TL;DR: NIS2 pushes critical infrastructure operators toward passwordless access, because username and password controls remain exposed to phishing, reuse, and disruption in regulated environments, according to RSA Security. The real issue is that access assurance now has to survive suppliers, contractors, and legacy systems without relying on static credentials.
NHIMG editorial — based on content published by RSA Security: Passwordless Securing Europe’s Critical Infrastructure in the NIS2 Era
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams implement passwordless access in critical infrastructure?
A: Start with the highest-risk user groups and the systems most exposed to phishing or credential reuse.
Q: Why does passwordless matter for NIS2 compliance?
A: NIS2 raises expectations for resilience and access control in critical sectors, so passwordless helps by removing reusable secrets from the login path.
Q: What breaks when passwordless is rolled out without access governance?
A: The rollout can still leave recovery flows, legacy systems, and supplier accounts exposed.
Practitioner guidance
- Inventory every password fallback path: map where passwordless users can still authenticate through recovery codes, help desk reset flows, or legacy applications that force password-based access.
- Extend lifecycle controls to supplier access: apply onboarding, periodic review, and immediate revocation to contractor and vendor accounts that touch operational environments.
- Tie passwordless rollout to Zero Trust policy: require conditional access, device trust, and privilege checks after authentication so the login method does not become the only control.
What's in the full article
RSA Security's full article covers the operational detail this post intentionally leaves for the source:
- How RSA frames passwordless authentication choices for employees, suppliers, and contractors in regulated environments.
- The article’s practical examples of moving from passwords to FIDO2 hardware keys, biometrics, and risk-adaptive access.
- RSA’s discussion of NIS2-oriented access controls, audits, and Zero Trust alignment for critical infrastructure teams.
Read RSA Security's analysis of passwordless identity security for NIS2 critical infrastructure.