Executive summary: NIS2 elevates access control from an internal best practice to a regulated requirement, introducing board-level liability and fines that mirror GDPR's. By 2026, SSO-only and spreadsheet-driven access management stop being sufficient and start generating audit findings, especially for the 80% of applications your SSO doesn't cover.
This article explains how NIS2 (particularly Article 21) redefines identity and access management, where single sign-on (SSO) leaves critical gaps, and what practical, NIS2-ready identity governance looks like for lean IT and security teams.
NIS2 in 2026: What Actually Changes for Access Control
NIS2 isn't just another round of cybersecurity paperwork. It codifies access control, identity management, and auditability into EU law for thousands more organizations.
EU member states had to transpose the NIS2 Directive (EU 2022/2555) into national law by October 17, 2024, with national measures generally applying from October 18, 2024. [1: twelvesec.com] In Germany, the NIS2 implementation law came into force on December 6, 2025, with full enforcement ramping through 2026. [2: pwc.de]
Who is in scope now
NIS2 greatly expands the number and type of regulated entities:
- Estimates suggest around 160,000 entities across the EU are now in scope, a sharp rise from NIS1. [3: terrazone.io]
- Essential and important entities include:
  - Energy & utilities (electricity, gas, oil, hydrogen, district heating)
  - Transport (air, rail, road, water)
  - Health (hospitals, labs, pharma manufacturing)
  - Banking & finance infrastructure
  - Digital infrastructure & B2B ICT services (cloud, data centers, DNS, IXPs)
  - Public administration & space
  - Manufacturing, water, waste, postal, and other critical sectors [4: digital-strategy.ec.europa.eu]
If your business operates in energy, manufacturing, healthcare, or transport in DACH/EU, and has more than 50 employees and over €10m in revenue, it's increasingly likely that you are in scope.
The penalty structure: why access decisions are now board-level
NIS2's fines closely mirror those of GDPR:
- Essential entities face fines up to €10 million or 2% of global turnover, whichever is higher; important entities up to €7 million or 1.4%. [5: glocertinternational.com]
- National laws may add non-monetary sanctions: mandatory third-party audits at your cost, public naming, and management bans. [5: glocertinternational.com]
For German organizations, this is immediate. A 2026 survey cited by Heise found 48% of German companies underestimate their NIS2 obligations, despite the law being in effect and providing for these maximum fines. [6: heise.de]
Bottom line: access control is now a regulatory, not just IT, concern.
Where Single Sign-On Stops: The Identity Blind Spots NIS2 Cares About
SSO efficiently reduces password sprawl and fortifies authentication, but it is not a comprehensive identity governance solution.
From Iden's experience with SaaS-heavy organizations, the pattern is clear:
- Most SSO deployments automate provisioning for about 20% of apps (the "enterprise", SCIM-enabled tools), leaving the other ~80% to be handled manually.
That 80% is where NIS2 auditors will focus.
The SSO coverage problem, in practical terms
In a typical 500-2,000-employee company:
- Okta/Entra manage logins and group assignments for major systems (M365, Salesforce, Workday, etc.).
- But access to the following is usually handled outside SSO:
  - Collaboration (Slack, Notion, Miro, Confluence)
  - Product & engineering (GitHub, GitLab, Jira, Linear)
  - Data & analytics (Looker, Snowflake, Metabase)
  - Niche tools (vertical SaaS, local vendors)
- That access is often granted via:
  - Ad-hoc Slack/Teams messages
  - Jira/ServiceNow tickets with free-text requests
  - Local admins adding users manually
  - Manual offboarding checklists that frequently miss accounts
To regulators, this shows:
- No consistent policy enforcement
- No clear least-privilege model
- No reliable evidence of timely deprovisioning
This is exactly what Article 21 aims to address.
Article 21 Through an Identity Lens: What EU Auditors Will Look For
Article 21 is central to NIS2 requirements on identity and access control. It specifies 10 cybersecurity risk-management measures for every essential and important entity.
Article 21(2) requires measures covering risk analysis, incident response, business continuity, supply chain security, secure development, effectiveness assessment, hygiene and training, cryptography, HR security with access control and asset management, and multi-factor or continuous authentication. [7: glocertinternational.com]
Several of these map directly to identity governance.
Joiner-Mover-Leaver processes with evidence
Auditors will expect:
- Each joiner is provisioned only with the access required for their role, across all apps, not just those supporting SCIM.
- Each mover prompts a review; extra rights are removed if no longer needed.
- Each leaver loses all access quickly, including long-tail SaaS and shared accounts.
In practice, they'll ask for:
- A documented JML policy linked to roles and systems
- Logs of who approved access, when it was granted, and when it was revoked
- The ability to export this evidence in minutes
If your process relies on HR emailing IT and hoping someone updates 40 systems, that's a clear risk.
Least privilege and fine-grained access
While Article 21 doesn't say "least privilege," the combined requirements for access control and secure authentication demand it.
In SaaS terms:
- Engineers shouldn't all have org-admin on GitHub "just in case."
- Production access should be strictly limited and time-bound.
- Access to Slack channels, Notion spaces, Jira projects should be granular, not all-or-nothing.
SCIM-only approaches usually fall short here. SCIM can assign a role, but it rarely restricts access to specific repos or environments for a set period.
Continuous access reviews and real-time audit trails
Article 21 requirements overlap with Article 23's incident reporting: you must prove what was done, and when. Auditors expect:
- Regular access reviews with manager certification of permissions
- Time-stamped decisions tied to user identities
- Centralized logs of admin actions and privilege changes
Spreadsheets exported from 30 apps annually won't qualify as evidence in 2026's enforcement climate.
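As an added illustration (not code from the article or from Iden) of what the JML evidence and audit-trail expectations above amount to once access records are consolidated: a constructed access ledger covering one SCIM-managed app and several manually managed apps, checked for the offboarding, time-bound-access and missing-approval gaps an auditor would flag. All users, apps, approvers and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    user: str
    app: str
    entitlement: str
    approved_by: str                        # who approved; "" if no approval was recorded
    granted_at: datetime
    revoked_at: Optional[datetime] = None   # None = still active
    expires_at: Optional[datetime] = None   # set for time-bound grants (e.g. prod access)

# Constructed sample data (not real accounts): an HR leaver feed plus a ledger
# consolidated from a SCIM-managed app (M365) and manually managed apps.
LEAVERS = {"a.meyer": datetime(2026, 3, 1, 17, 0)}
LEDGER = [
    Grant("a.meyer", "M365", "E3 licence", "hr-feed", datetime(2025, 1, 10), revoked_at=datetime(2026, 3, 1, 17, 5)),
    Grant("a.meyer", "GitHub", "org-admin", "j.doe", datetime(2025, 2, 3)),                                 # never revoked
    Grant("a.meyer", "Slack", "#ops", "j.doe", datetime(2025, 2, 3), revoked_at=datetime(2026, 3, 9)),      # revoked a week late
    Grant("b.kim", "Snowflake", "prod-reader", "c.lee", datetime(2026, 2, 20), expires_at=datetime(2026, 2, 27)),
    Grant("b.kim", "Jira", "project-admin", "", datetime(2025, 6, 1)),                                     # no approver recorded
]
AS_OF = datetime(2026, 3, 15)

def audit(ledger, leavers, as_of, max_lag=timedelta(hours=24)):
    """Return (user, app, entitlement, finding) for each grant an auditor would flag:
    leaver access still active or revoked later than max_lag after departure,
    time-bound grants past expiry but not revoked, and grants with no recorded approver."""
    findings = []
    for g in ledger:
        active = g.revoked_at is None
        left = leavers.get(g.user)
        if left is not None:
            if active:
                findings.append((g.user, g.app, g.entitlement, "leaver access still active"))
            elif g.revoked_at - left > max_lag:
                findings.append((g.user, g.app, g.entitlement, f"revoked {g.revoked_at - left} after departure"))
        if active and g.expires_at is not None and g.expires_at < as_of:
            findings.append((g.user, g.app, g.entitlement, "time-bound grant past expiry"))
        if not g.approved_by:
            findings.append((g.user, g.app, g.entitlement, "no approval recorded"))
    return findings

def evidence_rows(ledger):
    """Flatten the ledger into exportable evidence rows: who approved, when granted, when revoked."""
    return [(g.user, g.app, g.entitlement, g.approved_by, g.granted_at.isoformat(),
             g.revoked_at.isoformat() if g.revoked_at else "active")
            for g in sorted(ledger, key=lambda g: (g.user, g.app))]

if __name__ == "__main__":
    for finding in audit(LEDGER, LEAVERS, AS_OF):
        print(finding)
```

The same ledger feeds both the finding list and the evidence export, which is the point: one time-stamped source replaces per-app spreadsheets.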
Why Manual Governance and SSO-Only Are Now Regulatory Liabilities
If you're an IT Director, CISO, or Compliance Officer, you've likely heard:
"We run SSO, MFA, and have documented procedures. We're set for NIS2."
Under NIS2, that's outdated.
What regulators see when they look past SSO
From an auditor's view, familiar patterns mean:
Tickets as control
- Risk: Approvals lost in Slack/Jira/email, lacking a single audit trail.
- Impact: Can't prove access was granted per policy.
Local admins as process
- Risk: Untracked access via local admins.
- Impact: Privilege creep and orphaned accounts.
Checklists for offboarding
- Risk: Human error for contractors/third parties.
- Impact: Dormant accounts in key systems, precisely what NIS2 targets.
Coupled with major fines and management accountability, manual identity management is now a balance-sheet liability.
Designing NIS2-Ready Identity Governance for Critical Sectors
A massive IAM overhaul isn't required. You need to close the coverage and process gaps that SSO and manual approaches leave.
At minimum, NIS2-aligned identity governance should deliver:
- Universal app coverage, including non-SCIM SaaS and internal tools
- Fine-grained entitlements, from channels to repos to projects
- Policy-driven JML automation, triggered by HR/SSO events
- Automated access reviews, with exportable Article 21 & 23 evidence
- Real-time audit trails: immutable logs of approvals and access
- Cost control: license reclamation and right-sizing to keep SaaS spend in check
Comparison: SSO vs. legacy IGA vs. complete governance
| Capability / Requirement | SSO-only (Okta/Entra) | Legacy IGA (SailPoint/Saviynt) | Complete IGA for NIS2 (e.g., Iden) |
|---|---|---|---|
| Single sign-on & MFA | ✅ Strong | ✅ Via SSO integration | ✅ Via SSO integration |
| Coverage of non-SCIM / long-tail SaaS | ❌ Mostly manual | ⚠️ Possible but costly to build | ✅ Universal connectors (SCIM/API or neither) |
| Fine-grained, resource-level permissions | ❌ Group/role level | ⚠️ Complex to configure | ✅ Channel/repo/project/env level |
| Automated JML across all apps | ⚠️ Limited to SCIM | ✅ But 6-12 month projects | ✅ Policy-driven, live in ~24 hours |
| Automated access reviews with exportable evidence | ❌ Not native | ✅ But heavy to operate | ✅ Continuous reviews + one-click evidence |
| License reclamation & SaaS spend optimization | ❌ Out of scope | ⚠️ Add-ons / custom | ✅ Built-in reclamation, no SCIM tax |
| Fit for 50-2,000-employee, lean IT teams | ✅ For auth | ❌ Overkill / consulting heavy | ✅ Designed for lean teams |
Takeaway: SSO covers login. NIS2 demands governance. Legacy IGA ticks boxes but with complexity and cost that don't fit fast-moving mid-market organizations.
How Iden Closes NIS2 Identity Gaps Without Legacy Overhead
Iden is designed for this moment, where SSO and manual processes no longer suffice but legacy IGA is overly complex for 50-2,000-person companies.
Universal coverage, including the 80% your SSO misses
Iden's universal connector technology integrates with any app in your stack-SCIM, API, or neither.
- Iden automates provisioning and governance for 175+ apps, including Notion, Slack, Figma, Linear, GitHub, and other long-tail SaaS, with 48-hour delivery for custom connectors as needed.
- Connectors extend to the channel, repository, and project level, so least privilege is practical, not just theoretical.
For NIS2, this means you can demonstrate complete app coverage, not just coverage for SCIM-enabled systems.
Policy-driven JML and zero-touch offboarding
With Iden, HR or SSO triggers lead to automatic access updates:
- New engineering hire in Berlin? They receive the exact apps, roles, and resources for their role and region.
- Internal transfer? Old access is flagged for removal, new access is approved and provisioned in a single workflow.
- Departures, whether employee, contractor, or vendor? All access and licenses are revoked across all systems with one logged action.
This directly supports Article 21's mandates on HR security, access control, and asset management, with verifiable evidence for audits.
Automated access reviews and live compliance evidence
NIS2 shifts organizations toward evidence-based compliance. Iden delivers:
- Scheduled access reviews for critical roles and systems
- Manager and system-owner attestation with one-click approve/revoke
- Immutable audit trails detailing every approval and change
With Iden, manual compliance work is reduced by about 120 hours/quarter, while providing auditors a single, trusted data source.
No more scramble before a NIS2 audit: walk in with live, exportable proof that controls are working as intended.
Governance that also drives cost efficiency
Effective governance should control, not inflate, your SaaS spend.
- Iden identifies unused licenses and stale access
- Revocation workflows reclaim seats automatically
- Customers typically eliminate about 30% of SaaS waste through license reclamation and avoiding unnecessary "SCIM tax" upgrades
With NIS2, improved security, compliance, and cost efficiency become a competitive edge.
Actionable Next Steps for 2026 NIS2 Audits
For 2026, follow a targeted, identity-first framework.
1. Map scope and crown-jewel systems
- Determine if you are an essential or important NIS2 entity
- Catalog critical services and dependent systems
- Identify applications affecting safety, operations, or regulated data
2. Perform an identity & access control gap assessment
For each critical system:
- Is access managed via SSO, manual process, or unmanaged?
- Who grants access, and is it centrally logged?
- How are joiners, movers, and leavers processed?
- When was the last access review, and is there evidence?
Map findings against Article 21, focusing on access control and asset management.
3. Prioritize automation for high-impact gaps
Automation begins with the most scrutinized systems:
- Environments tied to patient data, grid operations, trading, or critical processes
- Admin and break-glass accounts
- Third-party and broad-access machine identities
4. Move from "tickets and screenshots" to continuous evidence
- Replace ad-hoc approvals with policy-driven workflows
- Standardize review cadences for core systems
- Centralize logs and approvals, using solutions that export NIS2-ready evidence instantly
5. Involve the board early
Article 20 holds management directly responsible for approving and overseeing cybersecurity.
- Show your NIS2 identity posture in three segments:
  - Coverage: Which apps/identities are governed
  - Controls: Where JML, MFA, and least privilege exist
  - Evidence: How fast you can prove it
This simplifies budget and prioritization, especially under threat of fines and personal liability.
Frequently Asked Questions
How tightly does NIS2 define "access control"? Do we need a specific product?
NIS2 is technology-neutral. Article 21 requires "human resources security, access control policies and asset management" plus multi-factor or continuous authentication, but does not mandate any vendor. [7: glocertinternational.com]
However, SSO plus manual processes become unmanageable at scale. Regulators care less about specific tools than your ability to demonstrate consistent, least-privilege access with evidence on demand.
We're already ISO 27001 and SOC 2 compliant. How much more work is NIS2 for access control?
ISO 27001 and SOC 2 provide a solid foundation; many Article 21 measures align with those controls. [7: glocertinternational.com]
However, NIS2 is:
- More explicit about supply-chain and critical sector requirements
- Stricter on management accountability and penalties
- More operational in incident reporting and evidence expectations
If you still rely on manual JML, spreadsheets, and partial SaaS coverage, expect extra work, mainly around comprehensive app coverage, automation, and audit trails.
Is SSO still valuable if we use a complete identity governance platform like Iden?
Definitely. SSO and identity governance address related but distinct needs:
- SSO manages authentication: who logs in, with which factors.
- Iden manages governance: who gets which entitlements, their approvals, reviews, and proof.
For NIS2, you need both: SSO for credential security and MFA; Iden to close the 80% gap, ensure least privilege, and provide audit evidence.
We're a rapidly growing company with a small IT team. Is NIS2-grade governance realistic?
Yes, if you start with automation and complete coverage.
Iden is built for 50-2,000-person, SaaS-driven organizations with lean teams. Deployments typically go live in 24 hours, reducing manual access tickets by up to 80% in weeks and saving around 120 hours per quarter on reviews.
That enables you to meet NIS2 without burning out your IT team.
How does NIS2 relate to rules like DORA or HIPAA?
For many, NIS2 is part of a broader regulatory landscape, sometimes alongside DORA, sectoral controls, or HIPAA-like mandates.
The advantage: strong identity governance (universal coverage, automated JML, continuous reviews, easy evidence) works across multiple frameworks. Investing in complete identity governance delivers:
- Clear NIS2 audit responses
- Resilience for DORA
- Strong evidence trails for privacy and sectoral reviews
That's why Iden serves as the identity backbone for multi-regulation compliance.