NIS2 compliance gap: what IAM teams need to close now


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 133
Topic starter  

TL;DR: NIS2 raises the bar for identity governance across EU critical sectors, with SailPoint citing that only 34% of organisations in the UK, France and Germany had completed preparations and 90% of companies in an IDSA survey reported an identity-related breach. The directive makes access revocation, approval, risk analysis, and senior-management oversight core control expectations, not optional hygiene.

NHIMG editorial — based on content published by SailPoint: Foot to the floor: what NIS2 means for your business

By the numbers:

Questions worth separating out

Q: What breaks when access governance is weak under NIS2?

A: Weak access governance creates both security exposure and compliance failure.

Q: Why does NIS2 make identity governance more important for critical sectors?

A: NIS2 expands security expectations beyond perimeter controls and into access accountability, lifecycle discipline, and senior oversight.

Q: What do organisations get wrong about zero trust and NIS2?

A: They often treat zero trust as an architecture label instead of an access governance model.

Practitioner guidance

  • Map NIS2 obligations to identity controls: build a control mapping that links access reviews, joiner-mover-leaver steps, approval checkpoints, and incident reporting evidence to specific NIS2 obligations.
  • Eliminate generic and shared accounts: inventory generic accounts, shared admin identities, and unmanaged service credentials, then assign each one a named owner or replace it with a trackable identity.
  • Shorten offboarding and access-removal cycles: measure how long it takes to disable access when staff, contractors, or partners leave or change roles, and tie that interval to compliance reporting.
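The second and third items above are measurable, so here is an added example (written for this post, not code from SailPoint or from the source article) of the two checks an IAM team would script to produce that evidence: the lag between an HR leaver date and the IAM disable event, flagged against an SLA, and a list of inventory accounts with no named owner. The record layouts, the sample events, the reporting time and the 24-hour SLA are all constructed assumptions; a real run would pull the HR feed and IAM status from their respective systems.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumed layout, not taken from the article).
# HR leaver events: when the person's access should have ended.
HR_LEAVERS = [
    {"user": "a.smith", "effective": "2024-03-01T17:00:00Z"},
    {"user": "c.patel", "effective": "2024-03-05T12:00:00Z"},
    {"user": "d.lee",   "effective": "2024-03-06T09:00:00Z"},
]

# IAM account status as last changed by the identity platform.
IAM_RECORDS = [
    {"user": "a.smith", "status": "disabled", "changed": "2024-03-01T18:30:00Z"},
    {"user": "c.patel", "status": "disabled", "changed": "2024-03-09T12:00:00Z"},
    {"user": "d.lee",   "status": "enabled",  "changed": "2024-01-15T08:00:00Z"},
]

# Account inventory: generic, shared and service accounts need a named owner.
ACCOUNT_INVENTORY = [
    {"account": "a.smith",      "kind": "user",    "owner": "a.smith"},
    {"account": "svc-backup",   "kind": "service", "owner": ""},
    {"account": "shared-admin", "kind": "shared",  "owner": None},
    {"account": "svc-ci",       "kind": "service", "owner": "platform-team"},
]

# Assumed reporting time, so that still-open gaps have a measurable age.
NOW = "2024-03-10T09:00:00Z"
SLA_HOURS = 24  # assumed internal target for disabling a leaver's access


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revocation_lag_hours(hr_leavers, iam_records, now):
    """Map each leaver to (hours, closed).

    closed=True:  access was disabled; hours is effective-date -> disable time.
    closed=False: access is still enabled; hours is effective-date -> now,
                  i.e. the gap is still growing.
    """
    status = {r["user"]: r for r in iam_records}
    now_ts = parse_ts(now)
    lags = {}
    for ev in hr_leavers:
        effective = parse_ts(ev["effective"])
        rec = status.get(ev["user"])
        disabled_after_leaving = (
            rec is not None
            and rec["status"] == "disabled"
            and parse_ts(rec["changed"]) >= effective
        )
        if disabled_after_leaving:
            end, closed = parse_ts(rec["changed"]), True
        else:
            end, closed = now_ts, False
        lags[ev["user"]] = ((end - effective) / timedelta(hours=1), closed)
    return lags


def sla_breaches(lags, max_hours):
    """Users whose access outlived the SLA, including gaps still open."""
    return [user for user, (hours, _closed) in lags.items() if hours > max_hours]


def unowned_accounts(inventory):
    """Accounts with no named owner: the generic/shared/service backlog."""
    return [a["account"] for a in inventory if not a.get("owner")]


def compliance_evidence():
    """One dict an auditor can read: lags, breaches and the ownership backlog."""
    lags = revocation_lag_hours(HR_LEAVERS, IAM_RECORDS, NOW)
    return {
        "revocation_lag_hours": lags,
        "sla_breaches": sla_breaches(lags, SLA_HOURS),
        "unowned_accounts": unowned_accounts(ACCOUNT_INVENTORY),
    }


if __name__ == "__main__":
    for key, value in compliance_evidence().items():
        print(f"{key}: {value}")
```

Treating an open gap as a breach once it passes the SLA, rather than waiting for the disable event, is deliberate: the metric has to surface the accounts that nobody has touched yet, which are exactly the ones an access review would otherwise miss.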

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific NIS2 readiness findings from SailPoint's survey of 1,500 IT decision makers.
  • The article's examples of access governance controls, including offboarding, generic accounts, and approval-based access.
  • The IDC-linked discussion of how identity governance supports compliance at scale.
  • The broader business context around fines, senior-management liability, and cyber resilience planning.

👉 Read SailPoint's analysis of NIS2 compliance and identity governance →
