Publication Date: 2025-12-10
By implementing MFA, the EUIPO commits to maintaining a safe and trusted environment for all users within the User Area while ensuring legal compliance. Complemented by targeted actions against misuse of credentials, these measures contribute to safer access to the User Area for all users. Investigations into recent cases of misuse of User Area credentials highlight the importance of implementing stronger security measures. This includes a case where prohibited disclosure of User Area credentials was proven and sanctions were applied for the first time.
On request from users and in line with the EU Cybersecurity Regulation 2023/2841 and the EUIPO’s Strategic Plan SP2030, the EUIPO will gradually roll out MFA in the EUIPO User Area. This is a key milestone in strengthening account security and protecting user data.
Rollout schedule:
1 December 2025: Users will be able to activate MFA in their account settings. This optional phase will allow users to familiarise themselves with the process before it becomes mandatory.
16 February 2026: From this date, MFA will be required to access the EUIPO User Area.
How it works: After you enter your usual login credentials, you will be prompted to set up an authenticator app (such as Microsoft Authenticator or Google Authenticator), which generates a six-digit code. Once MFA becomes mandatory in 2026, login will not be possible without this second step. See the infographic below [to be added] for more information about the steps.
When a main account also has linked sub-accounts, each of these sub-accounts will have to set up their own individual MFA.
Why activate MFA early?
Significantly reduces the risk of unauthorised access by adding a second authentication layer.
Strengthens your account’s security.
Aligns with cybersecurity best practices across digital services.
Our Help Centre will be able to support you throughout the transition.
The introduction of MFA is part of a wider effort to strengthen the security and integrity of the EUIPO User Area. Since mid-2021, the EUIPO has conducted 12 investigations into the suspected misuse of User Area credentials, a practice that can put user data and the security of the entire system at risk.
Misuse of User Area credentials consists of legal representatives sharing, or effectively “leasing”, their credentials to third parties, often outside the European Economic Area (EEA). This practice grants unauthorised access to all files and information in the account, posing potential data protection risks. Under the Decision of the Executive Director EX-23-13 and its Annex I, established in 2023 as part of broader measures to safeguard the integrity of the EUIPO User Area, such “prohibited disclosure” is forbidden. The account holder is responsible for the proper use of the account and for maintaining the confidentiality of the credentials. Violating these rules may lead to sanctions such as:
Suspension (temporary or permanent) of the User Area account.
Requirement to submit attested authorisations for represented parties.
Informing relevant national and/or data protection supervisory authorities.
The Office recently investigated and proved unauthorised disclosure of User Area credentials, resulting in the application of sanctions for the first time. In response to the EUIPO’s findings, the EEA representative closed all sub-accounts and submitted a signed declaration to regulate future conduct. The Office encourages anyone with suspicions of prohibited disclosure to contact: customercare@euipo.europa.eu.
The introduction of MFA and the enforcement of strict rules on credential use are part of the same strategy: ensuring that the EUIPO User Area remains a secure and reliable space for all users. While listening to feedback from individual users and user associations who have brought concerns to our attention, the Office continues to refine and strengthen its security measures.
The EUIPO takes any misuse in the User Area very seriously, applying a zero-tolerance approach based on the applicable legal framework to investigate and sanction any ill-intentioned behaviour. Users are encouraged to protect their login details and enable MFA as soon as it becomes available. Together, these measures will safeguard sensitive data and maintain the integrity of the system, ensuring users can access the User Area confidently and securely while delivering on the EUIPO’s strategic plan for a safe and resilient digital environment.
Source: https://www.euipo.europa.eu/en/news/euipo-increases-user-area-security