Will EU regulations take IAM to the next level?


The EU has introduced numerous regulations, such as NIS2, the Cybersecurity Act, and DORA, related to cybersecurity and cyber resilience. But how do these often complex and difficult-to-interpret regulations affect practical, technical work, especially when viewed through the lens of Identity and Access Management (IAM), which has traditionally been delivered from the darkest corners of the data center and regarded primarily as an IT concern?
The first question any organization should ask at this point is: "What are we trying to achieve?"
The answer can vary, perhaps to enhance security posture, address audit findings, or align with general or industry-specific regulations.
For IAM professionals, the answer is clear: Let’s do it right. Good practices already exist and should be followed. For example, the NIS2 regulation places IAM at the heart of the information security landscape. NIS2 addresses fundamental principles of cyber hygiene, core practices that are everyday work for information security professionals.
Well-planned and well-executed information security functions will cover most regulatory compliance requirements. However, meeting compliance requirements does not automatically equate to robust information security.
Still, three key changes are likely on the horizon:
- Proper technical implementation is no longer enough. Organizations must implement strong governance around IAM controls and be able to demonstrate evidence of compliance.
- Increased collaboration across security domains. Regulations demand tighter integration between various security and IT functions, including IAM, SIEM, change management, incident management, and risk management.
- A cultural shift at the organizational level. External regulatory pressure is bringing cybersecurity into the spotlight at the management level. Under the NIS2 Directive, sanctions are not limited to corporate fines. Individuals may now face personal consequences for non-compliance.
In practice, information security will become a more integral part of daily operations. Stakeholders across the business and IT must be able to understand and communicate the impacts and requirements. Even within IT, teams must align and work collaboratively toward a shared security objective. Most importantly, organizations must be able to prove compliance.
In our upcoming blogs, we’ll dive deeper into IAM-specific topics such as risk management, identity protection, and practical measures for incorporating IAM into your organization’s overall security posture.
Author:
Tero Pasanen, Senior IAM Architect, Epical
Build Digital Trust with Epical
If you don’t want to wait for the next blog, feel free to contact Epical's IAM experts. We specialize in helping organizations strengthen their digital trust through a full range of services, including IAM platforms, secure access control solutions, and Identity Governance and Administration (IGA).