TL;DR: NIS2, ENS and ISO 27001 increasingly demand demonstrable, continuous control over access, not just policy documentation or periodic reviews, according to Soffid. The governance gap is that many IAM programmes still certify access on a schedule while regulators and auditors expect evidence that permissions are current, justified and enforceable.
NHIMG editorial — based on content published by Soffid: IAM Compliance: control continuo para NIS2 y ENS
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should organisations prove continuous IAM compliance for NIS2 and ENS?
A: They should tie access approvals, recertification, revocation and logging to a single evidence model that can be reproduced on demand.
Q: Why do periodic access reviews often fail compliance expectations?
A: Periodic reviews often fail because they certify stale data, not live access reality.
Q: What breaks when identity governance is disconnected from audit evidence?
A: The organisation loses the ability to show who approved access, when it changed and whether removal actually happened.
Practitioner guidance
- Map continuous-control evidence to each regulatory obligation Identify which access, approval, logging and recertification records you must be able to reproduce for NIS2, ENS and ISO 27001.
- Centralise entitlement history across hybrid systems Unify identity records from legacy, cloud and SaaS platforms so audit evidence can be assembled from one governed source of truth.
- Shorten review cycles where entitlement drift is fastest Use higher-frequency recertification for privileged, shared or fast-changing access paths, especially where users or service accounts move between systems.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- How Soffid positions its IAM, IGA and PAM architecture for compliance-driven control continuity
- How automated recertification and audit exports are described for regulated environments
- How the platform maps to legacy, cloud and hybrid operating models without reimplementation
- How Soffid frames ENS certification and Common Criteria in its compliance narrative
👉 Read Soffid’s article on IAM compliance for NIS2 and ENS →
IAM compliance for NIS2 and ENS: are your controls continuous?
Explore further
Continuous control is the real compliance test, not policy possession. The article correctly shifts the discussion away from documentation and toward demonstrable control over access. That is the core compliance problem in modern IAM: regulators and auditors need evidence that permissions are current, justified and enforceable, not merely described in a policy pack. Practitioners should treat this as an operations problem, not a paperwork problem.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: Which frameworks make continuous access control more important?
A: NIS2, ENS and ISO 27001 all increase pressure to demonstrate that access decisions are controlled, traceable and current. In practice, that means IAM teams need evidence that policies are enforced continuously, not just checked during reviews or internal audits.
👉 Read our full editorial: IAM compliance for NIS2 and ENS needs continuous control