The master NIS2 compliance checklist for access control — clause-by-evidence mapping, recertification cadences, ISO 27001 crosswalk, and 90-day quick-start for GRC teams.
Purpose: the single reference that ties every access-control and lifecycle control back to the NIS2 article, the CIR (EU) 2024/2690 Annex clause, the evidence an auditor will request, and the owner accountable for it. This is the page GRC lives in.
TL;DR (📋 GRC): NIS2 access-control findings are rarely "you don't have the control." They are "you can't show it operates." Each control below pairs a requirement with the artifact that proves it. Build a control register from this matrix, assign owners, set review cadences, and keep the evidence current. If you run ISO/IEC 27001, you are most of the way there; section 4 maps the overlap.
See also SOC 2 access reviews and KINT pricing for tooling that produces the access-review evidence this checklist requires.
1. Master mapping matrix
Audience key: 👔 Leadership · 📋 GRC · 🔧 Engineering. Cadence = recommended review frequency (tune to risk; not a fixed legal figure unless stated).
| # | Control area | NIS2 Article | CIR 2024/2690 Annex | Core requirement | Evidence artifacts | Owner | Cadence | Guide page |
|---|---|---|---|---|---|---|---|---|
| G1 | Governance & management approval | Art. 20(1) | 1.1, 1.2 | Management body approves & oversees measures; can be liable; named reporting line | Signed approval record + date; org chart with security reporting line; management-review minutes | 👔 Board / CISO | Annual + on major change | 01 |
| G2 | Management & staff training | Art. 20(2) | 8.1, 8.2 | Board training; staff awareness & role-specific training | Training records, dates, content, attendance | 👔/📋 CISO + HR | Annual | 01 |
| AC1 | Access control policy | 21(2)(i) | 11.1 | Documented topic-specific policy for access by persons & systems; approved & reviewed | Approved policy; approval date; last-review date | 📋 CISO | Annual + on change | 02 |
| AC2 | Management of access rights | 21(2)(i) | 11.2 | Grant/modify/review/revoke on least privilege & business need | Entitlement model export; request→approval→justification records; revocation logs | 🔧 IAM + app owners | Continuous; review per AC8 | 02 |
| AC3 | Least privilege & need-to-know | 21(2)(i) | 11.1, 11.2 | Minimum access, scoped to classification | Role definitions; baseline vs. requested access; CIEM right-sizing reports | 🔧 IAM | Quarterly (priv.) / annual | 02 |
| AC4 | Segregation of duties | 21(2)(i) | 1.2, 11.2 | Conflicting duties separated; toxic combos prevented/detected | SoD conflict matrix; enforcement/violation reports | 📋/🔧 IAM + risk | Semi-annual | 02 |
| AC5 | Remote / third-party / network access | 21(2)(i) | 11.1, 11.2, 6.8 | Need-based, time-boxed, MFA-protected; supplier access authorised & time-bound | VPN/ZTNA config; supplier access authorisations with expiry; segmentation design | 🔧 Network + IAM | Quarterly (3rd-party) | 02 |
| LC1 | HR security — background verification | 21(2)(i) | 10.1 | Role-proportionate screening before sensitive access; GDPR-lawful | Screening records (redacted); access-gate evidence | 📋 HR + security | Per hire / role change | 03 |
| LC2 | HR security — terms & conditions | 21(2)(i) | 10.2 | Security duties in employment/contractor terms | Signed acknowledgements; contract clauses | 📋 HR | Per hire | 03 |
| LC3 | HR security — disciplinary process | 21(2)(i) | 10.3 | Documented, communicated process for policy violations | Disciplinary procedure; communication evidence | 📋 HR | Annual review | 03 |
| LC4 | HR security — termination/role change | 21(2)(i) | 10.4 | Security responsibilities on exit/change; surviving obligations | Leaver/mover checklist; confidentiality terms | 📋 HR + IAM | Per event | 03 |
| LC5 | Joiner / Mover / Leaver provisioning | 21(2)(i) | 11.2 (+10.x) | HR-driven, event-based provisioning & timely deprovisioning | Sample JML cases w/ timestamps; time-to-deprovision metric | 🔧 IAM | Continuous | 03 |
| LC6 | Return / deletion of assets on exit | 21(2)(i) | 12.5 | Recover or securely delete assets, devices, credentials, media on termination | Asset-return records; wipe/retire confirmations | 📋/🔧 IT asset + IAM | Per leaver | 03 |
| LC7 | Access reviews / recertification | 21(2)(i) | 11.2 | Periodic review with explicit approve/revoke; revocations actioned | Review campaigns; decisions; resulting revocations | 📋 IAM + owners | See §2 | 03 |
| AU1 | Identification (unique identity) | 21(2)(j) | 11.5 | Unique identity per actor incl. non-human; no shared accounts | Shared-account exception register; identity inventory | 🔧 IAM | Annual | 04 |
| AU2 | Authentication & credential policy | 21(2)(j) | 11.6 | Risk-proportionate auth; secure credential mgmt; password policy | Auth/password policy; SSO config; token-invalidation capability | 🔧 IAM | Annual | 04 |
| AU3 | Multi-factor / continuous authentication | 21(2)(j) | 11.7 | MFA (ideally phishing-resistant) for remote, sensitive & privileged; adaptive where appropriate | MFA coverage report (admins/remote = 100%); factor types; conditional-access policies; exception register | 🔧 IAM | Quarterly coverage check | 04 |
| AU4 | Secured communications | 21(2)(j) | No dedicated clause (requirement sits in Art. 21(2)(j) itself); supports 4.3 crisis management | Encrypted internal & emergency/crisis comms | Crisis-comms plan; out-of-band channel test records | 🔧 IT + BCM | Annual test | 04 |
| PA1 | Privileged & system-admin accounts | 21(2)(i)/(j) | 11.3 | Separate admin identities; JIT; no standing priv.; vaulted creds; break-glass | Privileged account inventory; PIM/JIT config; vault logs; break-glass records | 🔧 Platform + security | Quarterly | 05 |
| PA2 | Administration systems | 21(2)(i) | 11.4 | Hardened, dedicated admin systems (PAW/bastion); brokered admin paths; tiering | PAW standard; bastion/jump-host config; tiering model | 🔧 Platform | Annual + on change | 05 |
| PA3 | Privileged activity logging | 21(2)(b) | 3.2 | Log auth events, all privileged access & admin activity; tamper-resistant | Log samples; immutability/retention config; alerting rules | 🔧 SecOps | Continuous | 05 |
| AM1 | Asset classification (enables need-to-know) | 21(2)(i) | 12.1 | Classify assets by sensitivity/risk to drive access decisions | Classification scheme; classified asset register | 📋 Asset owners | Annual | 03 |
Clauses outside this guide's scope (e.g., 12.2–12.4 handling/removable-media/inventory, section 13 physical access) still interact with access control; include them in your full NIS2 control register.
2. Recertification & review cadence (recommended baseline) 📋 🔧
The CIR requires review "at planned intervals and after significant incidents or changes." It does not fix exact frequencies — these are risk-based recommendations:
| Item | Recommended cadence | Trigger-based review |
|---|---|---|
| Access control & related policies | Annual | After significant incident or major change |
| Privileged / admin access | Quarterly (or continuous via JIT) | On role change/exit (immediate revoke) |
| High-classification / critical-system access | Quarterly–semi-annual | On classification change |
| Standard application/role access | Annual | On mover events |
| Non-human / service accounts | Quarterly | On owner change |
| Third-party / external access | Quarterly + expiry enforcement | On contract end |
| MFA coverage & exceptions | Quarterly | After any bypass grant |
| Management approval & review of measures | Annual | After significant incident/change |
3. Evidence checklist (print and tick) 📋
Governance
- Management-body approval record of the access-control & identity measures (with date)
- Security reporting line to the management body documented
- Board + staff training records
- Management review minutes (annual + post-incident)
Policy & access control
- Approved access control policy (11.1) — covers persons and systems; review date current
- Entitlement/role model export (11.2)
- SoD matrix + enforcement evidence
- Remote/third-party access authorisations with expiry
- Non-human account inventory with owners
Lifecycle & HR security
- JML procedure + HR-security policy (10.1–10.4)
- Background-check records (proportionate, GDPR-lawful)
- Sample joiner / mover / leaver end-to-end with timestamps
- Time-to-deprovision metric for leavers
- Access review campaign records with explicit approve/revoke decisions
- Asset return/deletion records on termination (12.5)
- Orphan/local-account reconciliation results
Authentication
- Authentication/password policy (11.6)
- MFA coverage report (11.7) — admins & remote = 100%; factor types; phishing-resistant for high-value
- MFA exception register (ideally empty) with justification & expiry
- Adaptive/conditional-access configuration
- Unique-identity evidence / shared-account exception register (11.5)
- Secured crisis-communications evidence
Privileged access
- Privileged account inventory (human + non-human)
- Separate admin identities evidence
- JIT/PIM config; standing-vs-JIT report
- Vault usage (check-out, rotation, no embedded secrets)
- Break-glass procedure + use/review records
- PAW / bastion standards & config (11.4)
- Privileged session logs with integrity & retention (3.2)
4. ISO/IEC 27001 & 27002 cross-reference 📋
CIR 2024/2690 was drafted to align with European and international standards, so it maps cleanly onto ISO/IEC 27001:2022 (and the 27002:2022 controls). If you hold ISO 27001, reuse the evidence — but note NIS2 adds obligations ISO does not (e.g., management-body liability, regulator reporting). ISO certification is supporting evidence, not automatic NIS2 compliance.
| This guide / CIR | ISO/IEC 27002:2022 controls (indicative) |
|---|---|
| Access control policy (11.1) | 5.15 Access control |
| Management of access rights (11.2) | 5.18 Access rights · 8.2 Privileged access rights |
| Identity lifecycle / JML | 5.16 Identity management |
| HR security (10.1–10.4) | 6.1 Screening · 6.2 Terms & conditions · 6.4 Disciplinary process · 6.5 Responsibilities after termination/change |
| Identification (11.5) | 5.16 Identity management |
| Authentication (11.6) | 5.17 Authentication information · 8.5 Secure authentication |
| MFA / continuous auth (11.7) | 8.5 Secure authentication |
| Privileged accounts & admin systems (11.3, 11.4) | 8.2 Privileged access rights · 8.18 Use of privileged utility programs |
| Privileged logging (3.2) | 8.15 Logging · 8.16 Monitoring activities |
| Asset classification / return (12.1, 12.5) | 5.9 Inventory · 5.10 Acceptable use · 5.11 Return of assets · 5.12 Classification |
Indicative mapping for reuse of evidence; confirm against your Statement of Applicability.
5. Preparing for a competent-authority audit 📋 👔
- Stand up a control register from the matrix in §1: control → owner → evidence location → last review → status.
- Name owners for every row; gaps without owners are the first thing that slips.
- Run a self-assessment / gap analysis against the CIR Annex clauses; for each gap, log a corrective action with a date — Art. 21(4) expects remediation "without undue delay," so an open, tracked plan is far better than an unacknowledged gap.
- Pull a live evidence sample before the audit: pick 3–5 recent joiners/movers/leavers and trace them end-to-end; export current MFA coverage; export the latest access review with its revocations. If those three are clean, most of access control is demonstrably working.
- Rehearse the narrative for leadership (Art. 20): who approved the measures, when, how the board oversees them, what training they completed.
- Keep dates fresh. Most findings are stale: policies past review date, reviews not run, exception registers not cleared. A quarterly "evidence freshness" check prevents this.
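The "live evidence sample" above is three concrete checks, and each can be produced from plain exports rather than by hand. The script below is an added example (not KINT code and not part of the original page) that runs those checks over constructed sample data: an HR leaver feed, an identity-provider account export, and a local-account export from one application outside SSO. The 24-hour deprovisioning SLA and the set of factor types treated as phishing-resistant are assumptions, not figures from the CIR; set them to your own policy. It computes time-to-deprovision per leaver, MFA coverage for admin and remote-access accounts with the exception list an auditor will ask for, and the orphan accounts a reconciliation should surface.

```python
"""Evidence-sample checks for an access-control audit.

All records below are constructed sample data, not real exports.
Assumptions (not CIR figures): 24 h deprovisioning SLA; FIDO2/passkey/smartcard
count as phishing-resistant factors.
"""
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)                 # assumed internal SLA
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}  # assumed factor set

# Constructed HR leaver feed: who left and when.
HR_LEAVERS = [
    {"employee_id": "E100", "email": "ana@example.com",  "terminated_at": "2025-03-03T17:00:00Z"},
    {"employee_id": "E101", "email": "ben@example.com",  "terminated_at": "2025-03-04T09:00:00Z"},
    {"employee_id": "E102", "email": "cara@example.com", "terminated_at": "2025-03-05T12:00:00Z"},
]

# Constructed identity-provider export. svc-ci is a non-human account; it is
# deliberately outside the admin/remote MFA scope but still needs an owner.
IDP_ACCOUNTS = [
    {"email": "ana@example.com",    "status": "disabled", "disabled_at": "2025-03-03T19:30:00Z", "admin": False, "remote": True,  "factors": ["totp"]},
    {"email": "ben@example.com",    "status": "disabled", "disabled_at": "2025-03-07T08:00:00Z", "admin": True,  "remote": True,  "factors": ["fido2"]},
    {"email": "cara@example.com",   "status": "active",   "disabled_at": None,                   "admin": False, "remote": True,  "factors": []},
    {"email": "dan@example.com",    "status": "active",   "disabled_at": None,                   "admin": True,  "remote": True,  "factors": ["fido2"]},
    {"email": "eve@example.com",    "status": "active",   "disabled_at": None,                   "admin": True,  "remote": False, "factors": ["sms"]},
    {"email": "svc-ci@example.com", "status": "active",   "disabled_at": None,                   "admin": False, "remote": False, "factors": []},
]

# Constructed local-account export from one application that is not behind SSO.
APP_LOCAL_ACCOUNTS = [
    {"username": "dan@example.com"},
    {"username": "ana@example.com"},   # leaver, still present in the app
    {"username": "legacy-admin"},      # no identity behind it at all
]


def _ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_to_deprovision(leavers, accounts):
    """One row per leaver: hours from HR termination to IdP disable, and SLA status.

    A leaver whose account is still active gets hours=None and within_sla=False,
    which is the finding an auditor cares about most.
    """
    by_email = {a["email"]: a for a in accounts}
    rows = []
    for leaver in leavers:
        acct = by_email.get(leaver["email"])
        if acct is None or acct["status"] != "disabled":
            rows.append({"email": leaver["email"], "hours": None, "within_sla": False, "note": "still active"})
            continue
        delta = _ts(acct["disabled_at"]) - _ts(leaver["terminated_at"])
        rows.append({"email": leaver["email"], "hours": delta.total_seconds() / 3600,
                     "within_sla": delta <= DEPROVISION_SLA, "note": "disabled"})
    return rows


def mfa_coverage(accounts, scope):
    """MFA coverage for active accounts in scope ('admin' or 'remote').

    Returns the coverage percentage, accounts with no factor at all (the
    exception register), and accounts whose only factors are not phishing-resistant.
    Disabled accounts are excluded so stale leavers do not distort the figure.
    """
    in_scope = [a for a in accounts if a["status"] == "active" and a[scope]]
    with_mfa = [a for a in in_scope if a["factors"]]
    no_mfa = [a["email"] for a in in_scope if not a["factors"]]
    weak = [a["email"] for a in with_mfa if not set(a["factors"]) & PHISHING_RESISTANT]
    pct = 100.0 * len(with_mfa) / len(in_scope) if in_scope else 100.0
    return {"scope": scope, "in_scope": len(in_scope), "coverage_pct": pct,
            "no_mfa": no_mfa, "not_phishing_resistant": weak}


def orphan_accounts(app_accounts, accounts):
    """App-local accounts with no active identity behind them (leavers or unowned logins)."""
    active = {a["email"] for a in accounts if a["status"] == "active"}
    return [a["username"] for a in app_accounts if a["username"] not in active]


if __name__ == "__main__":
    for row in time_to_deprovision(HR_LEAVERS, IDP_ACCOUNTS):
        print("leaver", row)
    for scope in ("admin", "remote"):
        print("mfa", mfa_coverage(IDP_ACCOUNTS, scope))
    print("orphans", orphan_accounts(APP_LOCAL_ACCOUNTS, IDP_ACCOUNTS))
```

On the sample data the script finds one leaver disabled 71 hours after termination, one not disabled at all, an admin whose only factor is SMS, a remote user with no MFA, and two orphan logins in the app outside SSO. Each of those is exactly the kind of finding section 3 asks you to have evidence for; run the same checks against real exports quarterly and keep the output with its date as the evidence record.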
6. 90-day quick-start (if you're behind) 🔧 📋
| Days | Focus | Outcome |
|---|---|---|
| 0–30 | MFA everywhere for admins + remote (phishing-resistant); inventory privileged accounts; confirm leaver deprovisioning works | Close the highest-risk, most-checked gaps |
| 30–60 | Approve/refresh access control & HR-security policies (get management sign-off); stand up the control register; define roles/SoD | Documentation + governance evidence exists |
| 60–90 | Run first access-review campaign (priv. + critical systems); implement JIT for admins; start orphan/local-account reconciliation | Operating evidence + least-privilege progress |
Sources
- NIS2 Directive (EU) 2022/2555 — EUR-Lex · Art. 20 · Art. 21
- Commission Implementing Regulation (EU) 2024/2690 — EUR-Lex
- ISO/IEC 27001:2022 & 27002:2022 (control cross-reference)
FAQ
What evidence does a NIS2 auditor typically request for access control? The core evidence set covers: (1) the signed access control policy with management-approval date, (2) the role/entitlement model export, (3) sample joiner/mover/leaver cases end-to-end with timestamps, (4) the MFA coverage report showing 100% for admins and remote access, (5) the latest access-review campaign with explicit approve/revoke decisions and resulting actions, and (6) privileged account inventory with JIT configuration and break-glass records. Stale dates — policies past review, reviews not run, exception registers not cleared — are the most common finding.
Does ISO 27001 certification satisfy NIS2? ISO 27001 certification is supporting evidence, not automatic NIS2 compliance. The CIR aligns closely with ISO/IEC 27002:2022, so existing ISO evidence can often be reused. However, NIS2 adds obligations that ISO does not: the management-body approval and liability requirement (Art. 20), the specific incident-reporting obligations, and the competent-authority supervision regime. Confirm gaps with your legal and compliance function.
What is the recommended NIS2 access review cadence? The CIR requires periodic review but does not fix specific frequencies. A risk-based baseline: quarterly for privileged and admin accounts and non-human/service accounts; quarterly to semi-annually for high-classification or critical-system access; annually for standard application access; quarterly with expiry enforcement for third-party access. Every review must produce explicit approve/revoke decisions and a retained record.
How should we prioritise NIS2 access control remediation? The 90-day quick-start in section 6 reflects auditor priorities. Days 0–30: close the highest-risk gaps — MFA for all admins and remote access (phishing-resistant), privileged account inventory, and confirmation that leaver deprovisioning works end-to-end. Days 30–60: get documentation and governance in place — approved policies, control register with named owners, SoD definition. Days 60–90: generate operating evidence — first access-review campaign, JIT for admins, orphan reconciliation.
Does NIS2 require a formal control register? The directive and CIR do not use the term "control register" but the audit-readiness requirements in practice demand one: each measure needs an owner, a current evidence location, a last-review date, and a status. Without a register, gaps without owners slip through, evidence goes stale, and a competent-authority audit surfaces everything at once. CIR 1.1 requires the security policy to be reviewed at planned intervals; a register is how you track that for every control.
Is NIS2 enforceable yet in all EU member states? No. NIS2 had a transposition deadline of 17 October 2024, but national enforcement dates are staggered. Germany brought national law into force on 17 March 2026; the Netherlands expects national law around Q2 2026; Czech Republic from 1 November 2025; Austria from 1 October 2026. Many member states were late through 2025. There is no single EU-wide enforcement date; check the specific national statute for each country where you operate.
How KINT helps: KINT automates the joiner, mover, and leaver access lifecycle across your SaaS apps and produces signed, timestamped access-review evidence mapped to SOC 2 CC6 — the kind of evidence NIS2 Article 21 expects you to be able to show. It is early-stage and self-serve, and runs without an identity provider. See how KINT handles the lifecycle, review SOC 2 access reviews, check pricing, or book a 15-minute walkthrough.
Gowtham Palanisamy
Founder of Kingsley Integrators, building KINT in public. Writes about identity lifecycle, SaaS access, and audit evidence.