If you work in IT at a Nordic company and haven't heard about NIS2 yet, buckle up. The EU's updated Network and Information Security Directive has been in force since January 2023, the transposition deadline passed in October 2024, and the national laws in Sweden, Denmark and Finland are landing now. Norway is outside the EU and is only bound once the directive is incorporated into the EEA Agreement, so its timeline lags the EU one, but Norwegian suppliers to EU customers get pulled in through supply chain requirements regardless. For a lot of mid-sized companies, this is the first time they're being held to serious cybersecurity requirements.
And a surprising chunk of those requirements comes down to one thing: knowing who has access to what, and being able to prove it.
Wait, what even is NIS2?
Quick background. The original NIS Directive from 2016 mostly targeted big infrastructure operators. Power companies, telecoms, that sort of thing. NIS2 massively expands the scope. It now covers "important" and "essential" entities across a wide range of sectors, including manufacturing, food production, waste management, postal services, and digital providers.
The size threshold is the EU "medium-sized enterprise" definition: at least 50 employees, or annual turnover and balance sheet above 10 million EUR. If your company is that size and operates in one of the covered sectors, you're likely in scope. A few entity types (DNS service providers, TLD registries, qualified trust service providers and public telecoms providers) are in scope regardless of size.
And even if you're technically below the threshold, your customers might start requiring NIS2-like practices as part of their supply chain security. So this isn't something you can just ignore.
What does NIS2 say about identity and access?
NIS2 doesn't hand you a specific technical checklist. It's more principle-based, which honestly makes it harder to implement because you have to figure out the "how" yourself.
But the directive and the national guidance documents are pretty clear on a few things:
Access control policies. You need documented policies for who gets access to what systems, based on their role and responsibilities. "Everyone is admin" is definitely not going to fly.
Principle of least privilege. Users should only have the access they need to do their job. Not more. This sounds obvious, but look at your Entra ID right now. How many people have access to things they haven't touched in six months?
Account lifecycle management. When someone joins, their access should match their role. When they leave, their access should be revoked promptly. When they change roles internally, their old permissions should be reviewed and adjusted.
Incident reporting and audit trails. If something goes wrong, you need to show what happened, who had access, and what you did about it. That requires logging: sign-in logs, directory audit logs, and a record of every access change, retained long enough to cover an investigation rather than the 30 days a default tenant keeps.
Regular access reviews. You can't just set up access once and forget about it. NIS2 expects periodic reviews to make sure current access levels are still appropriate.
Why this hits Nordic mid-market companies hard
Here's the thing. Large enterprises have been doing this stuff for years. They have dedicated IAM teams, expensive governance platforms, and consultants on speed dial.
Companies with 50 to 500 employees? They're usually managing access in Entra ID with a combination of manual processes, informal knowledge, and maybe a spreadsheet or two. The IT team is small, probably two to five people, and they're already handling everything from laptop repairs to cloud infrastructure.
Now they need to:
- Document access policies
- Implement least privilege
- Automate account provisioning and deprovisioning
- Run regular access reviews
- Maintain audit logs
- Report significant incidents on the directive's clock: an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within a month
That's a massive lift for a small team. And the traditional approach of buying an enterprise IGA platform like SailPoint or Saviynt? That's going to cost hundreds of thousands and take six to twelve months to implement. For a 200-person company, that makes zero sense.
What you actually need to do
Let's break it down into practical steps.
First, figure out if you're in scope. Check your country's NIS2 transposition. In Sweden it is a new cybersecurity act that replaces the 2018 NIS law, and MSB (Myndigheten för samhällsskydd och beredskap) publishes guidance on its website. Denmark has its national implementation through the Danish Authority for IT Security. Finland's is the Cybersecurity Act, supervised mainly by Traficom.
Second, do an access inventory. Before you can govern access, you need to know what access exists. Pull a report from Entra ID (Microsoft Graph PowerShell or a portal export) of all users, including guests and service accounts, with their group memberships, app role assignments, directory roles and last sign-in date. This is your baseline, and every later review is a diff against it.
Third, define roles and access levels. What does someone in the finance team actually need access to? What about a developer? A project manager? Write it down. It doesn't have to be perfect on day one, but it needs to exist.
Fourth, automate provisioning and deprovisioning. This is the highest-impact change you can make. When someone joins, they get the right access automatically, driven by their role. When they leave, it gets revoked automatically. Disabling the account is not enough on its own: group memberships, directory roles and app assignments should go too, or the entitlements sit there waiting for the account to be re-enabled. No gaps, no delays, no "we forgot about the Azure subscription."
Fifth, set up regular access reviews. Quarterly is a good starting point. Have managers review their team members' access and confirm it's still appropriate, and record each decision. This catches permission creep before it becomes a problem.
Sixth, build your audit trail. Every access change should be logged. Who requested it, who approved it, when it happened. This is what you'll hand to an auditor (or a regulator) when they come asking.
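What steps two through six look like in practice, as an added example that is not part of the original post and not Adcyma's code. It runs offline over a constructed export whose user objects are shaped like Microsoft Graph `/users` responses (`accountEnabled`, `signInActivity.lastSignInDateTime`) with group names and directory roles folded in by whoever exported them; the role model, the 180-day dormancy window and all names are hypothetical.

```python
"""Added example: offline access review over a constructed Entra ID-style export.
The export shape and ROLE_MODEL are assumptions, not Graph's or any product's format."""
from datetime import datetime, timedelta, timezone
import json

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed so the sample is deterministic
DORMANT_AFTER = timedelta(days=180)               # "haven't touched in six months"

# Constructed sample export, not real data. Björn holds a Global Administrator role and
# a finance group; Dan has left; svc-backup has never signed in interactively.
EXPORT = json.loads("""[
 {"userPrincipalName":"anna@example.com","accountEnabled":true,"department":"Finance",
  "signInActivity":{"lastSignInDateTime":"2025-02-27T08:10:00Z"},
  "memberOf":["Finance-Users","ERP-Readers"],"roles":[]},
 {"userPrincipalName":"bjorn@example.com","accountEnabled":true,"department":"Engineering",
  "signInActivity":{"lastSignInDateTime":"2025-02-28T17:42:00Z"},
  "memberOf":["Eng-Users","Azure-Prod-Contributors","ERP-Readers"],"roles":["Global Administrator"]},
 {"userPrincipalName":"carla@example.com","accountEnabled":true,"department":"Finance",
  "signInActivity":{"lastSignInDateTime":"2024-07-15T09:00:00Z"},
  "memberOf":["Finance-Users","ERP-Readers"],"roles":[]},
 {"userPrincipalName":"dan@example.com","accountEnabled":false,"department":"Engineering",
  "signInActivity":{"lastSignInDateTime":"2024-11-20T12:00:00Z"},
  "memberOf":["Eng-Users","Azure-Prod-Contributors"],"roles":["User Administrator"]},
 {"userPrincipalName":"svc-backup@example.com","accountEnabled":true,"department":"IT",
  "signInActivity":{},"memberOf":["Backup-Operators"],"roles":[]}
]""")

# Step three, invented role model: what each department is entitled to and nothing more.
ROLE_MODEL = {
    "Finance":     {"groups": {"Finance-Users", "ERP-Readers"}, "roles": set()},
    "Engineering": {"groups": {"Eng-Users", "Azure-Prod-Contributors"}, "roles": set()},
    "IT":          {"groups": {"Backup-Operators"}, "roles": {"User Administrator"}},
}
PRIVILEGED_ROLES = {"Global Administrator", "User Administrator", "Privileged Role Administrator"}


def last_sign_in(user):
    """Parse Graph's lastSignInDateTime; None when the account has never signed in."""
    ts = user.get("signInActivity", {}).get("lastSignInDateTime")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def review_findings(export, now=NOW):
    """Steps two and three: baseline every account, then flag what a quarterly
    reviewer should decide on. Returns {upn: [finding, ...]} for accounts with findings."""
    findings = {}
    for u in export:
        upn, out = u["userPrincipalName"], []
        groups, roles = set(u.get("memberOf", [])), set(u.get("roles", []))
        seen = last_sign_in(u)
        if not u["accountEnabled"]:
            # Lifecycle gap: disabling blocks sign-in but leaves every entitlement in place.
            if groups or roles:
                out.append(f"disabled account still holds {len(groups)} groups, {len(roles)} roles")
        elif seen is None or now - seen > DORMANT_AFTER:
            out.append("dormant: no sign-in in 180 days" if seen else "dormant: never signed in")
        model = ROLE_MODEL.get(u.get("department"), {"groups": set(), "roles": set()})
        for g in sorted(groups - model["groups"]):
            out.append(f"group outside role model: {g}")
        for r in sorted(roles - model["roles"]):
            out.append(f"directory role outside role model: {r}")
        for r in sorted(roles & PRIVILEGED_ROLES):
            out.append(f"privileged role, confirm still needed: {r}")
        if out:
            findings[upn] = out
    return findings


def deprovision_leavers(export):
    """Step four, the deprovisioning half: a leaver keeps nothing but a disabled account.
    Returns a new snapshot; the caller logs the diff before applying it to the tenant."""
    return [dict(u, memberOf=[], roles=[]) if not u["accountEnabled"] else dict(u) for u in export]


def diff_snapshots(before, after):
    """Step six: turn two inventory snapshots into an access-change log.
    Each record is (upn, kind, item, change) with change in {"granted", "revoked"}."""
    def index(snap):
        return {u["userPrincipalName"]: (set(u.get("memberOf", [])), set(u.get("roles", [])))
                for u in snap}
    old, new = index(before), index(after)
    log = []
    for upn in sorted(old.keys() | new.keys()):
        og, orl = old.get(upn, (set(), set()))
        ng, nr = new.get(upn, (set(), set()))
        log += [(upn, "group", g, "granted") for g in sorted(ng - og)]
        log += [(upn, "group", g, "revoked") for g in sorted(og - ng)]
        log += [(upn, "role", r, "granted") for r in sorted(nr - orl)]
        log += [(upn, "role", r, "revoked") for r in sorted(orl - nr)]
    return log


if __name__ == "__main__":
    for upn, items in review_findings(EXPORT).items():
        for item in items:
            print(f"{upn}: {item}")
    print("--- change log after deprovisioning leavers ---")
    for rec in diff_snapshots(EXPORT, deprovision_leavers(EXPORT)):
        print(rec)
```

The review output is the worksheet a manager signs off on; the change log from `diff_snapshots` is the kind of record step six asks for, and in a real tenant you would write it alongside the Entra directory audit log, which records who made each change but not whether the role model allowed it. Note that `signInActivity` only reports sign-ins the tenant has seen, so a service account authenticating with a client secret can look dormant while being used daily; treat that finding as "confirm", not "revoke".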
The timeline is tighter than you think
The directive is already live at the EU level, and the deadline for member states to transpose it was 17 October 2024. Some countries are further along than others, but the direction is clear: enforcement is coming, and companies that aren't prepared will face consequences.
We're not talking theoretical fines here. NIS2 sets maximum penalties of 10 million EUR or 2% of global annual turnover, whichever is higher, for essential entities, and 7 million EUR or 1.4% for important entities. And management bodies can be held personally liable for failing to approve and oversee the risk management measures. That last part tends to get executive attention pretty quickly.
You don't need an enterprise solution to be compliant
The good news? NIS2 doesn't require you to buy a half-million-euro governance platform. It requires you to have effective access controls, proper lifecycle management, and auditable processes.
For companies running on Microsoft 365 and Entra ID, you can get most of the way there with the right tooling. You need something that automates the boring, repetitive, error-prone parts of identity management and gives you the audit logs that regulators want to see.
That's exactly what we built Adcyma to do. Not a massive enterprise platform, but a focused tool that handles provisioning, deprovisioning, access reviews, and compliance reporting for companies that use Entra ID.
If this sounds like your situation, Adcyma is free for up to 25 users. For larger teams, you can start a free 14-day trial. No credit card, no consultants.