Adnovum Blog

Keeping Up with Data Protection Regulations Thanks to IAM Solutions II

Written by Carmen Kirchdorfer | Jan 29, 2025 2:33:31 PM

As announced in our blog post «Keeping Up with Data Protection Regulations Thanks to IAM Solutions», where we showed how identity and access management (IAM) can help with FADP, GDPR, and DORA compliance, we are now covering two more important laws.

In this second part, we will take a closer look at the Electronic Identification, Authentication and Trust Services Regulation (eIDAS) and the Network and Information Security Directive (NIS2).  

Interested in knowing how IAM supports eIDAS and NIS2 compliance? And how you can further enhance compliance and thus cybersecurity with non-technical measures, including hands-on tips? Dive right in! 

eIDAS

A general overview

eIDAS aims to create more confidence in electronic interactions across borders and digital services by establishing a framework for digital identity and authentication. This regulation specifically targets electronic identification (e-ID) and trust service providers. Benefits of eIDAS include higher security, convenience, and the ability to conduct activities like submitting tax declarations, enrolling in foreign universities, and setting up businesses across borders. 

The key aspects of eIDAS are as follows:

  • Mutual recognition of e-IDs issued by EU countries that meet specific regulatory criteria, ensuring secure and acknowledged use across member states. 
  • Interoperability of national e-ID schemes with a technology-neutral framework to facilitate cooperation and data exchange.
  • Standardized trusted services like Electronic Registered Delivery Services (ERDS), electronic signatures, seals, and time-stamping to ensure secure, verifiable transactions.
  • Introduction of qualified trust services, which meet strict legal standards and operate across the EU, to support the digital economy by creating a unified market.
  • Guidelines and technical specifications set by the Commission to ensure harmonization and interoperability across EU e-ID systems.    

How does IAM help with eIDAS compliance?

By providing the necessary tools and controls to manage electronic identities, ensure secure transactions, and facilitate the use of trusted services, IAM systems can help support eIDAS compliance in various ways: 

How IAM helps with eIDAS

| Topic | eIDAS requirement | IAM benefit |
| --- | --- | --- |
| Electronic identification and mutual recognition | Meeting specific criteria for secure and acknowledged use across the EU | Integrates with national e-ID schemes and ensures high security through MFA and secure cross-border transactions |
| Interoperability of e-ID schemes | Ensuring interoperability of national e-ID schemes with a technology-neutral framework | Supports interoperability by integrating various e-ID protocols and adhering to technology-neutral frameworks |
| Trust services | Providing standardized trust services such as electronic signatures and seals to ensure secure transactions | Manages and verifies qualified electronic signatures, seals, etc., ensuring document integrity |
| Auditability and reporting | Proving compliance with data protection requirements | Allows organizations to track and verify who accessed personal data when, thanks to detailed logs |

  • Electronic identification and mutual recognition 
    IAM systems authenticate and manage electronic identities, integrating with national e-ID schemes to accept e-IDs across the EU. They ensure high security through multi-factor authentication (MFA) as well as secure cross-border transactions by supporting remote identity verification for remote signatures and electronic archiving. 
  • Interoperability of e-ID schemes 
    IAM facilitates the interoperability of national e-ID schemes by integrating various e-ID protocols and adhering to technology-neutral frameworks. This enables seamless data exchange and compliance with different e-ID implementations across the EU. 
  • Trust services 
    IAM manages and verifies qualified electronic signatures, seals, and certificates. This ensures document integrity and compliance with eIDAS standards. In addition, IAM integrates with Qualified Trust Service Providers (QTSPs) to offer legally recognized services such as electronic time stamps that prove the timing and authenticity of digital transactions. 
  • Auditability and reporting 
    IAM systems log all activities related to e-IDs, signatures, and seals, supporting the auditability requirement of eIDAS. Plus, they help organizations respond to security incidents, which strengthens digital operational resilience as required by the regulation. 

NIS2

A general overview 

NIS2, the modernized Network and Information Security Directive, aims to expand cybersecurity standards and fines to ultimately harmonize and improve the level of security in EU member states. Affected by NIS2 are all organizations that play a «critical role» in sustaining the European economy.

Essential vs. important entities

NIS2 expands beyond traditional critical infrastructure, establishing compliance across 18 sectors in the EU economy. Eleven are designated as «essential entities» with higher regulatory requirements than the seven «important entities», including oversight, penalties, and security measures. Compliance depends on company size, with different regulations applying to medium companies (50+ employees or EUR 10 mio.+ revenue) and large companies (250+ employees or EUR 50 mio.+ revenue). National laws can also add smaller companies to NIS2 if they hold significant public interest.   

How does NIS2 affect Swiss companies?

This directive is also relevant for Swiss companies because of its explicit inclusion of supply chains and partner companies. That means that relevant Swiss companies involved in the European economy also need to observe NIS2. 

What measures do companies need to take?

The main focus of NIS2 is to raise the level of cybersecurity within the EU. Organizations are now required to create an adequate security policy that describes their approach to securing their network and IT systems. This policy must be aligned with the goals of the company, define roles and responsibilities, and be regularly reviewed to ensure that it stays up to date with current developments in IT.

It is also necessary to implement a risk management framework that allows companies to carry out risk assessments and communicate security risks adequately to stakeholders. The organization’s risk management process must follow a cross-risk approach, be based on relevant criteria and be in line with common industry standards. 

NIS2 requires organizations and member states to be adequately prepared to handle cybersecurity incidents, for example by establishing a Computer Security Incident Response Team (CSIRT) and a competent national authority for network and information systems. All security incidents must be reported, logged, and communicated.

In addition to raising the level of cybersecurity within the EU, NIS2 aims to ensure business continuity and disaster recovery within the organizations it covers. Therefore, the directive specifically targets organizations playing a «critical role» in the European economy.

How does IAM help with NIS2 compliance?

An IAM system can be an integral part of a risk management framework: many of its features, such as access management, directly help in protecting organizations from security risks. 

How IAM helps with NIS2 compliance

| Topic | NIS2 requirement | IAM benefit |
| --- | --- | --- |
| Security policy | Describing the approach to securing network and IT systems, aligned with corporate goals and including responsibilities | Enforces the security policy by strictly managing access to network and IT systems |
| Risk management framework | Conducting risk assessments and communicating security risks to stakeholders | Protects network and IT systems by means of access control, MFA, and PAM |
| Cybersecurity incident response | Handling cybersecurity incidents, which must be reported, logged, and communicated | Provides real-time monitoring, audit logs, and incident tracking, allowing organizations to detect, report, and respond to incidents quickly |
| Business continuity | Being able to keep operations running and restore systems in case of a security incident | Automates and orchestrates backup and recovery tasks, e.g., enabling access revocation |

Key ways in which IAM supports compliance with NIS2 include:

  • Security policy 
    Once a security policy is in place, an IAM solution can help enforce it by strictly managing access (incl. to privileged accounts) to an organization’s network and IT systems. 
  • Risk management framework 
    One core component of the framework should be ICT risk management, i.e., the protection of information and communications technology. An IAM system enforces access control, MFA, and privileged access management (PAM), protecting from cyberattacks and digital disruptions.
  • Cybersecurity incident response 
    In addition to a dedicated in-house team and a national authority, an IAM system can support handling of cybersecurity incidents: it provides real-time monitoring, audit logs, and incident tracking, which enables an organization to detect, manage, report, and respond to incidents quickly.
  • Business continuity 
    In case of a security breach, an IAM system can automate and orchestrate backup and recovery tasks, e.g., quick access revocation.

Non-technical measures to ensure regulatory compliance

The regulations described above and in our previous blog are just some of the security requirements a company must meet. Depending on the core offering of a company, different, more specific regulations may apply.

As we have just seen, complying with cybersecurity laws can be a complex task due to constant changes. The key to success here is a structured approach to ensure security, accuracy, and alignment with legal standards. Organizations can achieve this by implementing a number of proven strategies:  

  • Keeping track of regulations applicable to your organization

    First of all, you need to know which regulations your organization is subject to. Start by identifying all relevant regulatory requirements based on your industry, geographic location, and business model. Maintaining a list of applicable regulations, regularly updating it, and assigning accountability within your organization ensures that you do not miss any changes.

    → Tip: Subscribe to compliance newsletters in your industry to stay informed about changes in laws and guidelines.  
  • Understanding internal processes and conducting internal audits 

    Make sure to have a solid understanding of how the processes in your company work. Conduct internal audits to identify weak points in your processes. Then fix them by establishing, documenting, and clearly communicating compliance policies and procedures to all relevant stakeholders. 

    → Tip: For comprehensive coverage, establish a cross-functional audit team consisting of IT, HR, legal, and compliance experts. 
  • Strengthening internal collaboration and communication 

    To ensure alignment with business needs and regulatory requirements, collaboration between IT, HR, legal, and operations is key. Regular training sessions help keep employees informed about compliance policies, reduce errors, and foster a culture of awareness. 

    → Tip: Make compliance training engaging and role-specific. Interactive sessions, scenario-based learning, and regular refreshers can increase retention and understanding.
  • Implementing an actively managed IAM system 

    An IAM system does not replace robust internal processes. However, it helps with automating numerous routine tasks, thus reducing human error and supporting internal governance. A partnership with an IAM service provider also allows you to seek advice from experts and rely on specialist knowledge. 

    → Tip: Choose an IAM solution that offers customizable compliance settings, and make sure it integrates with other systems in your organization for seamless data sharing and reporting.


All good, then? Almost.  

Companies can consider compliance as a «box-checking» exercise that satisfies auditors and provides a defense after an incident. However, the real value lies in using compliance as a pathway to robust security measures. Organizations that move beyond minimal standards and focus on strengthening their defenses are more resilient to cyberthreats.

An IAM system plays a crucial role in this effort by enhancing security beyond basic compliance. It is essential to building true security, reducing risks, supporting resilience, and meeting regulatory obligations – whether under FADP, GDPR, DORA, eIDAS, or NIS2.