The point: Orphaned accounts in decentralized cloud services constitute a direct breach of NIS2 requirements and trigger personal liability for company executives.
Unregulated cloud services within the enterprise produce orphaned user accounts that exist outside central identity management. Under the NIS2 Directive, executives can be held personally liable when such access control gaps are identified.
The NIS2 Directive shifts cybersecurity responsibility to the executive level. Article 20 requires governing bodies of essential and important entities to approve risk management measures and oversee their implementation. This obligation is non-delegable – neither to the CIO nor to external service providers.
In practice, compliance gaps arise from decentralized cloud services, commonly called shadow IT. Business departments independently subscribe to SaaS platforms for project management, collaboration, or AI services. The user accounts created in the process are neither provisioned through nor federated with the central identity provider, so they stay invisible to the IT department. The critical moment is offboarding: the primary account in the central directory service is disabled or deleted, but accounts in unintegrated cloud applications remain active. These are the so-called orphaned accounts. They can persist unnoticed for years and give former employees or third parties access to internal data, project plans, or customer lists, because no deprovisioning workflow ever reached them.
The penalties for violations are substantial. For essential entities, serious non-compliance with NIS2 carries fines of up to ten million euros or two percent of global annual turnover, whichever is higher (important entities face up to seven million euros or 1.4 percent). Furthermore, the supervisory authority can temporarily bar persons with managerial responsibilities at CEO or legal-representative level from exercising those functions. Depending on how a member state transposes the directive, managers can also be held personally liable with their private assets for damages resulting from inadequate governance.
For CISOs and IT security teams, this creates a dual mandate. First, all decentralized cloud services must be identified and brought under a unified identity management system, so that offboarding in the central directory actually reaches every connected application. Second, control over all access paths must be rule-based and documented, so that an audit can be shown credible evidence that the risk management measures required by Article 20 are not only defined but implemented and monitored.
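The offboarding gap described above is detectable with a plain reconciliation: export the user list of each SaaS tenant and compare it against the central directory. The script below is an added illustration, not code from the article or from any vendor. The directory, the two tenants ("projecttool", "ai-assistant"), the corporate domain `example.com`, every address and timestamp, and the 90-day dormancy threshold are all constructed assumptions; in practice the two inputs would come from an HR feed or directory export and from each SaaS tenant's admin API or CSV export.

```python
"""Reconcile SaaS tenant user exports against the central directory.

Added illustration for the orphaned-account problem; not code from the
article. Every identity, tenant, date and threshold below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed: export of the central directory (AD / Entra ID / HR feed).
# active=False means the primary account was disabled at offboarding.
DIRECTORY = {
    "a.mueller@example.com": {"active": True, "left": None},
    "b.schmidt@example.com": {"active": False, "left": "2024-03-31"},
    "c.weber@example.com": {"active": True, "left": None},
}

# Constructed: user exports from two SaaS tenants that a business unit
# subscribed to without SSO or SCIM, so offboarding never reached them.
SAAS_USERS = {
    "projecttool": [
        {"email": "a.mueller@example.com", "role": "member", "last_login": "2025-05-10"},
        {"email": "b.schmidt@example.com", "role": "admin", "last_login": "2024-02-20"},
        {"email": "freelancer@gmail.com", "role": "member", "last_login": "2023-11-02"},
    ],
    "ai-assistant": [
        {"email": "C.Weber@Example.com", "role": "owner", "last_login": "2025-06-01"},
        {"email": "b.schmidt@example.com", "role": "member", "last_login": None},
    ],
}

CORPORATE_DOMAINS = {"example.com"}   # assumption: a single corporate mail domain
PRIVILEGED_ROLES = {"admin", "owner"}
AUDIT_DATE = date(2025, 6, 15)        # fixed so the run is reproducible
DORMANT_DAYS = 90                     # assumed inactivity threshold


@dataclass(frozen=True)
class Finding:
    service: str
    email: str
    role: str
    category: str   # orphaned | external | unknown | dormant
    detail: str


def classify(service, user, directory, corporate_domains, today, dormant_days):
    """Return a Finding for one SaaS account, or None if it is in order."""
    email = user["email"].strip().lower()          # tenants differ in casing
    domain = email.rsplit("@", 1)[-1]
    role = user["role"]
    if domain not in corporate_domains:
        return Finding(service, email, role, "external",
                       "non-corporate identity, never covered by offboarding")
    entry = directory.get(email)
    if entry is None:
        return Finding(service, email, role, "unknown",
                       "corporate address with no directory identity")
    if not entry["active"]:
        return Finding(service, email, role, "orphaned",
                       f"owner deprovisioned on {entry['left']}, SaaS account still active")
    last = user.get("last_login")
    if last is None or (today - date.fromisoformat(last)).days > dormant_days:
        return Finding(service, email, role, "dormant",
                       f"no login in {dormant_days} days")
    return None


def reconcile(saas_users, directory, corporate_domains, today, dormant_days=DORMANT_DAYS):
    """Flag every SaaS account that should not, or should no longer, exist."""
    findings = []
    for service, users in saas_users.items():
        for user in users:
            finding = classify(service, user, directory, corporate_domains, today, dormant_days)
            if finding is not None:
                findings.append(finding)
    # Privileged orphans first: an ex-employee who is still tenant admin is the worst case.
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES,
                                 f.category != "orphaned", f.service, f.email))
    return findings


def summarize(findings):
    """Per-category counts, the figure an auditor asks for first."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def run_audit():
    """Run the reconciliation over the constructed data at the fixed audit date."""
    return reconcile(SAAS_USERS, DIRECTORY, CORPORATE_DOMAINS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.category:9} {f.service:13} {f.email:26} {f.role:7} {f.detail}")
    print(summarize(run_audit()))
```

On the constructed data the run surfaces the offboarded user b.schmidt twice, once as a still-privileged admin in the project tool and once in the AI tool, plus an external address that no directory-driven deprovisioning could ever have reached; the active users are not reported. Stored with the audit date, the findings list and the per-category summary are the kind of recurring evidence that the access control measures are actually being monitored.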
Source: www.it-daily.net · Published 6 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.