With the entry into force of the NIS2 Directive, many organizations in Europe face the need to adapt their security and compliance processes to significantly higher requirements. One of the key areas that becomes central to this transformation is identity and access management (IGA – Identity Governance & Administration). In this article, we look at what requirements NIS2 introduces, why IGA is essential, and how the sara.next solution can support organizations in preparing for these changes.
What is NIS2 and why does it matter?
The NIS2 Directive (Network and Information Systems 2) updates the earlier NIS Directive, with the goal of increasing the EU’s resilience to cyber threats by defining obligations for “essential” and “important” entities in critical-infrastructure sectors. In practice, this means that organizations covered by the directive must implement comprehensive security programs, including access management, regular audits, incident response procedures, and management accountability.
As One Identity’s analysis notes: “The NIS2 Directive strengthens … access control, incident handling, supply-chain security, among others.” (One Identity, 2024).
Why is IGA so critical in the context of NIS2?
- NIS2 requires control over who has access to systems and data: IGA lets you model, assign, and regularly review access rights across the organization.
- The directive imposes documentation and reporting obligations: IGA provides auditable trails of user actions and access events.
- It calls for continuous identity management, including suppliers and supply chains: proper governance of non-human identities and external access becomes critical.
How to prepare an IGA implementation for NIS2 compliance?
Permission mapping & risk identification
Start by analyzing which applications, systems, and roles are critical for your organization. Identify who has which access and whether it matches business needs and minimum security requirements.
Implement access review & certification processes
Regular access reviews (access recertifications) and proper documentation are core to NIS2 compliance. They help eliminate excessive or unused privileges.
Apply least privilege & automate provisioning/offboarding
Automating access grants, changes, and removals reduces errors and delays — which directly improves operational resilience under NIS2.
Integrate IGA with IT/HR processes and identity directories
IGA should be fully integrated with HR systems and identity stores (e.g., Active Directory, Azure AD) and governed through business and technical role management.
Reporting, auditing & monitoring
Ongoing reports and dashboards (review outcomes, audit trails of user actions, anomaly detection) are necessary to prove compliance and respond properly to incidents.
How does sara.next support NIS2 compliance?
- A central application and role management panel enables permission modeling, role assignment, and defining processes aligned with the least privilege principle.
- Automated access reviews and generation of audit-ready reports support audit preparedness and compliance documentation.
- Integrations with directories and HR systems enable a consistent user lifecycle: from onboarding, through role changes, to offboarding.
- Automated management of external access and monitoring of non-human identities supports NIS2 requirements related to suppliers, partners, and supply-chain security.
Recommendations for the organization
Phase 1: Pilot IGA implementation
Start with a pilot IGA implementation for one critical domain (e.g., finance or production) and use it as a foundation to scale.
Phase 2: KPIs and progress tracking
Define KPIs that measure compliance progress: percentage of reviewed access, number of deprovisioned accounts, time to react to role changes.
Phase 3: Management involvement (NIS2)
Include leadership’s role in internal communication – NIS2 requires board-level accountability for cybersecurity.
Phase 4: Training and communication
Provide recurring training and communication so users understand that roles and permissions should not be treated as permanent.
Phase 5: Exception monitoring and analysis
Implement continuous monitoring and automated exception analysis – this increases detection capability and speeds up response.
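The five implementation steps above (permission mapping, access review, least privilege and offboarding, HR integration, reporting) and the Phase 2 KPIs can be exercised end to end on a small dataset. The following Python script is an added example written for this article; it is not sara.next code and does not use any sara.next API. The HR feed, the business-role model, the entitlement inventory, the 90-day idle threshold and the pilot scope are all constructed assumptions. It runs one recertification campaign, decides keep/revoke for each entitlement with the reason recorded for the audit trail, and derives the KPIs named in Phase 2 (percentage of access reviewed, number of deprovisioned accounts).

```python
"""Access recertification campaign over constructed IGA data (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    granted: date
    last_used: Optional[date]  # None = never exercised since it was granted


@dataclass
class Decision:
    entitlement: Entitlement
    action: str    # "keep" or "revoke"
    reason: str    # why, so the audit trail is self-explanatory
    reviewer: str  # campaign or person accountable for the decision


# Constructed HR feed: user -> (department, employment status)
HR = {
    "alice": ("finance", "active"),
    "bob": ("finance", "active"),
    "carol": ("production", "terminated"),
    "dave": ("it", "active"),
}

# Constructed business-role model: department -> (system, role) pairs it justifies
ROLE_MODEL = {
    "finance": {("erp", "ap-clerk"), ("erp", "reporting")},
    "production": {("mes", "operator")},
    "it": {("ad", "helpdesk")},
}

# Constructed entitlement inventory (the "who has what" from permission mapping)
ENTITLEMENTS = [
    Entitlement("alice", "erp", "ap-clerk", date(2024, 1, 10), date(2025, 5, 30)),
    Entitlement("alice", "erp", "admin", date(2023, 6, 1), date(2024, 11, 2)),    # not in finance role
    Entitlement("bob", "erp", "reporting", date(2024, 3, 3), None),              # never used
    Entitlement("carol", "mes", "operator", date(2022, 9, 9), date(2025, 4, 1)),  # leaver
    Entitlement("dave", "ad", "helpdesk", date(2024, 2, 2), date(2025, 6, 1)),
    Entitlement("erin", "erp", "reporting", date(2023, 1, 1), date(2025, 6, 1)),  # no HR record
]


def review_entitlement(e, hr, role_model, today, max_idle_days=90):
    """Decide keep/revoke for one entitlement, checking the most severe condition first."""
    if e.user not in hr:
        return "revoke", "orphan"        # nobody in HR is accountable for this account
    department, status = hr[e.user]
    if status != "active":
        return "revoke", "offboarding"   # leaver still holding access
    if (e.system, e.role) not in role_model.get(department, set()):
        return "revoke", "excess"        # not justified by the business role (least privilege)
    idle_since = e.last_used or e.granted
    if (today - idle_since).days > max_idle_days:
        return "revoke", "stale"         # granted but not exercised within the threshold
    return "keep", "in-role and recently used"


def run_access_review(entitlements, hr, role_model, today, reviewer, scope=None, max_idle_days=90):
    """Review every entitlement in scope (scope=None reviews all systems)."""
    return [
        Decision(e, *review_entitlement(e, hr, role_model, today, max_idle_days), reviewer)
        for e in entitlements
        if scope is None or e.system in scope
    ]


def audit_trail(decisions, today):
    """Flat, append-only records suitable for an audit report."""
    return [
        {"date": today.isoformat(), "reviewer": d.reviewer, "user": d.entitlement.user,
         "system": d.entitlement.system, "role": d.entitlement.role,
         "action": d.action, "reason": d.reason}
        for d in decisions
    ]


def compute_kpis(decisions, total_entitlements):
    """Phase 2 KPIs: share of access reviewed and number of revocations, by reason."""
    revoked = [d for d in decisions if d.action == "revoke"]
    by_reason = {}
    for d in revoked:
        by_reason[d.reason] = by_reason.get(d.reason, 0) + 1
    return {
        "reviewed_pct": round(100.0 * len(decisions) / total_entitlements, 1),
        "revoked": len(revoked),
        "revoked_by_reason": by_reason,
    }


if __name__ == "__main__":
    today = date(2025, 6, 15)
    # Phase 1 pilot: only the critical domains (constructed choice: ERP and MES)
    decisions = run_access_review(ENTITLEMENTS, HR, ROLE_MODEL, today,
                                  reviewer="campaign-2025Q2", scope={"erp", "mes"})
    for row in audit_trail(decisions, today):
        print(row)
    print(compute_kpis(decisions, len(ENTITLEMENTS)))
```

The check order matters: an orphan or terminated account is revoked regardless of role fit, and role fit is checked before usage so that an actively used but unjustified privilege (alice's ERP admin) is still flagged. Restricting `scope` to the pilot domains keeps the "percentage of reviewed access" KPI honest by counting out-of-scope entitlements as not yet reviewed.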
Compliance with the NIS2 Directive is a challenge – but also an opportunity to raise your security posture and improve the effectiveness of identity governance across the organization. By implementing modern IGA with a solution like sara.next, organizations can not only meet legal requirements, but above all gain an advantage in access governance, risk reduction, and auditability. It’s time to start preparing today – because tomorrow’s compliance requires action now.
