EU Directive 2022/2555 · Transposition deadline 17 October 2024
Do I Need User Access Review for NIS2?
The Network and Information Security Directive 2 (NIS2) sets mandatory cybersecurity requirements for essential and important entities across the EU, and access control is one of the measures it names explicitly.
OUR INTERPRETATION
Why NIS2 mandates User Access Reviews
NIS2 Article 21 establishes mandatory cybersecurity risk-management measures for all essential and important entities, and access control policies are explicitly listed in Article 21(2)(i). An access control policy is only as good as its current state: if nobody checks periodically that each account still needs the access it holds, the policy drifts away from reality as people join, change roles and leave. Periodic User Access Review is the control that keeps the policy enforced, which makes it a practical compliance requirement even though the directive itself does not use the term.
Does NIS2 apply to your organisation?
NIS2 covers 18 sectors listed in its Annexes I and II, including energy, transport, banking, healthcare, digital infrastructure, cloud providers and managed service providers. If you operate in the EU in one of those sectors and are at least medium-sized (50 or more employees, or annual turnover or balance sheet above €10 million), you are very likely in scope; some entities, such as certain digital infrastructure and trust service providers, are in scope regardless of size. Management bodies can be held personally liable for non-compliance.
Access Control Policies
NIS2 Article 21(2) explicitly lists “human resources security, access control policies and asset management” (point (i)) among the minimum measures, alongside “policies and procedures regarding the use of cryptography and, where appropriate, encryption” (point (h)). Least privilege is how the implementing acts and ENISA guidance expect access control to be applied. Reviewing who has what access, and whether they still need it, is the mechanism that keeps an access control policy true.
Multi-Factor Authentication & IAM
Article 21(2)(j) requires the use of multi-factor authentication or continuous authentication solutions where appropriate. MFA only protects accounts you know about, so it must be paired with Identity and Access Management practices, including periodic review, so that orphaned accounts, shared credentials and excessive entitlements do not sit outside the MFA policy.
Risk-Based Approach
Article 21(1) requires entities to take “appropriate and proportionate technical, operational and organisational measures to manage the risks” to their network and information systems. Unreviewed access rights are a concrete, measurable risk: every stale or over-broad entitlement is a path an attacker with a stolen credential, or a careless insider, can use.
Management Accountability
Under Article 20, management bodies must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements. Regular access reviews are a governance control that management can demonstrate and oversee, with sign-off records and remediation evidence for each review cycle.
Directly from NIS2 Directive Text
Source: Directive (EU) 2022/2555 of the European Parliament and of the Council — Official Journal of the EU
eur-lex.europa.eu · Directive (EU) 2022/2555 · Article 21
Article 21(1) — Cybersecurity Risk-Management Measures
“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services.”
Article 21(2)(i) — Access Control (explicit)
“The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: … (i) human resources security, access control policies and asset management;” An access control policy must define who is granted access, on what basis, and how the entity verifies that the access remains appropriate. Point (h), immediately before it, covers “policies and procedures regarding the use of cryptography and, where appropriate, encryption”.
Article 21(2)(j) — Authentication & Access
“The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.” MFA can only be enforced on accounts the entity knows about. Knowing which users exist and which systems they can reach is exactly the inventory an access review produces and keeps current.
Where to find this in the directive
→ EUR-Lex → Directive (EU) 2022/2555 → Chapter IV → Article 21 (Cybersecurity Risk-Management Measures)
→ EUR-Lex → Directive (EU) 2022/2555 → Chapter IV → Article 20 (Governance — Management Liability)
→ ENISA NIS2 Implementation Guidance → Chapter on Access Control and IAM
→ National transposition laws — e.g., Germany (NIS2UmsuCG), Austria (NISG), etc.
→ ENISA Technical Guidelines for NIS2 — Section on Minimum Security Measures
Squarum's Interpretation
What this means in practice
Least privilege follows from NIS2’s explicit access control obligation
Article 21(2)(i) makes access control policies mandatory, and the guidance and implementing acts built on it (Commission Implementing Regulation (EU) 2024/2690 for the digital infrastructure and digital service entities it covers, and ENISA’s technical implementation guidance) expect access rights to be granted on a least-privilege basis and reviewed at planned intervals. User Access Review is the primary control for enforcing and evidencing this across your organisation’s systems.
C-suite and board members are personally liable
Under Article 20(1), management bodies must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements of Article 21. In practice, executives must be able to show that access governance processes exist and are followed, including periodic reviews with recorded outcomes and evidence that flagged access was actually removed.
Supply chain access is also in scope
NIS2 Article 21(2)(d) explicitly covers supply chain security, including the security-related aspects of the relationships between the entity and its direct suppliers or service providers. If third-party suppliers or contractors hold accounts in your systems, their access rights must be reviewed with the same rigour as employee access and removed when the engagement ends.
Incident reporting depends on knowing who has access
Article 23 sets strict timelines for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours and a final report within one month. Meeting them requires knowing quickly whether a compromise involved authorised accounts and what those accounts could reach. A record of who had which access, and when it was last reviewed, is essential forensic evidence in an incident.
Essential entities: a maximum administrative fine of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34(4))
Important entities: a maximum administrative fine of at least €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34(5))
NIS2 fines are among the highest in EU cybersecurity law. Beyond financial penalties, management bodies can be held personally liable, competent authorities can request a temporary ban on individuals with managerial responsibilities at CEO or legal-representative level from exercising those functions in an essential entity, and an entity can be ordered to make public aspects of its infringements.
Make NIS2 access compliance effortless with Squarum
Squarum maps directly to NIS2 Article 21 requirements — automate your access reviews, manage third-party access, and give your board the evidence they need to demonstrate governance.