Executive Summary
The Network and Information Systems Directive 2 (NIS2), effective from October 2024, fundamentally transforms cybersecurity compliance requirements for critical infrastructure operators across the European Union. With penalties reaching €10 million or 2% of global annual turnover, organisations cannot afford gaps in their security posture.
Three critical findings emerge from regulatory analysis:
First, NIS2 Article 21 establishes unprecedented credential management obligations that traditional identity and access management (IAM) systems cannot fulfil. The directive requires demonstrable control over credential lifecycle management, not merely documented processes. Current approaches to credential security leave organisations exposed to both cyber threats and regulatory non-compliance.
Second, a structural compliance gap exists between regulatory expectations and organisational capabilities. Research indicates that 81% of data breaches involve compromised credentials, yet most critical infrastructure operators rely on password-based authentication systems that inherently fail NIS2's "state of the art" security requirements under Article 21(2)(a).
Third, regulatory compliance demands shift from documentation-centric approaches to evidence-based security controls. NIS2's emphasis on "appropriate and proportionate" technical measures requires organisations to demonstrate active credential control mechanisms, not passive policy frameworks. This distinction determines both security effectiveness and regulatory compliance success.
Critical infrastructure operators must urgently evaluate their credential management capabilities against NIS2 requirements. The regulatory timeline allows no delays, and the compliance stakes have never been higher.
Regulatory Requirement Overview
NIS2 Scope and Applicability
The Network and Information Systems Directive 2 (Directive (EU) 2022/2555) represents the European Union's most comprehensive cybersecurity legislation to date. Applying to over 160,000 entities across 18 critical sectors, NIS2 expands regulatory coverage by 300% compared to its predecessor.
Essential entities under NIS2 include energy sector operators (electricity, gas, hydrogen), transport infrastructure providers, banking institutions, healthcare systems, and digital infrastructure operators. Important entities encompass postal services, waste management systems, manufacturing of critical products, and digital service providers serving over 45 million users annually.
Penalty Structure and Enforcement
NIS2's penalty framework establishes severe financial consequences for non-compliance:
- Essential entities: Up to €10 million or 2% of total worldwide annual turnover
- Important entities: Up to €7 million or 1.4% of total worldwide annual turnover
- Personal liability for management bodies under Article 20
Member states must transpose NIS2 into national law by October 17, 2024, with enforcement beginning immediately thereafter. The directive's extraterritorial reach affects any organisation providing services within EU borders, regardless of geographic headquarters.
Core Security Requirements
Article 21 establishes mandatory cybersecurity risk management measures that organisations must implement. These requirements shift from principle-based guidance to specific technical controls:
Article 21(2)(a) - Technical and Organisational Measures
The directive mandates "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." This language establishes a performance-based standard requiring demonstrable security outcomes, not merely documented procedures.
Article 21(2)(b) - Risk Assessment and Security Policies
Organisations must implement policies on risk analysis and information system security that address the threat environment facing network and information systems. The directive requires continuous risk assessment capabilities and adaptive security measures.
Article 21(2)(c) - Incident Handling
Comprehensive incident response capabilities, including procedures for reporting and dealing with incidents, become mandatory. This requirement extends beyond documentation to proven operational capabilities.
Article 21(2)(d) - Business Continuity
Security measures must include business continuity plans and backup systems to ensure availability and resilience. This requirement integrates cybersecurity directly into operational resilience planning.
Supervisory and Enforcement Framework
NIS2 establishes robust supervisory mechanisms through national competent authorities. These bodies possess extensive powers including:
- On-site inspections without prior notice
- Access to network and information systems
- Evidence gathering and documentation review
- Immediate corrective measure orders
The directive's enforcement approach emphasises outcome-based assessment rather than compliance theatre. Supervisory authorities evaluate actual security capabilities, not documented intentions.
What the Regulation Demands on Credential Access
Specific Credential Management Requirements
NIS2's credential access requirements emerge from multiple directive provisions that, when read together, create comprehensive obligations for identity and access control systems.
Article 21(2)(a) Technical Measures - Authentication Controls
The directive's requirement for "appropriate and proportionate technical measures" specifically encompasses authentication and access control mechanisms. ENISA's supporting guidelines clarify that these measures must address:
- Multi-factor authentication implementation across all privileged access points
- Regular credential rotation and lifecycle management
- Monitoring and logging of credential usage patterns
- Protection of credentials both in transit and at rest
Article 21(2)(e) Access Control Measures
This provision explicitly requires "measures for access control, including procedures for authentication and authorisation." The regulation distinguishes between authentication (verifying identity) and authorisation (granting access), demanding technical controls for both functions.
Critical infrastructure operators must demonstrate:
- Granular access control policies aligned with operational requirements
- Regular access reviews and recertification processes
- Automated provisioning and deprovisioning capabilities
- Segregation of duties for privileged operations
Article 21(2)(f) Asset Management
Credential assets fall within the directive's asset management requirements, which mandate "policies and procedures to identify and classify assets and procedures regarding the handling of assets." This provision treats credentials as critical organisational assets requiring formal lifecycle management.
State of the Art Security Standards
Article 21(2)(a)'s reference to "state of the art" security measures creates specific obligations for credential protection mechanisms. This terminology, defined in Recital 90, requires organisations to implement security measures that reflect current technological capabilities and threat landscapes.
For credential management, "state of the art" encompasses:
Zero-Trust Architecture Principles
Modern credential control must operate on zero-trust assumptions, where no credential or access request receives inherent trust based on network location or user claims. The European Cybersecurity Agency (ENISA) identifies zero-trust architecture as fundamental to contemporary cybersecurity frameworks.
Cryptographic Protection Standards
Credentials must receive cryptographic protection aligned with current NIST and ENISA recommendations. This requirement eliminates password-based authentication systems that fail to meet contemporary cryptographic standards.
Continuous Monitoring and Analytics
State of the art credential management includes real-time monitoring of credential usage patterns, anomaly detection, and automated response capabilities. Static authentication mechanisms cannot satisfy these dynamic security requirements.
Evidence and Demonstration Requirements
NIS2's enforcement framework requires organisations to demonstrate, not merely document, their credential control capabilities. Article 23's supervisory inspection provisions grant authorities extensive access to systems and evidence.
Demonstrable Controls vs. Documented Procedures
Traditional compliance approaches emphasise policy documentation and procedural frameworks. NIS2 requires evidence of implemented technical controls that actively manage credential security.
Supervisory authorities can examine:
- Real-time credential usage logs and analytics
- Technical architecture documentation showing credential protection mechanisms
- Evidence of credential lifecycle management in operation
- Proof of principle verification for access control systems
Audit Trail and Forensic Capabilities
Article 21(2)(g) requires "measures regarding the monitoring, auditing and testing of network and information systems security." For credential management, this translates to comprehensive logging capabilities that track:
- Credential creation, distribution, usage, and revocation events
- Failed authentication attempts and access policy violations
- Privileged access activities and administrative operations
- System changes affecting credential management infrastructure
These audit capabilities must support both real-time security monitoring and post-incident forensic analysis, as required under the directive's incident response provisions.
The Structural Compliance Gap
Current Credential Management Limitations
Critical infrastructure operators face a fundamental mismatch between regulatory requirements and existing credential management capabilities. Industry research reveals systemic weaknesses that create both security and compliance risks.
Password-Based Authentication Prevalence
Despite decades of security awareness, password-based authentication remains dominant across critical infrastructure sectors. The 2023 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged either stolen or weak passwords. For critical infrastructure specifically:
- 73% of energy sector organisations rely primarily on password authentication for system access
- 68% of healthcare entities report inadequate password management practices
- 61% of transport operators lack comprehensive multi-factor authentication deployment
These statistics demonstrate widespread failure to implement "state of the art" authentication mechanisms required under Article 21(2)(a).
Identity vs. Access Control Confusion
Most organisations conflate identity management with access control, creating architectural weaknesses that compromise both security and compliance. Traditional Identity and Access Management (IAM) systems focus on user identity verification rather than credential control.
This confusion manifests in several critical gaps:
- Users possess direct knowledge and control over their authentication credentials
- Credential sharing occurs regularly without organisational visibility or control
- Password reset and recovery mechanisms bypass security controls
- Privileged credentials often exist outside formal management systems
Shared Credential Proliferation
Research by CyberArk indicates that 53% of organisations use shared accounts for privileged access, particularly in operational technology environments common to critical infrastructure. These shared credentials create multiple compliance violations:
- Inability to attribute actions to specific individuals (violating Article 21(2)(e) access control requirements)
- Lack of individual accountability for system access
- Difficulty in credential lifecycle management and rotation
- Insufficient audit trails for supervisory inspection
Technical Architecture Deficiencies
Current credential management architectures exhibit structural limitations that prevent NIS2 compliance, regardless of policy improvements or procedural enhancements.
Credential Storage and Protection
Traditional systems store credentials in formats accessible to both users and attackers. Common architectural weaknesses include:
- Client-side credential storage in browsers, applications, and operating system credential managers
- Reversible encryption or hashing mechanisms that allow credential recovery
- Centralised credential databases that create attractive targets for attackers
- Insufficient protection for credentials in transit between systems
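The second weakness in the list above (reversible storage that lets anyone holding the store and its key recover the credential) is easiest to see next to the one-way alternative. The following is an added example, not code from this document or from any product it describes: the "reversible" half is a constructed toy scheme (a fixed-key SHA-256 keystream XOR, labelled as such in the code) standing in for any store-plus-key design, and the hardened half is a salted PBKDF2-HMAC-SHA256 verifier checked in constant time. The iteration count of 600,000 follows OWASP's 2023 guidance for that algorithm.

```python
"""Reversible credential storage next to a one-way, salted verifier.

Added example for this whitepaper; not code from the document or any vendor.
"""
import base64
import hashlib
import hmac
import os

# ---- Weak pattern: the secret itself is stored, only encrypted/encoded ----
# Toy reversible scheme for illustration only (NOT a real cipher): a keystream
# derived from a static application key is XORed over the password bytes.
def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def store_reversible(password: str, app_key: bytes) -> str:
    """Whatever is written here can be turned back into the password by
    anyone who also reads app_key (config file, environment, memory dump)."""
    data = password.encode()
    ks = _keystream(app_key, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks))).decode()

def recover_reversible(stored: str, app_key: bytes) -> str:
    """Demonstrates the defect: recovery needs no user involvement at all."""
    data = base64.b64decode(stored)
    ks = _keystream(app_key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).decode()

# ---- Hardened pattern: salted, slow, one-way verifier ----
ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256

def make_verifier(password: str, salt: bytes = None) -> str:
    """Store only a derived key; the password cannot be recovered from it.
    A fresh 16-byte random salt is generated unless one is supplied (tests)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), dk.hex()])

def verify(password: str, verifier: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    algo, iters, salt_hex, dk_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    secret, key = "Tr0ub4dor&3", b"static-app-key"   # constructed sample values
    blob = store_reversible(secret, key)
    print("reversible store recovers:", recover_reversible(blob, key) == secret)
    v = make_verifier(secret)
    print("verifier accepts correct:", verify(secret, v))
    print("verifier rejects wrong:  ", verify("wrong", v))
```

A one-way verifier is the right design wherever the system only needs to check a password. A vault that must replay a credential into a target system cannot use it and has to encrypt instead; in that case the key must never reach client systems or users, which is the property the protection requirements above are asking for.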
Lifecycle Management Gaps
Effective credential lifecycle management requires automated processes for credential creation, distribution, rotation, and revocation. Current approaches typically exhibit:
- Manual credential distribution processes that delay provisioning and increase error rates
- Irregular credential rotation cycles that violate security best practices
- Inadequate deprovisioning processes that leave orphaned credentials active
- Limited visibility into credential usage patterns and anomalies
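The lifecycle gaps listed here, the shared-credential attribution problem described under "Shared Credential Proliferation", and the audit-trail events enumerated under "Audit Trail and Forensic Capabilities" can all be checked mechanically once the credential system emits structured events. The following is an added example, not code from this document or from any product it describes: it parses a small constructed JSON-lines audit log (event names such as `cred.created`, `cred.assigned`, `cred.rotated`, `cred.revoked`, `user.deprovisioned`, `auth.success` and `auth.failure` are assumptions, not a real product's schema) and runs four checks: orphaned credentials left active after their owner was deprovisioned, credentials used under more than one user identity, credentials past a rotation age, and bursts of failed authentication.

```python
"""Checks over a credential-lifecycle audit log (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log; event names and ids are assumptions, not a real schema.
SAMPLE_LOG = """
{"ts":"2024-09-01T08:00:00Z","event":"cred.created","credential_id":"db-admin-01","user":"svc-provisioner"}
{"ts":"2024-09-01T08:05:00Z","event":"cred.assigned","credential_id":"db-admin-01","user":"alice"}
{"ts":"2024-09-02T09:00:00Z","event":"auth.success","credential_id":"db-admin-01","user":"alice","target":"db-prod"}
{"ts":"2024-09-03T09:00:00Z","event":"auth.success","credential_id":"db-admin-01","user":"bob","target":"db-prod"}
{"ts":"2024-09-10T12:00:00Z","event":"user.deprovisioned","user":"alice"}
{"ts":"2024-09-15T00:00:00Z","event":"cred.created","credential_id":"scada-op-07","user":"svc-provisioner"}
{"ts":"2024-09-15T00:01:00Z","event":"cred.assigned","credential_id":"scada-op-07","user":"carol"}
{"ts":"2024-10-20T10:00:00Z","event":"auth.success","credential_id":"db-admin-01","user":"bob","target":"db-prod"}
{"ts":"2024-10-21T10:00:00Z","event":"auth.failure","credential_id":"scada-op-07","user":"carol","target":"hmi-1"}
{"ts":"2024-10-21T10:01:30Z","event":"auth.failure","credential_id":"scada-op-07","user":"carol","target":"hmi-1"}
{"ts":"2024-10-21T10:03:00Z","event":"auth.failure","credential_id":"scada-op-07","user":"carol","target":"hmi-1"}
{"ts":"2024-10-21T10:10:00Z","event":"cred.rotated","credential_id":"scada-op-07","user":"svc-provisioner"}
{"ts":"2024-10-21T15:00:00Z","event":"auth.failure","credential_id":"db-admin-01","user":"bob","target":"db-prod"}
"""
NOW = datetime(2024, 10, 22, tzinfo=timezone.utc)   # assumed time of the review
ROTATION_MAX_AGE = timedelta(days=30)                # assumed policy value

def parse_events(text):
    """JSON lines -> list of dicts with a tz-aware 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def orphaned_credentials(events):
    """(credential, user) pairs still unrevoked after the user was deprovisioned."""
    assigned, revoked, gone = defaultdict(set), set(), set()
    for ev in events:
        if ev["event"] == "cred.assigned":
            assigned[ev["credential_id"]].add(ev["user"])
        elif ev["event"] == "cred.revoked":
            revoked.add(ev["credential_id"])
        elif ev["event"] == "user.deprovisioned":
            gone.add(ev["user"])
    return sorted((c, u) for c, users in assigned.items()
                  if c not in revoked for u in users if u in gone)

def shared_credentials(events):
    """Credentials whose auth events carry more than one user: no attribution."""
    users = defaultdict(set)
    for ev in events:
        if ev["event"] in ("auth.success", "auth.failure"):
            users[ev["credential_id"]].add(ev["user"])
    return {c: sorted(u) for c, u in users.items() if len(u) > 1}

def stale_credentials(events, now, max_age):
    """Unrevoked credentials whose last create/rotate is older than max_age."""
    last, revoked = {}, set()
    for ev in events:
        if ev["event"] in ("cred.created", "cred.rotated"):
            last[ev["credential_id"]] = ev["ts"]
        elif ev["event"] == "cred.revoked":
            revoked.add(ev["credential_id"])
    return sorted(c for c, t in last.items() if c not in revoked and now - t > max_age)

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(user, target) pairs with >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth.failure":
            fails[(ev["user"], ev["target"])].append(ev["ts"])
    bursts = []
    for key, times in fails.items():
        start = 0
        for end in range(len(times)):          # times already sorted by parse_events
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)

def run_checks(log_text=SAMPLE_LOG, now=NOW):
    """All four checks over one log; returns a dict suitable for an inspection report."""
    events = parse_events(log_text)
    return {"orphaned": orphaned_credentials(events),
            "shared": shared_credentials(events),
            "stale": stale_credentials(events, now, ROTATION_MAX_AGE),
            "failure_bursts": failed_auth_bursts(events)}

if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Each check maps to a gap named in the text: "orphaned" to inadequate deprovisioning, "shared" to the inability to attribute actions to individuals, "stale" to irregular rotation, and "failure_bursts" to the failed-authentication events an audit trail is expected to capture. A real deployment would run these continuously over the credential system's own event stream rather than over a pasted sample.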
Integration and Interoperability Challenges
Critical infrastructure environments typically include diverse systems with varying credential management capabilities. Legacy operational technology systems often lack modern authentication mechanisms, creating integration challenges that compromise overall security architecture.
Regulatory Risk Assessment
The compliance gap between current practices and NIS2 requirements creates quantifiable regulatory risks that boards and executive leadership must address.
Penalty Calculation Framework
For essential entities, maximum penalties reach €10 million or 2% of global annual turnover, whichever is higher. To illustrate the financial impact:
- A major energy utility with €5 billion annual revenue faces potential penalties up to €100 million
- A healthcare system with €2 billion revenue could incur penalties up to €40 million
- A transport operator with €1 billion revenue risks penalties up to €20 million
Likelihood of Detection and Enforcement
NIS2's supervisory framework significantly increases detection probability compared to previous regulatory regimes. Key enforcement factors include:
- Mandatory incident reporting requirements that reveal security weaknesses
- Proactive supervisory inspections without prior notice
- Whistleblower protections that encourage internal reporting
- Cross-border cooperation mechanisms that prevent jurisdiction shopping
Reputational and Operational Consequences
Beyond direct financial penalties, non-compliance creates secondary consequences that often exceed regulatory fines:
- Customer confidence loss following public enforcement actions
- Increased insurance premiums and potential coverage exclusions
- Supply chain disruption as partners reassess risk relationships
- Regulatory restrictions on business expansion and service offerings
Research by Ponemon Institute indicates that regulatory violations increase the average cost of data breaches by 51%, amplifying the total cost of inadequate credential management.
Credential Control vs Documented Compliance
Beyond Policy Documentation
Traditional compliance approaches emphasise policy development, procedure documentation, and training programs. While these elements support overall security governance, they fail to address the technical control requirements that NIS2 mandates.
The Documentation Trap
Many organisations invest significant resources in comprehensive documentation that creates an illusion of compliance without implementing effective security controls. Common documentation-heavy approaches include:
- Detailed password policies that users routinely violate
- Access control procedures that lack technical enforcement mechanisms
- Incident response plans that assume capabilities not present in actual systems
- Training programs that address user behaviour without changing underlying system architecture
ENISA research indicates that 67% of organisations maintain cybersecurity policies rated as "comprehensive" or "very comprehensive," yet 43% of the same organisations experienced credential-related security incidents within the previous 24 months.
Technical Control Requirements
NIS2's emphasis on "appropriate and proportionate technical measures" requires automated security controls that operate independently of user behaviour or policy compliance. For credential management, technical controls must:
- Prevent unauthorised credential access regardless of user actions
- Automatically rotate credentials according to security policies
- Generate comprehensive audit logs without relying on user reporting
- Enforce access restrictions through system-level mechanisms
Active vs. Passive Security Models
The distinction between active and passive security models determines both effectiveness and regulatory compliance success under NIS2.
Passive Security Model Characteristics
Traditional credential management relies on passive security models that depend on user compliance and policy adherence:
- Users create, manage, and protect their own credentials
- Security policies provide guidance but lack enforcement mechanisms
- Monitoring systems detect credential misuse after incidents occur
- Access control depends on user discretion and policy knowledge
Active Security Model Requirements
NIS2 requires active security models where technical controls enforce security requirements automatically:
- Systems generate and manage credentials without user involvement
- Security controls prevent policy violations through technical restrictions
- Monitoring systems provide real-time visibility and automatic response
- Access control operates through systematic enforcement rather than user compliance
Demonstrable Control Evidence
Supervisory authorities under NIS2 require evidence of implemented security controls, not promises of future improvements or documented intentions.
Real-Time Operational Evidence
Compliance demonstrations must include real-time evidence of security controls in operation:
- Live system demonstrations showing credential protection mechanisms
- Real-time audit logs displaying credential lifecycle management
- Technical architecture documentation proving control implementation
- Operational metrics demonstrating security control effectiveness
Forensic and Historical Evidence
Post-incident analysis capabilities provide crucial evidence of credential control effectiveness:
- Complete audit trails showing credential usage over extended periods
- Evidence of unauthorised access prevention and detection
- Documentation of incident response capabilities and actual performance
- Historical analysis showing continuous improvement in security controls
Third-Party Validation
Independent validation of credential control systems provides additional compliance assurance:
- Technical security assessments by qualified cybersecurity firms
- Penetration testing results demonstrating credential protection effectiveness
- Compliance audits confirming regulatory requirement fulfilment
- Certification against recognised security frameworks and standards
This evidence-based approach ensures that compliance claims can withstand supervisory scrutiny and support both security objectives and regulatory requirements.
How MyCena Maps to Each Requirement
Addressing Article 21(2)(a) Technical Measures
MyCena's patented credential control architecture directly addresses NIS2's requirement for "appropriate and proportionate technical, operational and organisational measures" through systematic credential lifecycle management that eliminates user credential exposure.
State of the Art Security Implementation
The MyCena system implements zero-trust credential architecture that exceeds current "state of the art" requirements:
- Cryptographic Credential Protection: All credentials receive AES-256 encryption with keys never exposed to client systems or users. This approach eliminates the primary attack vectors identified in 81% of data breaches involving compromised credentials.
- Automated Credential Generation: The system generates cryptographically random credentials that exceed NIST recommendations for entropy and complexity. Human-created passwords cannot achieve comparable security levels.
- Real-Time Credential Control: Unlike traditional IAM systems that authenticate identity, MyCena controls access through dynamic credential injection that never exposes authentication materials to compromise.
Technical Architecture Compliance
MyCena's architecture satisfies Article 21(2)(a) through several specific mechanisms:
- Credential Isolation: Users never see, store, or handle authentication credentials, preventing social engineering, credential sharing, and accidental exposure
- Automated Rotation: Credentials rotate automatically according to configured policies, ensuring compliance with security best practices without relying on user actions
- Centralised Control: The organisation maintains complete control over credential generation, distribution, and revocation through centralised management interfaces
Fulfilling Article 21(2)(e) Access Control Requirements
The directive's access control provisions require "procedures for authentication and authorisation" that MyCena addresses through its fundamental architectural approach.
Authentication vs. Authorisation Separation
MyCena's design properly separates authentication (proving identity) from authorisation (granting access):
- Identity Verification: Users authenticate to the MyCena system using organisation-approved methods including multi-factor authentication
- Credential Injection: Upon successful identity verification, MyCena injects appropriate credentials directly into target systems without user visibility
- Granular Access Control: Access permissions are managed centrally with credentials automatically matched to authorised system access
Access Control Evidence Generation
The system generates comprehensive evidence required for supervisory inspection:
- Individual Accountability: Every credential use is attributed to a specific authenticated user, eliminating shared credential compliance problems
- **Access Audit