Because NIS2 expects organisations to control risk across their supply chain, not just inside the enterprise boundary. If vendors, MSPs, or cloud partners retain unnecessary access, the organisation still owns the accountability. Third-party lifecycle management, entitlement scope, and revocation discipline become part of compliance.
Why This Matters for Security Teams
NIS2 turns third-party access into a governance issue because risk does not stop at the company boundary. If a managed service provider, software supplier, or integration partner keeps stale accounts, broad OAuth consent, or reusable secrets, the organisation still owns the operational impact and the audit outcome. That is why supply chain access needs the same discipline as internal privileged access, as reflected in the NIS2 Directive.
For NHI-heavy environments, this is often where governance breaks down. Third parties rarely behave like fixed employees: they connect through API keys, service accounts, vendor apps, certificates, and delegated tokens that outlive the task they were created for. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives frames this as a lifecycle problem, not a one-time approval problem. The practical question is not who was trusted at onboarding, but whether access is still justified today. In practice, many security teams encounter third-party overreach only after a vendor account or OAuth grant has already been abused.
How It Works in Practice
Operationally, NIS2 pushes organisations to prove they can discover, scope, review, and revoke third-party access across every system that matters. That means maintaining inventories of external identities, mapping them to business purpose, and separating low-risk support access from privileged production access. The controls are stronger when identity, entitlement, and secret lifecycle management are treated as one workflow instead of three disconnected processes.
Practitioners usually start with four actions:
- Classify every third-party connection by system, data sensitivity, and privilege level.
- Prefer short-lived access paths over standing credentials, especially for admin functions.
- Review vendor entitlements on a defined cadence and after contract, role, or scope changes.
- Revoke access automatically when the business need ends, not at the next annual review.
This lines up with the access-control emphasis in NIST Cybersecurity Framework 2.0 and with the non-human identity risks highlighted in 52 NHI Breaches Analysis. It is also consistent with the OWASP Non-Human Identity Top 10, which treats credential sprawl, weak rotation, and over-privileged access as systemic failure modes. Where organisations get the most value is in tying vendor approvals to actual workload identity and revocation events, rather than to contract paperwork alone. These controls tend to break down when third parties use shared admin accounts or unmanaged OAuth apps because ownership and usage cannot be cleanly attributed.
Common Variations and Edge Cases
Tighter third-party access governance often increases operational overhead, so organisations need to balance auditability against delivery speed. That tradeoff is especially visible in MSP environments, emergency break-glass access, and legacy platforms that cannot support short-lived credentials or fine-grained delegation.
There is no universal standard for this yet, but current guidance suggests a few patterns are safer than others. For routine support, use just-in-time access with approval, logging, and automatic expiry. For integrations, prefer workload identity and scoped tokens over human-shared credentials. For high-risk suppliers, require stronger contractual evidence of access controls, incident notification, and offboarding discipline. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same lifecycle logic applies whether the identity belongs to a vendor tool, a bot, or a cloud integration.
The edge case that most often complicates NIS2 programs is third-party SaaS with tenant-wide delegated access, because the organisation may not control the underlying credential model even though it remains accountable for the risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIS2 | NIS2 requires governance over third-party access and supply-chain risk. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Third-party credentials and over-privilege are core non-human identity risks. |
| NIST CSF 2.0 | PR.AC-4 | Third-party access governance maps to controlled access and least privilege. |
Inventory, review, and revoke external access based on business need and impact.
