
NIS2 may have come into force last October, but compliance is still a challenge for many. As of May 2025, 19 of the 27 EU member states still hadn’t transposed the directive into national law. NIS2 is designed to push ‘essential services’ like healthcare, energy, financial services and transport to strengthen their security posture. For many institutions with legacy systems and sprawling infrastructure, defending against cyberattacks is especially difficult, and the need to take proactive steps to bolster cyber resilience is more pressing than ever.
But meeting compliance requirements must go beyond a box-ticking exercise. A robust cybersecurity posture has become non-negotiable as the threat landscape continues to intensify, highlighted by the recent slew of attacks on retailers. In the UK, the problem is widespread, with the government’s 2025 Cybersecurity Breaches Survey revealing that approximately 612,000 British businesses experienced a cyberattack in the past year.
Although NIS2 is an EU regulation, UK organisations with operations in the EU must still demonstrate compliance. Let’s take a look at the main challenges for organisations looking to adhere to NIS2, and the technologies available to address them.
The challenge ahead
IT security managers are perhaps under the most pressure following the introduction of NIS2, being responsible for implementing and enforcing the Directive effectively across an organisation. The stakes have never been higher, with non-compliance resulting in significant legal, financial and reputational consequences. For essential entities, including financial institutions and the transport and healthcare sectors, non-compliance can incur costly fines.
One key requirement outlined by NIS2 is that organisations must be able to demonstrate that they have robust access control policies in place. This means the ability to limit access to networks and systems based on user roles and responsibilities. Without the ability to automate access controls, organisations remain reliant on spreadsheets, email or paper trails to manage permissions. These manual processes are often subject to human error, with permissions not being updated promptly when employees change roles, leave the company, or when contractors’ projects end. Users and ex-employees retain access to sensitive systems and data long after they need it.
This significantly increases the risk of insider threats – whether accidental, with dormant user accounts targeted by cyber criminals, or intentional, such as a disgruntled employee or ex-employee stealing, destroying or altering company information for personal gain. Businesses and public sector organisations should be taking insider threats seriously: they constitute almost half of breaches (49%) within EMEA organisations.
The solution: managing the identity lifecycle
Thankfully, the technology is available today to help organisations achieve compliance with NIS2 and improve data security at the same time. Automated identity management tools make it easier than ever for organisations to manage the entire identity lifecycle, from onboarding to offboarding.
Imagine a consultant is working on a contractual basis at a hospital, filling in for another doctor whilst they are on leave. The visiting consultant should only be able to access selected patient records or imaging relevant to their case. Through a custom role and profile, they would be granted temporary access to EHR (Electronic Health Records), but left without administrative system privileges such as scheduling, billing systems, and hospital-wide data reports.
After a specific time frame (the close of the contract), the consultant would no longer be able to access patient information or company systems. This concept, ‘Just-in-time privilege’, operationalises zero trust by granting access based on real-time needs, revoking it once tasks are complete. Access remains role-specific and is granted or rescinded when employees are onboarded or offboarded. Offboarding processes that are quick, seamless and secure are fast becoming a ‘must-have’ for UK employers, who continue to experience consistent staff turnover.
Knowledge is power
Alongside role-based access, NIS2 requires organisations which provide ‘essential services’ to clearly document and keep a record of user access permissions. The impact of NIS2 will therefore be felt across a wide range of industries, including, but not limited to, energy, transport, financial services, digital infrastructure, public administration and healthcare.
Manually reviewing and collating a record of existing permissions across an organisation can prove to be an incredibly time-consuming task, as well as a significant drain on IT and security team resources. Identity security platforms eradicate the need to manually document and search for a list of access permissions. IT teams can easily view the number of users with privileged access via an interactive dashboard, as well as a record of outstanding access review tasks. This ‘single pane of glass’ overview makes it possible for organisations to easily review historical access changes and understand which admins granted or revoked access, and when.
Importantly, visualisation via a dashboard equips organisations with the ability to showcase and demonstrate compliance with NIS2 during regulatory inspections. Dashboard data is updated in real-time, providing a single source of truth by bringing together data across a complex network of suppliers, contractors, and other third parties operating within an organisation’s supply chain.
NIS2: an opportunity as well as a challenge
It might be tempting for organisations to simply view NIS2 as a regulatory hurdle to overcome. However, NIS2 compliance also presents an opportunity for organisations to prioritise their cybersecurity posture and ensure that day-to-day operations are more resilient, agile and secure. Modern identity security platforms are a key enabler because they give IT and security teams full visibility across the entire supply chain, managing access across an organisation with greater speed and precision. As the economy and wider society have become increasingly reliant on digital services, proactive and automated identity and access management must form the pillars of every organisation’s cybersecurity risk management strategy.