Why identity security is a critical component of effective NIS2 compliance
NIS2 may have begun enforcement in October 2024, but compliance remains a significant hurdle for organisations. According to the European Cyber Security Organisation, only 15 of the 27 member states have currently transposed the directive into national law.
NIS2 was introduced to make it compulsory for essential services – including energy, healthcare, and financial services, to name a few – to take measures to improve cyber resilience. This is by no means an easy task for many essential services providers, many of which are still dependent on outdated technology to deliver their services. For instance, a recent survey from RS2 found that banks are currently spending 70% of their budgets on maintaining legacy systems.
On the surface, it's easy for organisations to view NIS2 as a regulatory headache that no one has the time or energy to address. But if the spate of retail attacks in the UK earlier this summer is anything to go by, one thing is clear – cybersecurity can no longer be placed on the back burner. A recent survey found that cyberattacks cost UK businesses £44bn in the last five years.
NIS2 might seem like a daunting hurdle to overcome, but it can also be seen as an opportunity: a strong incentive for businesses to fortify their operations and stay one step ahead of threat actors, ultimately protecting their bottom line.
Even though NIS2 is an EU directive, UK organisations with operations in the EU may still need to demonstrate compliance. We’ll delve into the main hurdles for organisations looking to achieve NIS2 compliance, and the solutions available to address them.
Key requirements outlined in the NIS2 framework
IT security managers are perhaps under the most pressure following the introduction of NIS2, since they are responsible for implementing and enforcing the Directive across an organisation. The stakes have never been higher, with non-compliance carrying significant legal, financial and reputational consequences. For essential and important entities, including financial institutions and the transport and healthcare sectors, non-compliance can incur costly fines.
One key requirement outlined by NIS2 is that organisations must be able to demonstrate that they have robust access control policies in place. This means the ability to limit access to networks and systems based on user roles and responsibilities. Without the ability to automate access controls, organisations remain reliant on spreadsheets, email or paper trails to manage permissions.
These manual processes are often subject to human error, with permissions not being updated promptly when employees change roles, leave the company, or when contractors’ projects end. Users and ex-employees retain access to sensitive systems and data long after they need it.
This significantly increases the risk of insider threats, whether accidental, such as dormant user accounts being targeted by cyber criminals, or intentional, such as a disgruntled employee or ex-employee stealing, destroying or altering company information for personal gain. Businesses and public sector organisations should take insider threats seriously: they constitute almost half of breaches (49%) within EMEA organisations.
Why access controls are key to operationalising ‘zero trust’
Thankfully, the technology is available today to help organisations achieve compliance with NIS2 and strengthen data security at the same time. Automated identity management tools make it easier than ever to manage the entire identity lifecycle, from onboarding to offboarding.
Imagine a consultant is working on a contractual basis at a hospital, filling in for another doctor whilst they are on leave. The visiting consultant should only be able to access selected patient records or imaging relevant to their case.
Through a custom role and profile, they would be granted temporary access to EHR (Electronic Health Records), but left without administrative system privileges such as scheduling, billing systems, and hospital-wide data reports.
After a specific time frame (the close of the contract), the consultant would no longer be able to access patient information or company systems. This concept, ‘Just-in-time privilege’, operationalises zero trust by granting access based on real-time needs, revoking it once tasks are complete. Access remains role-specific and is granted or rescinded when employees are onboarded or offboarded. Offboarding processes that are quick, seamless and secure are fast becoming a ‘must-have’ for UK employers, who continue to experience consistent staff turnover.
Show and tell
Alongside role-based access, NIS2 requires organisations which provide essential services to clearly document and keep a record of user access permissions. The impact of NIS2 will therefore be felt across a wide range of industries, including, but not limited to, energy, transport, financial services, digital infrastructure, public administration and healthcare.
Manually reviewing and collating a record of existing permissions across an organisation can prove to be an incredibly time-consuming task, as well as a significant drain on IT and security team resources. Identity security platforms eradicate the need to manually document and search for a list of access permissions. IT teams can easily view the number of users with privileged access via an interactive dashboard, as well as a record of outstanding access review tasks. This ‘single pane of glass’ overview makes it possible for organisations to easily review historical access changes and understand which admins granted or revoked access, and when.
Importantly, visualisation via a dashboard equips organisations with the ability to showcase and demonstrate compliance with NIS2 during regulatory inspections. Dashboard data is updated in real-time, providing a single source of truth by bringing together data across a complex network of suppliers, contractors, and other third parties operating within an organisation’s supply chain.
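The consultant scenario above and the record-keeping requirement that follows it can be modelled together: a time-bound role grant that lapses at contract end without a manual step, and an audit trail recording who granted or revoked access and when. This is an added illustration, not SailPoint's or any vendor's code; the role names, scopes, users and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed role catalogue (hypothetical): the visiting consultant's role reaches the
# EHR only; scheduling, billing and hospital-wide reports stay with the admin role.
ROLE_SCOPES = {
    "visiting_consultant": {"ehr:read"},
    "hospital_admin": {"ehr:read", "scheduling:write", "billing:write", "reports:read"},
}
PRIVILEGED = {"scheduling:write", "billing:write"}

@dataclass
class Grant:
    user: str
    role: str
    granted_by: str
    starts: datetime
    expires: datetime             # contract end: access lapses with no manual step
    revoked_at: "datetime | None" = None

@dataclass
class AccessStore:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (when, actor, action, user, role)

    def grant(self, user, role, granted_by, starts, duration):
        g = Grant(user, role, granted_by, starts, starts + duration)
        self.grants.append(g)
        self.audit.append((starts, granted_by, "grant", user, role))
        return g

    def revoke(self, grant, revoked_by, when):
        # Early offboarding: the record keeps who rescinded access and when.
        grant.revoked_at = when
        self.audit.append((when, revoked_by, "revoke", grant.user, grant.role))

    def permissions(self, user, now):
        # Only grants whose window contains `now` and that are not revoked count.
        perms = set()
        for g in self.grants:
            if g.user != user or not (g.starts <= now < g.expires):
                continue
            if g.revoked_at is not None and now >= g.revoked_at:
                continue
            perms |= ROLE_SCOPES[g.role]
        return perms

    def privileged_users(self, now):
        # Dashboard figure: who currently holds a privileged scope.
        return sorted({g.user for g in self.grants
                       if self.permissions(g.user, now) & PRIVILEGED})
```

The audit list is what an inspector would ask for: every grant and revocation with its actor and timestamp, while `permissions` answers the live question of what a given user can reach right now.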
Identity security is an integral part of NIS2 compliance
With the UK’s economy and society at large now dependent on digital services to function, cybersecurity is no longer an afterthought but a business imperative. In this landscape, NIS2 has arrived not a moment too soon. It presents organisations with an opportunity to reassess their cybersecurity posture and establish operations that are more robust, flexible and secure.
Automated identity and access management tools have emerged as a critical consideration for businesses looking to strengthen their first line of defence against sophisticated phishing attacks. Identity security platforms can create one pool of knowledge for IT and security teams, equipping them with full visibility across the entire supply chain.
These platforms don’t just enable a more proactive approach to identity management – they also support compliance with NIS2 by providing a centralised record of ‘who’ has access to ‘what’ in real-time. When businesses move beyond manual processes and legacy systems, they can help close compliance gaps, eradicate siloes, and ultimately chart a course towards operations that are both more secure and scalable.
Steve Bradford is Senior Vice President EMEA at SailPoint