Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

NIS2 compliance gap: what IAM teams need to close now


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: NIS2 raises the bar for identity governance across EU critical sectors, with SailPoint citing that only 34% of organisations in the UK, France and Germany had completed preparations and 90% of companies in an IDSA survey reported an identity-related breach. The directive makes access revocation, approval, risk analysis, and senior-management oversight core control expectations, not optional hygiene.

NHIMG editorial — based on content published by SailPoint: Foot to the floor: what NIS2 means for your business

By the numbers:

Questions worth separating out

Q: What breaks when access governance is weak under NIS2?

A: Weak access governance creates both security exposure and compliance failure.

Q: Why does NIS2 make identity governance more important for critical sectors?

A: NIS2 expands security expectations beyond perimeter controls and into access accountability, lifecycle discipline, and senior oversight.

Q: What do organisations get wrong about zero trust and NIS2?

A: They often treat zero trust as an architecture label instead of an access governance model.

Practitioner guidance

  • Map NIS2 obligations to identity controls Build a control mapping that links access reviews, joiner-mover-leaver steps, approval checkpoints, and incident reporting evidence to specific NIS2 obligations.
  • Eliminate generic and shared accounts Inventory generic accounts, shared admin identities, and unmanaged service credentials, then assign each one a named owner or replace it with a trackable identity.
  • Shorten offboarding and access-removal cycles Measure how long it takes to disable access when staff, contractors, or partners leave or change roles, and tie that interval to compliance reporting.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific NIS2 readiness findings from SailPoint's survey of 1,500 IT decision makers.
  • The article's examples of access governance controls, including offboarding, generic accounts, and approval-based access.
  • The IDC-linked discussion of how identity governance supports compliance at scale.
  • The broader business context around fines, senior-management liability, and cyber resilience planning.

👉 Read SailPoint's analysis of NIS2 compliance and identity governance →

NIS2 compliance gap: what IAM teams need to close now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

NIS2 turns identity governance into a regulated control surface: This directive does not treat access management as background administration. It makes lifecycle discipline, approval logic, and access accountability part of the security posture that senior management must oversee. The implication is that IAM and IGA teams now carry evidence obligations, not just operational ones.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Who is accountable when access problems lead to NIS2 failures?

A: Senior management is accountable because the directive requires oversight of cybersecurity risk management measures. That means identity decisions cannot sit only with technical teams. Organisations need clear ownership for access reviews, revocation, and reporting so accountability is traceable from policy to action.

👉 Read our full editorial: NIS2 turns identity governance into a compliance requirement



   
ReplyQuote
Share: