TL;DR: NIS2 pushes organisations to treat identity security as a core compliance control, with SailPoint arguing that identity contributes to five of the directive’s ten pillars, including supply chain security, access control and cyber hygiene. The practical conclusion is that access visibility, privileged account control and toxic entitlement remediation now sit inside regulatory risk management, not beside it.
At a glance
What this is: This is an analysis of how NIS2 compliance depends on identity security across access control, supply chain security and risk measurement.
Why it matters: It matters because IAM, IGA and PAM teams now have to prove control over all identities, including suppliers and other non-employee access paths.
By the numbers:
- Attacks through the supply chain are 40% more frequent than malware or ransomware attacks.
Context
NIS2 shifts identity from a supporting control to a compliance boundary. The article argues that organisations cannot show real alignment with the directive unless they can account for who and what has access, how privileged access is governed, and where third-party identities expand attack paths.
The operational issue is not whether access management exists, but whether identity governance can prove effective control over named accounts, privileged accounts, supplier access and toxic entitlements. For IAM and IGA teams, that means the compliance discussion now runs through lifecycle controls, access visibility and remediation discipline rather than policy statements alone.
Key questions
Q: How should organisations map identity security to NIS2 compliance?
A: Start by linking identity controls to the directive’s risk pillars, especially access control, supply chain security, cyber hygiene and governance evidence. Then prove who has access, why it exists, whether it is privileged, and whether it is still justified. NIS2 compliance is stronger when identity data is used as evidence, not just as an internal control metric.
Q: Why do supplier identities create so much NIS2 compliance risk?
A: Supplier identities often have legitimate access but weaker governance than internal users, which makes them easy to overlook in lifecycle reviews and offboarding. That creates residual access, over-privilege and accountability gaps across the supply chain. Under NIS2, those gaps are not only security issues but also evidence that access control is not well governed.
Q: How do security teams prove that identity controls are actually reducing risk?
A: Use posture indicators that show whether accounts are shared, orphaned, over-privileged, disabled late or carrying toxic entitlement combinations. If those signals are trending down, governance is working. If they are invisible, compliance claims are weak because the organisation cannot demonstrate that access reality matches policy intent.
Q: Who is accountable when third-party access causes a NIS2 problem?
A: Accountability sits with the organisation that granted the access and failed to govern it, even if a supplier or contractor was the immediate user. The practical test is whether the access was owned, reviewed, time-bounded and removed when the relationship changed. If those answers are unclear, governance ownership is also unclear.
Technical breakdown
Why identity security maps directly to NIS2 risk pillars
The article ties identity security to five of NIS2’s recommended risk areas, which is a useful way to understand why access control is not a narrow IAM issue. The directive’s focus on risk analysis, supply chain security, cyber hygiene, access control and HR security makes identity governance a cross-cutting control plane. Named accounts versus generic accounts, privileged access restrictions, least privilege and segregation of duties are all mechanisms that turn policy into observable enforcement, so compliance teams should treat them as one programme rather than separate ones.
Practical implication: Map identity controls to NIS2 pillars and use that mapping to evidence compliance.
Why supplier identities expand the attack surface
NIS2 supply chain requirements matter because indirect access often enters through suppliers, vendors, partners and contractors rather than primary employees. These identities are still operationally trusted, but they usually sit outside the governance intensity applied to internal users, which creates blind spots in lifecycle control, access scope and offboarding. The article’s point is that compromise can arrive through access relationships rather than malware alone, so third-party identities need time-bounded, governed access rather than exception status outside standard IAM oversight.
Practical implication: Bring third-party identities into the same approval, review and offboarding process as internal access.
How identity security turns access visibility into measurable risk reduction
The practical value of identity security in the article is visibility: knowing which accounts exist, who owns them, which are shared, which are high privilege and which have accumulated toxic access. That turns identity from a static permission store into a risk measurement system. The article also points to AI-assisted suggestions for remediation, but the real governance signal is whether the organisation can identify deviations from policy fast enough to act, before those deviations become compliance evidence gaps.
Practical implication: Use identity posture indicators to find orphaned, shared and over-privileged accounts early.
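The posture indicators described above (and in the practitioner checklist further down) can be computed directly from an identity inventory. The following is an added example, not code from the article or from SailPoint: it runs a constructed set of accounts through checks for orphaned, shared, late-disabled, privileged and toxic-entitlement conditions, and reports the change between two snapshots. The account fields, entitlement names, segregation-of-duties pairs and privileged set are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    owner: Optional[str]            # None means nobody owns it (orphaned)
    kind: str                       # "named", "generic" (shared) or "third-party"
    enabled: bool
    entitlements: frozenset
    access_expiry: Optional[date] = None  # engagement end date for suppliers

# Constructed segregation-of-duties pairs: holding both halves is a toxic combination.
SOD_CONFLICTS = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"code.commit", "release.deploy.prod"}),
]
# Constructed set of entitlements that count as privileged.
PRIVILEGED = frozenset({"admin.global", "release.deploy.prod"})

def posture_indicators(accounts, today):
    """Map each indicator name to the accounts that trip it."""
    ind = {k: [] for k in ("orphaned", "shared", "disabled_late", "privileged_unowned", "toxic")}
    for a in accounts:
        if a.owner is None:
            ind["orphaned"].append(a.name)
        if a.kind == "generic":
            ind["shared"].append(a.name)
        # supplier access still enabled after the relationship ended
        if a.enabled and a.access_expiry is not None and a.access_expiry < today:
            ind["disabled_late"].append(a.name)
        # privileged rights must sit on a named account with an owner
        if a.entitlements & PRIVILEGED and (a.kind != "named" or a.owner is None):
            ind["privileged_unowned"].append(a.name)
        if any(pair <= a.entitlements for pair in SOD_CONFLICTS):
            ind["toxic"].append(a.name)
    return ind

def trend(previous, current):
    """Per-indicator change in count between two snapshots; negative means improving."""
    return {k: len(current[k]) - len(previous[k]) for k in current}

# Constructed sample inventory; "today" is the post's publication date.
SAMPLE = [
    Account("j.doe", "j.doe", "named", True, frozenset({"vendor.create"})),
    Account("svc-finance", None, "generic", True,
            frozenset({"vendor.create", "payment.approve", "admin.global"})),
    Account("acme-contractor", "procurement", "third-party", True,
            frozenset({"code.commit"}), access_expiry=date(2025, 9, 30)),
    Account("m.chen", "m.chen", "named", True,
            frozenset({"code.commit", "release.deploy.prod"})),
]
TODAY = date(2025, 12, 10)

if __name__ == "__main__":
    for k, names in posture_indicators(SAMPLE, TODAY).items():
        print(f"{k:18} {len(names):2}  {', '.join(names)}")
```

Feeding two exports through `trend` gives the "trending down" signal the article treats as evidence that governance is working.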
Threat narrative
Attacker objective: The attacker seeks to use trusted identity paths to compromise the organisation indirectly and disrupt business operations.
- Entry occurs through exposed or weakly governed third-party access, especially supplier identities that are not managed with the same rigor as internal accounts.
- Escalation follows when privileged or accumulated access rights are left in place, allowing attackers or compromised parties to reach resources beyond their intended scope.
- Impact is realised when identity control gaps prevent the organisation from detecting, correcting or proving safe access relationships across the supply chain.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NIS2 makes identity control an evidentiary requirement, not a side effect of access management. The article is right to treat identity security as foundational because the directive’s risk pillars cannot be met with policy language alone. If an organisation cannot show control over who has access, what kind of access they hold and whether that access is still justified, it cannot credibly claim compliance. The implication is that identity governance becomes part of the compliance record, not just the security stack.
Supply chain security under NIS2 is really third-party identity governance. The article correctly shifts the conversation from vendor risk in the abstract to the identities that suppliers, contractors and partners actually use. Those identities create a governance gap when they are treated as temporary exceptions rather than lifecycle-managed access subjects. Practitioners should read this as a warning that third-party access without strong entitlement discipline becomes a regulatory weakness as well as an attack path.
Identity security posture is the control that converts NIS2 from aspiration into proof. Visibility into shared accounts, orphaned access, high privilege and toxic entitlement accumulation is the difference between saying you manage access and demonstrating that you do. That is why this topic belongs at the centre of IGA, PAM and security operations together. The practitioner takeaway is to measure access reality continuously, not only at audit time.
Least privilege and segregation of duties only work if entitlement drift is continuously removed. The article’s emphasis on risky access reflects a simple governance truth: access that accumulates over time eventually defeats the policy that created it. NIS2 raises the stakes because unmanaged accumulation can affect operational resilience and supply chain trust at the same time. Teams should treat entitlement drift as a compliance and resilience problem, not an administrative cleanup task.
Zero trust in NIS2 terms is identity truth, not just network segmentation. The article points toward a broader compliance model in which access is only valid when it is attributable, current and constrained. That makes identity the enforcement point for least privilege across users, suppliers and privileged accounts. The implication for practitioners is to align access governance, asset ownership and privileged access review into one control narrative.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- To understand why these outcomes persist, read Ultimate Guide to NHIs, Key Challenges and Risks for the governance gaps that let access drift become exposure.
What this signals
NIS2 will continue to push IAM, IGA and PAM teams toward evidence-based governance, where access review cadence matters less than whether the organisation can show who owns each entitlement and why it still exists. With 72% of organisations having experienced or suspecting an NHI breach, according to The 2024 ESG Report: Managing Non-Human Identities, the underlying lesson is that unmanaged access is already a board-level risk signal.
Identity evidence gap: the real problem is not only excess access, but the inability to prove that access has been removed, constrained or reassigned at the right time. That is why NIS2-style compliance work increasingly overlaps with lifecycle governance, asset ownership and privileged access review.
For teams building their operating model, the next step is to connect access posture to Lifecycle Processes for Managing NHIs and to the NIST Cybersecurity Framework 2.0, so remediation can be traced from control gap to business risk.
For practitioners
- Map identity controls to the NIS2 risk pillars: tie named accounts, privileged access, supplier access, cyber hygiene and access review evidence back to the directive’s risk areas so compliance can be demonstrated with control outcomes rather than policy statements.
- Extend governance to third-party identities: bring suppliers, consultants, contractors and partners into the same approval, recertification and offboarding process used for internal accounts, with explicit access expiry and ownership.
- Build identity posture indicators: track orphaned accounts, shared accounts, disabled status failures, high privilege and toxic entitlement buildup so remediation can be prioritised before audit findings or incidents expose the gaps.
- Review privileged access against current business need: revalidate every elevated entitlement against the service or supplier relationship that justified it, then remove access that no longer matches the operating model or the contract boundary.
Key takeaways
- NIS2 turns identity governance into a compliance proof point because organisations must show control over access, privilege and supplier identities.
- The article’s strongest warning is that third-party access creates a supply chain exposure path when lifecycle and entitlement controls are too weak to contain it.
- Teams that can measure shared accounts, orphaned access and toxic entitlement drift will be better placed to convert NIS2 from policy obligation into demonstrable risk reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIS2 | Risk management measures | The article is explicitly about NIS2 risk management measures and compliance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege are central to the article’s compliance logic. |
| NIST Zero Trust (SP 800-207) | Identity-based access verification | The article’s zero trust framing depends on identity-based access verification. |
Map identity controls to NIS2 risk areas and document evidence for access, supply chain and remediation.
Key terms
- Identity Posture: The measurable state of identity governance across an environment, including ownership, privilege, lifecycle status and policy alignment. In practice, it shows whether access is current, justified and removable, which is what turns identity from an abstract control into a risk signal.
- Toxic Entitlement: A combination of permissions that creates unacceptable business or security risk when held by the same identity. These rights may be individually valid, but together they break segregation of duties, inflate privilege and increase the chance of misuse or compliance failure.
- Third-Party Identity: An identity used by a supplier, contractor, consultant or other external party to access internal systems. These identities are often legitimate but hard to govern consistently because they sit at the boundary between internal controls and external accountability.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Pillars of the NIS2 Directive: Recommended risk management measures. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org