In a nutshell: Automated identity governance enables companies to meet NIS2 requirements while significantly reducing license costs and audit overhead.
The NIS2 Directive requires around 30,000 German companies to systematically manage access rights. Manual processes create hidden costs – from the waste of orphaned licenses to elaborate audit preparations.
The hidden costs of manual access rights management are substantial. When employees change departments, projects are completed, or staff leave the company, access and licenses are often withdrawn with weeks or months of delay – or not at all. This creates so-called orphaned accounts – active accounts with no living owner. In medium to large companies, these account for between 20 and 30 percent of all user accounts. A company with 500 employees and average monthly license costs of 40 euros per person wastes around 4,000 euros per month or approximately 50,000 euros annually with 20 percent orphaned accounts.
Recertifications exacerbate the problem. According to Forrester Research studies, manual access reviews consume two to four hours per reviewer per cycle. For a company with 100 reviewers conducting quarterly certifications, this means 800 to 1,600 hours of work effort per year – excluding documentation and follow-up. At 80 euros per hour for specialists, this alone results in annual personnel costs of 64,000 to 128,000 euros. Add to this the error-proneness: manual processes lead to gaps and contradictory entries.
With NIS2, identity and access rights issues have gained regulatory priority. The directive, which came into force in Germany on December 7, 2025, affects approximately 30,000 companies in 18 critical infrastructure sectors. It requires measures for access control, identity and access management, and authentication – and mandates documented traceability: who accessed which systems on what grounds. The penalties are severe: essential entities risk fines of up to 10 million euros or 2 percent of global annual revenue.
A centralized IGA platform addresses both problems. It prevents the creation of orphaned accounts through automated deprovisioning logic, reduces recertification effort through automation, and creates comprehensive documentation for audits. Without a centralized platform, audit preparation is time-consuming: access rights information is scattered across Active Directory, ITSM systems, spreadsheets, and other documents. Based on practical experience, the effort to consolidate historical states, escalation paths, and exception rules is several person-weeks per audit cycle – with high risk of errors.
Source: www.it-daily.net · Published June 30, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.7.2.