Why are so many organizations dragging their feet on NIS2 compliance?
Strategies for organizations to close the NIS2 compliance gap

Although NIS2, the European Union’s updated Cybersecurity Directive, came into force in October 2024, many organizations are still grappling with compliance. As of July 2025, only 14 out of the 27 EU Member States had transposed the directive into national law. And, whilst NIS2 is an EU regulation, many UK businesses with existing operations in the EU could face fines or potential legal repercussions for non-compliance.
NIS2 was initially introduced to strengthen the security posture of ‘essential services’, including industries such as transport, financial services, and energy. For these industries, which often have legacy systems in place and a distributed infrastructure, fending off cyberattacks remains a significant challenge.
The risks of sidelining NIS2 compliance
IT strategists will likely find themselves under increased pressure following the introduction of NIS2. They’ll be tasked with successfully enforcing the Directive effectively across the business whilst juggling the rollout of new technologies in the era of AI. Whilst it might be tempting to prioritize the deployment of new products and initiatives, sidelining NIS2 compliance could result in costly fines, as well as significant reputational damage to the business.
One key requirement outlined by NIS2 is that organizations must be able to demonstrate that they have robust access control policies in place. This includes the ability to limit access to networks and systems based on user roles and responsibilities. Without the ability to automate access controls, organizations remain reliant on spreadsheet software, email or paper trails to manage permissions.
These manual processes are often subject to human error, with permissions not being updated promptly when employees change roles, leave the company, or when contractors’ projects end. Users and ex-employees retain access to sensitive systems and data long after they need it.
This significantly increases the risk of insider threats – whether accidental, with dormant user accounts targeted by cyber criminals, or intentional, such as a disgruntled employee or ex-employee stealing, destroying or altering company information for personal gain. Businesses and public sector organizations should take insider threats seriously: they constituted almost half of breaches (49%) within EMEA organizations in 2024.
Seamlessly managing the identity lifecycle through automation
Luckily, the tools are available today to support organizations to achieve compliance with NIS2 and ensure greater data security at the same time. Automated identity management tools make it easier than ever for organizations to seamlessly manage the entire identity lifecycle, from onboarding to offboarding.
Imagine a financial consultant is brought in on a temporary contract at a major bank to cover for a colleague on leave. The consultant should only be able to access the specific client accounts and financial records necessary for their assignment. Through a tailored role and access profile, they might receive temporary permissions to view select client portfolios or transaction histories. To minimize risk, however, they would be left without administrative system privileges, for example access to internal audit logs, executive dashboards or regulatory compliance reports.
After a specific time frame (the close of the contract), the consultant would no longer be able to access client information or company systems. This concept, ‘Just-in-time privilege’, operationalizes zero trust by granting access based on real-time needs, revoking it once tasks are complete. Access remains role-specific and is granted or rescinded when employees are onboarded or offboarded. Offboarding processes that are quick, seamless, and secure are fast becoming a ‘must-have’ for UK employers; particularly for organizations that experience high staff turnover.
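The time-bound, role-scoped access that the consultant scenario describes, as an added Python example that is not the article's or SailPoint's code: the registry, role names, client ids and the 30-day contract are constructed for illustration, and the review function returns the kind of data a permissions dashboard would show (current privileged users and expired grants that were never formally revoked).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:                   # one time-bound, role-scoped entitlement
    user: str
    role: str
    scope: frozenset           # resources the role may touch; all else is denied
    expires_at: datetime
    revoked_at: "datetime | None" = None

def _active(g, now): return g.revoked_at is None and now < g.expires_at

class AccessRegistry:
    """Hypothetical in-memory identity registry with an append-only audit trail."""
    def __init__(self):
        self.grants, self.audit = [], []   # audit rows: (when, actor, action, user, role)

    def grant(self, user, role, scope, admin, now, duration):
        self.grants.append(Grant(user, role, frozenset(scope), now + duration))
        self.audit.append((now, admin, "grant", user, role))

    def revoke(self, user, admin, now):          # explicit (early) offboarding
        for g in self.grants:
            if g.user == user and g.revoked_at is None:
                g.revoked_at = now
                self.audit.append((now, admin, "revoke", user, g.role))

    def can_access(self, user, role, resource, now):
        # Expiry is checked at decision time, so access fails closed even before any offboarding job runs.
        return any(_active(g, now) and g.user == user and g.role == role
                   and resource in g.scope for g in self.grants)

    def review(self, now, privileged_roles):
        """Dashboard data: current privileged users, and expired grants never formally revoked."""
        return {"privileged": sorted({g.user for g in self.grants
                                      if _active(g, now) and g.role in privileged_roles}),
                "outstanding": sorted((g.user, g.role) for g in self.grants
                                      if g.revoked_at is None and now >= g.expires_at)}

def consultant_scenario():    # constructed: a consultant covers a colleague for 30 days
    reg, t0 = AccessRegistry(), datetime(2025, 1, 6, tzinfo=timezone.utc)
    reg.grant("consultant", "portfolio_viewer", {"client-0042", "client-0077"},
              "iam-admin", t0, timedelta(days=30))
    mid, after = t0 + timedelta(days=10), t0 + timedelta(days=31)
    return {"in_scope": reg.can_access("consultant", "portfolio_viewer", "client-0042", mid),
            "out_of_scope": reg.can_access("consultant", "portfolio_viewer", "client-0099", mid),
            "admin_role": reg.can_access("consultant", "auditor", "audit-log", mid),
            "after_contract": reg.can_access("consultant", "portfolio_viewer", "client-0042", after),
            "review": reg.review(after, {"portfolio_viewer", "auditor"}),
            "audit": reg.audit}
```

The "outstanding" list is the failure mode the article warns about: a grant that has lapsed but was never closed out by anyone, which is exactly what a manual spreadsheet process tends to leave behind.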
A ‘single pane of glass’ overview of access permissions
Alongside role-based access, NIS2 requires businesses which provide ‘essential services’ to clearly document and keep a record of user access permissions. These essential services include, but are not limited to, energy, transport, financial services, and digital infrastructure.
Manually reviewing and collating a record of existing permissions across an organization can prove to be an incredibly time-consuming task, as well as a significant drain on IT and security team resources. Identity security platforms eradicate the need to manually document and search for a list of access permissions.
IT teams can easily view the number of users with privileged access via an interactive dashboard, as well as a record of outstanding access review tasks. This ‘single pane of glass’ overview makes it possible for organizations to easily review historical access changes and understand which admins granted or revoked access, and when.
Importantly, visualization via a dashboard equips organizations with the ability to showcase and demonstrate compliance with NIS2 during regulatory inspections. Dashboard data is updated in real-time, providing a single source of truth by bringing together data across a complex network of suppliers, contractors, and other third parties operating within an organization's supply chain.
NIS2: a call to action for organizations in the UK
Businesses might be tempted to view NIS2 as a tedious ‘box-ticking’ exercise in compliance. But NIS2 should instead be seen as a major opportunity: a catalyst for businesses to strengthen their cybersecurity posture and future-proof their operations.
Closing the compliance gap might seem like a daunting prospect for IT strategists, who are already under pressure to make high-stakes decisions about the adoption and integration of new technologies amidst the AI boom. However, solutions such as identity security platforms can help to alleviate some of this pressure by equipping IT leaders with a 360-degree overview across the entire supply chain.
These identity tools are essential for businesses that need to monitor and manage complex access permissions, including third parties, with greater accuracy and control. In a climate where business success is increasingly dependent on digital services, automated identity and access controls must form the cornerstone for every organization's cybersecurity strategy.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Steve Bradford is SailPoint's Senior Vice President, EMEA, where he is responsible for driving consistent growth across the company's EMEA business.