Regulatory Compliance Support

How Mideye Server addresses specific requirements in EU and international compliance frameworks.

⚠️ Important: Mideye provides authentication technology that addresses specific requirements in various compliance frameworks. Achieving full compliance with NIS2, DORA, ISO 27001, or other standards requires comprehensive organizational programs beyond MFA. Consult your compliance team, auditor, or legal counsel for complete compliance guidance.

Framework Overview

Mideye Server addresses specific requirements in EU and international compliance frameworks including NIS2, DORA, ISO 27001, and GDPR. This page provides explicit mappings between Mideye features and regulatory requirements to help you understand how Mideye fits into your compliance program.

🇪🇺 NIS2 Directive (EU 2022/2555)

The Network and Information Security Directive applies to essential and important entities across the EU, requiring baseline cybersecurity measures.

Requirement Mideye Feature Article
Multi-factor authentication Core MFA engine (push, SMS, TOTP, hardware tokens) Art. 21(2)(j)
MFA for privileged & administrative access RADIUS MFA in front of AD, VPN, RDP and admin logins; Credential Provider for Windows admin logons Art. 21(2)(j) + ENISA TIG § 11.3.2
Access control policies Assisted Login (four-eyes principle) Art. 21(2)(i)
Incident detection Failed login monitoring + Mideye Shield Art. 21(2)(e)
Audit logging Comprehensive authentication and approval logs Art. 21(2)(e)

Privileged accounts come first. ENISA's Technical Implementation Guidance (June 2025) for the NIS2 Implementing Regulation (EU) 2024/2690 calls for dedicated, individual administrator accounts protected with strong authentication (§ 11.3.2), tightly controlled and fully logged administration systems (§ 11.4), and multi-factor authentication on VPN, RDP, and any service reachable from outside the corporate network. Admin and privileged accounts are where auditors look first. Mideye puts RADIUS-based MFA in front of Active Directory, VPN, and administrative logins today, including Windows admin logons via the Credential Provider.

Non-compliance is expensive: NIS2 Article 34(4) sets administrative fines for essential entities of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.

Official references: NIS2 Directive on EUR-Lex → | ENISA Technical Implementation Guidance →

🇸🇪 Swedish Cybersäkerhetslagen (2025:1506)

Sweden's implementation of the NIS2 Directive, effective January 15, 2026. Applies to essential and important societal functions.

21 §, Åtgärder mot IT-incidenter (Security Measures)

Krav (Requirement) Mideye-funktion
Multifaktorautentisering MFA med push, SMS, TOTP, hårdvarutoken
Policies för styrning av åtkomst Assisterad inloggning (fyrögonsprincipen)
Nordic datacenters On-premise server + Switch hosted in the Nordics

The supporting security-measure regulations (föreskrifter) from MCF, formerly MSB, are expected to enter into force on October 1, 2026, and the proposal includes an explicit multi-factor authentication requirement for access to systems classified as requiring enhanced protection.

Officiella referenser: Svensk författningssamling → | MSB förklaring →

🏦 DORA, Digital Operational Resilience Act (EU 2022/2554)

Applies to financial entities in the EU. Regulatory Technical Standards (RTS 2024/1774) provide detailed ICT risk management requirements.

Requirement Mideye Feature Article
Privileged access on need-to-use or ad-hoc basis Time-based access windows + Shared Account Protection RTS Art. 21
Segregation of duties Assisted Login dual approval RTS Art. 21
Access rights administration Policy-based approval workflows Art. 9(4)(c)
Threat intelligence sharing Mideye Shield hive defense Art. 45

Official references: DORA Regulation → | RTS on ICT Risk Management →

🔒 ISO/IEC 27001:2022

International standard for information security management systems. Mideye implements controls from Annex A that customers use as part of their ISO certification.

Control Mideye Feature Annex A
Segregation of duties Assisted Login (enforced dual approval) A.5.3
Access control Group-based policies + RADIUS integration A.5.15
Privileged access rights Time-limited shared account access A.5.18
Secure authentication Multi-factor authentication (push, TOTP, tokens) A.8.5

Note: These are controls that Mideye implements which customers use as evidence in their own ISO 27001 certification processes.

🛡️ GDPR Article 32 (EU 2016/679)

Security of processing, technical and organisational measures appropriate to the risk.

Technical Measures Implemented:

  • Multi-factor authentication, Reduces risk of unauthorized access to personal data
  • Data residency controls, On-premises deployment + EU data centers (Sweden and Finland) for central services
  • Audit logging, Full trail of who accessed what and when
  • Access control policies, Enforce least privilege and time-limited access

Official reference: GDPR on EUR-Lex → | GDPR-info.eu Article 32 →

💳 PCI DSS v4.0

Payment Card Industry Data Security Standard for organizations handling cardholder data.

Requirement 8.4, Multi-Factor Authentication (MFA)

"Multi-factor authentication is required for all non-console administrative access and all remote access to the cardholder data environment."

Requirement Mideye Feature
MFA for administrative access RADIUS integration with VPN, firewalls, RDP
MFA for all remote access VPN and remote desktop integration
Additional layer for shared accounts Shared Account Protection

Official reference: PCI Security Standards Council →

Frequently Asked Questions

Is Mideye NIS2 compliant?

Mideye Server addresses specific NIS2 requirements including multi-factor authentication (Article 21, paragraph 2(j)), access control policies (Article 21, paragraph 2(i)), and incident detection (Article 21, paragraph 2(e)). However, NIS2 compliance involves many requirements beyond MFA including governance, incident response, supply chain security, and business continuity. Mideye provides the authentication and access control components. Consult your compliance team for your complete NIS2 compliance program.

How does Mideye support ISO 27001 certification?

Mideye Server implements controls from ISO 27001:2022 Annex A that customers use as part of their own ISO certification. Specifically, Assisted Login implements Annex A 5.3 (segregation of duties), and the core MFA platform supports Annex A 5.15 (access control) and A.8.5 (secure authentication). Many customers use Mideye as evidence in their ISO 27001 audits.

Does Mideye meet DORA requirements for financial entities?

Mideye Server addresses specific DORA requirements in Article 9(4)(c) on access rights administration and the Regulatory Technical Standards (RTS 2024/1774) Article 21 on privileged access management and segregation of duties. DORA has broad operational resilience requirements beyond authentication. Mideye provides the access control and authentication security controls portion.

What about Swedish Cybersäkerhetslagen compliance?

The Swedish Cybersäkerhetslagen (2025:1506), which took effect January 15, 2026, implements the NIS2 Directive in Sweden. Mideye Server's multi-factor authentication addresses the security measure requirements in 21 § regarding authentication and access control. Mideye central services run in EU data centers within the Nordic region (Sweden and Finland), supporting EU data sovereignty requirements for Swedish critical infrastructure.

Can I use Mideye for PCI DSS compliance?

Yes. Mideye Server addresses PCI DSS v4.0 Requirement 8.4 for multi-factor authentication on administrative and remote access to cardholder data environments, providing the MFA controls that form part of a customer's broader compliance program. Many customers integrate Mideye with VPN, RDP, and administrative consoles to support PCI DSS MFA requirements. Remember that PCI DSS has many other requirements beyond MFA.

Related Resources

Assisted Login

Four-eyes principle for ISO 27001 A.5.3 and DORA segregation of duties.

Shared Account Protection

Privileged access on need-to-use basis for DORA RTS Article 21.

Air-Gapped Mode

Zero internet dependency for critical infrastructure and supply chain security.

Mideye Shield

Incident detection aligned with NIS2 Article 21(2)(e) and DORA Article 45.

Data Residency

GDPR Article 32 technical measures and Swedish data sovereignty.

Technical Documentation

Installation, integration guides, and operational procedures.

Request Compliance Documentation

Need our Data Processing Agreement, security documentation, or sub-processor list? Contact our team.

Contact Sales