NIS2 Compliance Resource

NIS2 Identity Controls
Checklist 2026

12 must-have identity and access management controls to satisfy Article 21, support 24-hour incident reporting, and protect the board from personal liability.

Run Free Maturity Assessment →

01 — GOVERNANCE

Management body approval of identity risk framework

NIS2 Article 20 requires the board to explicitly approve cybersecurity risk measures, including IAM policies. Document the approval date and minutes.

Regular board-level identity risk reporting

Establish a quarterly or bi-annual report covering privileged access metrics, NHI inventory status, and open high-risk findings.

Documented executive training on identity threats

Board members must demonstrate "sufficient knowledge" of risks. Keep attendance records and materials for audits.

02 — ACCESS CONTROL

Phishing-resistant MFA for all privileged accounts

Hardware keys (FIDO2) or platform authenticators required for admin, service account management, and remote access. SMS and push are insufficient.

Just-in-time (JIT) privileged access

No standing privileged access. All elevated rights must be requested, approved, time-boxed, and automatically revoked.

Complete inventory of all identities (human + NHI)

Every service account, API key, OAuth app, and bot must be owned, classified by risk, and reviewed on a defined schedule.

03 — LOGGING & REPORTING

Tamper-evident logging of all identity events

Authentication, privilege use, credential changes, and access grants must be logged with cryptographic integrity and retained for at least the regulatory period.

Automated 24-hour incident classification workflow

Clear criteria and ownership for classifying an identity-related event as "significant" under NIS2 Article 18/19. Practice the timeline quarterly.

04 — THIRD-PARTY IDENTITY

Maintain an up-to-date inventory including what identities they use, what systems they can reach, and contractual audit rights.

MFA + session recording for all vendor privileged access

No exceptions. All external privileged sessions must be recorded and reviewed.

NEXT STEP

Get your scored gap analysis

Run the free Identity Maturity Assessment to see exactly which of the 12 controls are weak in your environment.

Start Free Assessment

Takes ~60 seconds • Instant results • No obligation

Related resources: Full NIS2 Hub · NIS2 vs DORA · Executive Liability

NIS2 Identity Controls Checklist 2026

Get your scored gap analysis

NIS2 Identity Controls
Checklist 2026