Regulatory Compliance Support
How Mideye Server addresses specific requirements in EU and international compliance frameworks.
⚠️ Important: Mideye provides authentication technology that addresses specific requirements in various compliance frameworks. Achieving full compliance with NIS2, DORA, ISO 27001, or other standards requires comprehensive organizational programs beyond MFA. Consult your compliance team, auditor, or legal counsel for complete compliance guidance.
Framework Overview
Mideye Server addresses specific requirements in EU and international compliance frameworks including NIS2, DORA, ISO 27001, and GDPR. This page provides explicit mappings between Mideye features and regulatory requirements to help you understand how Mideye fits into your compliance program.
🇪🇺 NIS2 Directive (EU 2022/2555)
The Network and Information Security Directive applies to essential and important entities across the EU, requiring baseline cybersecurity measures.
| Requirement | Mideye Feature | Article |
|---|---|---|
| Multi-factor authentication | Core MFA engine (push, SMS, TOTP, hardware tokens) | Art. 21(2)(j) |
| Access control policies | Assisted Login (four-eyes principle) | Art. 21(2)(i) |
| Incident detection | Failed login monitoring + Mideye Shield | Art. 21(2)(b) (incident handling) |
| Audit logging | Comprehensive authentication and approval logs, supporting incident handling and evidence collection | Art. 21(2)(b) |
Official reference: NIS2 Directive on EUR-Lex →
🇸🇪 Swedish Cybersäkerhetslagen (2025:1506)
Sweden's implementation of the NIS2 Directive, effective January 15, 2026. Applies to essential and important societal functions.
21 § — Measures against IT incidents (security measures)
| Requirement | Mideye feature |
|---|---|
| Multi-factor authentication | MFA with push, SMS, TOTP, hardware tokens |
| Access governance policies | Assisted Login (four-eyes principle) |
| Swedish data centres (data residency) | On-premises server + Mideye Switch hosted in Sweden |
Official references: Svensk författningssamling → | MSB explanation →
🏦 DORA — Digital Operational Resilience Act (EU 2022/2554)
Applies to financial entities in the EU. The Regulatory Technical Standards on ICT risk management (Commission Delegated Regulation (EU) 2024/1774) set out the detailed identity and access control requirements.
| Requirement | Mideye Feature | Article |
|---|---|---|
| Privileged access on need-to-use or ad-hoc basis | Time-based access windows + Shared Account Protection | RTS Art. 21 |
| Segregation of duties | Assisted Login dual approval | RTS Art. 21 |
| Access rights administration | Policy-based approval workflows | Art. 9(4)(c) |
| Threat intelligence sharing | Mideye Shield hive defense | Art. 45 |
Official references: DORA Regulation → | RTS on ICT Risk Management →
🔒 ISO/IEC 27001:2022
International standard for information security management systems. Mideye Server implements technical controls that map to ISO/IEC 27001:2022 Annex A; customers cite these controls as evidence in their own certification.
| Control | Mideye Feature | Annex A |
|---|---|---|
| Segregation of duties | Assisted Login (enforced dual approval) | A.5.3 |
| Access control | Group-based policies + RADIUS integration | A.5.15 |
| Privileged access rights | Time-limited shared account access | A.8.2 |
| Secure authentication | Multi-factor authentication (push, TOTP, tokens) | A.8.5 |
Note: Mideye is not ISO 27001 certified as an organization. These are controls that Mideye implements which customers use as evidence in their own ISO 27001 certification processes.
🛡️ GDPR Article 32 (EU 2016/679)
Security of processing — technical and organisational measures appropriate to the risk.
Technical Measures Implemented:
- Multi-factor authentication — Reduces risk of unauthorized access to personal data
- Data residency controls — On-premises deployment + Swedish data centers for central services
- Audit logging — Full trail of who accessed what and when
- Access control policies — Enforce least privilege and time-limited access
Official reference: GDPR on EUR-Lex → | GDPR-info.eu Article 32 →
💳 PCI DSS v4.0
Payment Card Industry Data Security Standard for organizations handling cardholder data.
Requirement 8.4 — Multi-Factor Authentication (MFA)
Requirement 8.4 mandates MFA for all non-console administrative access into the cardholder data environment (8.4.1), for all access into the CDE (8.4.2, required from 31 March 2025), and for all remote network access originating from outside the entity's network (8.4.3).
| Requirement | Mideye Feature |
|---|---|
| MFA for administrative access | RADIUS integration with VPN, firewalls, RDP |
| MFA for all remote access | VPN and remote desktop integration |
| Additional layer for shared accounts | Shared Account Protection |
Official reference: PCI Security Standards Council →
Frequently Asked Questions
Is Mideye NIS2 compliant?
Mideye Server addresses specific NIS2 requirements including multi-factor authentication (Article 21(2)(j)), access control policies (Article 21(2)(i)), and incident detection as part of incident handling (Article 21(2)(b)). However, NIS2 compliance involves many requirements beyond MFA, including governance, incident response, supply chain security, and business continuity. Mideye provides the authentication and access control components. Consult your compliance team for your complete NIS2 compliance program.
Is Mideye ISO 27001 certified?
Mideye is not ISO 27001 certified as an organization. However, Mideye Server implements controls from ISO/IEC 27001:2022 Annex A that customers use as part of their own ISO certification. Specifically, Assisted Login implements A.5.3 (segregation of duties), and the core MFA platform supports A.5.15 (access control), A.8.2 (privileged access rights) and A.8.5 (secure authentication). Many customers use Mideye as evidence in their ISO 27001 audits.
Does Mideye meet DORA requirements for financial entities?
Mideye Server addresses specific DORA requirements in Article 9(4)(c) on access rights administration and the Regulatory Technical Standards (RTS 2024/1774) Article 21 on privileged access management and segregation of duties. DORA has broad operational resilience requirements beyond authentication. Mideye provides the access control and authentication security controls portion.
What about Swedish Cybersäkerhetslagen compliance?
The Swedish Cybersäkerhetslagen (2025:1506), which took effect January 15, 2026, implements the NIS2 Directive in Sweden. Mideye Server's multi-factor authentication addresses the security measure requirements in 21 § regarding authentication and access control. All Mideye central services run in Swedish data centers, supporting data sovereignty requirements for Swedish critical infrastructure.
Can I use Mideye for PCI DSS compliance?
Yes. Mideye Server addresses PCI DSS v4.0 Requirement 8.4 for multi-factor authentication on administrative and remote access to cardholder data environments. Mideye is not PCI DSS certified; this refers to the MFA controls the product provides as part of a customer's broader compliance program. Many customers integrate Mideye with VPNs, RDP, and administrative consoles to meet the PCI DSS MFA requirements. Remember that PCI DSS has many other requirements beyond MFA.
Related Resources
Assisted Login
Four-eyes principle for ISO 27001 A.5.3 and DORA segregation of duties.
Shared Account Protection
Privileged access on need-to-use basis for DORA RTS Article 21.
Air-Gapped Mode
Zero internet dependency for critical infrastructure and supply chain security.
Mideye Shield
Incident detection aligned with NIS2 Article 21(2)(b) and DORA Article 45.
Data Residency
GDPR Article 32 technical measures and Swedish data sovereignty.
Technical Documentation
Installation, integration guides, and operational procedures.
Request Compliance Documentation
Need our Data Processing Agreement, security documentation, or sub-processor list? Contact our team.