What is NIS2?
The Network and Information Security Directive 2 (NIS2) is an EU cybersecurity directive that entered into force in January 2023. It replaces the original NIS Directive and significantly expands both the range of organizations that must comply and what those organizations must do.
NIS2 covers organizations in essential sectors (energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, and space) and important sectors (postal services, waste management, chemicals, food, manufacturing, digital providers, and research).
Unlike the original NIS Directive, NIS2 introduces stricter security requirements, incident reporting obligations, and personal liability for management. Non-compliance penalties reach up to €10 million or 2% of global annual turnover.
NIS2 identity and access management requirements
Article 21 of NIS2 sets out the cybersecurity measures that organizations must implement. Several of these requirements directly map to identity governance:
Access control policies
Organizations must have documented policies for who has access to systems and data, how access is granted and removed, and how access rights are reviewed. This requires more than just having Entra ID — it requires governance processes.
Privileged access management
NIS2 specifically addresses privileged access: accounts with elevated permissions must be managed under stricter controls, with just-in-time access, approval workflows, and enhanced audit logging.
Regular access reviews
Access rights must be reviewed periodically to ensure they remain appropriate. Reviews must be documented and evidence must be available for regulators.
Lifecycle management
User provisioning and deprovisioning processes must be defined, documented, and consistently followed. Informal processes and manual checklists are not sufficient evidence of control.
Article 21 — the security measures clause
Article 21(2) of NIS2 lists the minimum cybersecurity measures. The identity-relevant requirements include:
- Human resources security, access control policies, and asset management (Article 21(2)(i))
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity (Article 21(2)(j))
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption (Article 21(2)(h)) — which requires knowing who has encryption keys
- Supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers (Article 21(2)(d)) — third-party access governance
Article 21 also requires that measures be proportionate to the entity's risk, scale, and sector. This means smaller organizations don't need to implement enterprise IGA platforms; they need controls appropriate to their risk profile.
What auditors and regulators look for
When assessing NIS2 compliance, regulators and auditors want to see evidence, not promises. Common questions:
- Show me the last three months of access review records — who reviewed, what they decided, and when
- What happens when an employee leaves? Walk me through the offboarding process and show me the audit trail for the last five departures
- Who approved this user's access to this system, and when? Show me the approval record
- How do you know there are no former employees with active accounts?
- What is your process for reviewing privileged access? How often, who reviews it, and what happens to access that is no longer needed?
- Show me your access control policy — and show me that it is actually followed
Meeting NIS2 identity governance requirements
The requirements are clear. Here is what you need to have in place:
Documented access control policy
A written policy covering who can access what, how access is requested and approved, and how it is removed. This does not need to be 50 pages — it needs to accurately describe how you actually operate.
Automated provisioning and deprovisioning
Consistent, logged processes for account creation and removal. Manual checklists create gaps and cannot be audited effectively. Automation provides the evidence regulators need.
Regular access review cycle
At minimum, an annual review of all access rights. High-risk systems warrant quarterly reviews. Reviews must be structured, with outcomes documented and acted on.
Privileged access controls
Separate tracking and approval process for administrative accounts. Just-in-time access where practical. Regular review of all privileged access rights.
Audit trail
An immutable log of who had access to what, when it was granted, who approved it, and when it was removed. This is the evidence that makes everything else credible.
NIS2 compliance for Microsoft Entra ID environments
Most organizations in NIS2 scope run Microsoft 365 and Entra ID as their identity infrastructure. Meeting NIS2 requirements in this environment requires a governance layer on top of Entra ID — the native tools provide a starting point but not the full control set.
What Entra ID provides for NIS2 compliance: user management, MFA, conditional access, audit logs, and basic lifecycle workflows.
What you need that Entra ID's native tools don't fully cover: structured access review campaigns with documented outcomes, consistent automated provisioning connected to HR data, comprehensive audit trail across the full identity lifecycle, and compliance-ready reports that don't require manual data assembly.
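As an added example (not Adcyma's code and not a Microsoft API), this is the HR-to-Entra reconciliation behind "automated provisioning connected to HR data" and the auditor question about former employees with active accounts: it runs over constructed data shaped like a subset of a Microsoft Graph /users export, and the employee ids, UPNs, dates and one-day deprovisioning SLA are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed HR roster (hypothetical values): employee id -> (status, termination date)
HR_ROSTER = {"E100": ("active", None), "E101": ("terminated", "2024-03-01"),
             "E102": ("terminated", "2024-03-12")}

# Constructed Entra ID export shaped like a subset of a Microsoft Graph /users response
ENTRA_USERS = [
    {"employeeId": "E100", "userPrincipalName": "a.ada@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-03-14T08:00:00Z"}},
    {"employeeId": "E101", "userPrincipalName": "b.bob@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-03-10T17:30:00Z"}},
    {"employeeId": "E102", "userPrincipalName": "c.cat@example.com", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2024-03-11T09:00:00Z"}},
    {"employeeId": None, "userPrincipalName": "svc-backup@example.com", "accountEnabled": True,
     "signInActivity": {}},
]

DEPROVISION_SLA = timedelta(days=1)  # assumed policy: disable within one day of leaving
AS_OF = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed reconciliation date


def find_orphaned_accounts(hr, users, as_of):
    """Return (userPrincipalName, reason) pairs for enabled accounts that have no HR
    record or belong to leavers. An empty list is the evidence for the auditor question
    'how do you know there are no former employees with active accounts?'."""
    findings = []
    for u in users:
        if not u["accountEnabled"]:
            continue  # disabled accounts are out of scope for this check
        record = hr.get(u.get("employeeId"))  # missing or unmapped ids yield None
        if record is None:
            findings.append((u["userPrincipalName"], "no HR record"))
            continue
        status, term_date = record
        if status != "terminated":
            continue
        term = datetime.fromisoformat(term_date).replace(tzinfo=timezone.utc)
        reasons = ["terminated, still enabled"]
        if as_of - term > DEPROVISION_SLA:
            reasons.append("deprovisioning SLA breached")
        last = u.get("signInActivity", {}).get("lastSignInDateTime")
        # Graph timestamps end in 'Z'; normalise so fromisoformat works on older Pythons
        if last and datetime.fromisoformat(last.replace("Z", "+00:00")) > term:
            reasons.append("signed in after termination")
        findings.append((u["userPrincipalName"], "; ".join(reasons)))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return find_orphaned_accounts(HR_ROSTER, ENTRA_USERS, AS_OF)
```

Scheduling this against a real HR feed and a nightly Graph export, and archiving the result, turns the "no former employees with active accounts" answer into a dated record rather than an assertion.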
Adcyma adds the governance layer that turns Entra ID into a NIS2-compliant identity system. Pre-built NIS2 compliance reports, structured access reviews, and automated lifecycle management — deployed in a day, not months.
Frequently asked questions
Does NIS2 require identity governance?
Yes. Article 21 of NIS2 requires organizations to implement access control policies, privileged access management, and regular reviews of user access rights. These are core identity governance controls.
Which companies are covered by NIS2?
NIS2 applies to organizations in essential and important sectors operating in the EU. Essential sectors include energy, transport, banking, health, water, digital infrastructure, and public administration. Important sectors include postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
What is the deadline for NIS2 compliance?
NIS2 entered into force in January 2023 and EU member states were required to transpose it into national law by October 2024. Companies in scope should be implementing compliance measures now.
What happens if we fail a NIS2 audit?
Sanctions for non-compliance include fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. Management can also be held personally liable.
Can Adcyma help us meet NIS2 access control requirements?
Yes. Adcyma covers the identity governance aspects of NIS2 compliance: automated provisioning and deprovisioning, structured access reviews, privileged access controls, and compliance reporting. Free for up to 25 users.