Address NIS2 Using BeyondTrust Solutions

The Network and Information Security 2 (NIS2) Directive is a landmark European Union (EU) cybersecurity law that establishes a high, common standard of protection for network and information systems across Member States. Replacing the original NIS Directive, NIS2 strengthens security governance, incident reporting, and accountability requirements for both public and private organizations operating within critical and digital sectors.

Controlling privilege and access remains a cornerstone of basic cyber hygiene, supply chain security, and effective cybersecurity risk management. Yet many organizations still lack holistic visibility into their identities, accounts, privileged access, and entitlements—making it difficult to analyse and assess identity-related risk with confidence.

The Directive outlines a set of minimum coverage requirements with one overarching goal: build a more unified, resilient, and transparent cybersecurity ecosystem across the EU.

NIS2 significantly broadens the scope of the original directive, capturing a wider set of organizations that operate or depend on operational technology (OT) and critical infrastructure. The Directive now applies to two core categories:

Essential entities, including operators in energy, transport, water, healthcare, digital infrastructure, and public administration—sectors where OT systems are fundamental to safety and service continuity.

Important entities, such as manufacturers of critical products, managed service providers, waste management, postal and courier services, and digital providers that support or interconnect with industrial and cyber-physical systems (CPS).

While NIS2 generally targets medium and large enterprises, small and micro businesses (fewer than 50 employees and under €10M annual turnover) are typically out of scope. However, Member States can designate smaller organizations as in scope if they deliver services that are directly essential or contribute to a critical supply chain.

For example:

• A small business that manufactures bottles for a drinking water supplier is considered part of an essential supply chain and may fall under NIS2.
• A small business that sells bottles for craft supplies would likely remain out of scope.

In practice, NIS2 uses an end-to-end model: if an essential or important entity relies on a particular provider, that provider may also be required to meet NIS2 obligations. Each EU Member State identifies which organizations qualify, but all in-scope entities must demonstrate strong identity and access governance, incident response maturity, and supply chain risk controls across both IT and OT environments.

Additionally, for those organizations that are already ISO 27001 compliant, your NIS2 alignment may already be on strong footing, as those controls closely map to the measures described in Article 21.

For OT teams, the expansion of NIS2 translates to higher expectations around segmentation, identity / privilege control on ICS/SCADA, and supply chain assurance.

For example:

Hospitals have numerous OT devices (X-Ray scanners, MRI and CT machines, etc.) that frequently run on outdated operating systems. While these machines are critical, they cannot simply be updated or easily replaced. To be compliant, essential or important entities must work toward risk management measures, such as implementing the principle of least privilege across their entire identity fabric, including IT / OT systems.

Higher security expectations

NIS2 mandates risk-based technical and organizational measures that map directly to OT realities: enforcing least privilege, hardening remote / vendor access, monitoring privileged sessions, and proving supply chain diligence across plants and sites. It also tightens incident reporting timelines and expands the level of details required in documentation (early warning in 24 hours, full notification in 72 hours, and a final report within one month).

Stronger supervision and enforcement

Competent authorities gain broader powers (on-site inspections, independent audits, binding instructions, and orders to cease infringing conduct). For essential entities, authorities may even temporarily suspend certifications / authorizations for services if security deficiencies aren’t properly remedied.

Increased personal accountability

NIS2 places clear, enforceable duties on an organization’s management body—typically the board and senior leadership—to oversee cybersecurity risk management, approve related policies, and ensure regular training. Unlike the original directive, NIS2 introduces personal liability for gross negligence in the event of a serious security incident.

Supervisory authorities can impose individual consequences, including administrative fines, formal reprimands, and mandatory public disclosure of violations that identify the responsible persons and the nature of the failure. For essential entities, regulators may also temporarily ban executives or legal representatives from holding management positions in cases of repeated or severe non-compliance.

This shift reinforces that cybersecurity risk is no longer an “IT issue,” but a board-level responsibility with direct legal and reputational implications for leadership.

Bottom line for OT

NIS2 elevates operational resilience expectations and raises the cost of failure. OT programs must evidence identity-centric controls (least privilege / JIT, vendor access governance, privileged session oversight), rapid incident reporting across sites, and auditable board oversight to avoid service suspensions and high-impact fines.

Together, these updates mark a shift from reactive protection to proactive resilience, aligning cybersecurity obligations with modern threats, cloud infrastructures, and identity-centric risks.

With BeyondTrust Identity Security and Privileged Access Management (PAM) solutions, you can:

• Enforce least privilege and just-in-time access across IT, OT, and cloud environments to reduce the blast radius of attacks, prevent lateral movement, and align with NIS2’s access-control and governance requirements.
• Secure and audit all privileged access with VPN-less remote connectivity, session recording, and granular control for employees, vendors, and service desks—ensuring every privileged action is authorized and traceable.
• Manage and protect every privileged credential including passwords, SSH keys, and DevOps secrets, eliminating shared accounts and aligning to NIS2 authentication and accountability mandates.
• Gain unified visibility into identity-based threats with our Identity Security Insights® product, leveraging capabilities like True Privilege Graph™ to uncover hidden Paths to Privilege™ and high-risk identities. Centralized dashboards and integrations with leading IAM solutions, including SailPoint, support faster incident reporting and continuous compliance across complex environments.
• Strengthen supply chain and OT security by isolating critical assets, extending AD governance to Unix / Linux systems, and enforcing zero-trust controls across industrial environments. Replace risky VPN-based vendor access with granular, monitored third-party sessions that reduce exposure across interconnected networks.
• Disrupt ransomware and advanced attack chains by locking down remote pathways, controlling applications, and preventing privilege escalation across hybrid and cloud infrastructures.
• Improve evidence quality with comprehensive, tamper-proof audit logs and easily accessible reports that streamline auditor reviews and demonstrate full alignment with NIS2 requirements.