YubiKey for the Public Sector: Security Regulations in Europe
In 2026, simply having a password policy is no longer enough. European cybersecurity regulations now demand multi-factor authentication for access to critical systems — and in several countries, the FIDO2 physical security key is the option that best fits the technical requirements of regulatory frameworks. This guide is designed for IT managers of public bodies and ICT providers who need to understand what each regulation requires and how to comply with it.
The common framework: NIS2 and the MFA obligation
The NIS2 Directive is the starting point for all EU countries. It came into force at the European level in January 2023 and establishes multi-factor authentication as a mandatory technical requirement for all access to critical systems — corporate email, VPNs, administration panels, and any system containing sensitive data.
While some countries faced delays in transposition, the legislative timeline is now reaching its peak in 2026. Regardless of local progress, the European Commission's oversight means that inspections are already underway. For many organizations, non-compliance is no longer an option.
If your company is part of the supply chain of an essential entity — energy, healthcare, transport, banking — NIS2 requires that entity to audit its providers. Compliance is not optional, even if you are an SME.
Regulations by country
The ENS (Esquema Nacional de Seguridad) is the reference framework for all Spanish public administrations and their providers. It defines three security categories — Basic, Intermediate, and High — with increasing requirements based on the system's criticality.
In February 2026, the YubiKey 5 CCN became the first hardware security key to obtain the ENS High classification in the CPSTIC catalog of the National Cryptologic Center (CCN). This has a direct practical consequence: Spanish organizations can acquire YubiKeys without the need for the exhaustive follow-up audits required for products not included in the catalog.
Intermediate and High categories: mandatory two-factor authentication for privileged access. FIDO2 meets the technical requirements of the ENS, and the YubiKey 5 CCN is specifically certified for High classification environments.
Furthermore, the CCN has publicly stated that compliance with the ENS in the High category largely covers the structural requirements of NIS2 — making ENS certification a direct path to double compliance.
The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the federal authority for IT security in Germany. Its IT-Grundschutz framework defines the minimum technical measures for public bodies and critical infrastructure operators.
The BSI classifies FIDO2 hardware tokens as the second-factor method with the highest resistance to remote attacks — including real-time phishing and man-in-the-middle attacks. The signature is computed on the chip and the private key never leaves it, which is what rules out a remote attack on the second factor.
For high-security environments, the BSI recommends keys with Common Criteria certification. The YubiKey 5 series includes models with FIDO Level 2 certification, positioning it as a valid option for the most demanding protection levels of IT-Grundschutz.
The RGS is the reference framework for the security of information systems for the French State, managed by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information). It defines security levels for the public administration's online services.
ANSSI has positioned FIDO2 as the recommended authentication standard to replace OTP and password-based systems in government environments. For services classified at the RGS** level, hardware authentication with a physical key is the option most technically aligned with the framework's requirements.
France also leads NIS2 adoption in the EU — the French transposition (Military Programming Law) is already in effect, and ANSSI acts as the competent authority for the supervision of essential and important entities.
Cyber Essentials is the cybersecurity certification scheme backed by the NCSC (National Cyber Security Centre) of the British government. Version 3.3, in effect since April 27, 2026, introduces the most significant change in years: MFA is no longer just recommended; it is mandatory.
The concrete implications for organizations seeking certification:
- Mandatory MFA on all administrative accounts — no exceptions since April 27, 2026
- Mandatory MFA on all cloud services that support it — if the service offers MFA and it is not activated, the certification automatically fails
- Accepted methods: FIDO2 hardware keys, authentication apps, push notifications — SMS is accepted but considered the weakest method
- UK Public Sector Contracts: Since February 2025, providers for high-risk government contracts must demonstrate advanced authentication controls
For administrative accounts and privileged access, the NCSC explicitly recommends hardware keys over any other method. The YubiKey with FIDO2 is the option that eliminates dependence on shared secrets and blocks 100% of automated phishing attacks.
Comparison by Regulatory Framework
| Framework | Country | Mandatory MFA | FIDO2 Recommended | 2026 Status |
|---|---|---|---|---|
| ENS High | 🇪🇸 Spain | ✅ Intermediate & High categories | ✅ YubiKey 5 CCN certified | Active — NIS2 transposition pending |
| BSI IT-Grundschutz | 🇩🇪 Germany | ✅ Critical Infrastructure | ✅ Max resistance to remote attacks | Active — NIS2 transposed |
| RGS / ANSSI | 🇫🇷 France | ✅ RGS** Level | ✅ ANSSI recommended standard | Active — NIS2 transposed |
| Cyber Essentials v3.3 | 🇬🇧 United Kingdom | ✅ Mandatory from 04/27/2026 | ✅ Recommended by NCSC for admins | Active — Deadline met |
Why hardware FIDO2 and not an authentication app?
Authentication apps generate one-time codes from a secret shared between the server and the device. That shared secret is the problem: it can be intercepted, leaked, or phished in real time. This is the scheme that all regulatory frameworks are progressively abandoning.
A FIDO2 key works radically differently. It uses public-key cryptography: the private key never leaves the chip. There is no code to intercept, no shared secret to steal. And the key verifies the domain of the service — if the website is fake, it will not authenticate. This is what makes FIDO2 phishing-resistant by design, not by configuration.
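The origin check described above, as an added illustration written for this article (not Yubico's code, nor any WebAuthn library's): a miniature model of a FIDO2 assertion in which the key signs over the rpId hash and the browser-supplied origin, and the relying party rejects anything signed on a different origin or with a stale challenge. The origins, rpIds and challenge values are constructed; the signing-input layout follows the WebAuthn assertion format, but flags, counter and client data are simplified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is assembled by the browser: Origin is the page that made the request, not a value the page can set.
type ClientData struct{ Type, Challenge, Origin string }

// NewKey stands in for the key's on-device credential: the private half is generated here and never exported.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// toBeSigned is the FIDO2 signing input: SHA-256(authData || SHA-256(clientDataJSON)).
func toBeSigned(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	sum := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return sum[:]
}

// Assert models the key: authData = SHA-256(rpID) || flags || counter, signed with the private key.
func Assert(priv *ecdsa.PrivateKey, rpID string, cd ClientData) (authData, cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd)
	rp := sha256.Sum256([]byte(rpID))
	authData = append(rp[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter = 1
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, toBeSigned(authData, cdJSON))
	return
}

// Verify is the relying party's check: origin, challenge and rpId hash must equal what it expects before the
// signature is even considered. An assertion made on a look-alike page carries that page's origin and fails here.
func Verify(pub *ecdsa.PublicKey, origin, rpID, challenge string, authData, cdJSON, sig []byte) bool {
	var cd ClientData
	rp := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin ||
		cd.Challenge != challenge || len(authData) < 37 || string(authData[:32]) != string(rp[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, toBeSigned(authData, cdJSON), sig)
}

func main() {
	priv := NewKey()
	genuine := ClientData{"webauthn.get", "c1", "https://example.test"}       // constructed genuine origin
	relayed := ClientData{"webauthn.get", "c1", "https://example-login.test"} // constructed look-alike origin
	ad, cj, sig := Assert(priv, "example.test", genuine)
	fmt.Println("genuine:", Verify(&priv.PublicKey, "https://example.test", "example.test", "c1", ad, cj, sig))
	ad, cj, sig = Assert(priv, "example-login.test", relayed) // the browser derives rpId from the real origin
	fmt.Println("relayed:", Verify(&priv.PublicKey, "https://example.test", "example.test", "c1", ad, cj, sig))
}
```

The same public key signs both assertions, so the difference is not the credential but the origin and rpId bound into the signed data; a TOTP code carries no such binding.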
- Identify which systems require MFA according to the applicable ENS/BSI/RGS/Cyber Essentials category
- Evaluate if current systems support FIDO2 / WebAuthn — Google Workspace, Microsoft 365, Okta, and Azure AD support it natively
- Always register two keys per user — one primary and one backup
- Document the deployment for audits: number of keys, assigned users, protected systems
- For Spain: Consider the YubiKey 5 CCN if the system requires ENS High certification
Recommended products for regulated environments
- YubiKey 5 NFC (most versatile): FIDO2, OTP, PIV, OpenPGP. Compatible with Google Workspace, Microsoft 365, and most enterprise IAMs. USB-A + NFC.
- YubiKey 5C NFC (USB-C + NFC): the same protocols as the USB-A model but with a USB-C connector. For modern laptops and devices.
Frequently Asked Questions
Does the standard YubiKey comply with ENS or is the CCN version required?
For most enterprise use cases, the standard YubiKey 5 NFC meets the technical requirements for strong authentication under the ENS. The CCN version is specific to organizations that need products listed in the CCN's CPSTIC catalog — primarily public administrations and providers of systems classified as ENS High.
Does NIS2 mandate a physical key or is an authentication app sufficient?
NIS2 requires multi-factor authentication for access to critical systems but does not specify a particular method. However, technical reference frameworks — ENS, BSI, ANSSI — point to hardware FIDO2 as the option with the highest resistance to phishing. For privileged access, the physical key is the standard recommendation from European cybersecurity authorities.
How many YubiKeys does a public body need?
The general rule is two keys per user with privileged access — one primary and one backup registered in all systems. Without the second key, a locked-out user cannot regain access without administrator intervention. For large deployments, Yubico's "YubiKey as a Service" includes centralized management and serial numbering for inventory control.
Does Cyber Essentials v3.3 apply to all employees or just administrators?
Version 3.3 makes MFA mandatory specifically for all administrative accounts and for access to any cloud service that supports MFA. For standard users, MFA is not mandatory to obtain certification — although the NCSC recommends it for everyone.
Does a private ICT provider need to comply with these regulations?
It depends on the supply chain. If you provide services to a public body or a NIS2 essential entity (energy, healthcare, banking, transport), your client is required to audit the security of its providers. In practice, more and more technical specifications include strong authentication requirements as a solvency criterion. And in the UK, providers of high-risk government contracts must demonstrate advanced controls since February 2025.
Regulations are converging: Hardware FIDO2 is the standard.
ENS, BSI, RGS, and Cyber Essentials start from different frameworks but arrive at the same place: strong, phishing-resistant authentication for privileged access. The YubiKey technically complies with all of them, and in Spain, it also holds the ENS High certification in the CPSTIC catalog — simplifying the procurement process for the public sector.
If you manage the security of a public body or are an ICT provider for regulated entities, 2026 is not the year to evaluate whether to implement MFA. It is the year to document that you already have it.