NIS2-ready: How protected identities and privileged access pave the way for companies
The NIS2 Implementation Act has been in force in Germany since December 6, 2025. This means that the focus is no longer limited to traditional critical infrastructure operators. Many other “important” and “essential” entities are now also affected. More than 30,000 organizations are required to strengthen their risk management, incident reporting, technical measures and governance. But what exactly needs to be done often remains unclear for those responsible. After all, the requirement to take appropriate, proportionate, technically effective and organizational measures is deliberately formulated in broad terms. Identity and Access Management (IAM) and Privileged Access Management (PAM) provide good starting points.
ℹ️ Already one step ahead?
Are you already aware that IAM and PAM can help your company move toward NIS2 compliance? Then you can jump straight to our checklist.
Getting started doesn’t have to be hard
Protecting IT infrastructure and processes, ensuring confidentiality, preventing disruptions and minimizing the impact of security incidents — these are important goals pursued by the NIS2 Directive. Yet the path toward achieving them still raises many questions. NIS2 describes what needs to be achieved, but not exactly how organizations should get there. Anyone reading through the legal text will therefore not find a concrete list of measures.
What is clear, however, is that the requirements are risk-based. Organizations must assess for themselves which approaches are appropriate and proportionate. Which controls are adequate? Which systems are particularly critical and require quick solutions? And where are the greatest risks?
ℹ️ Implementing acts as guidance
For certain digital services and infrastructures, however, there is already a framework: Implementing Regulation (EU) 2024/2690. It defines EU-wide requirements for risk management measures. It applies, for example, to DNS service providers, cloud computing service providers, online search engines and social networking service platforms.
Companies should therefore keep an eye on relevant EU implementing acts as well as ENISA’s accompanying technical guidance.
Not explicitly named, but essential
This is exactly where Identity and Access Management and Privileged Access Management become relevant. NIS2 does not explicitly mention these terms, but many of the required objectives can be implemented in practice through IAM and PAM. Four areas of action are particularly important.
Security boundaries are shifting
For a long time, security was a matter of perimeter protection. If firewalls, network boundaries and internal network safeguards were in place, the infrastructure was considered secure. In today’s IT landscape, this logic no longer works. Cloud services, mobile workplaces, external service providers and partners now dominate, alongside APIs, service accounts and machine identities. As a result, the security perimeter has to expand significantly.
NIS2 requires risk-based protective measures. It is no longer enough for companies to secure only their systems. They must also make access to systems and data controllable. In its technical guidance, ENISA explicitly names topics such as “roles and responsibilities,” “access control,” “access rights” and “asset management” as relevant building blocks.
The new guiding principle is this: access controls are no longer organized primarily around network boundaries, but increasingly around identities and permissions.
Multi-factor authentication
Username plus password equals access. Especially in critical contexts, this formula should no longer be the only barrier to entry. Strong authentication is needed. In Article 21(2), NIS2 explicitly refers to multi-factor authentication or continuous authentication. Companies that combine knowledge, possession and, where appropriate, biometric factors are best protected.
Critical access, sensitive systems and privileged accounts require a rethink. The new minimum requirement is therefore multi-factor authentication.
Lifecycle management
Identities are often created once and then forgotten. If rights are revoked too late, permissions are not adapted to changed roles, or service accounts exist without clear responsibilities, vulnerabilities can arise. The entire lifecycle of an identity must therefore be taken into account.
The connection to NIS2 is clear: the directive requires traceability, risk-based protection and effective measures. All of this can only be achieved if clean identity lifecycle management is in place. Joiners, movers and leavers — meaning new people or accounts, changed roles or responsibilities, and offboarding — are the three key stages organizations need to manage.
Governance and accountability
Many still treat NIS2 as a purely technical issue — but that falls short. Above all, the directive focuses on the responsibility of management bodies. In other words, it is not enough to be “somehow secured” from a technical perspective. Companies must implement measures in a way that is controllable, verifiable and organizationally embedded.
Documented roles, reviewable permissions and clear responsibilities are becoming more important, and alongside protection itself, accountability for it is gaining relevance. What many identity security experts have been saying for a long time becomes clear here: IAM and PAM are operational admin topics, but they must also be anchored in governance.
Laying the foundation with identity security
Of course, NIS2 covers much more: incident handling, business continuity, supply chain security and cyber hygiene, including cybersecurity training. Ultimately, however, many requirements lead back to measures for identities and access. Four examples illustrate this:
- Incident response requires clarity about accounts and permissions.
- Business continuity requires robust access models.
- Security policies require traceable roles and responsibilities.
- Auditability often fails because privileged accounts and access rights are unclear.
However, organizations that already use IAM and PAM should not celebrate too soon. Anyone implementing NIS2 requirements will quickly realize that many weaknesses still exist, often stemming from traditional IAM and PAM systems. Typical findings include:
- role and rights concepts that have grown over many years
- missing recertifications
- no clean separation between privileged and non-privileged accounts
- shared admin accounts
- unclear responsibilities for service accounts
- missing offboarding
- missing documentation of exceptions
- privileged access without sufficient control or traceability
- insufficiently recorded technical identities and non-human identities
A pragmatic start toward NIS2
A sensible first step toward NIS2 compliance can be to modernize IAM and PAM. Even though this is not explicitly stated as a legal obligation, companies move significantly closer to the overall goal by implementing the individual to-dos.
IAM to-dos
- Clearly define roles and responsibilities
- Set up rights assignment in a more risk-oriented way
- Consistently implement need-to-know and least privilege
- Review joiner-mover-leaver processes
- Reassess authentication for critical access
- Anchor management approval and governance
- Establish regular reviews instead of treating it as a one-off project
PAM to-dos
- Inventory privileged accounts
- Separate administrative and standard access
- Establish session control and traceability
- Reduce permanently elevated privileges
- Document approvals and exceptions
- Monitor privileged access
Does this look like a long list? Don’t worry. The first step is to create transparency. Those responsible should carry out an as-is analysis of critical systems, privileged accounts and sensitive roles. This should then be followed by prioritization. Systems or access rights where misuse or incorrect handling would have particularly serious consequences should be addressed first. After that, organizations can gradually improve policies, role models, recertifications, session controls and technical identities.
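The as-is analysis described above can be started with a simple script. The following is an added example, not code from the original post: it checks a constructed account inventory against the weaknesses listed earlier (missing offboarding, privileged accounts without MFA, unowned shared or service accounts, standing admin rights, overdue recertification) and orders the findings by urgency. The account records, the audit date and the 180-day recertification interval are assumptions for the sample run.

```python
"""As-is check of an account inventory against the IAM/PAM weaknesses listed
above (added example, not code from the original post). ACCOUNTS is constructed
sample data standing in for a directory export joined with the HR roster."""
from datetime import date

AUDIT_DATE = date(2026, 1, 15)   # constructed "today" for the sample run
RECERT_MAX_DAYS = 180            # assumed internal policy value, not taken from NIS2

# Constructed sample inventory. "admin" models a shared admin account with no
# named owner; "svc-backup" models a service account nobody is responsible for.
ACCOUNTS = [
    {"id": "a.meier", "type": "user", "hr_status": "active", "privileged": False,
     "mfa": True, "owner": "a.meier", "standing_admin": False, "last_recert": date(2025, 11, 1)},
    {"id": "b.schulz", "type": "user", "hr_status": "left", "privileged": True,
     "mfa": True, "owner": "b.schulz", "standing_admin": True, "last_recert": date(2025, 3, 1)},
    {"id": "admin", "type": "user", "hr_status": "active", "privileged": True,
     "mfa": False, "owner": None, "standing_admin": True, "last_recert": None},
    {"id": "svc-backup", "type": "service", "hr_status": None, "privileged": True,
     "mfa": False, "owner": None, "standing_admin": True, "last_recert": date(2024, 1, 15)},
]

def audit_account(acct, today):
    """Return (severity, finding) pairs for one account; severity 1 is most urgent."""
    findings = []
    if acct["hr_status"] == "left":
        findings.append((1, "missing offboarding: leaver still has an enabled account"))
    if acct["privileged"] and not acct["mfa"]:
        findings.append((1, "privileged account without multi-factor authentication"))
    if acct["owner"] is None:
        findings.append((2, "no responsible owner recorded (shared or orphaned account)"))
    if acct["privileged"] and acct["standing_admin"]:
        findings.append((3, "permanently elevated privileges instead of time-bound elevation"))
    last = acct["last_recert"]
    if last is None or (today - last).days > RECERT_MAX_DAYS:
        findings.append((3, f"access rights not recertified within {RECERT_MAX_DAYS} days"))
    return findings

def audit(accounts, today):
    """Run the check over the whole inventory; the sort puts the most urgent findings first."""
    results = []
    for acct in accounts:
        for severity, finding in audit_account(acct, today):
            results.append((severity, acct["id"], finding))
    return sorted(results)   # tuple order: severity, then account id, then finding text

if __name__ == "__main__":
    for severity, acct_id, finding in audit(ACCOUNTS, AUDIT_DATE):
        print(f"P{severity} {acct_id}: {finding}")
```

The sorted output is the prioritization the text asks for: leavers with enabled accounts and privileged accounts without MFA come first, recertification gaps last.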
ℹ️ NIS2 and software supply chain security
NIS2 does not only draw attention to identities, permissions and privileged access. Transparency around the software components in use is also becoming more important. SBOMs, security reports and vulnerability analyses help make risks in the software supply chain visible at an early stage and provide more reliable evidence.
You can learn more on our page “Because binaries don’t tell lies”.
IAM and PAM for NIS2
NIS2 raises the bar for controllability, traceability, accountability and risk-based access controls. Optimizing IAM and PAM is not explicitly mentioned in the directive. But companies that view these areas as part of their NIS2 readiness quickly move closer to the bigger picture.
Are your IAM and PAM systems ready for NIS2? Find out with our checklist.
Has NIS2 been on your agenda for some time, but getting started still feels difficult? Let’s identify suitable protective measures together.