European cybersecurity legislation and digital identity: how Yivi helps organizations with compliance

Dibran Mulder 11 min read
DORA NIS2 CRA digital identity privacy compliance Yivi

The European Union is significantly tightening cybersecurity requirements. Legislation such as DORA, NIS2, and the upcoming Cyber Resilience Act (CRA) will require organizations to structurally strengthen their digital resilience. Strong authentication, chain security, incident response, and “security by design” are key themes.

Yivi can play a key role in this: as a European, privacy-friendly, and phishing-resistant solution for digital identity and multi-factor authentication, Yivi helps organizations quickly and practically meet the new requirements—without being dependent on commercial identity providers outside the EU.

In this blog post, we explore how Yivi supports organizations in implementing DORA, NIS2, and the CRA, with concrete practical examples.

DORA (Digital Operational Resilience Act)

Key requirements: DORA is an EU regulation focused on the digital resilience of financial institutions. It sets uniform requirements for ICT risk management, including: strong authentication, incident management and notification, periodic cyber resilience testing, and risk management of external ICT suppliers. DORA requires organizations to implement a strong authentication policy based on a risk assessment of their ICT processes. Article 9 emphasizes the need to determine where multi-factor authentication (MFA) is necessary to reduce risks (particularly for employees and suppliers) and that this authentication must be phishing-resistant. Furthermore, DORA requires rapid detection and reporting of IT incidents to supervisory authorities and the performance of penetration tests and other resilience assessments. Institutions must also carefully manage their interactions with third parties and suppliers (such as cloud or IT service providers) by monitoring their cybersecurity and making agreements about continuity.

Support by Yivi

Yivi can help organizations meet DORA’s requirements, particularly regarding strong authentication and access. Yivi serves as a user-friendly MFA solution: users log in using their Yivi app, which incorporates two factors (something the user has – their phone/wallet – and something they know – a PIN) and generates one-time cryptographic codes. This meets the definition of strong authentication under DORA, which prescribes MFA with dynamic codes. Because Yivi uses state-of-the-art cryptography and selective data sharing, it is highly phishing-resistant, and login credentials are not exposed to password leaks or reuse. Furthermore, Yivi supports strict access control: access to critical systems can be made conditional on the presentation of certain digital attributes (e.g., an organization-issued Yivi credential confirming that someone is an employee with certain privileges). This ensures that only authorized personnel are granted access to sensitive IT assets, fully in line with DORA’s requirement for strong authentication for external network access and privileges, among other things.

Practical Examples

A bank can use Yivi for employee logins to internal systems and VPNs, so that only employees with a Yivi identity (issued by the bank) can log in. This replaces vulnerable passwords with passwordless login via the Yivi app, which is DORA-compliant and immediately reduces operational risk. Yivi can also be used for customer authentication for online services (although customer authentication formally falls under PSD2, it aligns seamlessly with DORA’s focus on strong security of all systems). In incident response scenarios, Yivi can contribute because all access attempts are cryptographically authenticated and loggable – in the event of a security incident, there is clear evidence of who gained access and when. Finally, Yivi fits within DORA’s third-party risk management: it is an open-source solution managed by a Dutch party, giving banks more control and insight into the technology compared to outsourcing to a large foreign identity provider. This simplifies due diligence and oversight of the supplier, which in turn contributes to compliance with DORA’s regulations for ICT supplier risks.

NIS2 (Network and Information Security Directive 2)

Key requirements: NIS2 is an EU directive that prescribes minimum cybersecurity measures for a wide range of essential and important sectors. Organizations must implement a cyber risk management framework with technical and organizational measures. Key requirements include:

  1. Strong (multi-factor) authentication and access management: Article 21 of NIS2 prescribes “the use of multi-factor authentication or continuous authentication solutions,” where appropriate. Access controls and identity management are also explicitly mentioned (e.g., human resources security, access policies).

  2. Supply chain security: Organizations must address the security of their supply chain, including relationships with suppliers and service providers. They must specifically address vulnerabilities of suppliers and the quality of their products and development processes.

  3. Secure software development and patch management: NIS2 requires that security, including vulnerability management and reporting, be considered during the acquisition, development, and maintenance of ICT systems. Basic cyber hygiene and updates are part of this.

  4. Incident detection and reporting: Organizations must quickly detect incidents and report significant cybersecurity incidents to the competent authorities/CSIRT. NIS2 uses a three-step reporting system for this: an early warning within 24 hours of discovery, a full incident report within 72 hours, and a final report within one month. All this is to improve response and information sharing.

Support by Yivi

Yivi can practically fulfill several NIS2 requirements. First, Yivi provides strong authentication (MFA) out-of-the-box, exactly what NIS2 Art. 21(j) requires. By using Yivi as a login method for both employees and external partners, organizations meet the MFA requirement without complex in-house implementations. Furthermore, Yivi strengthens access control: only individuals with the correct digital attributes in their wallets are granted access to certain systems or data. This includes shielding critical production networks or sensitive databases. Yivi can ensure that only employees with, for example, a valid “security training completed” or “job X approved” attribute are allowed in. This aligns with NIS2’s requirement for stringent identity and access management.

Yivi indirectly helps with supply chain security because it is a high-quality, European product. When using Yivi as an identity system, an organization doesn’t have to rely on potentially risky identity providers from third countries. NIS2 requires you to assess the quality and security practices of your suppliers – Yivi scores well in this regard thanks to open-source code, academic roots, and strict privacy-by-design principles. Yivi’s cryptography and development standards are transparent and peer-reviewed, which aligns with the “state-of-the-art” encryption and cryptography policies required by NIS2. For secure software development, Yivi as a component offers the advantage that much security functionality is already robustly implemented. Developers can integrate Yivi via well-documented APIs that comply with industry standards, instead of building authentication logic themselves (with all the potential for errors). This reduces the risk of vulnerabilities in your own product and simplifies the management of updates and patches to the identity technology.

Practical Examples

In critical infrastructure (e.g., an energy company or water board), Yivi can be deployed to give operators and technicians with a Yivi pass access to operating systems. This guarantees multi-factor login when operating vital processes, fully compliant with NIS2, and the system knows for sure which certified person is logging in. Hospitals or other healthcare institutions (also covered by NIS2) can use Yivi for healthcare provider logins to patient records: only authorized doctors/nurses with a hospital-issued digital ID (in Yivi) are granted access. This protects data confidentiality and enforces strict access control. Yivi can also be useful when collaborating with suppliers: a company can grant suppliers access to an ordering portal on the condition that the supplier identifies themselves with Yivi, possibly with an attribute granted by the client (“contracted supplier of company X”). This prevents unauthorized access in the supply chain and adds an extra layer of authentication to supply chain interactions. Finally, Yivi’s logging (the verification of each login can be recorded) helps with incident detection: suspicious attempts (e.g., repeated failed scans or incorrect attributes) can serve as a red flag. Should an incident need to be reported, the organization can demonstrate that the attempts were authenticated and, for example, that unauthorized individuals were prevented from gaining access thanks to Yivi’s measures.

CRA (Cyber Resilience Act)

Key requirements: The Cyber Resilience Act (CRA) is an upcoming EU regulation that sets minimum cybersecurity requirements for products with digital elements (hardware and software) marketed in the EU. Manufacturers must ensure that products are “security by design” and remain secure throughout their lifecycle. Some essential requirements from Annex I of the CRA include:

  1. Protection against unauthorized access: Products must include appropriate control mechanisms, such as authentication and identity management systems, to prevent unauthorized access.

  2. Confidentiality and integrity of data: Sensitive data must remain confidential and intact, for example, through state-of-the-art encryption of data at rest and in transit and by preventing data from being modified unnoticed.

  3. Data minimization: A product may only process personal data that is necessary for its intended use (data minimization).

  4. Mitigation of attack vectors and secure configuration: The product must be securely configured upon delivery (secure by default) and minimize exposure surfaces.

  5. Incident logging and updates: The product must log/monitor relevant security events, and manufacturers must be able to release security updates to address vulnerabilities. Manufacturers are required to patch known vulnerabilities and have a coordinated vulnerability disclosure process.

Support by Yivi

Yivi can contribute to CRA compliance by providing a ready-made, secure identity and authentication component for products. First, Yivi directly addresses the requirement for protection against unauthorized access. By incorporating Yivi as an authentication mechanism in a digital product (e.g., a web application, online service, or IoT platform), the manufacturer provides a robust login system based on strong cryptographic authentication instead of just a password. Yivi’s approach—users receive digital attributes from a trusted issuer and must cryptographically prove them upon use—functions as a decentralized identity and access management system. This means that a Yivi-enabled product only grants access to users with valid, verifiable credentials, meeting the CRA’s requirement for a suitable access control solution.

Furthermore, Yivi’s privacy-friendly design aligns with the CRA’s requirements for data minimization and data integrity. Because Yivi allows users to selectively share attribute data—only the information strictly necessary for a specific action—the product doesn’t process redundant personal data. This helps the manufacturer demonstrate that the product meets the minimization requirement. At the same time, Yivi’s strong encryption (both in the app and during transmission) ensures that confidential data is protected from eavesdropping or manipulation, in line with the required state-of-the-art encryption.

Secure software & updates: Because Yivi is open source and managed by an experienced team (Caesar Group in collaboration with the Privacy by Design Foundation), it is a high-quality and auditable component. A manufacturer that integrates Yivi benefits from the continuously improved and community-reviewed codebase. In the context of the CRA, which requires that products be released without known vulnerabilities and patched proactively, using Yivi can facilitate this process. Updates to the Yivi software (e.g., security fixes) can be easily implemented by the manufacturer in the product software, and the open nature of Yivi means that vulnerabilities are quickly discovered and fixed. Yivi also has features such as credential revocation and system-level logging, which allows a product to detect and log misuse or suspicious activity (e.g., an attempt with an invalid or revoked credential can be logged as a security event). This supports the CRA requirement that products monitor security-relevant activities.
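The attribute-gated access decision described in the NIS2 section (only holders of a “security training completed” attribute are admitted) and the security-event logging of invalid, expired or repeated failed attempts mentioned above, as one added example that is not Yivi’s own code. It assumes a relying-party backend receives a session result shaped like the IRMA/Yivi server’s JSON (fields `status`, `proofStatus`, `disclosed`; treat the exact field names as an assumption to check against your server version) and uses a hypothetical attribute identifier.

```python
from collections import Counter

# Hypothetical attribute id; a real deployment uses the id its own issuer configured.
ATTR = "pbdf.example-hospital.staff.securityTraining"
REQUIRED = {ATTR: "yes"}

# Constructed session results modelled on the server's JSON (field names assumed).
SAMPLES = {
    "trained":   {"status": "DONE", "proofStatus": "VALID",
                  "disclosed": [[{"id": ATTR, "rawvalue": "yes", "status": "PRESENT"}]]},
    "untrained": {"status": "DONE", "proofStatus": "VALID",
                  "disclosed": [[{"id": ATTR, "rawvalue": "no", "status": "PRESENT"}]]},
    "expired":   {"status": "DONE", "proofStatus": "EXPIRED", "disclosed": []},
    "cancelled": {"status": "CANCELLED", "proofStatus": "", "disclosed": []},
}

def evaluate(result, required):
    """Deny by default: grant only when the session completed, the proof
    verified, and every required attribute was disclosed with the expected value."""
    if result.get("status") != "DONE":
        return False, "session not completed: %s" % result.get("status")
    if result.get("proofStatus") != "VALID":
        return False, "proof not valid: %s" % result.get("proofStatus")
    # 'disclosed' is a list of attribute groups; flatten it by attribute id.
    disclosed = {a["id"]: a for group in result.get("disclosed", []) for a in group}
    for attr_id, expected in required.items():
        a = disclosed.get(attr_id)
        if a is None or a.get("status") != "PRESENT":
            return False, "required attribute missing: " + attr_id
        if a.get("rawvalue") != expected:
            return False, "attribute value not accepted: " + attr_id
    return True, "ok"

class SecurityLog:
    """Records every verification outcome as a security event and flags a
    client that accumulates `threshold` denials (the red flag for detection)."""
    def __init__(self, threshold=3):
        self.events, self.denials, self.threshold = [], Counter(), threshold

    def record(self, client, result, required):
        granted, reason = evaluate(result, required)
        if not granted:
            self.denials[client] += 1
        event = {"client": client, "granted": granted, "reason": reason,
                 "alert": self.denials[client] >= self.threshold}
        self.events.append(event)
        return event

def run_demo():
    log = SecurityLog(threshold=3)
    log.record("10.0.0.5", SAMPLES["trained"], REQUIRED)      # constructed client ids
    for name in ("untrained", "expired", "cancelled"):
        log.record("10.0.0.9", SAMPLES[name], REQUIRED)
    return log.events
```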

Practical Examples

Suppose a manufacturer builds a smart industrial machine that can be controlled remotely via a web interface. By requiring Yivi authentication for this operation, only authorized operators (who have received a digital certificate from the manufacturer in their Yivi wallet) can operate the machine. Such a machine is then CRA-compliant because unauthorized persons are kept out through strong MFA and identity verification, and all operating actions are cryptographically traceable to a specific, authenticated user. Another example: a financial software provider can integrate Yivi to give customers access to sensitive data or transactions. This immediately fulfills the requirement that the product have “adequate access control” (european-cyber-resilience-act.com), while simultaneously ensuring confidentiality through Yivi’s encrypted attribute exchange. Yivi can also assist with coordination within a chain—think of reporting chains or audits where various parties must provide data: with Yivi, each party can digitally demonstrate their identity and authorization (e.g., an auditor who proves they are certified through Yivi), which increases the integrity of the process and demonstrates compliance with security requirements.

European Sovereignty and Trust

An additional advantage of Yivi is that it is entirely European-based—in terms of infrastructure and ownership—which contributes to trust and compliance under all the aforementioned frameworks. Many competing ID wallets are powered by large commercial parties, often outside the EU, which can raise questions about data sovereignty and dependencies. Yivi, on the other hand, runs on European infrastructure and is being developed by the Dutch Caesar Group, in collaboration with the Privacy by Design foundation (founded by Professor Bart Jacobs). This means there are close ties with government and academia, and Yivi meets strict public standards for security and privacy.

Under DORA and NIS2, organizations must also pay attention to the reliability of their suppliers and service providers (e.g., cloud or identity providers). The fact that Yivi is being developed by a party with government connections—and is already being used in government projects (e.g., the municipality of Nijmegen is experimenting with the Yivi wallet)—instills confidence that Yivi is a reliable and secure tool. No American cloud provider can demand personal data under the US CLOUD Act; all data exchange via Yivi remains within European jurisdiction. This aligns with the EU’s pursuit of digital sovereignty and reduces compliance risks related to data exports or foreign laws. Moreover, Yivi’s open-source, transparent nature inspires trust in regulators: the code and security approach are transparent and verifiable, something that can be a positive factor in audits or supervisory processes under DORA/NIS2.

In short, Yivi’s European origins and privacy-by-design foundation support organizations not only technically in meeting requirements like MFA, access control, and secure data exchange, but also organizationally and legally. Using a sovereign EU identity wallet can demonstrate a serious commitment to compliance: choosing a solution that aligns with European regulations and values increases the trust of both customers and regulators in the organization’s digital resilience.