NIS2 may have been in force since October 2024, but as of July 2025 only 14 of the 27 EU Member States had transposed the directive into national law. NIS2 was introduced to compel providers of essential services, such as healthcare, energy, finance and transport, to strengthen their cybersecurity resilience. Yet for many organisations burdened by outdated systems and siloed operations, warding off cyber threats is no mean feat.
Although NIS2 is an EU directive, many UK organisations with operations in the EU will still be expected to demonstrate compliance. And with more than 70% of business leaders anticipating that a cybersecurity incident will disrupt their business in the next 12 to 24 months, it is clear that leaders need to re-examine their cybersecurity posture. Placing cybersecurity on the back burner can have disastrous results, both financially and reputationally. For instance, the Cyber Monitoring Centre estimated the total financial toll of the recent retail attacks in the UK at between £270 million and £440 million.
With the stakes so high, one thing is clear: NIS2 should not be regarded as a simple ‘box-ticking’ exercise. It represents a critical call to action, a timely opportunity for organisations to build operations that are secure and resilient against future threats. Let’s look at the main roadblocks for businesses needing to close the compliance gap, and the technologies available to address them.
What will happen if organisations don’t comply?
IT security managers are perhaps under the most pressure following the introduction of NIS2, being responsible for implementing and enforcing the Directive effectively across an organisation. The stakes have never been higher: non-compliance brings significant legal, financial and reputational consequences, and for essential entities, including financial institutions, it can incur costly fines.
One key requirement outlined by NIS2 is that organisations must be able to demonstrate that they have robust access control policies in place. This includes the ability to limit access to networks and systems based on user roles and responsibilities. Without the ability to automate access controls, organisations remain reliant on spreadsheets, email or paper trails to manage permissions. These manual processes are prone to human error: permissions are not updated promptly when employees change roles or leave the company, or when contractors’ projects end, so current users and ex-employees retain access to sensitive systems and data long after they need it.
This significantly increases the risk of insider threats, whether accidental, with dormant user accounts targeted by cyber criminals, or intentional, such as a disgruntled employee or ex-employee stealing, destroying or altering company information for personal gain. Businesses and public sector organisations should take insider threats seriously: they constitute almost half of breaches (49%) within EMEA organisations.
Managing the identity lifecycle to drive compliance
Luckily, the technology is available today to support organisations to achieve compliance with NIS2 and enable greater data security at the same time. Automated identity management tools make it easier than ever for organisations to seamlessly manage the entire identity lifecycle, from onboarding to offboarding.
Imagine a financial consultant is brought in on a temporary contract at a major bank to cover for a colleague on leave. The consultant should only be able to access the specific client accounts and financial records necessary for their assignment. Through a tailored role and access profile, they might receive temporary permissions to view select client portfolios or transaction histories. To minimise risk, however, they would be given no administrative system privileges, such as access to internal audit logs, executive dashboards or regulatory compliance reports.
After a specific time frame (the close of the contract), the consultant would no longer be able to access client information or company systems. This concept, ‘just-in-time privilege’, operationalises zero trust by granting access based on real-time need and revoking it once tasks are complete. Access remains role-specific and is granted or rescinded as employees are onboarded or offboarded. Offboarding processes that are quick, seamless and secure are fast becoming a ‘must-have’ for UK employers, particularly for organisations that experience high staff turnover.
Show and tell: how to demonstrate compliance
Alongside role-based access, NIS2 requires organisations which provide ‘essential services’ to clearly document and keep a record of user access permissions.
The impact of NIS2 will therefore be felt across a wide range of industries, including, but not limited to, financial services, energy, transport, digital infrastructure, public administration and healthcare.
Manually reviewing and collating a record of existing permissions across an organisation can be an incredibly time-consuming task, as well as a significant drain on IT and security team resources. Identity security platforms remove the need to manually document and search for a list of access permissions. IT teams can view the number of users with privileged access via an interactive dashboard, together with a record of outstanding access review tasks. This ‘single pane of glass’ overview makes it possible for organisations to review historical access changes and understand which admins granted or revoked access, and when.
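As an added illustration, and not code from this article or from any identity platform it refers to, here is a minimal Python model of the consultant scenario described earlier together with the reviewable access record this section calls for: grants are scoped to a role profile, expire automatically at contract close, and every grant, denial and expiry is written to an audit trail that records who acted and when. All user names, roles, resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Role profiles: the most each role may ever be granted (constructed sample data).
ROLE_PROFILES = {
    "contract_consultant": {"client_portfolios", "transaction_history"},
    "compliance_officer": {"audit_logs", "compliance_reports"},
}

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime
    revoked_at: Optional[datetime] = None

class AccessRegistry:
    def __init__(self):
        self.grants, self.audit = [], []  # audit: (timestamp, action, actor, user, resource)

    def grant(self, user, role, resource, actor, now, ttl):
        # Scope check: a consultant never receives audit logs, whoever asks for it.
        if resource not in ROLE_PROFILES.get(role, set()):
            self.audit.append((now, "DENY", actor, user, resource))
            return False
        self.grants.append(Grant(user, resource, now + ttl))
        self.audit.append((now, "GRANT", actor, user, resource))
        return True

    def sweep(self, now):
        # Just-in-time: expiry is enforced by the system, not by someone remembering.
        for g in self.grants:
            if g.revoked_at is None and g.expires_at <= now:
                g.revoked_at = now
                self.audit.append((now, "EXPIRE", "system", g.user, g.resource))

    def active(self, now):
        self.sweep(now)
        return {(g.user, g.resource) for g in self.grants if g.revoked_at is None}

def consultant_scenario():
    reg = AccessRegistry()
    start, ttl = datetime(2025, 7, 1), timedelta(days=90)  # contract length: constructed
    reg.grant("consultant_a", "contract_consultant", "client_portfolios", "admin_jo", start, ttl)
    reg.grant("consultant_a", "contract_consultant", "audit_logs", "admin_jo", start, ttl)
    during = reg.active(start + timedelta(days=30))  # mid-contract: portfolios only
    after = reg.active(start + ttl)                   # contract close: nothing left
    return during, after, reg.audit
```

The returned audit list is the kind of record an inspector would ask for: it answers who granted what to whom, what was refused as out of scope, and when access lapsed.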
Importantly, a dashboard view equips organisations to demonstrate compliance with NIS2 during regulatory inspections. Dashboard data is updated in real time, providing a single source of truth by bringing together data from across a complex network of suppliers, contractors and other third parties operating within an organisation’s supply chain.
A call to action, not tedious admin
Organisations might initially view NIS2 compliance as just another regulatory box to tick. But in reality, it offers a critical opportunity for leaders to re-think traditional approaches to their cybersecurity posture and build operations that are more resilient, secure, and agile. Instead of approaching it as a burden, organisations can use NIS2 as a springboard for digital transformation.
Modern identity security platforms can play a pivotal role in this shift. By providing granular visibility across users, systems and the extended supply chain, they enable IT and security teams to manage access with greater speed, accuracy, and control.
In a world where digital services underpin almost every aspect of business and society, automated identity and access management must form the foundation of every effective cybersecurity risk strategy.