TL;DR: NIS2 raises the bar for identity governance across EU critical sectors. SailPoint cites that only 34% of organisations in the UK, France and Germany had completed preparations, and 90% of companies in an IDSA survey reported an identity-related breach in the past year. The directive makes access revocation, approval, risk analysis and senior-management oversight core control expectations, not optional hygiene.
At a glance
What this is: SailPoint's analysis of NIS2, whose message is that identity governance is now a compliance-critical control surface for EU organisations.
Why it matters: IAM, IGA and PAM teams will be judged on lifecycle control, risk analysis and access accountability across both human and non-human identities.
By the numbers:
- Only a third (34%) of organisations across the UK, France and Germany have completed preparations for NIS2.
- 90% of companies polled in the latest IDSA survey said they had an identity-related breach in the past year.
- 96% believed the breach was preventable.
👉 Read SailPoint's analysis of NIS2 compliance and identity governance
Context
NIS2 (Directive (EU) 2022/2555) is the EU's updated network and information security law, and its practical effect is to make identity governance part of cyber resilience rather than a back-office access task. The article frames the problem as one of risk, reporting and accountability across critical sectors that depend on both human and non-human access.
For IAM teams, the important shift is that access reviews, revocation, approval workflows, and senior oversight are no longer internal process choices. They sit alongside incident readiness, supply chain risk, and zero-trust expectations, which means lifecycle discipline has direct regulatory consequences.
Key questions
Q: What breaks when access governance is weak under NIS2?
A: Weak access governance creates both security exposure and compliance failure. If organisations cannot show who approved access, who removed it, and when those decisions happened, they struggle to prove control effectiveness. That gap matters most for contractors, leavers, generic accounts, and sensitive applications where standing access quickly becomes unnecessary trust.
Q: Why does NIS2 make identity governance more important for critical sectors?
A: NIS2 expands security expectations beyond perimeter controls and into access accountability, lifecycle discipline, and senior oversight. Critical sectors depend on identities to operate, so unmanaged access becomes a direct resilience issue. Identity governance gives organisations the evidence needed to show that cyber controls are active, current, and tied to business risk.
Q: What do organisations get wrong about zero trust and NIS2?
A: They often treat zero trust as an architecture label instead of an access governance model. Under NIS2, the practical test is whether least privilege, approval discipline, and access review are actually enforced. If those controls are missing, zero trust claims do not withstand audit or incident scrutiny.
Q: Who is accountable when access problems lead to NIS2 failures?
A: Senior management is accountable because the directive requires oversight of cybersecurity risk management measures. That means identity decisions cannot sit only with technical teams. Organisations need clear ownership for access reviews, revocation, and reporting so accountability is traceable from policy to action.
Technical breakdown
NIS2, identity governance, and access lifecycle control
NIS2 pushes identity governance into the control set for cyber resilience because access decisions now affect incident exposure, reporting quality, and management accountability. In practice, that means joiner-mover-leaver handling, entitlement reviews, and revocation timing are no longer isolated IAM chores. They are evidence-bearing controls that regulators can expect organisations to demonstrate across employees, contractors, partners, and suppliers.
Practical implication: map access lifecycle controls to NIS2 evidence requirements and make revocation and recertification auditable.
Zero trust and least privilege in regulated environments
The article ties NIS2 to zero-trust principles because broad access and implicit trust make it harder to prove that security measures are effective. Least privilege matters here because it reduces the number of paths an attacker or careless insider can use after initial compromise. The compliance issue is not only whether access exists, but whether access is justified, approved, and constrained to business need.
Practical implication: align privileged and sensitive access decisions to zero-trust principles and document the approval logic behind them.
Third-party access, generic accounts, and non-human identities
NIS2 compliance becomes harder when organisations rely on contractors, generic accounts, service accounts and other non-human identities that are difficult to track cleanly. The article's point is that over-extended trust in shared or unmanaged identities weakens both security and compliance posture. If an access path cannot be tied to a responsible owner and a current business need, it becomes a governance liability as well as a security risk.
Practical implication: remove generic accounts, tighten third-party access, and force ownership for every non-human identity used in regulated services.
Threat narrative
Attacker objective: The objective is to reach sensitive systems or data through governance weaknesses that let access persist longer than it should.
- Entry occurs through excessive or poorly governed access across employees, contractors, partners, or third-party connected services, which widens the available attack surface.
- Escalation happens when standing access, generic accounts, or delayed offboarding lets an attacker or insider move into sensitive systems without fresh approval.
- Impact follows as identity-related compromise turns into ransomware exposure, data leakage, service disruption, or regulatory failure to demonstrate control.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — an exposed DeepSeek database leaked more than 1M log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NIS2 turns identity governance into a regulated control surface: This directive does not treat access management as background administration. It makes lifecycle discipline, approval logic, and access accountability part of the security posture that senior management must oversee. The implication is that IAM and IGA teams now carry evidence obligations, not just operational ones.
Access revocation failure is the most visible governance weakness in the article: SailPoint's examples around employees, contractors, role changes, and leavers point to a simple failure mode. When access is not removed promptly, organisations preserve unnecessary trust and create both breach exposure and compliance defects. Practitioners should treat delayed deprovisioning as a regulatory control failure.
Generic accounts create accountability debt that NIS2 makes harder to defend: A generic account cannot easily satisfy the directive's expectation for ownership, risk analysis, and oversight. That breaks the chain between identity, access decision, and responsible manager. The result is a governance gap that is visible both to attackers and to auditors.
Identity lifecycle evidence will matter more than policy statements: NIS2 is not satisfied by having a policy that says access should be reviewed or removed. Organisations will need proof that recertification, termination handling, and approval workflows actually happen at scale. Practitioners should expect the burden to shift from stated intent to demonstrable control performance.
Zero trust becomes more credible when it is enforced through identity controls, not slogans: The article is correct to connect NIS2 with zero-trust thinking, but the operational proof comes from least-privilege enforcement and continuous access evaluation. Without identity governance underneath it, zero trust is only architecture language. Practitioners should use NIS2 to harden the access model behind the framework.
From our research:
- Only 15% (1.5 in 10) of organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
- For a broader control lens, read Ultimate Guide to NHIs, Regulatory and Audit Perspectives for the governance and audit model practitioners need to operationalise.
What this signals
Identity governance is moving from a support function to a compliance proof point. NIS2 raises the cost of vague ownership, slow revocation, and weak access evidence because those failures now map directly to regulated obligations. For practitioners, the question is no longer whether access is documented, but whether it is demonstrably controlled across the full lifecycle.
With only 1.5 out of 10 organisations highly confident in securing NHIs, according to The State of Non-Human Identity Security, regulated access will keep failing where ownership and monitoring are fragmented. Teams should expect auditors and incident reviewers to ask for proof, not intent.
Accountability debt: this is the growing gap between who can use an identity and who can actually answer for it. NIS2 pushes organisations to close that gap through tighter lifecycle evidence, clearer approval chains, and stronger oversight across human and non-human access.
For practitioners
- Map NIS2 obligations to identity controls: Build a control mapping that links access reviews, joiner-mover-leaver steps, approval checkpoints and incident reporting evidence to specific NIS2 obligations. This makes ownership visible before audit or incident response pressure arrives.
- Eliminate generic and shared accounts: Inventory generic accounts, shared admin identities and unmanaged service credentials, then assign each one a named owner or replace it with a trackable identity. If ownership cannot be established, the account should be treated as a liability.
- Shorten offboarding and access-removal cycles: Measure how long it takes to disable access when staff, contractors or partners leave or change roles, and tie that interval to compliance reporting. Delayed revocation is one of the clearest ways to fail both governance and security objectives.
- Document approval paths for sensitive access: Require explicit approval and risk analysis for access to sensitive applications and data, then retain the decision record. That record is what lets security, audit and management prove that access was intentional rather than inherited.
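The checklist above, turned into a runnable evidence check. This is an added example, not code from SailPoint's article or the NHIMG post: it joins constructed HR leaver/mover events with IdP disable timestamps to measure revocation lag, lists identities with no accountable owner, and finds sensitive entitlements without an approval record. The record layout, the 24-hour revocation SLA and all sample data are assumptions; NIS2 itself does not prescribe a revocation interval, so the SLA is the kind of internal target a team would set and then report against.

```python
"""Identity-governance evidence check over constructed records (added example).

Inputs are hypothetical exports: HR lifecycle events, IdP disable timestamps,
an identity inventory with owners, and an entitlement list with approval
references. Outputs are the findings an auditor or incident reviewer would ask for.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed internal target for disabling access after a leaver/mover event.
# NIS2 sets no number here; pick one, measure against it, report the misses.
REVOCATION_SLA = timedelta(hours=24)

# --- constructed sample data (not real organisations, people or systems) ---
HR_EVENTS = [
    {"user": "alice", "event": "leaver", "at": "2025-11-03T09:00:00"},
    {"user": "bob",   "event": "mover",  "at": "2025-11-05T10:00:00"},
    {"user": "carol", "event": "leaver", "at": "2025-11-06T17:30:00"},
]
IDP_DISABLES = {            # user -> when the IdP disabled or re-scoped the account
    "alice": "2025-11-03T11:15:00",
    "bob":   "2025-11-09T08:00:00",
    # carol: no disable record at all, the worst case for evidence
}
IDENTITIES = [
    {"id": "alice",           "type": "human",   "owner": "alice"},
    {"id": "svc-billing-api", "type": "service", "owner": "payments-team"},
    {"id": "shared-dba",      "type": "generic", "owner": None},
    {"id": "bot-ci-deploy",   "type": "service", "owner": ""},
]
SENSITIVE_APPS = {"payroll", "scada-hmi"}
ENTITLEMENTS = [
    {"id": "alice",           "app": "payroll",   "approval": "CHG-1042"},
    {"id": "svc-billing-api", "app": "payroll",   "approval": None},
    {"id": "bob",             "app": "wiki",      "approval": None},
    {"id": "shared-dba",      "app": "scada-hmi", "approval": "CHG-0991"},
]


@dataclass
class RevocationFinding:
    user: str
    event: str
    lag_hours: Optional[float]   # None when no disable record exists
    status: str                  # "ok" | "late" | "missing"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def revocation_findings(hr_events, idp_disables, sla=REVOCATION_SLA):
    """Lag between the HR lifecycle event and the IdP disable, checked against the SLA."""
    out = []
    for ev in hr_events:
        disabled = idp_disables.get(ev["user"])
        if disabled is None:
            out.append(RevocationFinding(ev["user"], ev["event"], None, "missing"))
            continue
        lag = _ts(disabled) - _ts(ev["at"])
        hours = round(lag.total_seconds() / 3600, 2)
        out.append(RevocationFinding(ev["user"], ev["event"], hours, "ok" if lag <= sla else "late"))
    return out


def unowned_identities(identities):
    """Identities with no named owner: nobody can answer for their access."""
    return sorted(i["id"] for i in identities if not (i.get("owner") or "").strip())


def approval_gaps(entitlements, sensitive_apps):
    """Sensitive entitlements with no retained approval record."""
    return sorted((e["id"], e["app"]) for e in entitlements
                  if e["app"] in sensitive_apps and not e.get("approval"))


def evidence_report(hr_events, idp_disables, identities, entitlements, sensitive_apps,
                    sla=REVOCATION_SLA):
    """Combine the three checks; the cross-check catches approved access held by an unowned identity."""
    rev = revocation_findings(hr_events, idp_disables, sla)
    unowned = set(unowned_identities(identities))
    return {
        "revocation": rev,
        "late_or_missing_revocations": [f.user for f in rev if f.status != "ok"],
        "unowned_identities": sorted(unowned),
        "sensitive_access_without_approval": approval_gaps(entitlements, sensitive_apps),
        "sensitive_access_held_by_unowned": sorted(
            (e["id"], e["app"]) for e in entitlements
            if e["app"] in sensitive_apps and e["id"] in unowned),
    }


if __name__ == "__main__":
    report = evidence_report(HR_EVENTS, IDP_DISABLES, IDENTITIES, ENTITLEMENTS, SENSITIVE_APPS)
    for f in report["revocation"]:
        print(f"{f.user:6} {f.event:6} lag={f.lag_hours} status={f.status}")
    for key in ("unowned_identities", "sensitive_access_without_approval",
                "sensitive_access_held_by_unowned"):
        print(f"{key}: {report[key]}")
```

On the sample data the report flags bob (a mover whose old access stayed live for 94 hours) and carol (no disable record at all), the two unowned identities, the service account holding payroll access with no approval, and the generic DBA account that has an approval reference but no owner to stand behind it. That last case is the "accountability debt" the analysis describes: an approval record without a responsible owner is only half of the evidence chain.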
Key takeaways
- NIS2 makes identity governance a regulated control requirement, not an optional maturity goal.
- The article's evidence shows a large preparation gap, with only 34% of surveyed organisations reporting completed NIS2 readiness.
- Teams that cannot prove access removal, approval discipline, and ownership will struggle to defend both security and compliance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical control expectations, while NIS2 defines the regulatory obligations. Account-lifecycle control identifiers such as AC-2 come from NIST SP 800-53, not from SP 800-207, which states architectural tenets rather than numbered controls.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (CSF 1.1: PR.AC-4) | Access permissions and entitlements are defined, managed, enforced and reviewed under least privilege and separation of duties; this is the recertification and revocation evidence NIS2 expects. |
| NIST Zero Trust (SP 800-207) | Core tenets: per-session, least-privilege access decided dynamically; NIST SP 800-53 AC-2 (Account Management) covers the account lifecycle | The article links NIS2 to zero trust and least privilege enforcement. |
| NIS2 (Directive (EU) 2022/2555) | Art. 20 (governance: management bodies approve and oversee risk-management measures); Art. 21(2)(i) (access control policies) and 21(2)(j) (multi-factor or continuous authentication) | The article is directly about NIS2 compliance and governance obligations. |
Use zero-trust access rules to constrain sensitive identities and require continuous justification for access.
Key terms
- Identity governance: Identity governance is the control discipline that defines who or what should have access, who approves it, and how long it should last. In regulated environments it becomes evidence-driven, requiring audit trails for access decisions, reviews, removals, and exceptions across human and non-human identities.
- Joiner-mover-leaver: Joiner-mover-leaver is the lifecycle process used to grant, adjust, and remove access as people or systems change state. It is not just an HR workflow. It is a governance control that determines whether access remains aligned to current business need or becomes unnecessary standing privilege.
- Generic account: A generic account is an identity not tied to a single named person or clearly owned non-human system. These accounts are difficult to audit, recertify, and revoke cleanly, which makes them especially risky in regulated environments because accountability and timely removal both become ambiguous.
- Zero trust: Zero trust is an access model built on continuous verification rather than implicit trust. For identity teams, it means every access path must be justified, constrained, and observable, with least privilege and strong identity controls doing the real enforcement work.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Foot to the floor: what NIS2 means for your business. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org