Cybersecurity is becoming an everyday concern for more and more companies, and it brings along a new legislative framework that tries to regulate this fast-changing digital environment. With more and more laws being passed in local legislation, NIS2 compliance is becoming a hot topic. Most recently, Germany and Bulgaria passed their laws in December 2025 and February 2026 respectively. The questions most companies ask are: are we affected, and what should we do about it?
Let's start with the first question: are we affected?
At first glance the answer looks clear: there are concrete criteria defining who must comply, based on the industry or sector in question (essential or significant), a company size of over 50 employees and an annual turnover of over 10 million euros.
Actually, the answer is not so simple. There is one major difference: suppliers of these companies must also comply with NIS2. This is a game changer, because companies are now accountable for their entire supply chain. Noncompliance no longer just risks fines; it can cost customers and damage business relationships, since buyers won't work with noncompliant suppliers. Because customers are spread across multiple countries, companies must factor cross-border expectations and regulations into their compliance strategies.
After figuring out whether they must comply, and what noncompliance would mean in their case, companies should move on to the second question.
What should be done to achieve compliance, and who should do it?
This requires close collaboration between legal and tech teams: lawyers and auditors make case-by-case decisions, while IT must implement the technical measures that support those decisions. In the case of NIS2, the measures defined by the legal team must be fulfilled and the procedures they define must be implemented.
Identity Management can satisfy many of these measures, because it is mentioned either directly or indirectly. Sometimes a measure can be implemented using Identity Management tools and techniques; sometimes Identity Management is "hard coded" into the law or regulation itself. Applying Identity Management can cover most of the requirements, but don't forget that the final word belongs to the lawyers.
We are going to focus mostly on three measures, all defined in Article 21, paragraph 2:
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
This is a very important point because, as we said before, companies are now responsible for their suppliers. Using Identity Governance and Administration tools allows us to control and govern the access of all types of employees, and thus to model the access that external suppliers have to our systems, applying the principles of "least privilege" and "need to know". It also directly serves another measure mentioned in NIS2:
- basic cyber hygiene practices and cybersecurity training;
To satisfy this point, three types of tools come in very handy when we speak about cyber hygiene.
Identity Governance and Administration tools help with the following concepts:
- Role Management – defining roles with their corresponding access rights
- Separation of Duties – identifying conflicts of interest between roles, i.e. combinations of roles one person should not hold at the same time
- Recertification – checking periodically whether access rights are still needed
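As an added illustration (not code from the original post or from any particular IGA product), the three checks above can be expressed over a small access model: a role-to-rights catalogue, a Separation-of-Duties conflict list, and role assignments for internal staff and an external supplier identity. The data, the 90-day recertification interval and the "ticket." scope allowed for suppliers are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample catalogue: role -> access rights (Role Management).
ROLES = {
    "ap_clerk": {"invoice.create"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "supplier_support": {"ticket.read", "ticket.comment"},
    "db_admin": {"db.write", "db.backup"},
}
# Role pairs a single identity must never hold together (Separation of Duties).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

@dataclass
class Assignment:
    user: str
    role: str
    external: bool        # True for supplier / service-provider identities
    last_certified: date  # date this assignment was last recertified

def sod_violations(assignments):
    """Users holding both roles of at least one conflicting pair."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a.user, set()).add(a.role)
    return sorted(u for u, rs in by_user.items()
                  if any(pair <= rs for pair in SOD_CONFLICTS))

def recertification_due(assignments, today, max_days=90):
    """Assignments not reviewed within max_days (90 is an assumed policy value)."""
    return [a for a in assignments if (today - a.last_certified).days > max_days]

def external_over_privileged(assignments, allowed_prefix="ticket."):
    """Least-privilege check: external identities holding rights outside their scope."""
    findings = []
    for a in assignments:
        extra = {r for r in ROLES[a.role] if not r.startswith(allowed_prefix)}
        if a.external and extra:
            findings.append((a.user, a.role, sorted(extra)))
    return findings

# Constructed assignments: one internal SoD conflict, one over-privileged supplier.
SAMPLE = [
    Assignment("alice", "ap_clerk", False, date(2026, 1, 15)),
    Assignment("alice", "ap_approver", False, date(2026, 1, 15)),
    Assignment("vendor.bob", "supplier_support", True, date(2025, 9, 1)),
    Assignment("vendor.bob", "db_admin", True, date(2026, 2, 1)),
]

def run_review(today=date(2026, 3, 1)):
    """Run all three checks and return the findings a governance team would act on."""
    return {"sod": sod_violations(SAMPLE),
            "recert": [(a.user, a.role) for a in recertification_due(SAMPLE, today)],
            "external": external_over_privileged(SAMPLE)}
```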
Privileged Access Management:
- Password Rotation Policies – ensuring privileged passwords are rotated safely to avoid breaches
- Session Management – recording every administrator session and limiting the allowed commands and resources
Access Management:
- Using smart MFA we can ensure to a large extent that the people who try to log in are indeed the people
This corresponds to the last of the three measures as per NIS2 text:
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
As mentioned in the previous point, access management solutions enable the use of multi-factor authentication.
Overall, legislative regulations like NIS2 should not be seen as a burden but as protection for companies and their data in a fast‑changing digital landscape. By setting clear standards for risk management, incident reporting and supply‑chain resilience, these rules help organisations build trust, reduce exposure to cyber threats and unlock safer ways to innovate. In short, thoughtful regulation is an enabler of secure growth—not an obstacle to it.
Curious to learn more about NIS2 and how Identity Management could be your partner in this journey? Contact us!