Compliance · Intermediate

Identity Controls for NIS2

By SWI Community Team · Updated 2026-06-18 · 10 min

The EU NIS2 Directive raises baseline cybersecurity obligations for essential and important entities across many sectors, and identity controls are central to its risk-management requirements. Member-state transposition has made these expectations enforceable, with management accountability attached.

What NIS2 expects of identity

NIS2 requires appropriate technical and organizational measures, and the identity-relevant ones include:

  • Access control policies and least privilege.
  • Multi-factor or continuous authentication for relevant access.
  • Asset and identity management, including non-human identities in operational environments.
  • Supply-chain security, which includes governing third-party and vendor access.

What good looks like

  • MFA across the workforce, with phishing-resistant factors for privileged and remote access.
  • Privileged access management (PAM) covering both operational-technology (OT) and IT privileged access, a priority in the industrial and infrastructure sectors NIS2 covers.
  • Identity governance and administration (IGA) to enforce least privilege, handle joiner-mover-leaver changes, and produce evidenced access reviews.
  • Governed third-party access, plus identity threat detection and response (ITDR) to detect identity-based attacks and support the reporting duties.

Common pitfalls

  • Assuming NIS2 applies only to IT; its sectors include energy, manufacturing, transport, and more, where OT access is typically the unaddressed gap.
  • Leaving vendor and contractor access unmanaged even though it falls within the supply-chain requirements.
  • Having no detection capability, which leaves the incident-reporting timelines impossible to meet.
