
How a password manager enables NIS2 compliance

NIS2 is an expansion of the previous EU cybersecurity directive, NIS, which was adopted in 2016 as a set of requirements for securing network and information systems across the EU. NIS2 was introduced in 2020 and came into effect on January 16, 2023.

The directive requires businesses identified as operators of essential services to implement appropriate measures to enhance cybersecurity and to comply with their legal obligations. NIS2 brings in many organizations that were not covered by the original directive, expanding the affected sectors from 7 to 15 so that more vital areas are protected. The sectors covered by NIS2 now include:

  • Energy

  • Health

  • Transportation

  • Finance

  • Water Supply

  • Digital Infrastructure

  • Public Administration

  • Digital Providers

  • Postal Services

  • Waste Management

  • Space

  • Foods

  • Manufacturing

  • Chemicals

  • Research

On top of that, NIS2 raises the bar for enforcing cybersecurity, introduces stricter rules for incident reporting, and imposes more severe penalties for noncompliance. National competent authorities play a central role in supervising compliance and handling incident reports across vital sectors of the economy and society. According to the official site, a typical NIS2 compliance process takes approximately 12 months and includes security assessments, auditing, consulting, and tool implementation.

With enforcement now accelerating throughout the EU, organizations are under real pressure to demonstrate their cybersecurity posture. Article 21, which covers the secure management of credentials, has the greatest impact, and it is the provision auditors are examining most closely.

What does NIS2 Article 21 actually require?

Of all 45 articles in the NIS2 Directive, Article 21 is the one most organizations will spend the most time on. It establishes the minimum cybersecurity risk management measures that all essential and important entities must implement and be able to demonstrate in practice.

The directive uses deliberate language: measures must be "appropriate and proportionate" based on the entity's size, risk exposure, and the likelihood and severity of incidents. This is outcomes-based, not prescriptive.

Article 21(2) lists ten minimum measures every in-scope organization must implement:

  • (a) Risk analysis and information system security policies

  • (b) Incident handling

  • (c) Business continuity — backup management and disaster recovery

  • (d) Supply chain security

  • (e) Security in network and information system acquisition, development, and maintenance

  • (f) Policies to assess effectiveness of cybersecurity measures

  • (g) Basic cyber hygiene practices and cybersecurity training

  • (h) Cryptography and encryption policies

  • (i) Human resources security, access control policies, and asset management

  • (j) Multi-factor authentication or continuous authentication solutions

What auditors for Article 21 are checking in practice

Article 21 is outcomes-based, which means auditors are not just reviewing policy documents; they are verifying that controls are operational and evidenced. Three gaps are being flagged most consistently:

  • Missing or inconsistently enforced MFA

    Having a multi-factor authentication (MFA) policy is not the same as having MFA enforced. Auditors look for enforcement at the organizational level, not for individual user adoption.

  • Over-privileged accounts

    Access control under Article 21(2)(i) expects least-privilege principles to be applied and documented.

  • Unmanaged service credentials

    API keys, service account passwords, and shared credentials that live outside any managed system are a recurring audit finding.

The common thread: auditors are checking whether security is managed as a repeatable, demonstrable process.

What was missing from the original NIS legislation?

The biggest issue with the original NIS was that it was too broad, too vague, and lacked viable enforcement capabilities.

Now, penalties for noncompliance are significant: essential entities face fines of up to €10 million or 2% of global annual revenue; important entities face up to €7 million or 1.4%.

During the early days of COVID, many businesses across the EU switched to remote work, and it quickly became apparent that the original NIS was ineffective at achieving its stated goals.

How Bitwarden addresses NIS2 Article 21 compliance

Auditors reviewing Article 21 compliance are not reading policy documents in isolation. They are looking for evidence that controls are enforced, consistent, and documented across the organization. The three gaps flagged most often (inconsistent MFA enforcement, over-privileged accounts, and unmanaged credentials) are also the gaps a password manager is best positioned to close.

MFA enforcement at the organizational level

Bitwarden allows organizations to require two-step login across the entire organization through enterprise policy controls. Bitwarden also integrates with Duo for centralized MFA enforcement and monitoring. Additionally, vault health reports include an Inactive 2FA report that highlights stored credentials that do not include a TOTP seed.

Access control and privileged credential management

Role-based access controls, collection-level permissions, and user group policies allow administrators to apply least-privilege principles to every credential in the organization. Organization owners can also modify collection settings to restrict administrator access to shared credentials, ensuring that even elevated roles do not have blanket visibility into sensitive credentials.

Unmanaged credentials and supply chain access

Service account passwords and shared credentials that live in spreadsheets, email threads, or personal vaults are a blind spot auditors look for specifically. Bitwarden brings these into a governed, auditable environment where access is controlled, logged, and revocable. Bitwarden Secrets Manager also brings centralized security control to API keys.

Audit trail for documented risk management

The Bitwarden admin console event logs capture who accessed which credentials, when, and from where. Integrations with SIEM tools or the use of API keys allow these events to be ingested and processed with other event monitoring in the company infrastructure.

Cryptography and end-to-end encryption

Bitwarden encrypts data client-side before it leaves the user's device. The zero-knowledge architecture and open-source codebase mean the encryption implementation can be independently verified. The encryption design is documented in the Bitwarden security whitepaper.

For organizations with strict data residency requirements, Bitwarden offers a dedicated EU cloud service and a self-hosted deployment option where data remains entirely within your own infrastructure.

Supply chain credential security

Organizations can share credentials with vendors through the secure sharing features of Bitwarden Send, or by temporarily onboarding a contractor with role-based access controls. When a vendor relationship ends, access is revoked through the platform.

Credential security training and culture

A password manager directly supports a culture of security by making strong, unique passwords the path of least resistance for every user. Bitwarden enterprise users also receive a free Families account so that they can practice proper security habits at home as well.

Meet NIS2 requirements with Bitwarden today

NIS2 enforcement is accelerating across the EU, and Article 21 sets a clear bar: controls must be implemented, enforced, and evidenced. The organizations that will withstand audit scrutiny are those that can show regulators a documented and operational security posture, credential by credential.

Bitwarden gives organizations both sides of that requirement. Enterprise policy controls enforce MFA, access permissions, and least-privilege principles across every user. Admin console event logs and SIEM integrations create the audit trail that proves those controls are working. And as an open-source platform with EU cloud and self-hosted deployment options, Bitwarden supports the data sovereignty requirements of EU organizations.

Compliance does not have to be a long, expensive infrastructure project. A password manager is one of the fastest ways to close the credential gaps auditors are checking for and to build the evidence record they will ask to see.

Get started with a free Bitwarden business trial today.

FAQs

What is NIS2?

NIS2 emphasizes cybersecurity risk management processes, which are designed to require businesses to adopt measures to prevent or mitigate cybersecurity threats. It covers risks and measures related to AI, including cybersecurity testing, documentation, and mitigation strategies.

What is the difference between NIST and NIS2?

Unlike NIS2, the NIST Cybersecurity Framework does not contain an actionable list of required measures. Using a NIST-based cybersecurity resilience framework can help organizations prepare to comply with the directive effectively.

What is the NIS2 implementing act?

The NIS2 Directive now encompasses medium and large public and private entities in more critical sectors for cyber resilience.

What does NIS2 cover for network and information systems?

NIS2, as an EU-wide legislation, emphasizes cybersecurity risk management processes designed to meet the challenge of the evolving cybersecurity threat landscape. The design requires businesses to adopt measures to prevent or mitigate cybersecurity threats. It covers risks and measures related to AI, including cybersecurity testing, documentation, and mitigation strategies.

NIS2 encompasses many more organizations that were not part of the original NIS directive. This includes operators of essential services within critical sectors like healthcare, energy, and transport. The European Union aims to harmonize cybersecurity measures and practices throughout its member states.

It also distinguishes between essential and important entities when setting requirements.
