Identity is the new perimeter
With hybrid work, cloud services and API integrations, the traditional network perimeter has dissolved. Today, identity and access control is the most important line of defence.
NIS2 recognises this by explicitly requiring control over access to networks and systems.
The fundamental question: can you, today, list exactly who has access to your critical systems and why they have that access?
NIS2 requirements for access control
Article 21.2j — Human resources security, access control procedures and asset management:
Organisations shall take appropriate measures for:
- Control of access to network and information systems
- Asset management
- Human resources security and awareness training
In practice:
- Document who has access to what
- Ensure permissions are justified
- Review permissions regularly
- Remove permissions when roles change/terminate
- Implement strong authentication
Fundamental principles
Least privilege: grant only the permissions that are necessary. Start with zero and add what is needed, not the other way around.
Need to know: access to information only for those who need it for their job duties.
Separation of duties: critical processes require multiple people. No one should be able to act alone in a sensitive process.
Defence in depth: multiple layers of controls. If one layer fails, the next one is there.
The access review process
- Inventory permissions: Collect data on who has access to which systems. Include user accounts, service accounts, API keys and external users.
- Identify anomalies: Compare actual permissions against roles and responsibilities. Do users have more access than they need? Are there accounts for terminated employees?
- Decision, keep or remove: For each permission, is it justified? If yes, document why. If no, remove it.
- Implement changes: Remove unjustified permissions. Update access documentation. Communicate changes.
- Document and follow up: Save decisions and justifications. Plan the next review. Report status to management.
Frequency for access reviews
| Category | Frequency | Examples |
|---|---|---|
| Privileged accounts | Quarterly | Administrators, root, service accounts with high access |
| Critical systems | Quarterly | Financial systems, customer data, production |
| Sensitive data | Semi-annually | Personal data, trade secrets |
| Other systems | Annually | Support systems, internal tools |
| Upon change | Immediately | Role changes, termination, organisational changes |
Common mistakes
Users change roles but keep their old permissions. After a few years they have more access than the CEO.
The shared "Admin" account whose password everyone knows. No traceability, no accountability.
Accounts of terminated employees that are never closed: a potential backdoor.
Service accounts with static passwords that are never changed: once compromised, compromised forever.
"Give admin rights and it'll work" — the standard response that creates risks.
Critical systems without multi-factor authentication: a stolen password is enough for a breach.
MFA everywhere
Where MFA should be implemented:
- All external access points (VPN, RDP, webmail)
- Critical systems and applications
- Privileged accounts (administrators)
- Cloud services and SaaS
- Console access to servers and network equipment
Not just password + SMS: SMS codes are better than nothing, but weaker than:
- Authenticator apps (TOTP)
- Hardware keys (FIDO2/WebAuthn)
- Push notifications with number matching
Automation
Provisioning
- Automate assignment of standard permissions based on role
- Integration between HR systems and identity management
- Reduce manual errors and delays
Deprovisioning
- Automatic deactivation upon employment termination
- Integration with HR termination process
- No forgotten accounts
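Provisioning and deprovisioning become reliable when both are computed from one source of truth rather than handled as separate tickets. The following is an added example, not code from the original page or from Securapilot: it treats the HR roster as the desired state, derives each active employee's standard entitlements from a role baseline, diffs that against the identity store's current state, and emits ordered actions (disable leavers first, then revoke, then grant). Accounts that HR has no record of are disabled too, so a forgotten account cannot stay enabled because nobody filed a termination. The role baseline, roster and identity-store contents are constructed sample data, and the action tuples stand in for the identity-management or directory API calls a real job would make.

```python
"""HR-driven provisioning and deprovisioning as desired-state reconciliation.

Added example, not from the original page or from Securapilot. The HR roster
is the source of truth: active employees get their role's standard
entitlements; leavers and accounts unknown to HR are disabled. The role
baseline, roster and identity-store contents are constructed sample data.
"""
from __future__ import annotations

# Assumed role baseline: standard entitlements per role.
ROLE_BASELINE = {
    "accountant": {"erp:read", "erp:post-invoice"},
    "developer": {"git:write", "ci:run"},
    "sysadmin": {"ad:domain-admin", "vpn:access"},
}


def desired_state(hr_roster):
    """Map employee id to wanted entitlements, or None if the account must be disabled."""
    return {emp_id: (set(ROLE_BASELINE.get(role, set())) if status == "active" else None)
            for emp_id, role, status in hr_roster}


def reconcile(hr_roster, identity_store):
    """Return ordered (op, emp_id, entitlement) actions that bring the store in line.

    Disables come first so a leaver loses access before anything else is touched.
    An account that HR does not know about is treated as a leaver as well.
    """
    target = desired_state(hr_roster)
    actions = []
    for emp_id, current in identity_store.items():
        if target.get(emp_id) is None and current["enabled"]:
            actions.append(("disable", emp_id, None))
    for emp_id, wanted in target.items():
        if wanted is None:
            continue
        current = identity_store.get(emp_id)
        if current is None:
            actions.append(("create", emp_id, None))
            current = {"enabled": True, "entitlements": set()}
        elif not current["enabled"]:
            actions.append(("enable", emp_id, None))   # e.g. a rehire
        for ent in sorted(current["entitlements"] - wanted):
            actions.append(("revoke", emp_id, ent))
        for ent in sorted(wanted - current["entitlements"]):
            actions.append(("grant", emp_id, ent))
    return actions


def apply_actions(identity_store, actions):
    """Apply actions to a copy of the store; stands in for the IdM/directory API."""
    store = {k: {"enabled": v["enabled"], "entitlements": set(v["entitlements"])}
             for k, v in identity_store.items()}
    for op, emp_id, ent in actions:
        if op == "create":
            store[emp_id] = {"enabled": True, "entitlements": set()}
        elif op == "disable":
            store[emp_id]["enabled"] = False
        elif op == "enable":
            store[emp_id]["enabled"] = True
        elif op == "revoke":
            store[emp_id]["entitlements"].discard(ent)
        elif op == "grant":
            store[emp_id]["entitlements"].add(ent)
    return store


# Constructed sample roster: (employee id, role, HR status).
HR_ROSTER = [
    ("e100", "accountant", "active"),
    ("e101", "developer", "active"),       # changed role from sysadmin
    ("e103", "accountant", "terminated"),
    ("e104", "developer", "active"),       # new hire, no account yet
]
# Constructed sample identity store; e200 exists but HR has no record of it.
IDENTITY_STORE = {
    "e100": {"enabled": True, "entitlements": {"erp:read", "erp:post-invoice"}},
    "e101": {"enabled": True, "entitlements": {"ad:domain-admin", "vpn:access"}},
    "e103": {"enabled": True, "entitlements": {"erp:read"}},
    "e200": {"enabled": True, "entitlements": {"vpn:access"}},
}


def run_sample():
    """Compute the actions for the constructed data."""
    return reconcile(HR_ROSTER, IDENTITY_STORE)
```

Running the reconciliation a second time on the updated store returns no actions, which is the property an automated job needs: it can be scheduled to run repeatedly and only ever emits the difference. The role change for e101 shows why deprovisioning is not only about leavers: the old sysadmin entitlements are revoked in the same run that grants the developer ones.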
Access certification
- Automated reminders for access reviews
- Workflow for approval/rejection
- Traceability and documentation
Checklist
Fundamentals:
- Inventory of all user accounts
- Documentation of service accounts
- MFA on critical systems
- Process for onboarding/offboarding
Access review:
- Schedule for regular reviews
- Process to identify anomalies
- Documentation of decisions
- Reporting to management
Automation:
- Integration with HR systems
- Automated provisioning
- Automated deprovisioning
- Workflow for access requests
Access control is one of several requirement areas in NIS2. See our NIS2 framework overview for a complete picture of all requirements, or use our NIS2 classification tool to check if you are in scope.
How Securapilot can help
Securapilot supports access control and access reviews:
- Risk management — Identify risks linked to access
- Documentation — Policies and procedures
- Follow-up — Track reviews and decisions
- Reporting — Status for management
- Suppliers — Control over external access
Book a demo and see how we can support your access control.
Frequently asked questions
What is least privilege?
The principle of giving users only the permissions required to perform their job duties, nothing more. Reduces damage if an account is compromised.
How often should access reviews be conducted?
It depends on risk. Critical systems and privileged accounts: quarterly or more frequently. Other systems: semi-annually or annually. All changes should be documented.
What is separation of duties?
Distributing critical tasks among multiple people so no single individual can perform a malicious action. Example: those who approve payments should not be able to register them.
Is MFA mandatory under NIS2?
NIS2 doesn't explicitly mention MFA, but requires appropriate technical measures for access control. In practice, MFA is a fundamental control that is expected.