Business Reporter

NIS2: the dangers of non-compliance

Steve Bradford at SailPoint explains why so many organisations are dragging their feet on NIS2 compliance, and why non-compliance is a major risk

Although NIS2, the European Union's updated cyber-security Directive, had to be transposed into national law by 17 October 2024, many organisations are still grappling with compliance. As of July 2025, only 14 of the 27 EU Member States had completed that transposition.

And, whilst NIS2 is an EU Directive rather than UK law, UK businesses with operations in the EU can fall within its scope and face fines or other legal repercussions for non-compliance.

NIS2 was introduced to strengthen the security posture of 'essential services', including industries such as transport, financial services and energy. For these industries, which often run legacy systems across a distributed infrastructure, fending off cyber-attacks remains a significant challenge.

Yet, in 2025, a robust cyber-security framework has become non-negotiable for businesses that want to stay afloat, as the recent surge of attacks on the retail sector shows. Those incidents are part of a wider problem: the UK Government's Cyber Security Breaches Survey 2025 estimates that over 600,000 British businesses experienced a cyber-attack or breach in the previous twelve months.

So adherence to NIS2 shouldn't be viewed as a box-ticking exercise. It is a call to action to make operations more agile, secure and resilient in an expanding threat landscape. Let's look at why so many businesses are struggling to close the NIS2 compliance gap, and at the technologies available to address these challenges.

The consequences of non-compliance 

IT strategists will likely find themselves under increased pressure following the introduction of NIS2. They will be tasked with enforcing the Directive's requirements across the business whilst juggling the rollout of new technologies in the era of AI. Whilst it might be tempting to prioritise the deployment of new products and initiatives, sidelining NIS2 compliance could result in costly fines (the Directive requires Member States to set maximum penalties for essential entities of at least €10 million or 2% of total worldwide annual turnover, whichever is higher), as well as significant reputational damage to the business.

One key requirement of NIS2 is that organisations must be able to demonstrate that they have robust access control policies in place, including the ability to limit access to networks and systems according to user roles and responsibilities. Without automated access controls, organisations remain reliant on spreadsheets, email or paper trails to manage permissions. These manual processes are prone to human error: permissions are not updated promptly when employees change roles or leave the company, or when contractors' projects end, so users and ex-employees retain access to sensitive systems and data long after they need it.

This significantly increases the risk of insider threats, whether unintentional, such as a dormant account being hijacked by cyber-criminals, or intentional, such as a disgruntled employee or ex-employee stealing, destroying or altering company information for personal gain. Businesses and public sector organisations should take insider threats seriously: they accounted for almost half (49%) of breaches within EMEA organisations in 2024.

Secure and scalable access controls  

Luckily, the tools to achieve NIS2 compliance and improve data security at the same time are available today. Automated identity management tools let organisations manage the entire identity lifecycle, from onboarding to offboarding.

Imagine a financial consultant is brought in on a temporary contract at a major bank to cover for a colleague on leave. The consultant should only be able to access the specific client accounts and financial records necessary for their assignment. Through a tailored role and access profile, they might receive temporary permissions to view select client portfolios or transaction histories. They would not, however, receive administrative privileges or access to internal audit logs, executive dashboards or regulatory compliance reports, so as to minimise risk.

At the close of the contract, the consultant's access to client information and company systems lapses. This concept, 'just-in-time privilege', operationalises zero trust by granting access based on real-time need and revoking it once the task is complete. Access remains role-specific and is granted or rescinded as employees are onboarded or offboarded. Quick, seamless and secure offboarding is fast becoming a 'must-have' for UK employers, particularly those with high staff turnover.

A unified view of access permissions  

Alongside role-based access, NIS2 requires businesses providing 'essential services' (a category that includes, but is not limited to, energy, transport, financial services and digital infrastructure) to clearly document and keep a record of user access permissions.

Manually reviewing and collating a record of existing permissions across an organisation is an incredibly time-consuming task and a significant drain on IT and security team resources. Identity security platforms remove the need to manually document and search for lists of access permissions. IT teams can see the number of users with privileged access via an interactive dashboard, along with a record of outstanding access review tasks. This 'single pane of glass' overview makes it possible to review historical access changes and understand which admins granted or revoked access, and when.

Importantly, a dashboard equips organisations to demonstrate compliance with NIS2 during regulatory inspections. Dashboard data is updated in real time, providing a single source of truth that brings together data across the complex network of suppliers, contractors and other third parties operating within an organisation's supply chain. That evidence is only as complete as the platform's coverage, however: systems not connected to it, and accounts provisioned outside it, will not appear, so the inventory of connected systems needs the same regular review as the permissions themselves.
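The contractor scenario from the previous section and the access record described here can be modelled in a few dozen lines. The following is an added illustration written for this page, not SailPoint product code: it grants a time-boxed role, keeps a who-did-what-when audit trail, computes effective permissions just-in-time, and produces the access-review finding that catches expired or leaver access nobody revoked. The role catalogue, user names, timestamps and the 'hr-feed' source label are constructed for the example.

```python
"""Time-bound, role-based entitlements with an audit trail. Added illustration,
not SailPoint code: roles, user names and timestamps are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role catalogue: role name -> permissions the role carries.
ROLES = {
    "contract_consultant": {"client_portfolio:read", "transactions:read"},
    "internal_auditor": {"audit_log:read", "compliance_report:read"},
}


@dataclass
class Grant:
    user: str
    role: str
    granted_by: str
    granted_at: datetime
    expires_at: Optional[datetime]          # None = standing access (employee)
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

    def active(self, now: datetime) -> bool:
        """Just-in-time rule: a grant counts only while neither revoked nor expired."""
        if self.revoked_at is not None and self.revoked_at <= now:
            return False
        return self.expires_at is None or now < self.expires_at


@dataclass
class IdentityStore:
    grants: list[Grant] = field(default_factory=list)
    audit: list[dict] = field(default_factory=list)  # who changed what, and when
    offboarded: set[str] = field(default_factory=set)

    def grant(self, user: str, role: str, admin: str, now: datetime,
              expires_at: Optional[datetime] = None) -> Grant:
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        if user in self.offboarded:
            raise PermissionError(f"{user} has left; re-onboard before granting")
        g = Grant(user, role, admin, now, expires_at)
        self.grants.append(g)
        self.audit.append({"at": now, "by": admin, "action": "grant", "user": user, "role": role})
        return g

    def revoke(self, user: str, role: str, admin: str, now: datetime) -> int:
        """Close every open grant of `role` held by `user`; returns how many."""
        open_grants = [g for g in self.grants
                       if g.user == user and g.role == role and g.revoked_at is None]
        for g in open_grants:
            g.revoked_at, g.revoked_by = now, admin
        if open_grants:
            self.audit.append({"at": now, "by": admin, "action": "revoke", "user": user, "role": role})
        return len(open_grants)

    def record_leaver(self, user: str, now: datetime, source: str = "hr-feed") -> None:
        """HR reports a leaver; provisioning has not necessarily caught up yet."""
        self.offboarded.add(user)
        self.audit.append({"at": now, "by": source, "action": "leaver", "user": user})

    def offboard(self, user: str, admin: str, now: datetime) -> int:
        """Leaver process: mark the identity gone and close all of its open grants."""
        self.offboarded.add(user)
        roles = {g.role for g in self.grants if g.user == user and g.revoked_at is None}
        return sum(self.revoke(user, r, admin, now) for r in roles)

    def permissions(self, user: str, now: datetime) -> set[str]:
        """Effective permissions at `now`: the union of the user's active roles."""
        return set().union(*(ROLES[g.role] for g in self.grants
                             if g.user == user and g.active(now)))

    def stale_access(self, now: datetime) -> list[Grant]:
        """Access-review finding: grants nobody closed although they have expired
        or belong to a leaver (the 'ex-employee still has access' case)."""
        return [g for g in self.grants if g.revoked_at is None and
                ((g.expires_at is not None and g.expires_at <= now) or g.user in self.offboarded)]


def demo() -> dict:
    """Walk through the article's consultant scenario, then an access review."""
    t0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)
    contract_end = t0 + timedelta(days=30)
    store = IdentityStore()
    # Contractor: time-boxed read-only role, no administrative entitlements.
    store.grant("consultant.ext", "contract_consultant", "iam.admin", t0, expires_at=contract_end)
    store.grant("alice", "internal_auditor", "iam.admin", t0)  # standing employee access
    during = store.permissions("consultant.ext", t0 + timedelta(days=10))
    after = store.permissions("consultant.ext", contract_end + timedelta(hours=1))
    store.record_leaver("alice", contract_end + timedelta(days=1))  # nobody revoked yet
    review_at = contract_end + timedelta(days=2)
    stale_before = [(g.user, g.role) for g in store.stale_access(review_at)]
    store.revoke("consultant.ext", "contract_consultant", "reviewer", review_at)
    store.offboard("alice", "reviewer", review_at)  # review closes both findings
    return {"during": during, "after": after, "stale_before": stale_before,
            "stale_after": [(g.user, g.role) for g in store.stale_access(review_at)],
            "audit_actions": [e["action"] for e in store.audit]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the walk-through makes that the prose only implies: enforcement and hygiene are separate checks (the consultant's permissions drop to nothing the moment the contract expires, but the grant still shows up as a review finding until someone closes it), and a leaver flagged by the HR feed is a finding in its own right even when the grant has no expiry, which is exactly the ex-employee case the article warns about. Every change in the audit list carries the actor and timestamp, which is the record an inspector would ask for.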

 

 

An opportunity, not a burden 

Businesses might be tempted to view NIS2 as a tedious 'box-ticking' compliance exercise. It should instead be seen as a major opportunity: a catalyst for businesses to strengthen their cyber-security posture and future-proof their operations.

Closing the compliance gap might seem daunting for IT strategists who are already under pressure to make high-stakes decisions about adopting and integrating new technologies amid the AI boom. However, solutions such as identity security platforms can relieve some of that pressure by giving IT leaders a 360-degree overview of access across the entire supply chain.

These identity tools are essential for businesses that need to monitor and manage complex access permissions, including those of third parties, with greater accuracy and control. In a climate where business success increasingly depends on digital services, automated identity and access controls must form the cornerstone of every organisation's cyber-security strategy.

Steve Bradford is Senior Vice President EMEA at SailPoint

Main image courtesy of iStockPhoto.com and MF3d