TL;DR: NIS2 pushes critical infrastructure operators toward passwordless access, because username and password controls remain exposed to phishing, reuse, and disruption in regulated environments, according to RSA Security. The real issue is that access assurance now has to survive suppliers, contractors, and legacy systems without relying on static credentials.
NHIMG editorial — based on content published by RSA Security: Passwordless Securing Europe’s Critical Infrastructure in the NIS2 Era
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams implement passwordless access in critical infrastructure?
A: Start with the highest-risk user groups and the systems most exposed to phishing or credential reuse.
Q: Why does passwordless matter for NIS2 compliance?
A: NIS2 raises expectations for resilience and access control in critical sectors, so passwordless helps by removing reusable secrets from the login path.
Q: What breaks when passwordless is rolled out without access governance?
A: The rollout can still leave recovery flows, legacy systems, and supplier accounts exposed.
Practitioner guidance
- Inventory every password fallback path Map where passwordless users can still authenticate through recovery codes, help desk reset flows, or legacy applications that force password-based access.
- Extend lifecycle controls to supplier access Apply onboarding, periodic review, and immediate revocation to contractor and vendor accounts that touch operational environments.
- Tie passwordless rollout to Zero Trust policy Require conditional access, device trust, and privilege checks after authentication so the login method does not become the only control.
What's in the full article
RSA Security's full article covers the operational detail this post intentionally leaves for the source:
- How RSA frames passwordless authentication choices for employees, suppliers, and contractors in regulated environments.
- The article’s practical examples of moving from passwords to FIDO2 hardware keys, biometrics, and risk-adaptive access.
- RSA’s discussion of NIS2-oriented access controls, audits, and Zero Trust alignment for critical infrastructure teams.
👉 Read RSA Security's analysis of passwordless identity security for NIS2 critical infrastructure →
Passwordless access for NIS2 critical infrastructure: are controls ready?
Explore further
Passwordless identity reduces credential theft, but it does not solve governance by itself. Passwordless weakens the most common human login failure mode, which is password reuse and phishing, yet critical infrastructure still fails if recovery, fallback, and third-party access remain poorly governed. NIS2 pressure therefore shifts the question from whether passwords should be removed to whether the surrounding identity controls are strong enough to support that change. Practitioners should treat passwordless as an assurance upgrade, not an operating model.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when contractor access is left active in a critical environment?
A: Accountability should sit with the system owner and the identity governance function, not the contractor alone. Critical infrastructure teams need clear ownership for onboarding, review, and revocation because access that outlives the business need becomes a governance failure, not just an authentication issue.
👉 Read our full editorial: Passwordless identity security for NIS2 critical infrastructure access