NIS2 expands security expectations beyond perimeter controls and into access accountability, lifecycle discipline, and senior oversight. Critical sectors depend on identities to operate, so unmanaged access becomes a direct resilience issue. Identity governance gives organisations the evidence needed to show that cyber controls are active, current, and tied to business risk.
Why This Matters for Security Teams
NIS2 shifts identity governance from an administrative control to a resilience requirement. For critical sectors, the issue is not only whether access exists, but whether the organisation can prove who has it, why it exists, and how quickly it can be removed when risk changes. That aligns with the accountability expectations in the NIS2 Directive and the operational control model in the NIST Cybersecurity Framework 2.0.
This matters because modern critical services run on machine access, service accounts, API keys, integrations, and delegated admin paths as much as on employee logins. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges, which turns identity sprawl into a sector-level exposure. The practical lesson is that identity governance is now part of operational continuity, not just compliance reporting, especially when audits must demonstrate active control over privileged access and lifecycle discipline. In practice, many security teams encounter NIS2 findings only after a supplier compromise or stale credential is already affecting production.
How It Works in Practice
For NIS2-regulated environments, identity governance has to cover the full lifecycle: provisioning, approval, use, monitoring, rotation, review, and offboarding. That includes human users, but it is often the non-human identities that create the hardest audit gaps because they are embedded in applications, pipelines, and third-party integrations. The current guidance suggests treating each identity as an accountable asset with an owner, purpose, expiry, and review cadence, rather than as a static technical detail.
In practice, teams need controls that show:
- who approved the access and under what business justification
- which systems, APIs, or environments the identity can reach
- when credentials were last rotated and whether the TTL matches risk
- how logging, alerting, and revocation work when use becomes abnormal
- how third-party access is reviewed, especially for suppliers and managed service providers
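The fourth item in this list, logging, alerting and revocation when use becomes abnormal, is easiest to see with a concrete check. The following is an added example and not code from the original article or from NHIMG: the scope registry, the JSON log format, the sample events and the decision thresholds are all constructed assumptions. Each access event is compared with what the identity is declared to reach, where it should be used from, and whether interactive use is expected; anything outside that produces an alert record with the evidence an auditor would ask for, and the decision function turns the alerts into an owner notification or a revoke-and-investigate action.

```python
import ipaddress
import json

# Constructed registry of what each service account is declared to reach,
# which source networks it should be used from, and whether interactive
# logon is expected. In a real estate this comes from the identity inventory.
SCOPE_REGISTRY = {
    "ci-deploy-bot": {
        "systems": {"k8s-prod", "image-registry"},
        "sources": ["10.0.5.0/24"],   # CI runner subnet
        "interactive": False,
    },
    "backup-agent": {
        "systems": {"backup-vault"},
        "sources": ["10.0.9.0/24"],
        "interactive": False,
    },
    "report-exporter": {
        "systems": {"reporting-db"},
        "sources": ["10.0.7.0/24"],
        "interactive": False,
    },
}

# Constructed access log, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-06-01T02:00:11Z", "identity": "ci-deploy-bot", "system": "k8s-prod", "src": "10.0.5.14", "interactive": false}
{"ts": "2025-06-01T02:00:12Z", "identity": "ci-deploy-bot", "system": "image-registry", "src": "10.0.5.14", "interactive": false}
{"ts": "2025-06-01T03:17:40Z", "identity": "ci-deploy-bot", "system": "hr-database", "src": "10.0.5.14", "interactive": false}
{"ts": "2025-06-01T03:18:02Z", "identity": "backup-agent", "system": "backup-vault", "src": "203.0.113.7", "interactive": false}
{"ts": "2025-06-01T03:40:19Z", "identity": "report-exporter", "system": "reporting-db", "src": "10.0.7.21", "interactive": true}
{"ts": "2025-06-01T04:00:00Z", "identity": "unknown-svc", "system": "backup-vault", "src": "10.0.9.3", "interactive": false}
""".strip()


def classify(event: dict) -> list[str]:
    """Return the abnormal-use reasons for one event (empty list means normal)."""
    policy = SCOPE_REGISTRY.get(event["identity"])
    if policy is None:
        # No owner, purpose or scope on record: this is exactly the sprawl the text describes.
        return ["unregistered_identity"]
    reasons = []
    if event["system"] not in policy["systems"]:
        reasons.append("scope_violation")
    src = ipaddress.ip_address(event["src"])
    if not any(src in ipaddress.ip_network(net) for net in policy["sources"]):
        reasons.append("unexpected_source")
    if event["interactive"] and not policy["interactive"]:
        reasons.append("interactive_use")
    return reasons


def analyse(log_text: str) -> dict[str, list[dict]]:
    """Group alert records by identity; each record keeps the evidence needed later."""
    alerts: dict[str, list[dict]] = {}
    for line in log_text.splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.setdefault(event["identity"], []).append(
                {"ts": event["ts"], "system": event["system"], "src": event["src"], "reasons": reasons}
            )
    return alerts


# Reasons that justify pulling the credential pending investigation rather than only alerting.
REVOKE_REASONS = {"scope_violation", "interactive_use", "unregistered_identity"}


def decision(identity_alerts: list[dict]) -> str:
    reasons = {r for alert in identity_alerts for r in alert["reasons"]}
    if reasons & REVOKE_REASONS:
        return "revoke_and_investigate"
    if reasons:
        return "alert_owner"
    return "none"


def decisions(log_text: str) -> dict[str, str]:
    """Map each identity with abnormal use to the action the policy requires."""
    return {identity: decision(alerts) for identity, alerts in analyse(log_text).items()}


if __name__ == "__main__":
    for identity, action in decisions(SAMPLE_LOG).items():
        print(f"{identity:18} {action}")
```

The split between "alert the owner" and "revoke and investigate" is the design choice worth copying: an unexpected source network for a service account may be a change window nobody recorded, whereas a service account reaching a system outside its declared scope, or being used interactively, has no benign explanation under the governance model and should trigger the automated revocation the text recommends.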
NHIMG’s Ultimate Guide to NHIs shows why this is urgent: 71% of NHIs are not rotated within recommended time frames, and 79% of organisations have experienced secrets leaks. That is directly relevant to NIS2 because stale secrets and unmanaged service accounts undermine both incident prevention and incident response evidence. For audit readiness, the stronger pattern is to pair inventory with enforcement, using policy-based reviews and automated revocation rather than quarterly spreadsheet checks. These controls tend to break down when NHIs are embedded in legacy applications that cannot support rotation or ownership tracking, typically because the identity has no clear business owner and no safe change window.
Common Variations and Edge Cases
Tighter identity governance often increases operational overhead, so organisations have to balance assurance against delivery speed, especially in sectors with legacy platforms, outsourced operations, or 24/7 service requirements. There is no universal standard for every implementation detail yet, but current guidance increasingly favours continuous control evidence over periodic certification.
Some environments need extra nuance. Shared service accounts may be unavoidable in older systems, but they should still have compensating controls such as vaulting, monitoring, and tightly scoped access. Supplier-managed identities are another edge case because accountability is split across organisations; this is where Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful for mapping evidence to audit expectations. The practical problem is that NIS2 does not reward broad access just because it is operationally convenient. It rewards demonstrable control, especially where service continuity depends on machine identities, secrets, and delegated privileges. Where critical systems cannot support fine-grained lifecycle controls, organisations should document the exception, add compensating monitoring, and set a remediation plan, because unmanaged exceptions tend to become permanent. For sector operators, the main failure mode is assuming that human identity governance alone satisfies resilience obligations when the real exposure sits in non-human access paths.
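The lifecycle model described under "How It Works in Practice" (each identity as an accountable asset with an owner, purpose, expiry and review cadence, with inventory paired with policy-based review and automated revocation) and the exception handling described just above (document the exception, add compensating monitoring, set a remediation date) fit together in one review routine. The following is an added example, not code from the original article or from NHIMG: the inventory records, the field names, the 90-day review cadence, the scope threshold and the "twice the TTL" revocation rule are all constructed assumptions. Each identity in the inventory yields the actions needed to bring it into control, and an exception is only honoured while it is unexpired and has compensating monitoring, so a lapsed exception surfaces as its own finding instead of quietly becoming permanent.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_CADENCE_DAYS = 90          # assumed policy: every identity reviewed at least quarterly
MAX_SCOPES_WITHOUT_PURPOSE = 3    # assumed policy: broad reach needs a stated justification


@dataclass
class Identity:
    name: str
    kind: str                               # "human" or "service" (non-human)
    owner: Optional[str]                    # accountable business owner
    purpose: Optional[str]                  # business justification for the access
    scopes: list[str]                       # systems, APIs or environments it can reach
    last_rotated: Optional[date]
    rotation_ttl_days: int                  # credential TTL agreed for this identity's risk
    last_reviewed: Optional[date]
    exception_until: Optional[date] = None  # documented exception and its remediation date
    compensating_monitoring: bool = False   # extra monitoring attached to the exception


@dataclass
class Finding:
    identity: str
    issue: str
    action: str   # assign_owner | rotate | revoke | review | remediate_exception | accept


def rotation_finding(i: Identity, today: date) -> Optional[Finding]:
    """Credential age against TTL, honouring only documented, unexpired, monitored exceptions."""
    age = None if i.last_rotated is None else (today - i.last_rotated).days
    if age is not None and age <= i.rotation_ttl_days:
        return None
    if i.exception_until is not None:
        if today > i.exception_until:
            return Finding(i.name, f"exception lapsed on {i.exception_until} without remediation", "remediate_exception")
        if not i.compensating_monitoring:
            return Finding(i.name, "documented exception has no compensating monitoring", "remediate_exception")
        return Finding(i.name, f"rotation deferred under documented exception until {i.exception_until}", "accept")
    if age is None or age > 2 * i.rotation_ttl_days:
        # Never rotated, or far beyond TTL with nothing on record: automated revocation, not a reminder.
        return Finding(i.name, "credential far beyond TTL with no documented exception", "revoke")
    return Finding(i.name, f"credential age {age}d exceeds TTL {i.rotation_ttl_days}d", "rotate")


def review(inventory: list[Identity], today: date) -> list[Finding]:
    """Policy-based review: every identity yields the actions needed to bring it into control."""
    findings: list[Finding] = []
    for i in inventory:
        if not i.owner:
            findings.append(Finding(i.name, "no accountable owner", "assign_owner"))
        rot = rotation_finding(i, today)
        if rot is not None:
            findings.append(rot)
        if i.last_reviewed is None or (today - i.last_reviewed).days > REVIEW_CADENCE_DAYS:
            findings.append(Finding(i.name, "access review overdue", "review"))
        if len(i.scopes) > MAX_SCOPES_WITHOUT_PURPOSE and not i.purpose:
            findings.append(Finding(i.name, f"reaches {len(i.scopes)} scopes with no stated purpose", "review"))
    return findings


def actions_for(findings: list[Finding], name: str) -> list[str]:
    return sorted({f.action for f in findings if f.identity == name})


def evidence_summary(findings: list[Finding]) -> dict[str, int]:
    """Counts per action: the continuous control evidence an audit asks for."""
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.action] = summary.get(f.action, 0) + 1
    return summary


TODAY = date(2025, 6, 1)   # fixed so the run is reproducible


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed inventory covering the cases discussed in the text.
SAMPLE_INVENTORY = [
    Identity("ci-deploy-bot", "service", "platform-team", "deploy pipeline", ["k8s-prod"], days_ago(120), 90, days_ago(30)),
    Identity("legacy-billing-svc", "service", "finance-apps", "nightly batch on legacy host", ["billing-db"],
             days_ago(400), 90, days_ago(20), exception_until=TODAY + timedelta(days=60), compensating_monitoring=True),
    Identity("scada-hist-reader", "service", "ot-team", "historian export", ["historian"],
             days_ago(300), 90, days_ago(10), exception_until=days_ago(5), compensating_monitoring=True),
    Identity("vendor-msp-admin", "service", None, None, ["ad-domain", "vpn", "siem", "backup"], days_ago(30), 90, None),
    Identity("partner-api-key", "service", None, None, ["partner-api"], None, 90, None),
    Identity("alice", "human", "alice", "SRE on-call", ["k8s-prod"], days_ago(10), 90, days_ago(100)),
]

FINDINGS = review(SAMPLE_INVENTORY, TODAY)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.identity:20} {f.action:20} {f.issue}")
    print(evidence_summary(FINDINGS))
```

Run against the constructed inventory, the shared legacy account with a documented, monitored, unexpired exception is accepted, the OT reader whose exception lapsed five days ago is flagged for remediation rather than silently tolerated, the supplier-managed admin identity with no owner and broad reach is sent for ownership assignment and review, and the never-rotated partner key with no owner is revoked. The per-action summary is the kind of continuously generated evidence the text contrasts with quarterly spreadsheet checks.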
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack surface, NIST CSF 2.0 sets the technical controls, and NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIS2 | Art. 21 | Requires risk-management measures and access accountability for essential entities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management directly support critical-sector identity governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle control are central to the NIS2 identity governance gap. |
Map identity governance to Art. 21 and prove access, review, and revocation controls are operating continuously.