Passwords, MFA and AD Accounts: Hardening Your Environment for NIS2
November 27, 2025
The EU’s Network and Information Security Directive 2 (NIS2) significantly expanded the number of sectors covered by the cybersecurity legislation and placed stricter cyber risk management protocols on organizations.
The Directive places emphasis on identity and access management (IAM) as a cornerstone of effective cybersecurity and calls on organizations to be proactive about their cyber resilience.
One challenge for CISOs in achieving NIS2 compliance lies in hardening Active Directory (AD), the backbone of IAM for most organizations.
AD often becomes a prime target for attackers because it controls authentication and authorization across critical systems. Under NIS2, CISOs must ensure robust password policies, enforce multi-factor authentication (MFA), and implement least privilege access without disrupting business operations.
Legacy AD environments frequently suffer from weak or inconsistent password rules, shared accounts and excessive privileges, none of which is sufficient to meet the requirements of NIS2.
NIS2 also introduces the need for continuous monitoring and auditability. Cybersecurity leaders must demonstrate compliance through logs and reports, proving that password hygiene and AD configurations meet NIS2 standards.
The NIS2 requirements offer organizations the opportunity to review their cybersecurity postures, password policies and AD environments and implement the changes necessary to not only meet legal obligations but also adopt a proactive cyber-defense strategy.
Why AD Hardening Matters for NIS2
Active Directory is central to IAM in most organizations, as AD stores information about identities, including people and systems. Because AD controls access to critical systems and data, it is a prime target for cybercriminals.
If an AD environment is misconfigured or vulnerable, attackers can escalate privileges, move laterally and compromise critical systems. Through a compromised AD attackers can essentially access the entire network, ultimately violating NIS2’s core security principles.
AD password policy limitations include:
- Limited password complexity rules
- Failure to check against already breached passwords
- Lack of contextual policies based on location, device or behaviors
- Insufficient real-time breach detection
- Static policies that do not adapt to evolving threats or user behavior
A strong domain password policy is essential for protecting your organization’s systems and maintaining compliance with NIS2.
Password Policy Improvements
To ensure AD has password policies sufficient to meet NIS2 standards, the following steps are recommended:
- Implement Fine-Grained Password Policies (FGPP) to define different password and account lockout policies for different sets of users in a domain.
- Review and change the default password policy created by Active Directory, as it applies to all computers in the domain. Use FGPP to specify which policies should apply to which users.
- Use passphrases instead of complex passwords, enforcing length rather than unique characters. Combinations of random words or a memorable sentence are easier for users to remember yet significantly harder for attackers to crack.
- Integrate compromised password detection and enforce password resets for flagged accounts.
- Set up MFA for all users and service accounts accessing AD.
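The steps above, worked through with the ActiveDirectory PowerShell module. This is an added example, not code from the original article or from Specops: it reviews the default domain policy, creates two Fine-Grained Password Policies (a long-passphrase policy for standard users and a stricter one for privileged users), applies them to groups, and confirms which policy a given user actually receives. The policy names, group names (`All-Staff`, `Tier0-Admins`) and the sample user `jdoe` are assumptions for illustration.

```powershell
# Added example (not from the original article): default-policy review plus
# Fine-Grained Password Policies that enforce passphrase length over complexity.
Import-Module ActiveDirectory

# 1. Review the default domain policy; it applies to every account that no FGPP covers.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# 2. FGPP for standard users: length instead of character classes, sane lockout.
#    Precedence: the lowest number wins when several FGPPs apply to one user.
$userPolicy = @{
    Name                            = 'FGPP-StandardUsers'   # assumed name
    Precedence                      = 100
    MinPasswordLength               = 15                     # passphrase length is the control
    ComplexityEnabled               = $false                 # no forced symbol/digit mix
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'           # 1 day
    MaxPasswordAge                  = '365.00:00:00'         # 1 year
    LockoutThreshold                = 10
    LockoutObservationWindow        = '0.00:15:00'
    LockoutDuration                 = '0.00:15:00'
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @userPolicy

# 3. Stricter FGPP for privileged users; lower precedence so it overrides the user policy.
$adminPolicy = @{
    Name                            = 'FGPP-PrivilegedUsers'  # assumed name
    Precedence                      = 10
    MinPasswordLength               = 20
    ComplexityEnabled               = $false
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'
    MaxPasswordAge                  = '180.00:00:00'
    LockoutThreshold                = 5
    LockoutObservationWindow        = '0.00:30:00'
    LockoutDuration                 = '0.00:30:00'
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @adminPolicy

# 4. Apply each policy. FGPP subjects must be users or global security groups (assumed group names).
Add-ADFineGrainedPasswordPolicySubject -Identity 'FGPP-StandardUsers'   -Subjects 'All-Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'FGPP-PrivilegedUsers' -Subjects 'Tier0-Admins'

# 5. Verify the resultant policy for a user (assumed account). An admin who is also in
#    All-Staff should resolve to FGPP-PrivilegedUsers because of its lower precedence.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

The resultant-policy check in step 5 is the one to keep in a compliance runbook: it shows the policy AD actually enforces for an account, which is what an auditor will ask about, rather than the policy you intended to apply.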
Beyond Basic MFA
Setting up MFA is core to preventing attackers from forcing entry into systems and using already breached credentials. It is also an essential requirement of NIS2 compliance. However, not all MFA is created equal, and modern MFA tools are a necessity.
Cybercriminals have evolved techniques to exploit basic SMS or email-based one-time password (OTP) MFA, meaning phishing-resistant MFA is vital.
Hackers can use social engineering to manipulate users into revealing their OTPs either directly to a cybercriminal or via a fake website in the same way they would steal a user’s credentials.
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to implement MFA for all services. It notes that phishing-resistant MFA is the gold standard and strongly urges it for high-value targets and system administrators at a minimum.
FIDO/WebAuthn is the most widely available phishing-resistant authentication method. Developed by the FIDO Alliance and standardized by W3C, it’s supported across major browsers, operating systems and mobile devices.
WebAuthn works with FIDO2 to provide strong authentication using either physical tokens (“roaming” authenticators) or built-in device options (“platform” authenticators). These can include additional factors like biometrics or PINs, and FIDO2-compliant tokens are available from multiple vendors.
AD Account Lifecycle Management
The full lifecycle of all forms of Active Directory accounts should be managed to maintain compliance with the NIS2 directive and its cybersecurity risk management requirements.
Privileged Accounts
Privileged accounts for instance are a major focus under NIS2. Companies should be able to list all accounts with elevated privileges for access control compliance.
Cybersecurity practitioners should consider how local privileged accounts behave differently than general privileged accounts and how they should be treated differently.
Local administrator accounts are a particular weak point: the same admin password is often reused across multiple machines, so an attacker who gains local admin rights on one host can reuse those credentials for lateral movement and malicious activity within a network.
Applying only the permissions necessary for a role or task aligns with NIS2’s principles and avoids credential misuse, privilege escalation and lateral movement by would-be attackers.
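The section above says organizations should be able to list every account with elevated privileges. As an added example (not from the original article or from Specops), the following PowerShell builds that inventory from the built-in privileged groups, expanding nested membership, and separately flags accounts that still carry `adminCount=1` but are no longer in any of those groups, since SDProp sets that attribute on protected-group members and does not clear it on removal. The group list is a well-known starting point rather than an exhaustive one, and the export path is an assumption.

```powershell
# Added example (not from the original article): inventory of privileged AD accounts.
Import-Module ActiveDirectory

# Built-in groups that confer elevated rights. Extend with your own Tier 0 groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Get-PrivilegedAccountInventory {
    $rows = foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged users are not missed
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires, ServicePrincipalName
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Group                = $group
                Enabled              = $u.Enabled
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
                # A privileged user that also carries an SPN is doubling as a service account
                HasSPN               = (@($u.ServicePrincipalName).Count -gt 0)
            }
        }
    }

    # Collapse to one line per account, listing every privileged group it belongs to
    $rows | Group-Object SamAccountName | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            SamAccountName       = $_.Name
            PrivilegedGroups     = (($_.Group.Group | Sort-Object -Unique) -join '; ')
            Enabled              = $first.Enabled
            PasswordLastSet      = $first.PasswordLastSet
            LastLogonDate        = $first.LastLogonDate
            PasswordNeverExpires = $first.PasswordNeverExpires
            HasSPN               = $first.HasSPN
        }
    }
}

function Get-OrphanedAdminCountAccounts {
    param([string[]]$KnownPrivileged)
    # adminCount=1 is set by SDProp on protected-group members and is not cleared when
    # they are removed, so these accounts keep non-inheriting ACLs and deserve review.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { $KnownPrivileged -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, DistinguishedName
}

$inventory = Get-PrivilegedAccountInventory
$inventory | Format-Table -AutoSize
Get-OrphanedAdminCountAccounts -KnownPrivileged $inventory.SamAccountName | Format-Table -AutoSize

# A timestamped export is the access-control evidence an auditor will ask for
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$inventory | Export-Csv -NoTypeInformation -Path "C:\Evidence\PrivilegedAccounts-$stamp.csv"  # assumed path
```

Run it on a schedule and diff successive exports: a new name in `PrivilegedGroups`, or a privileged account whose `HasSPN` flips to true, is exactly the kind of change the least-privilege review in this section is meant to catch.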
Service Accounts
Service accounts are a key pillar of Active Directory. These non-human accounts allow applications, services or automated processes to perform tasks without requiring a human user to log in.
However, these service accounts are often overlooked in the management of AD accounts and can often have elevated privileges that can be exploited by cybercriminals.
Monitoring under NIS2 extends to non-human identities (NHIs) as well as user accounts.
Dormant Accounts
Dormant accounts, those that are inactive but still enabled, pose a significant risk yet often go unchecked. Firms must have a means by which such accounts are flagged and reviews triggered. The AD account workflow should cover secure offboarding as well as secure onboarding of accounts.
The NIS2 directive mandates that identities and accounts should be regularly reviewed and if they are no longer needed, they must be deactivated immediately.
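The Service Accounts and Dormant Accounts sections above describe two review obligations: find non-human accounts with elevated privileges or stale secrets, and find enabled accounts that nobody has used. As an added example (not from the original article or from Specops), the following PowerShell performs both reviews, writes timestamped evidence, and stages the deactivation of dormant user accounts behind `-WhatIf` so the action is visible before it is approved. The 90-day and 365-day thresholds and the evidence directory are assumptions; service accounts are identified here by the presence of a Service Principal Name, which is a reasonable heuristic rather than a complete definition.

```powershell
# Added example (not from the original article): service account and dormant account review.
Import-Module ActiveDirectory

$InactiveDays    = 90           # assumed dormancy threshold; align with your written policy
$StaleSecretDays = 365          # assumed maximum age for a service account password
$EvidenceDir     = 'C:\Evidence' # assumed location for review evidence

function Get-DormantAccounts {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a
    # 14-day lag, so the threshold should comfortably exceed that window.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, ObjectClass, LastLogonDate, DistinguishedName
}

function Get-ServiceAccountRisks {
    # Accounts with an SPN are treated as service accounts. Add your naming convention
    # or OU to the filter if SPNs alone miss some of them.
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, MemberOf, ServicePrincipalName |
    ForEach-Object {
        $user   = $_
        $pwdAge = if ($user.PasswordLastSet) { [int]((Get-Date) - $user.PasswordLastSet).TotalDays } else { $null }
        # Direct membership in the most sensitive built-in groups
        $privileged = @($user.MemberOf |
            Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }).Count -gt 0
        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Enabled              = $user.Enabled
            PasswordAgeDays      = $pwdAge
            PasswordNeverExpires = $user.PasswordNeverExpires
            InPrivilegedGroup    = $privileged
            LastLogonDate        = $user.LastLogonDate
            SPNs                 = ($user.ServicePrincipalName -join '; ')
        }
    } |
    # Keep only the accounts that need a decision: never-expiring or stale secret, or elevated rights
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt $StaleSecretDays -or $_.InPrivilegedGroup }
}

# Run both reviews and keep the evidence
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$dormant = Get-DormantAccounts
$svcRisk = Get-ServiceAccountRisks
$dormant | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "DormantAccounts-$stamp.csv")
$svcRisk | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "ServiceAccountRisks-$stamp.csv")

$dormant | Format-Table -AutoSize
$svcRisk | Format-Table SamAccountName, PasswordAgeDays, PasswordNeverExpires, InPrivilegedGroup -AutoSize

# Stage offboarding: disable (do not delete) dormant user accounts so the object and its
# history survive for forensics. Remove -WhatIf once the review owner has approved the list.
$dormant | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Disabling rather than deleting matches the directive's "deactivated immediately" wording while keeping the account's SID history and audit trail available if an investigation later needs them.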
Producing Compliance Evidence
Organizations must provide reporting capabilities to demonstrate compliance with NIS2 requirements, as the legislation mandates audit-ready access records and the ability to report incidents within 24 hours. This reporting requirement is a marked shift from the original NIS requirements, which did not dictate a strict timeline.
NIS2 also requires organizations to provide continuous updates as more details emerge, so firms must have sufficient recording capabilities to meet this obligation.
AD event logs must be retained for forensic investigation if a breach were to occur.
As well as being prepared to report incidents, organizations covered by NIS2 must document processes and governance efforts comprehensively, including by detailing their password reset processes.
Reset workflows must use secure channels to conduct password resets, and each reset ought to be logged with details such as who initiated it, where from and when. This supports incident reporting and forensic analysis requirements if an incident were to occur.
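The "who, where from and when" record described above already exists in the Security log of the domain controller that processed the reset: event 4724 is written when one principal resets another account's password, and 4723 when an account owner changes their own. As an added example (not from the original article or from Specops), the following PowerShell extracts those fields, resolves "where from" by matching the reset's logon ID against the corresponding 4624 logon event on the same DC, and exports the result as retained evidence. The domain controller name, 30-day lookback and export path are assumptions.

```powershell
# Added example (not from the original article): password reset evidence from the Security log.
$DomainController = 'dc01.corp.example'       # placeholder: a DC that processes resets
$Since            = (Get-Date).AddDays(-30)   # assumed reporting window
$ExportPath       = "C:\Evidence\PasswordResets-$(Get-Date -Format 'yyyyMMdd').csv"  # assumed path

function Get-PasswordResetEvidence {
    param([string]$ComputerName, [datetime]$StartTime)
    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $StartTime } `
        -ErrorAction Stop
    foreach ($e in $events) {
        # Named EventData fields are only reliably available through the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated                                   # when
            EventId          = $e.Id
            Action           = if ($e.Id -eq 4724) { 'Reset by another principal' } else { 'Changed by account owner' }
            InitiatedBy      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # who
            TargetAccount    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SubjectLogonId   = $d['SubjectLogonId']   # key for the "where from" lookup
            DomainController = $e.MachineName
        }
    }
}

function Resolve-InitiatorSource {
    # The 4624 logon event whose TargetLogonId equals the reset's SubjectLogonId carries the
    # source IP and workstation. Logon IDs are unique only per boot of one machine, so the
    # lookup must be made on the same DC that logged the reset.
    param([string]$ComputerName, [string]$LogonId)
    $xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='TargetLogonId']='$LogonId']]"
    $logon = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $logon) { return $null }
    $xml = [xml]$logon.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        IpAddress   = $d['IpAddress']
        Workstation = $d['WorkstationName']
        LogonType   = $d['LogonType']   # e.g. 3 = network, 10 = remote interactive
    }
}

$evidence = Get-PasswordResetEvidence -ComputerName $DomainController -StartTime $Since |
    ForEach-Object {
        $src = Resolve-InitiatorSource -ComputerName $DomainController -LogonId $_.SubjectLogonId
        $_ | Add-Member -NotePropertyName SourceIp   -NotePropertyValue $src.IpAddress   -PassThru |
             Add-Member -NotePropertyName SourceHost -NotePropertyValue $src.Workstation -PassThru
    }

$evidence | Sort-Object TimeCreated |
    Format-Table TimeCreated, Action, InitiatedBy, TargetAccount, SourceIp, SourceHost -AutoSize
$evidence | Export-Csv -NoTypeInformation -Path $ExportPath   # retained as audit evidence
```

Two practical points: 4723 and 4724 are only generated when "Audit User Account Management" success auditing is enabled on the domain controllers, and a reset can be processed by any writable DC, so a complete record means querying every DC or forwarding their Security logs to a central collector with the retention period the forensic requirement above calls for.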
Ultimately, NIS2 demands secure, auditable identity processes, which includes activities like password resets and comprehensive record-keeping to enable rapid incident reporting and forensic analysis.
How Specops Solutions Support NIS2 Identity Requirements
Going it alone to meet NIS2's identity requirements, reporting obligations and AD hardening can be overwhelming. Using a trusted supplier to support these activities can both ensure you're meeting compliance obligations and remove the burden from in-house teams.
Tools like Specops Password Policy can help organizations meet compliance requirements while offering real-time breach password protection and advanced policy capabilities.
As discussed, adding phishing-resistant MFA is crucial for NIS2 compliance, and Specops Secure Access provides the latest protection while fulfilling compliance requirements.
Meanwhile, Specops Password Auditor scans Active Directory environments and detects security-related weaknesses, specifically those related to password settings and stale user accounts.
Conclusion
NIS2 makes it non-negotiable for a wide range of organizations and their employees to take an active approach to cyber risk management, including identity and access management.
Proactive measures, such as Active Directory hardening, implementing MFA and maintaining auditable technical controls, are essential for resilience in today’s evolving threat landscape.
Ultimately, NIS2 compliance is more than a legal obligation; it's an opportunity to build a foundation for long-term, proactive cyber defenses.