NIS2 without IAM? Mission impossible.

Published: 10/2025

Between regulatory requirements and reality in the field, NIS2 sheds light on a point that is often overlooked: access management. Without IAM, it's hard to be ready on audit day.

Summary

Imagine: an auditor turns up at your premises. First question, without even opening his computer: "Can you prove to me that all the user accounts that have been deactivated for the last three months have been shut down?" You turn to your Excel files, your helpdesk tickets, your cobbled-together scripts... and you're already feeling the cold sweat.

This is exactly where the NIS2 directive puts the pressure. Since October 2024, all essential and important entities - companies, administrations, digital service operators - must demonstrate that they have their cybersecurity under control. And this is no longer an option: fines of several million euros, reinforced audits by the competent national authority (ANSSI in France), and a scope extended to critical sectors such as healthcare, transport or energy.

The question is not "Am I concerned?" but "Am I ready?" Because the text demands concrete security measures: risk management, service continuity... and above all, relentless control of user accounts and access rights. Without an IAM solution capable of automating onboarding, offboarding and access traceability, NIS2 compliance quickly looks like a mission impossible.

Why does NIS2 require industrialized access management?

An IT manager recently told me: "My fear with NIS2 is not just the fine: it's the audit. Being able to extract access and revocation history in two clicks - that's what I'm going to be asked for, not an out-of-date spreadsheet. It's IT's credibility that's at stake."

And that's exactly where the problem lies. The NIS2 directive not only lays down the main principles of cybersecurity, it also requires proof that your information systems are protected. And this proof comes first and foremost from identity and access management.

Why? Because the majority of security incidents reported in Europe - almost 80% according to ENISA - are of human origin: accounts that are not deactivated, rights that are too broad, or service providers who retain access after their assignment has ended. These are all flaws that are invisible on a day-to-day basis, but fatal on the day of an audit or cyber-attack.

In the majority of small and medium-sized businesses, access management still relies on Excel files, email requests and a few in-house scripts. Problem: these tools are designed to troubleshoot, not guarantee compliance. Every update delay, every forgotten line in the spreadsheet or every misrouted ticket can result in a ghost account that remains in the directory. And the day an auditor asks for proof of your deactivations, an Excel file simply isn't enough.

With NIS2, the obligations become clear:

  • apply the principle of least privilege,
  • document each access grant and revocation,
  • guarantee that both onboarding and offboarding are carried out without delay,
  • regularly recertify sensitive rights.

In other words, move from manual management to industrialized access management. This is not a cosmetic option: it's the only way to reduce risk, ensure compliance and prove to the competent national authority that your organization is up to the expected level of security.

What does the "access" perimeter in NIS2 really cover?

When it comes to access management, many people think only of Active Directory and internal accounts. But the NIS2 directive goes much further: it requires you to control all the digital identities that interact with your information systems.

In concrete terms, this includes: your employees, of course, but also external service providers, temporary staff, subcontractors, and sometimes even partners who have occasional access to your critical applications. One oversight in this area, and you're exposed to immediate non-compliance... or to a security incident that starts with a simple forgotten account.

Let's take a very common example: the bank consultant or temporary back-office worker. During their assignment, they need access to sensitive tools (finance, HR, internal messaging). With no clear rules and no automatic expiry of their rights, they may retain access long after they've left. The result: a "dormant" account that becomes an ideal entry point for a cyber attack. NIS2 requires you to document and justify every creation and deletion of rights, and above all to prove that you have applied the principle of least privilege.

The scope is not limited to identities. It also covers SaaS applications used by your teams, Active Directory groups inherited from ten years of history, privileged rights for administrators, or even temporary sessions opened over a VPN. In short: everything that gives direct or indirect access to your information system.

Without a tool-based approach, this mapping process quickly turns into a nightmare. Between shadow IT, uncleared histories and exceptions granted on an "emergency" basis, how can you demonstrate to the relevant national authority that you really are in control? That's precisely where an IAM solution comes in: identify, trace and audit every access within an ever-expanding perimeter.

What is the minimum IAM foundation needed to meet NIS2 requirements?

When we talk about IAM, many people imagine an interminable project, with integrators, months of scoping and a complete overhaul of the information system. As a result, we postpone, delay... and end up missing the NIS2 deadline.

But there is another way: build a minimum viable IAM brick, in less than 90 days, without breaking the bank. Not a "miracle solution", but a measurable foundation that shows your management and the NIS2 auditor that you have embarked on a structured approach.

Here's what this realistic MVP looks like:

  • Phase 1 (weeks 1-3): consolidate a single identity repository by connecting your main sources (HRIS, Active Directory, main SaaS applications). We're not looking for exhaustiveness, but 80% of critical coverage.
  • Phase 2 (weeks 4-6): set up automatic onboarding and offboarding rules. Each new employee or service provider obtains rights according to their role. Each departure leads to automatic deactivation within 24 hours.
  • Phase 3 (weeks 7-9): introduce a first layer of RBAC (Role-Based Access Control) on key professions (finance, HR, IT) and launch quarterly recertification on sensitive rights.
  • Phase 4 (weeks 10-12): centralize visibility in a single dashboard, capable of producing audit reports in two clicks (who has access to what, who has validated, when).

The benefits are fast and quantifiable: onboarding reduced from 2 hours to 5 minutes, over 98% of accounts deactivated within 24 hours of departure, and a halving of "missing access" tickets within the first quarter. In other words, you can move from manual reaction to industrial access control, without destabilizing your teams or your IS.

With Youzer, an instance can be structured in six one-hour workshops. The pace depends on the IT department's schedule: some of our customers have centralized and automated their account management in just two weeks, while others prefer to spread it out over three months. Three months remains a realistic timeframe, in line with feedback from the field, if internal resources are limited.

Why this speed?

  • Dedicated and specific connectors enable rapid integration of the main identity sources (AD, HRIS, SaaS).
  • Automation is based on standard workflows, without unnecessary complexity.
  • The real work is mainly theoretical: defining upstream the rules for assigning rights and access. Once this framework has been established, it is transposed into Youzer's parameter settings.

Once in place, centralization is automatic: a dashboard unifies accounts, accesses and anomalies in real time. Youzer immediately detects any discrepancy between the defined rule and the rights actually held by a user.

Finally, rights reviews are simplified: managers can validate or correct their teams' access by simple email, targeted on a few applications to start with. No need for sprawling audits: start small, demonstrate, then expand.

The result: you move from scattered manual management (Excel, tickets, scripts) to structured IAM governance that satisfies NIS2 auditors, with tangible proof and full traceability.

What an NIS2 auditor will ask... and how to answer without suffering

On the day of the audit, there's no room for improvisation. The competent national authority (in France, the ANSSI) or its representative will not come to check the beauty of your processes, but your ability to provide tangible proof.

Here are the classic requests:

  • Access logs by role and application: who has access to what, and why. Without IAM, this requires hours of manual extraction; with a centralized brick, the report is just a click away.
  • The "who gave what, when, why" history: the auditor wants to trace every decision to grant or revoke access. Lost ticket, forgotten email = immediate non-compliance.
  • Signed recertification certificates: proof that managers have periodically validated the sensitive rights of their teams. Here again, it's impossible to keep track of hundreds of users.
  • The deactivation log: every departure or end of assignment must be followed by a deactivation, ideally within 24 hours. This is the most closely scrutinized indicator, because it is the primary source of ghost accounts.
  • JIT (Just-In-Time) reports: duration of elevation of rights, justification of request, identified approver. This guarantees that your administrators do not have permanent privileges.
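As an added illustration (not code from the article or from Youzer) of the deactivation log and ghost-account evidence described above, the script below reconciles constructed HR leaver records with a constructed directory audit trail: it computes the delay between departure and deactivation, flags anything over the 24-hour target, and lists enabled accounts that no longer have an active identity behind them. All identifiers and timestamps are invented sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real system): HR leaver records and
# directory account events, the two sources an auditor will reconcile.
LEAVERS = [
    {"id": "u001", "left_at": "2025-09-01T17:00:00"},
    {"id": "u002", "left_at": "2025-09-03T17:00:00"},
    {"id": "u003", "left_at": "2025-09-10T17:00:00"},  # never disabled
]
ACCOUNT_EVENTS = [  # hypothetical directory audit trail
    {"id": "u001", "event": "disabled", "at": "2025-09-02T09:30:00", "by": "iam-bot"},
    {"id": "u002", "event": "disabled", "at": "2025-09-08T11:00:00", "by": "helpdesk"},
    {"id": "u004", "event": "disabled", "at": "2025-09-04T08:00:00", "by": "iam-bot"},
]
ACTIVE_ACCOUNTS = ["u003", "u005"]   # still enabled in the directory
ACTIVE_IDENTITIES = ["u005"]         # still employed/contracted per HRIS

SLA = timedelta(hours=24)            # the "ideally within 24h" target

def _ts(s):
    return datetime.fromisoformat(s)

def deactivation_report(leavers=LEAVERS, events=ACCOUNT_EVENTS, sla=SLA):
    """The deactivation log an auditor asks for: for each departure, when the
    account was disabled, by whom, and whether the 24h target was met."""
    disabled = {e["id"]: e for e in events if e["event"] == "disabled"}
    rows = []
    for leaver in leavers:
        ev = disabled.get(leaver["id"])
        if ev is None:   # departure with no deactivation at all: worst case
            rows.append({"id": leaver["id"], "status": "MISSING", "delay_h": None, "by": None})
            continue
        delay = _ts(ev["at"]) - _ts(leaver["left_at"])
        rows.append({"id": leaver["id"],
                     "status": "OK" if delay <= sla else "LATE",
                     "delay_h": round(delay.total_seconds() / 3600, 1),
                     "by": ev["by"]})
    return rows

def sla_rate(rows):
    """Share of departures deactivated within the SLA (the KPI quoted in audits)."""
    return sum(r["status"] == "OK" for r in rows) / len(rows) if rows else 1.0

def ghost_accounts(active_accounts=ACTIVE_ACCOUNTS, active_identities=ACTIVE_IDENTITIES):
    """Enabled accounts with no active identity behind them: the ghost accounts
    that a spreadsheet-based process leaves behind."""
    return sorted(set(active_accounts) - set(active_identities))

if __name__ == "__main__":
    rows = deactivation_report()
    for row in rows:
        print(row)
    print("within-24h rate:", round(sla_rate(rows), 2))
    print("ghost accounts:", ghost_accounts())
```

In a real deployment the two input lists would be pulled from the HRIS and the directory by connectors; the checks themselves stay the same.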

All these elements are based on two conditions: centralization (a single point of truth for identities and accesses) and real-time updating. An audit cannot be prepared at the last minute: it is automation that ensures, on a day-to-day basis, that evidence is continuously available.

With an IAM solution like Youzer, where an IT manager used to spend nights consolidating Excel files to respond to a GDPR audit, he can now produce NIS2 evidence in a few clicks, with no stress and no cobbled-together scripts.

What pitfalls to avoid and what trade-offs to make in a multi-BU mid-sized company (ETI)?

Implementing an IAM brick in an SME with 3,000 users, spread over several BUs, often means coming up against a reality that is far less "clean" than in the slides of an integrator. The pitfalls are well known:

  • Active Directory debt: groups created ten years ago, never cleaned up, no one knows what they're for anymore... but no one dares delete them.
  • Uninventoried SaaS: each BU has adopted its own tools, sometimes with shared accounts. It's impossible to claim to have a complete vision without a prior inventory.
  • Business exceptions: "this one needs permanent admin access", "this one needs to see all data to work"... These are all exceptions that quickly get out of hand.
  • Delegation to managers without RBAC: when IT lets managers distribute rights on demand, it's a case of "copying and pasting" a colleague's access. Result: exponential drift.
  • Shadow IT: the "off-the-radar" applications that teams use to get ahead, but which completely escape governance and therefore NIS2 compliance.

Faced with this reality, we have to accept that not everything will be perfect right from the start. The pragmatic approach is to set clear trade-offs:

  • Start small: target ten or so key applications (HR, finance, messaging, office automation). These are where 80% of the risks are concentrated.
  • Create a glossary of roles: define 10 to 15 cross-functional roles, and stick to them. It's this common language that will prevent wild exceptions.
  • Limit exceptions: when a derogation is unavoidable, set an automatic expiry date (30 days, 90 days).
  • Clean up gradually: rather than trying to settle 15 years of AD debt at once, plan targeted waves of clean-up, linked to recertifications.

NIS2 does not demand immediate perfection, but a controlled and auditable approach. Showing that you've set a framework, that you're moving forward step by step, and that every exception is traced and bounded, is enough to turn a weakness into proof of governance.

Third-party users and turnover: the underestimated risk that puts NIS 2 compliance on the rocks

During a cybersecurity audit, auditors mandated by the competent national authority (such as ANSSI in France) don't stop at permanent employees. They know that, for an essential or important entity, the weak link in the information system often lies elsewhere: external service providers, temporary staff, consultants, freelancers. These temporary identities multiply, renew themselves and often evade the security measures imposed by the European NIS2 directive.

Let's take a concrete example: a financial consultant joins a BU for three months. He needs access to HR tools, payroll and internal messaging. In many companies, he is provisioned "like the others", with no time limit, and his account remains active after his departure. The result: a dormant account, invisible to IT, but exploitable by an attacker. This type of vulnerability is one of the most frequent internal threats identified in ENISA reports on security incidents in Europe.

The NIS2 directive requires a rigorous approach to access management:

  • apply the principle of least privilege,
  • limit the duration of rights,
  • trace each action,
  • and prove the implementation of these controls during a compliance audit.

In concrete terms :

  • Strictly necessary rights - no "copying and pasting" from an existing profile, but a defined perimeter of authorizations.
  • Limited duration - an account whose expiry date corresponds to the end of the mission.
  • Immediate offboarding - automatic deactivation within 24 hours, not dependent on a forgotten HR email.
  • Just-In-Time (JIT) access - for peak requirements, temporary elevation of privileges, with approval and justification.
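The four controls listed above, as an added example that is not part of the article and not Youzer's code: a hypothetical role glossary defines the authorization perimeter for the consultant profile, provisioning refuses rights outside that perimeter, the account carries an expiry date equal to the end of the mission, and privilege elevations are Just-In-Time, time-boxed and recorded with approver and justification. Role names, rights and durations are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical role glossary (constructed): the "defined perimeter of
# authorizations" for the consultant in the article's example.
ROLE_PERIMETER = {
    "finance_consultant": {"hr_portal:read", "payroll:read", "mail:user"},
}
JIT_MAX_HOURS = 4   # constructed policy value: longest allowed elevation

class PolicyError(ValueError):
    """Raised when a request would violate the access policy."""

def provision_third_party(user, role, mission_end, requested=None):
    """Create a temporary account: rights limited to the role perimeter and an
    expiry date equal to the end of the mission. No copy/paste from a colleague."""
    perimeter = ROLE_PERIMETER[role]
    requested = set(requested or perimeter)
    extra = requested - perimeter
    if extra:
        raise PolicyError(f"rights outside role perimeter: {sorted(extra)}")
    return {"user": user, "role": role, "rights": requested,
            "expires_at": mission_end, "enabled": True, "elevations": []}

def request_jit(account, right, hours, approver, justification, now):
    """Just-In-Time elevation: time-boxed, approved and justified, so the JIT
    report lists duration, approver and reason for every privilege grant."""
    if not approver or not justification:
        raise PolicyError("JIT elevation needs an approver and a justification")
    if hours > JIT_MAX_HOURS:
        raise PolicyError(f"elevation longer than {JIT_MAX_HOURS}h not allowed")
    grant = {"right": right, "from": now, "until": now + timedelta(hours=hours),
             "approver": approver, "why": justification}
    account["elevations"].append(grant)   # this list is the audit trail
    return grant

def effective_rights(account, now):
    """Rights actually held at a given instant: base rights plus live
    elevations, and nothing at all once the mission end date has passed."""
    if now >= account["expires_at"]:
        account["enabled"] = False        # automatic offboarding, no HR email needed
        return set()
    live = {e["right"] for e in account["elevations"] if e["from"] <= now < e["until"]}
    return account["rights"] | live

if __name__ == "__main__":
    end = datetime(2025, 12, 31, 18, 0)
    acct = provision_third_party("consultant-42", "finance_consultant", end)
    t0 = datetime(2025, 10, 1, 9, 0)
    request_jit(acct, "payroll:admin", 2, "cfo", "month-end closing", t0)
    print(sorted(effective_rights(acct, t0 + timedelta(hours=1))))
    print(sorted(effective_rights(acct, t0 + timedelta(hours=3))))
    print(effective_rights(acct, end), acct["enabled"])
```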

With the right IAM solution, this scenario ceases to be a nightmare. With Youzer, for example, you can centralize these temporary accounts and automate their deactivation as soon as the assignment is completed. Traceability and audit proof become immediate: a dashboard unifies accounts, rights and anomalies. The organization thus strengthens its cybersecurity, limits risk and proves its NIS2 compliance without depending on Excel or manual procedures.

How Youzer fits into this NIS2 plan (without any "big bang")

Youzer's strength lies in the fact that it doesn't require you to overhaul your information system, or to undertake a lengthy project. The solution plugs in where your identities and applications already are, and provides governance where your manual processes reach their limits.

In practice :

  • Direct connection to HRIS, Active Directory and major SaaS applications via dedicated connectors. No need for specific development to get started.
  • As soon as a connector is plugged in, the first anomalies are immediately apparent: active accounts for users who have already left, accounts still attached to an inactive manager, orphaned accounts with no identified owner, or costly licenses still assigned to deleted profiles. These weak signals, invisible in an Excel file, become visible and actionable in a matter of minutes.
  • Rapid business role modeling (RBAC): you define "core" accesses for a few priority BUs, then gradually expand. Approval workflows are integrated, with full traceability.
  • Automatic offboarding: an inactive account or completed mission = immediate deactivation. Third-party rights expire automatically, without manual intervention.
  • Simplified recertifications: a manager receives a targeted email, validates his team's sensitive rights, and Youzer records the attestation for auditing purposes.
  • Unified dashboard: CIOs and CISOs have a real-time view of accounts, access, anomalies and compliance. Exports in the format required by auditors are just a click away.

No "big bang", then, but incremental integration: you start with 5 critical applications, structure your roles, automate onboarding and offboarding... and you're already in a position to present a credible NIS2 plan. IT stays in control, workloads remain manageable, and compliance becomes demonstrable.

Conclusion

NIS2 is not just another directive: it's a maturity test for all critical and important organizations. And this test is not won with Excel files or scattered tickets, but with operational control of identities and access.

Audits will scrutinize your evidence: controlled onboarding, immediate offboarding, regular recertification, justification of high rights. Without an IAM foundation, compliance is fragile. With a well-thought-out building block, however minimal, you can turn a regulatory constraint into a lever for governance and IT credibility.

Experience in the field proves it: in just a few workshops, it's possible to centralize accounts, automate rights and generate the reports expected by auditors. Youzer integrates like a plug-in brick, without any big-bang, and enables you to face the ANSSI or an audit firm not with promises... but with figures and tangible proof.

So the real question is no longer "am I affected by NIS2?", but "when do I give myself the means to prove my compliance?". And the longer you wait, the steeper the step to climb will be.
