IAM Maturity Assessment for NIS2
NIS2 (Directive (EU) 2022/2555) sets cybersecurity risk management duties for essential and important entities across EU member states. Article 21(2) explicitly lists access control policies and multi-factor authentication among the measures entities are expected to adopt, alongside governance and accountability obligations.
- Maturity threshold
- 2.0 / 4.0
- Mapped questions
- 10
- IAM domains
- 3
- Assessment scope
- All scopes
What NIS2 Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to NIS2 citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Multi-factor and phishing-resistant authentication, single sign-on coverage, device trust, and hardened account recovery
- Governance and accountability for identity: data ownership, executive risk visibility, policy enforcement, and a defined operating model
- Ongoing identity posture and attack-surface management
AXIS Questions Mapped to NIS2
10 of the 37 questions in the AXIS bank carry NIS2 citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | NIS2 references |
|---|---|---|---|
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | NIS2 Art. 21(2) |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | NIS2 Art. 21(2) |
| AUTH-03 | Auth/SSO | Device Trust & Zero Trust Enforcement | NIS2 Art. 21(2) |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | NIS2 Art. 21(2) |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | NIS2 Art. 21(2)(j) |
| SEC-05 | Security | Identity Posture & Attack-Surface Management (ISPM) | NIS2 Art. 21(2)(a) |
| GOV-01 Domino | Governance | Identity Data Ownership | NIS2 Art. 21(2) |
| GOV-02 | Governance | IAM Metrics, Risk & Executive Visibility | NIS2 Art. 21(2) |
| GOV-03 | Governance | IAM Policy Definition, Enforcement & Drift Control | NIS2 Art. 21(2) |
| GOV-04 | Governance | IAM Operating Model and Skills | NIS2 Art. 21(2) |
How AXIS Scores NIS2 Alignment
A threshold model: each mapped control either meets the NIS2 maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.0 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIS2, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for NIS2 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIS2 citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
NIS2 appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown when the assessed organization operates in: Financial Services, Healthcare, Energy & Utilities, Technology/SaaS, Public Sector. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to NIS2 Directive. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIS2 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against NIS2
Run the AXIS assessment and get your maturity score, NIS2 alignment, and a prioritized roadmap in one pass. No signup required to start.