EU Regulations & Directives

IAM Maturity Assessment for NIS2

NIS2 (Directive (EU) 2022/2555) sets cybersecurity risk management duties for essential and important entities across EU member states. Article 21(2) explicitly lists access control policies and multi-factor authentication among the measures entities are expected to adopt, alongside governance and accountability obligations.

Maturity threshold
2.0 / 4.0
Mapped questions
10
IAM domains
3
Assessment scope
All scopes
Identity Expectations

What NIS2 Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to NIS2 citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Multi-factor and phishing-resistant authentication, single sign-on coverage, device trust, and hardened account recovery
  • Governance and accountability for identity: data ownership, executive risk visibility, policy enforcement, and a defined operating model
  • Ongoing identity posture and attack-surface management
Question Mapping

AXIS Questions Mapped to NIS2

10 of the 37 questions in the AXIS bank carry NIS2 citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to NIS2, with domain, capability, and framework references
QuestionDomainCapabilityNIS2 references
AUTH-01
Domino
Auth/SSOAdaptive MFANIS2 Art. 21(2)
AUTH-02Auth/SSOSingle Sign-On (SSO) Coverage & EnforcementNIS2 Art. 21(2)
AUTH-03Auth/SSODevice Trust & Zero Trust EnforcementNIS2 Art. 21(2)
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityNIS2 Art. 21(2)
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceNIS2 Art. 21(2)(j)
SEC-05SecurityIdentity Posture & Attack-Surface Management (ISPM)NIS2 Art. 21(2)(a)
GOV-01
Domino
GovernanceIdentity Data OwnershipNIS2 Art. 21(2)
GOV-02GovernanceIAM Metrics, Risk & Executive VisibilityNIS2 Art. 21(2)
GOV-03GovernanceIAM Policy Definition, Enforcement & Drift ControlNIS2 Art. 21(2)
GOV-04GovernanceIAM Operating Model and SkillsNIS2 Art. 21(2)
Scoring Model

How AXIS Scores NIS2 Alignment

A threshold model: each mapped control either meets the NIS2 maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.0 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIS2, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for NIS2 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIS2 citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

NIS2 appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown when the assessed organization operates in: Financial Services, Healthcare, Energy & Utilities, Technology/SaaS, Public Sector. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to NIS2 Directive. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIS2 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against NIS2

Run the AXIS assessment and get your maturity score, NIS2 alignment, and a prioritized roadmap in one pass. No signup required to start.