BeyondTrust - Secure Remote Access and Privileged Access Management
Announcement:
Be among the first to secure AI coworkers before they act. Request early access to AI Agent Security.

What is NIS2?

The Network and Information Security 2 (NIS2) Directive is a landmark European Union (EU) cybersecurity law that establishes a high, common standard of protection for network and information systems across Member States. Replacing the original NIS Directive, NIS2 strengthens security governance, incident reporting, and accountability requirements for both public and private organizations operating within critical and digital sectors.

Controlling privilege and access remains a cornerstone of basic cyber hygiene, supply chain security, and effective cybersecurity risk management. Yet many organizations still lack holistic visibility into their identities, accounts, privileged access, and entitlements—making it difficult to analyse and assess identity-related risk with confidence.

The Directive outlines a set of minimum coverage requirements with one overarching goal: build a more unified, resilient, and transparent cybersecurity ecosystem across the EU.

Who does NIS2 apply to?

NIS2 significantly broadens the scope of the original directive, capturing a wider set of organizations that operate or depend on operational technology (OT) and critical infrastructure. The Directive now applies to two core categories:

Essential entities, including operators in energy, transport, water, healthcare, digital infrastructure, and public administration—sectors where OT systems are fundamental to safety and service continuity.

Important entities, such as manufacturers of critical products, managed service providers, waste management, postal and courier services, and digital providers that support or interconnect with industrial and cyber-physical systems (CPS).

While NIS2 generally targets medium and large enterprises, small and micro businesses (fewer than 50 employees and under €10M annual turnover) are typically out of scope. However, Member States can designate smaller organizations as in scope if they deliver services that are directly essential or contribute to a critical supply chain.

For example:

  • A small business that manufactures bottles for a drinking water supplier is considered part of an essential supply chain and may fall under NIS2.

  • A small business that sells bottles for craft supplies would likely remain out of scope.

In practice, NIS2 uses an end-to-end model: if an essential or important entity relies on a particular provider, that provider may also be required to meet NIS2 obligations. Each EU Member State identifies which organizations qualify, but all in-scope entities must demonstrate strong identity and access governance, incident response maturity, and supply chain risk controls across both IT and OT environments.

Additionally, for those organizations that are already ISO 27001 compliant, your NIS2 alignment may already be on strong footing, as those controls closely map to the measures described in Article 21.

NIS vs NIS2 – What are the key differences?

Broader scope and OT impact

NIS2 widens coverage from a limited set of “operators of essential services” to two categories—essential and important entities—bringing more industrial and critical-infrastructure operators (energy, water, transport, health, digital infrastructure, public administration, manufacturers of critical products, MSPs, etc.) into scope.

Additionally, compared to NIS1, the entities covered in NIS2 increased from 1000 to over 100,000.

Aspect

NIS1

NIS2

Entities Covered

~1,000 operators

100,000+ organizations

Sectors

7 critical sectors

18 sectors (essential + important)

Approach

Principles-based

Prescriptive requirements

Incident Reporting

72 hours

24-hour early warning + 72 hours

Management Liability

None

Personal liability for executives

  1. 1.Table data sourced from https://www.nis2-requirements.info/

NIS vs NIS2 - Comparison Table

For OT teams, the expansion of NIS2 translates to higher expectations around segmentation, identity / privilege control on ICS/SCADA, and supply chain assurance.

For example:

Hospitals have numerous OT devices (X-Ray scanners, MRI and CT machines, etc.) that frequently run on outdated operating systems. While these machines are critical, they cannot simply be updated or easily replaced. To be compliant, essential or important entities must work toward risk management measures, such as implementing the principle of least privilege across their entire identity fabric, including IT / OT systems.

Higher security expectations

NIS2 mandates risk-based technical and organizational measures that map directly to OT realities: enforcing least privilege, hardening remote / vendor access, monitoring privileged sessions, and proving supply chain diligence across plants and sites. It also tightens incident reporting timelines and expands the level of details required in documentation (early warning in 24 hours, full notification in 72 hours, and a final report within one month).

Stronger supervision and enforcement

Competent authorities gain broader powers (on-site inspections, independent audits, binding instructions, and orders to cease infringing conduct). For essential entities, authorities may even temporarily suspend certifications / authorizations for services if security deficiencies aren’t properly remedied.

Increased personal accountability

NIS2 places clear, enforceable duties on an organization’s management body—typically the board and senior leadership—to oversee cybersecurity risk management, approve related policies, and ensure regular training. Unlike the original directive, NIS2 introduces personal liability for gross negligence in the event of a serious security incident.

Supervisory authorities can impose individual consequences, including administrative fines, formal reprimands, and mandatory public disclosure of violations that identify the responsible persons and the nature of the failure. For essential entities, regulators may also temporarily ban executives or legal representatives from holding management positions in cases of repeated or severe non-compliance.

This shift reinforces that cybersecurity risk is no longer an “IT issue,” but a board-level responsibility with direct legal and reputational implications for leadership.

Bottom line for OT

NIS2 elevates operational resilience expectations and raises the cost of failure. OT programs must evidence identity-centric controls (least privilege / JIT, vendor access governance, privileged session oversight), rapid incident reporting across sites, and auditable board oversight to avoid service suspensions and high-impact fines.

Together, these updates mark a shift from reactive protection to proactive resilience, aligning cybersecurity obligations with modern threats, cloud infrastructures, and identity-centric risks.

OT Security Challenges

Downtime icon orange
Costs of downtime
Unplanned OT downtime halts production, disrupts essential services, and creates safety and financial risks—sometimes with national-level impact.
Legacy systems OT environments orange icon
Legacy systems
Many OT assets run on outdated hardware and software, making patching, monitoring, and secure integration difficult.
IT OT convergence zones orange icon
IT–OT convergence
As IT and OT networks merge, shared authentication and unsecured remote access can let corporate breaches spread into critical industrial systems.
Visibility orange
Limited visibility and control
OT environments often lack centralized visibility over privileged users, credentials, and vendor sessions, making unauthorized activity hard to spot.
OT industry icon orange
Supply chain and vendor risk
Compromised or insecure hardware / software from third-party vendors can introduce hidden vulnerabilities, backdoors, or weak components—undermining the entire OT environment.
OT vendors risk orange icon
Human error and insider risk
Under-trained operators and engineers, or staff mistakes—such as misconfigurations, insecure credential use, or improper vendor-access practices—can open paths for attackers or cause system failures.
“In-tune with our goal to be ISO 27001 and HDS certified, we looked for an easy-to-manage product with tracking options and strong authentication features and control capacities across all our account. BeyondTrust’s Privilege Remote Access solution proved to support our requirements.”

—Alain Astgen, Service Center Manager & CISO, Axians

“BeyondTrust Endpoint Privilege Management really is a perfect solution. Not only does it implement least privilege, protect, and monitor our privileged accounts, it also allows us to maintain compliance with several regulations, which is hugely beneficial to us.”

—Orwill Sebastian, Project Manager, Zensar

"Our use case (with BeyondTrust Privileged Remote Access) only touches the tip of the iceberg of what we can be doing…We've been searching for a long time for a partner that could help us with different types of issues we have in the OT environment, and BeyondTrust is it for us."

—VP of Industrial Cyber and Digital Security, Global Industrial Automation Company

Benefits of NIS2 Compliance

Achieving and maintaining NIS2 compliance isn’t just about avoiding fines—it’s about building resilience, trust, and operational efficiency across both IT and OT systems.

Organizations that align early stand to gain lasting advantages:

Control 3

Improved Operational Resilience

Strengthen both IT and OT environments with standardized controls that minimize the risk of cyber incidents, downtime, and supply chain disruption.
Visibility

Enhanced Visibility and Governance

Gain unified insight into users, credentials, and access pathways across plants, facilities, and digital assets—helping leadership make informed, auditable decisions.
Compliance

Stronger Trust and Market Confidence

Demonstrating compliance signals to regulators, partners, and customers that your organization prioritizes security, accountability, and business continuity.
Financial liabilities blue icon

Reduced Risk of Penalties and Liability

NIS2 compliance reduces exposure to financial penalties, service suspension, and executive accountability—protecting both revenue and reputation.

Improving NIS2 Compliance Using BeyondTrust Solutions

With BeyondTrust Identity Security and Privileged Access Management (PAM) solutions, you can:

  • Enforce least privilege and just-in-time access across IT, OT, and cloud environments to reduce the blast radius of attacks, prevent lateral movement, and align with NIS2’s access-control and governance requirements.

  • Secure and audit all privileged access with VPN-less remote connectivity, session recording, and granular control for employees, vendors, and service desks—ensuring every privileged action is authorized and traceable.

  • Manage and protect every privileged credential including passwords, SSH keys, and DevOps secrets, eliminating shared accounts and aligning to NIS2 authentication and accountability mandates.

  • Gain unified visibility into identity-based threats with our Identity Security Insights® product, leveraging capabilities like True Privilege Graph™ to uncover hidden Paths to Privilege™ and high-risk identities. Centralized dashboards and integrations with leading IAM solutions, including SailPoint, support faster incident reporting and continuous compliance across complex environments.

  • Strengthen supply chain and OT security by isolating critical assets, extending AD governance to Unix / Linux systems, and enforcing zero-trust controls across industrial environments. Replace risky VPN-based vendor access with granular, monitored third-party sessions that reduce exposure across interconnected networks.

  • Disrupt ransomware and advanced attack chains by locking down remote pathways, controlling applications, and preventing privilege escalation across hybrid and cloud infrastructures.

  • Improve evidence quality with comprehensive, tamper-proof audit logs and easily accessible reports that streamline auditor reviews and demonstrate full alignment with NIS2 requirements.

Talk to an expert

PRA contact sales

Contact us today to discuss your NIS2 compliance requirements.