting confidentiality through encryption and for redundancy to ensure alternative options. These needs should be included in risk assessments and in procedures for business continuity, incident handling, and crisis management.
This could be done in the following ways:
- prepare plans for secure communication during a major incident, including escalation procedures and reporting to partners, authorities, and CSIRTs,
- describe which internal and external communication channels exist, how they are activated, used, and restored in case of failure,
- ensure availability by establishing redundancy, so alternative channels are always available,
- set up crisis management processes that include communication with security services, sector authorities, CSIRTs, and other stakeholders,
- enable communication between different systems through reliable channels that are logically, cryptographically, or physically separated from other channels to protect data flows from alteration or disclosure.
Examples of communication channels include alternative Voice over Internet Protocol solutions, encrypted messaging services, radios, satellite phones, or SMS. The selected channels should support confidentiality and be available independently of primary systems. A policy should specify which classification level of data can be shared via each channel.
Documentation
Emergency communication systems should be tested regularly and may be part of an annual crisis management exercise. Results of tests and exercises should be documented to ensure lessons are learned and improvements are made.