
NIS2 Article 21: Identity Evidence Auditors Ask For in 2026

Gustav Poola
Tags: nis2, article-21, identity-management, mfa, access-control, supply-chain, audit, eidas

Belgium's 18 April 2026 NIS2 deadline has passed. Article 21 is now an evidence chain, not a checklist. Where most entities' identity proofing falls short.

NIS2 Article 21 in 2026 is no longer a checklist of controls — it is an evidence chain. Auditors examine three measures most closely: (i) HR security and access control, (j) MFA or continuous authentication, and (d) supply chain. The weakest link in most entities' evidence, by national authority signalling, is identity proofing at enrolment.

Belgium's first binding NIS2 conformity-assessment deadline passed on 18 April 2026 — four days before this post. It was the first date in the EU on which essential entities had to place complete, audit-ready evidence of their Article 21 cybersecurity risk-management measures in front of a national authority. Germany's NIS2 Implementation Act entered force 6 December 2025 and the BSI registration and reporting portal went live 6 January 2026. Across the EU, 2026 is the year that Article 21 stops being a checklist and starts being an evidence chain — and the single weakest link in most entities' evidence, based on what national authorities are signalling, is identity.

What Article 21(2) Actually Requires

Article 21(2) of Directive (EU) 2022/2555 sets out ten cybersecurity risk-management measures that every essential and important entity must adopt (NIS2 Article 21 — full text):

  • (a) risk analysis and information security policies
  • (b) incident handling
  • (c) business continuity, including backup, disaster recovery, and crisis management
  • (d) supply chain security
  • (e) security in network and information system acquisition, development, and maintenance, including vulnerability handling
  • (f) policies and procedures to assess the effectiveness of the measures
  • (g) basic cyber hygiene and cybersecurity training
  • (h) policies and procedures on the use of cryptography and encryption
  • (i) human resources security, access control policies, and asset management
  • (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate

Measure (i) is the identity-and-access core. Measure (j) is the authentication enforcement layer. Measure (d) extends the same trust chain into the supply chain. Those three are where audit evidence gets tested.

The text is technology-neutral. The Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 lays down the technical and methodological requirements for measures (a) through (j), but only for eleven specific categories of digital entity — DNS service providers, TLD name registries, cloud computing, data centres, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers (EUR-Lex — CIR 2024/2690). Its Annex anchors the measures in ISO/IEC 27001, ISO/IEC 27002, ETSI EN 319401, and CEN/TS 18026:2024. Every other essential and important entity looks instead to the ENISA Technical Implementation Guidance on cybersecurity risk management measures, version 1.0, published in June 2025 (ENISA, June 2025).

The Evidence Gap: MFA Logs Are Not Identity Proofing

The gap that 2026 audits will expose is subtle. Most entities can produce authentication logs — millions of them, from the same identity provider that enforces multi-factor authentication on every login. What most cannot produce is the step before the logs begin: evidence that the identity bound to each credential is the identity it claims to be.

An auditor examining Article 21(2)(i) does not stop at "users must log in with MFA." They ask, for any given user account:

  • Who verified this person's identity at enrolment?
  • Against what authoritative source?
  • What evidence survives that verification — a scanned image, a vendor's match score, or a cryptographic record?
  • If the person is a third-country national or a supplier's employee, what jurisdiction's identity document was checked, and how?
  • Can you reproduce the chain from enrolment through credential issuance through the authentication log — end to end, on demand?

MFA proves that a credential was used. It does not prove that the credential belongs to the person you think it belongs to. Under Article 21(2)(i), that second claim is what auditors are asking you to substantiate.

[Figure: How Article 21(2) identity evidence must connect enrolment, credential issuance, authentication, and consequential signing]

The ENISA guidance walks through each of the ten measures with outcome statements, implementation evidence, and references to ISO/IEC controls. The Belgian CCB has gone further, making the CyFun framework a named compliance pathway alongside ISO 27001: essential entities had to submit a CyFun Basic or Important self-assessment — or equivalent ISO 27001 documentation — to a BELAC-accredited Conformity Assessment Body by the 18 April 2026 deadline (CCB Belgium — 18 April 2026 deadline). For the first time in the EU, a national authority has put a signed attestation from an accredited third party between a company's "we comply" claim and the regulator's willingness to believe it.

What Went Live on 6 January 2026 in Germany

Germany was the last large member state to finish NIS2 transposition. The NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) was passed by the Bundestag on 13 November 2025, approved by the Bundesrat, and entered force on 6 December 2025 (Bird & Bird, December 2025). The BSI registration and incident-reporting portal went live on 6 January 2026, opening a three-month window for essential and important entities to register themselves. The BSI has been explicit that the enforcement model is not reactive: the Act empowers the BSI to carry out on-site audits and document requests without a triggering incident, and to issue public notices for serious violations (Morrison Foerster, December 2025).

The fine ceilings are the part every board already knows:

  • Essential entities — up to €10 million or 2% of global annual turnover, whichever is higher
  • Important entities — up to €7 million or 1.4% of global annual turnover
  • Personal liability for managing directors in cases of gross negligence or intent, and the ability for authorities to impose temporary management bans

What the enforcement pattern is surfacing — across Belgium, Germany, the Netherlands, and Austria — is that regulators are far more interested in documented identity evidence than in the presence of a particular product. A privileged-access MFA tool that produces beautiful logs but cannot answer "how do you know this admin is who they were when you enrolled them?" is a finding waiting to happen.

Article 21(2)(d): The Cross-Border Supplier Problem

Measure (d) — supply chain security — requires every essential and important entity to assess the cybersecurity posture of its direct suppliers and service providers. In practice this means a supplier register, classified by criticality, with documented evidence of each supplier's controls. Auditors expect to see:

  • An up-to-date inventory of suppliers with access to network and information systems
  • Risk classification with documented methodology
  • Contract clauses aligning supplier practices to the entity's own Article 21 measures
  • Incident-reporting obligations that flow down the chain

None of that is hard in principle. The hard part arrives when the supplier is a non-EU entity — a third-country cloud sub-processor, a specialist logistics partner, a software vendor with offshore engineering — and the question becomes: how do you verify the identity of that supplier's personnel to the same standard as your own? The EU Digital Identity Wallet, which every Member State must make available by December 2026, only solves the EU half of the problem. It does not reach the non-EU supplier's service engineer who needs privileged access to your production environment under a change ticket.

This is the point at which "we enforce MFA" stops being an answer. The answer an auditor can sign off on is an enrolment record — one that cryptographically binds a specific human being, verified against their government's own signed identity data, to the credential that then carries MFA.

What Cryptographic Identity Evidence Looks Like

Every biometric passport issued under ICAO Doc 9303 — roughly 180 countries and regions (Signicat, December 2025) — contains an NFC chip holding the holder's data signed by the issuing government. Reading that chip at enrolment produces three things a photograph of an ID document and a selfie cannot:

  • Government-signed data. The identity attributes — name, nationality, document number, date of birth, photograph — are signed by the state that issued the passport. The signature is verifiable offline against the issuing state's CSCA certificate.
  • Clone resistance. The chip supports Active Authentication or Chip Authentication, proving the chip is the original rather than a cloned copy.
  • Holder presence. The PACE protocol binds the read to the physical document: the chip only opens to a reader that knows the access key printed on the document (the MRZ or CAN), so the document itself must be present at enrolment.

When that cryptographic attestation is captured at enrolment, bound to the issued credential, and countersigned by a qualified electronic signature under eIDAS, the entity can produce — on demand, in any future audit — an evidence chain that runs from the sovereign issuer's signature through to the authentication log entry. No probabilistic match, no vendor's closed-model opinion, no "our AI says it's them."
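The chain auditors ask for (the five enrolment questions above, and the government-signed chip data described in this section) as an added Python model that is not IdentiGate's code: Passive Authentication over a simplified Security Object, an enrolment record that pins the captured chip data to the issued credential, and an audit walk from one MFA log entry back to the issuer's signature. The issuer key, the HMAC stand-in for the state's CMS signature, the record layout and the sample MRZ are all constructed for illustration; eIDAS countersignature and Chip Authentication are not modelled.

```python
import hashlib, hmac, json

# Constructed stand-in for the issuing state's Document Signer key: a real ICAO 9303 SOD
# carries an RSA/ECDSA CMS signature chained to the CSCA; HMAC keeps this stdlib-only.
ISSUER_KEY = b"constructed-document-signer-key"

def sign_sod(data_groups):
    """Issuer side: simplified Security Object (SOD) = DG hashes plus issuer signature."""
    dg_hashes = {dg: hashlib.sha256(v.encode()).hexdigest() for dg, v in data_groups.items()}
    payload = json.dumps(dg_hashes, sort_keys=True).encode()
    return {"dg_hashes": dg_hashes, "sig": hmac.new(ISSUER_KEY, payload, "sha256").hexdigest()}

def passive_authentication(data_groups, sod):
    """ICAO Passive Authentication: issuer signature over the SOD holds and every DG hash matches."""
    payload = json.dumps(sod["dg_hashes"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(ISSUER_KEY, payload, "sha256").hexdigest(), sod["sig"]):
        return False
    return all(hashlib.sha256(data_groups.get(dg, "").encode()).hexdigest() == h
               for dg, h in sod["dg_hashes"].items())

def record_hash(rec):
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def enrol(data_groups, sod, credential_id, enrolled_at):
    """Enrolment record: keep chip data and SOD as captured, bound to the issued credential."""
    if not passive_authentication(data_groups, sod):
        raise ValueError("passive authentication failed; refuse enrolment")
    rec = {"credential_id": credential_id, "data_groups": dict(data_groups),
           "sod": sod, "enrolled_at": enrolled_at}
    rec["record_hash"] = record_hash(rec)
    return rec

def audit_chain(event, enrolments):
    """Reproduce the chain on demand: log entry -> enrolment record -> issuer signature."""
    rec = enrolments.get(event["credential_id"])
    if rec is None:
        return "no enrolment record for credential"
    if record_hash(rec) != event["enrolment_hash"]:
        return "enrolment record altered since the log entry was written"
    if not passive_authentication(rec["data_groups"], rec["sod"]):
        return "issuer signature on captured chip data does not verify"
    return "ok"

# Constructed sample: MRZ-style DG1 plus a DG2 placeholder, signed by the stand-in issuer,
# enrolled, then referenced by one MFA log entry that carries the enrolment record hash.
CHIP = {"DG1": "P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<", "DG2": "<photo bytes>"}
REC = enrol(CHIP, sign_sod(CHIP), "cred-0001", "2026-04-10T09:00:00Z")
EVENT = {"ts": "2026-04-21T14:02:11Z", "credential_id": REC["credential_id"],
         "enrolment_hash": REC["record_hash"], "mfa": "passed"}
```

Because each log entry carries the hash of the enrolment record it relied on, a record edited after the fact fails the audit even if its own hash field is recomputed, and the issuer signature is re-verified rather than trusted from a stored "passed" flag.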

This is what Article 21(2)(i) asks for and what (j) enforces against. It is also what supply-chain security under (d) needs in order to extend across non-EU personnel, where the EU's own wallet cannot reach: workforce identity verification covers both internal sensitive-role staff and external providers' personnel with one cryptographic primitive.

2026 Is the Evidence Year

Until 2026, NIS2 compliance programmes could reasonably focus on having the ten measures. From Belgium's 18 April deadline onward, they must focus on evidencing them — and identity is the link in the chain that auditors are examining first. Entities that have built their identity layer on probabilistic document checks, vendor-mediated selfies, or MFA tooling without an enrolment audit trail have a 2026 remediation project, not a 2027 one. Entities whose enrolment captures cryptographic, government-signed identity data, countersigned under eIDAS, have an answer to every Article 21(2)(i), (j), and (d) question before it is asked.

NIS2 did not change what "strong authentication" means. It changed who has to prove it, to whom, on what schedule, and with what documentary evidence. 2026 is the first year we will see how far that proof has to go.

Article 21(2)(i) and (j) read especially tightly against the three-framework OT remote-access convergence (NERC CIP-003-9 in the US, IEC 62443-2-4:2023 globally, NIS2 in the EU) — all three now require identity-bound vendor sessions that bind to a specific named human. And where NIS2 governs the cybersecurity layer of essential and important entities, the CER Directive's 17 July 2026 critical-entity designation wave adds a complementary physical-resilience and personnel-security layer — one that reaches external service providers' personnel on exactly the same identity-proofing primitive.

About the author

Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.
