NIS2 compliance - European Cyber Security (Any real-world progress yet? How does SoftEther fit in?)

Posted: Thu Jan 22, 2026 1:19 pm
by hlaci
Hi all,
NIS2 is coming up more and more often lately, but there’s still very little practical, technical guidance available.

In short, NIS2 is the EU’s updated cybersecurity directive. It doesn’t mandate specific products, but security principles and operational requirements: strong authentication (MFA), logging and monitoring, incident response, least-privilege access, and auditability. These requirements clearly affect remote access and VPN solutions.

This raises the question: How well does SoftEther VPN align with NIS2 requirements?

From initial research:

- SoftEther out of the box (username/password, VPN Azure relay) is hard to defend in an audit.
- With RADIUS + Entra ID + MFA + certificate-based auth + centralized logging, it can be technically aligned with NIS2 expectations.
- The key factor seems to be architecture and operations, not the VPN product alone.

Is anyone here:

- already facing NIS2-related audit questions?
- using SoftEther, OpenVPN, or Azure VPN in a NIS2 context?
- aware of concrete guidance from auditors or authorities?

Would be great to hear real-world experiences, not just theory.