
Non-Human Identities (NHI): the new frontier of enterprise cybersecurity
11 June 2026

Multi-factor authentication is now on everyone's lips. NIS2 mentions it, vendors sell it, and IT departments have been implementing it for years. The problem is that many organizations comply on paper while missing what the directive fundamentally requires, and that gap can cost millions in sanctions or, worse, a security breach. This article analyzes what NIS2 actually requires regarding authentication, the structural limitations of conventional MFA and SSO, and which security model effectively meets the requirements of high-criticality environments.
The most common mistake: believing MFA is simply “adding a second factor”
When an organization deploys a one-time password (OTP) application on its employees’ mobile devices and checks the box marked “MFA implemented,” it is making an interpretation error that can have serious consequences.
NIS2 does not stop at the existence of a second factor. Read together with the risk-management obligation in Article 21(1), it requires entities to show that they have assessed their entire identity attack surface and mitigated the risk at every critical access point. The difference between these two readings is enormous.
An SMS verification code can be intercepted; an OTP code can be captured and relayed by a real-time phishing page; an employee can fall victim to MFA fatigue and approve a fraudulent access request simply because they receive dozens of push notifications in succession. None of this is solved by merely "having MFA". It is solved by having the right type of MFA, applied in the right places, with the right architecture behind it.
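The MFA fatigue pattern above is detectable from the identity provider's own push log, which is the kind of evidence an auditor will ask for. The following is an added example, not code from the original article or from any vendor: a detection rule run over a constructed sample of push-MFA events (timestamp, user, result, source IP). It flags an approval that follows several denied or timed-out pushes for the same user inside a short window; the window and threshold are assumed values to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an IdP push-MFA log (not real data).
# Fields: timestamp, user, push result (approved/denied/timeout), source IP of the login attempt.
SAMPLE_PUSH_LOG = """\
2026-03-02T02:14:05Z alice denied 203.0.113.7
2026-03-02T02:14:41Z alice denied 203.0.113.7
2026-03-02T02:15:12Z alice timeout 203.0.113.7
2026-03-02T02:15:55Z alice denied 203.0.113.7
2026-03-02T02:16:30Z alice approved 203.0.113.7
2026-03-02T08:01:00Z bob approved 10.20.0.15
2026-03-02T08:02:10Z bob approved 10.20.0.15
2026-03-02T12:30:00Z carol denied 10.20.0.44
2026-03-02T14:30:00Z carol approved 10.20.0.44
"""


def parse_push_log(text):
    """Parse whitespace-separated push events into (time, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, ip))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag an 'approved' push that follows at least `min_rejections` denied or
    timed-out pushes for the same user within `window` (assumed thresholds).

    Returns one finding per suspicious approval with the user, the approval time,
    how many pushes were rejected before it, and the source IPs involved.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, (ts, _, result, ip) in enumerate(evs):
            if result != "approved":
                continue
            prior = [e for e in evs[:i]
                     if e[2] in ("denied", "timeout") and ts - e[0] <= window]
            if len(prior) >= min_rejections:
                findings.append({
                    "user": user,
                    "approved_at": ts,
                    "rejected_before": len(prior),
                    "sources": sorted({e[3] for e in prior} | {ip}),
                })
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_push_log(SAMPLE_PUSH_LOG)):
        print(f)
```

In the sample, only alice's 02:16:30 approval is flagged (four rejected pushes in the preceding ten minutes); carol's single denial two hours before her approval does not cross the threshold. In production the same logic should key on the source IP as well, since an approval from the user's usual device for a login attempt originating elsewhere is the signature of the attack.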
What exactly does NIS2 require regarding authentication
Article 21(2) of the NIS2 Directive lists ten minimum security measures, (a) to (j), that every affected entity must implement. Point (j) is the one that directly concerns authentication, and its actual wording is shorter than it is usually remembered: it requires "the use of multi-factor authentication or continuous authentication solutions" together with secured communications, "where appropriate". The qualifier "where appropriate" is not a loophole. Read with Article 21(1), which requires measures proportionate to the risk, it means MFA must cover every context where its absence could lead to a breach, and the entity must be able to justify any exception.
In practice, this includes:
- Remote access (VPN, remote desktop, access to SaaS applications)
- Corporate email and collaboration tools
- Administration panels and privileged accounts
- Access to cloud systems and hybrid environments
In addition, the directive requires that these measures be demonstrable. It is not enough to have them implemented: the organization must be able to provide evidence of their operation during an audit or inspection. This turns traceability into an implicit requirement, even though the directive does not explicitly mention it in that section.
In Spain, the framework is complemented by the National Security Framework (ENS), established by Royal Decree 311/2022, which is mandatory for the public sector and for private suppliers providing services to it. The ENS predates NIS2, but its measures overlap heavily with Article 21, so for many organizations complying with the ENS and complying with NIS2 are, in practice, the same path.
SSO: the great productivity lever with a critical Achilles' heel
Single Sign-On (SSO) is one of the most valuable tools for simplifying access management in organizations with multiple applications and systems. It allows a user to authenticate once and access all authorized resources without re-entering credentials. From an operational perspective, it reduces password fatigue, lowers support tickets, and improves the employee experience.
But SSO has a structural characteristic that becomes a critical risk in high-security environments: it centralizes access.
If an attacker succeeds in compromising an active SSO session, they gain simultaneous access to all applications, environments, and systems associated with that account. They do not need to escalate privileges or move laterally: the SSO architecture hands everything to them at once. In environments containing sensitive data, industrial control systems, or classified information, this “blast radius” is simply unacceptable without additional layers of control.
SSO is not the problem. The problem is SSO without robust MFA, without session traceability, and without centralized credential management capable of revoking access immediately.
The limitations nobody mentions: when MFA and SSO are not enough
Beyond the concentration risk inherent in SSO, there are other limitations that conventional MFA and SSO implementations fail to address and that auditors specializing in NIS2 are systematically identifying.
Weak MFA Versus Phishing-Resistant MFA
Not all multi-factor authentication methods offer the same level of protection. Methods based on SMS or OTP applications are vulnerable to real-time phishing: a proxy page relays the user's code to the real identity provider within its validity window, and nothing in the code ties it to the site where it was typed. High-security environments require phishing-resistant methods: FIDO2/WebAuthn hardware security keys (YubiKey and similar), client certificates, or other hardware-backed authentication. These bind the authentication to the legitimate origin, so a response captured on a look-alike domain is useless to the attacker.
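The difference between the two classes of MFA is a protocol property, not a vendor feature. The following is an added example, not code from the original article: it implements a standard RFC 6238 TOTP check and then a deliberately simplified origin-bound assertion in the style of WebAuthn, and runs the same relay attack against both. Secrets, origins and the use of an HMAC in place of the authenticator's real asymmetric signature are constructed simplifications for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; not real keys.
TOTP_SECRET = b"constructed-shared-totp-secret"
DEVICE_KEY = b"constructed-authenticator-device-key"

RP_ORIGIN = "https://sso.example.internal"   # hypothetical legitimate relying party
PHISH_ORIGIN = "https://sso-example.evil"    # hypothetical phishing proxy domain


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(submitted: str, unix_time: float) -> bool:
    """Server-side OTP check. Nothing ties the code to where the user typed it."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def relay_totp_attack(unix_time: float) -> bool:
    """Real-time phishing: the victim reads the code from their app and types it
    on the attacker's page; the proxy forwards it to the real IdP in the same window."""
    code_typed_by_victim = totp(TOTP_SECRET, unix_time)
    return rp_verify_totp(code_typed_by_victim, unix_time)   # True: attacker is in


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """Simplified origin-bound assertion. The browser, not the user, supplies the
    page origin, and the authenticator signs it together with the challenge.
    WebAuthn uses an asymmetric signature; HMAC over DEVICE_KEY is a stand-in."""
    client_data = f"{origin_seen_by_browser}|{challenge.hex()}".encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"origin": origin_seen_by_browser, "challenge": challenge.hex(), "sig": sig}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """The relying party rejects any assertion not bound to its own origin and challenge."""
    if assertion["origin"] != RP_ORIGIN:
        return False
    if assertion["challenge"] != expected_challenge.hex():
        return False
    client_data = f"{assertion['origin']}|{assertion['challenge']}".encode()
    expected = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["sig"], expected)


def legitimate_webauthn_login(challenge: bytes) -> bool:
    """Victim's browser is really on RP_ORIGIN."""
    return rp_verify_assertion(authenticator_sign(challenge, RP_ORIGIN), challenge)


def relay_webauthn_attack(challenge: bytes) -> bool:
    """Same proxy as before, but the browser is on PHISH_ORIGIN, so the signed
    origin does not match and the relayed assertion is refused."""
    relayed = authenticator_sign(challenge, PHISH_ORIGIN)
    return rp_verify_assertion(relayed, challenge)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relayed through phishing proxy accepted:", relay_totp_attack(now))
    print("WebAuthn-style legitimate login accepted:", legitimate_webauthn_login(b"\x01\x02"))
    print("WebAuthn-style relayed assertion accepted:", relay_webauthn_attack(b"\x01\x02"))
```

The TOTP implementation matches the RFC 6238 reference vector (secret `12345678901234567890`, time 59, eight digits gives `94287082`), so the relay succeeds against a correct implementation, not a broken one. The second half fails the relay purely because the origin is part of the signed data, which is what "phishing-resistant" means in practice.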
SSO without traceability: you know who logged in, not what they did
An SSO system records that user X logged in at 9:14 a.m. But if integrated access traceability does not exist, the organization does not know which applications they accessed, which data they downloaded, what changes they made, or how long they remained active in each system. NIS2 requires incident response capability, and that capability requires detailed activity records, not just authentication logs.
Dependence on External Identity Providers
A large portion of the MFA and SSO solutions available on the market are hosted on third-party infrastructure, typically provided by U.S.-based cloud vendors. This creates a structural dependency affecting both data sovereignty and service availability: if the provider experiences an outage or changes its conditions, the organization loses control over its own access management system.
Service Credentials and Non-Human Accounts Outside the Perimeter
Specialized auditors repeatedly identify three major weaknesses in IAM implementations: the absence of real MFA, accounts with excessive privileges, and unmanaged service credentials. This last point concerns non-human identities: service accounts, API keys, machine certificates, and the tokens used by CI/CD pipelines and automated processes. Because they do not log in interactively, they lie completely outside the scope of most conventional MFA and SSO solutions, and their secrets are frequently long-lived, shared, and never rotated.
The complete model: MFA + SSO + centralized traceability
The answer for high-security environments is not to choose between MFA and SSO, nor to add layers in an incoherent manner. It is an integrated model that simultaneously addresses the three vectors that NIS2 effectively requires, even though it does not mention them together in a single article.
Robust, Phishing-resistant authentication
MFA based on methods that resist social engineering and credential relay: client certificates, FIDO2 hardware security keys, and managed-device-based authentication.
Centrally managed access with sovereignty
SSO that does not depend on external infrastructure for its critical operation. The organization must retain control over its identity provider, access policies, and the ability to revoke sessions in real time.
Complete traceability of every access
Detailed records of every session: who accessed, from where, which system they accessed, for how long, and which operations they performed. Not as a compliance add-on, but as an integrated component of the access architecture.
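The two requirements just described, real-time revocation and per-session traceability, are the same design decision: the SSO broker keeps an authoritative server-side record of each session and every application checks against it on each request, rather than trusting a self-contained token until it expires. The following is an added example, not code from the original article or from any product: a hypothetical session registry with constructed timestamps and system names that shows login, recorded accesses, a user-wide revocation during an incident, and the resulting audit report.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user: str
    source_ip: str
    issued_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None
    accesses: List[tuple] = field(default_factory=list)   # (time, system, operation)


class SessionRegistry:
    """Hypothetical server-side session store for an SSO broker. Every downstream
    request is checked here, so a revocation takes effect on the next request, and
    each access is written to the same record as the login that produced it."""

    def __init__(self, ttl: timedelta = timedelta(hours=8)):
        self.ttl = ttl
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def issue(self, user: str, source_ip: str, now: datetime) -> str:
        """Called after a successful (phishing-resistant) MFA login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, source_ip, now, now + self.ttl)
        self._audit("login", user=user, session=sid, ip=source_ip, at=now)
        return sid

    def authorize(self, sid: str, system: str, operation: str, now: datetime) -> bool:
        """Called by every application behind the SSO on every request. Allows only a
        known, unexpired, unrevoked session, and records the outcome either way."""
        s = self._sessions.get(sid)
        if s is None:
            self._audit("access_denied", session=sid, system=system, reason="unknown_session", at=now)
            return False
        if s.revoked_at is not None or now >= s.expires_at:
            reason = "revoked" if s.revoked_at is not None else "expired"
            self._audit("access_denied", user=s.user, session=sid, system=system, reason=reason, at=now)
            return False
        s.accesses.append((now, system, operation))
        self._audit("access", user=s.user, session=sid, system=system, op=operation, at=now)
        return True

    def revoke_user(self, user: str, now: datetime, reason: str) -> int:
        """Incident response: invalidate every live session of a user at once."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and s.revoked_at is None:
                s.revoked_at = now
                count += 1
                self._audit("revoke", user=user, session=s.session_id, reason=reason, at=now)
        return count

    def session_report(self, sid: str) -> dict:
        """Traceability in one record: who, from where, which systems, how long, what."""
        s = self._sessions[sid]
        end = s.revoked_at or (s.accesses[-1][0] if s.accesses else s.issued_at)
        return {
            "user": s.user,
            "ip": s.source_ip,
            "systems": sorted({a[1] for a in s.accesses}),
            "duration": end - s.issued_at,
            "operations": [(a[1], a[2]) for a in s.accesses],
        }


def demo():
    """Constructed scenario: a login at 09:14, two accesses, revocation at 09:39,
    and a request after revocation that must be refused."""
    reg = SessionRegistry()
    t0 = datetime(2026, 3, 2, 9, 14, tzinfo=timezone.utc)
    sid = reg.issue("alice", "10.20.0.15", t0)
    reg.authorize(sid, "hr-portal", "download payroll.csv", t0 + timedelta(minutes=5))
    reg.authorize(sid, "scada-hmi", "read", t0 + timedelta(minutes=20))
    reg.revoke_user("alice", t0 + timedelta(minutes=25), reason="SOC incident, constructed")
    allowed_after = reg.authorize(sid, "scada-hmi", "write setpoint", t0 + timedelta(minutes=26))
    return reg, sid, allowed_after


if __name__ == "__main__":
    registry, session, allowed = demo()
    print("access after revocation allowed:", allowed)
    print(registry.session_report(session))
```

The contrast with a stateless bearer token is the point: a token verified only by its signature remains valid until its expiry, so "immediate revocation" is impossible by construction unless every application consults a shared store like this one. The same store is what turns "alice logged in at 9:14" into "alice downloaded payroll.csv from the HR portal and read the SCADA HMI for 25 minutes before her sessions were killed".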
Centralized credential management (Vault)
A secure, encrypted repository where credentials, passwords, certificates, and service secrets are stored, rotated, and distributed in a controlled manner. It eliminates weak, shared, or plaintext credentials, gives the non-human identities discussed above an owner and a rotation schedule, and ensures that no credential remains outside the management perimeter.
Integrated network segmentation
Access control does not end at the identity layer. Network segmentation ensures that even if an authenticated user is compromised, lateral movement within the infrastructure is blocked. It is the difference between containing an incident and suffering a full-scale breach.
This is the model underpinning Endurance, Cosmikal's Remote Shielded Workspace (RSW) solution: five integrated capabilities (robust MFA, sovereign SSO, credential vault, complete traceability, and network segmentation) in a single solution developed in Spain, without dependence on external cloud providers, certified by the CCN, and validated in NATO's NIAPC catalogue as the only Spanish solution in the access control category. That certification is not a commercial badge: it is validation that the model works in the most demanding security environments.
Is your organization really prepared? NIS2 checklist
Before considering authentication compliance complete, it is worth reviewing the following points:
- Is the deployed MFA phishing-resistant? SMS- or OTP-based methods do not meet the standard required for critical systems.
- Are privileged and administrative accounts protected? They are the primary target of any attacker and require stricter authentication than standard accounts.
- Is there access traceability, not just authentication logging? Knowing who logged in is not enough; you need to know what they did.
- Does the SSO solution support immediate session revocation? In the event of an incident, minutes matter.
- Are service credentials and non-human accounts inventoried and managed? They are frequently the most overlooked attack vector.
- Does the identity system depend on an external provider for availability? Operational sovereignty is an implicit requirement in critical environments.
- Can the organization demonstrate compliance during an audit? If demonstrable records do not exist, the measure does not exist from a regulatory perspective.
Conclusion
MFA and SSO are essential tools, but they are not synonymous with robust security. NIS2 requires an approach that goes beyond technical implementation: it requires organizations to understand their identity risk surface, apply proportional controls, and be able to demonstrate them.
In high-criticality environments (public sector, essential infrastructure, defense, and regulated industry) that level of rigor requires solutions that combine strong authentication, sovereign centralized management, and complete traceability: solutions that do not depend on third parties to function and that are validated in the most demanding contexts.
Endurance integrates MFA, SSO, and traceability within a sovereign and certified environment. If you would like to see how it can be adapted to your organization’s specific needs, contact the Cosmikal team.
Did you find this article useful? Share it with your security team or your organization’s compliance officer.