
NIS2 and IGA Force CISOs to New Governance in Access Rights Management

Bottom Line: NIS2 and IGA mandate structured Identity Governance as a compliance obligation, not as a technical option.

The NIS2 Directive and the Information Protection Act (IGA) elevate Identity Governance and Administration (IGA) to a strategic leadership task. CISOs must anchor access control and access rights management as core components of their cybersecurity architecture.

Both regulatory frameworks address access rights management as a direct vector for security risks: unintended or outdated access, uncontrolled admin accounts and missing audit trails for user assignments enable compliance violations and security incidents.

NIS2 explicitly requires critical infrastructure operators and Digital Service Providers to document, monitor and demonstrate access — including for historical audits. The Information Protection Act similarly targets transparency and traceability of all identity operations. Both require central, automated systems instead of manual ad-hoc administration.

For CISOs, this means that Identity Governance and Administration solutions are no longer just an IT Ops topic but a strategic compliance requirement. This includes automated access provisioning and deprovisioning (lifecycle management), continuous access reviews, role-based access control (RBAC) and comprehensive audit logs. Accountability lies at the executive level.


Source: news.google.com · Published June 30, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
