NIS2 Compliance Guide for Identity Management

Let’s be honest.

Most compliance initiatives fail for the same reason most gym memberships go unused after February. Not because people don’t care, but because real life always gets in the way.

And in the world of NIS2, real life is usually spelled: identity.

Because when something actually happens, the questions are always the same:

  • Who had access?
  • Why did they have access?
  • Should that access have been removed three months ago?
  • Can you prove it, quickly, without digging through old tickets and Slack threads?

NIS2 raises the bar significantly. Clearer risk management requirements, stronger supervision, and accountability that can no longer be “handled somewhere else”. In Sweden, the rules apply from January 2026.

And yes, identity management ends up right in the spotlight.


Why identity suddenly became everyone’s problem

NIS2 does not talk about IAM tools.
It talks about risk, control, and evidence.

But in practice, identity is what ties most of that together.

If you don’t know:

  • who has access to what
  • why they have it
  • and when it should be removed

then you have a risk problem. Not a documentation problem.

As one auditor once put it:
“It’s not dangerous to be wrong. It’s dangerous not knowing whether you are.”


What NIS2 actually expects from Identity Management

A useful rule of thumb:

NIS2-ready identity equals control you can demonstrate

Not “this is how we usually do it”, but “this is how it actually works”.

1. Access control that is more than a PDF

Access control is rarely defined in one place or one document, and the document is not the point. What matters is whether the rules are applied consistently in practice:

  • access follows a clear logic (a role, a need, an approval)
  • every system and entitlement has a named owner
  • changes are traceable: who asked, who approved, when it was granted, when it was removed

If the answer to “who approves access here?” is
“Good question…”

you have just found a NIS2 gap.

2. Least privilege in practice, not just in theory

NIS2 assumes users do not collect permissions like souvenirs.

That means:

  • role-based access where it makes sense
  • explicit exceptions where it doesn’t
  • regular reviews that actually happen

If every access review ends with “Approve all” after 30 seconds, that is not a review. It is a ritual.

Auditors are not big fans of rituals.


3. Joiner, mover, leaver. Where things usually break

In theory, joiners should be the easy part.
In reality, especially in smaller organizations, they are often handled manually.

Someone creates an account. Someone else adds access. A third person assumes it was done. Sometimes it was. Sometimes it wasn’t.

The result is familiar.
A new employee. First day. Laptop open.
The password works.
Nothing else does.

Someone says “it usually takes a few hours”.
Someone else says “it worked last time”.
The new hire learns an important lesson early: identity is complicated.

Movers are usually handled inconsistently. Promotions and team changes often mean more access. Rarely less, because nobody removes what the old role needed.

Leavers are where things really get risky.

NIS2 cares deeply about:

  • access changing when roles change
  • access being removed when employment ends
  • this happening quickly and consistently

Old accounts and forgotten permissions are cybersecurity’s equivalent of unlocked back doors. Nobody plans them. They just stay open.


Privileged access. The eternal headache

Admin accounts always attract attention. From attackers. From auditors. From incident responders.

A NIS2-friendly setup usually includes:

  • separate accounts for administrative and day-to-day work
  • time-bound elevation instead of standing admin rights
  • strong, phishing-resistant authentication for privileged access
  • logs that show who elevated, when, and what they did, and that are still useful when things go wrong

“All admins are trusted” is no longer considered a security strategy.


Incident reporting. Where identity saves time and nerves

NIS2 introduces strict reporting timelines for significant incidents.
An early warning within 24 hours of becoming aware of the incident.
An incident notification with an initial assessment within 72 hours.
A final report within a month.

That clock moves fast.

When it does, identity data is often what answers:

  • who logged in
  • from where
  • with which privileges
  • what was changed

Organizations with good identity telemetry report faster, calmer, and with fewer guesses.

Auditors dislike guesses almost as much as attackers enjoy them.


Common identity mistakes we see again and again

“We have IAM”

Great.
Who is responsible for the access decision on a given system or entitlement? Who approved the last change?

That is where things often become unclear.

Manual processes everywhere

Tickets, emails, spreadsheets.
They work. Until they don’t.

Manual steps are not just slow. They make evidence nearly impossible to reconstruct later.

Ghost accounts

Nobody knows who owns them.
Nobody dares to remove them.
Everyone hopes they are not being used.

Hope is rarely a control.


A realistic 30-day starting point for NIS2

If you want progress without chaos:

Week 1
List your critical systems. Identify identity sources. Map privileged access paths.

Week 2
Define ownership. Who approves what. Write a minimum viable access policy.

Week 3
Tighten MFA where it matters most. Clean up roles in a few key systems.

Week 4
Collect evidence. Access reviews. Provisioning logs. Deprovisioning timelines.
This is what you will actually be assessed on.
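As an illustration of the Week 4 evidence step, and of the leaver and ghost-account problems described earlier, here is a small reconciliation script. It is an added example, not code from Adcyma or from the original post. It compares a constructed HR roster against a constructed directory export and a few constructed sign-in log lines, and reports three things an auditor or incident responder will ask for: leavers whose accounts are still enabled past an assumed one-day deprovisioning SLA, accounts with no owner in HR, and successful sign-ins after a termination date. The data formats, field names and the SLA value are assumptions for the example; NIS2 sets no specific number of days.

```python
"""Leaver and ghost-account reconciliation over constructed sample data.

Added example for the article above; not Adcyma's code. All inputs below
are constructed, and the one-day deprovisioning SLA is an assumed
internal target rather than a NIS2 requirement.
"""
from datetime import date, datetime, timedelta

# Constructed HR roster: employee id -> (name, termination date or None)
HR_ROSTER = {
    "E100": ("Anna Berg", None),
    "E101": ("Erik Lund", date(2026, 1, 9)),
    "E102": ("Maja Holm", date(2026, 1, 30)),
}

# Constructed directory export: one dict per account
ACCOUNTS = [
    {"account": "anna.berg", "owner": "E100", "enabled": True, "admin": False},
    {"account": "erik.lund", "owner": "E101", "enabled": True, "admin": True},
    {"account": "maja.holm", "owner": "E102", "enabled": False, "admin": False},
    {"account": "svc-backup", "owner": None, "enabled": True, "admin": True},
]

# Constructed sign-in log: "<timestamp> <account> <source_ip> <result>"
SIGNIN_LOG = """\
2026-01-08T08:02:11Z anna.berg 10.0.4.12 success
2026-01-12T19:44:03Z erik.lund 185.0.0.7 success
2026-01-13T07:15:40Z svc-backup 10.0.9.3 success
2026-02-01T09:00:00Z maja.holm 10.0.4.20 failure
"""

DEPROVISION_SLA_DAYS = 1  # assumed internal SLA, not a NIS2 number


def parse_signins(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "ip": ip,
            "result": result,
        })
    return events


def reconcile(roster, accounts, signins, as_of):
    """Return the three findings an access review or incident needs quickly.

    overdue_leavers: (account, days past SLA, is_admin) for enabled accounts
                     whose owner has a termination date before as_of - SLA
    ghost_accounts:  accounts whose owner is missing from HR entirely
    post_termination_signins: (account, timestamp, ip) for successful
                     sign-ins dated after the owner's termination date
    """
    findings = {"overdue_leavers": [], "ghost_accounts": [],
                "post_termination_signins": []}
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in roster:
            findings["ghost_accounts"].append(acct["account"])
            continue
        _, term = roster[owner]
        if term is None:
            continue  # current employee, nothing to flag here
        deadline = term + timedelta(days=DEPROVISION_SLA_DAYS)
        if acct["enabled"] and as_of > deadline:
            findings["overdue_leavers"].append(
                (acct["account"], (as_of - deadline).days, acct["admin"]))
        for ev in signins:
            if (ev["account"] == acct["account"]
                    and ev["result"] == "success"
                    and ev["ts"].date() > term):
                findings["post_termination_signins"].append(
                    (acct["account"], ev["ts"].isoformat(), ev["ip"]))
    return findings


def run_example():
    """Run the reconciliation on the constructed data as of 2026-01-20."""
    return reconcile(HR_ROSTER, ACCOUNTS, parse_signins(SIGNIN_LOG),
                     date(2026, 1, 20))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed data the script flags erik.lund as an admin account ten days past its deprovisioning deadline, svc-backup as a ghost account with no owner in HR, and one successful sign-in by erik.lund three days after his termination date from an external address. Swap the constructed inputs for your HR export, directory export and sign-in log, and run it on a schedule; the output is exactly the kind of evidence the Week 4 step asks you to collect, and it turns "we remove access when people leave" into something you can show.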


Where Adcyma fits in (briefly, without the sales pitch)

NIS2 identity work usually comes down to:

  • lifecycle control
  • automation
  • clear ownership
  • traceability

All of that is significantly easier when identities are managed centrally instead of manually, system by system.

Identity lifecycle management (ILM) that actually works makes compliance far less dramatic.


Final thoughts

NIS2 is not about perfection.
It is about control, accountability, and being able to show how things work when someone asks.

And the first thing they usually ask about is identity.

If you have that under control, the rest becomes much easier.

    © 2026 Adcyma AB. All rights reserved.