Identity Governance for EU Regulatory Compliance
Strategic guide to identity governance for EU-regulated entities covering joiner-mover-leaver lifecycle management, privileged access, separation of duties, non-human identity governance, and regulatory alignment with NIS2, DORA, and GDPR.
- 1
Identity governance is the foundational capability that enables multi-framework compliance across NIS2, DORA, and GDPR without multiplicative effort.
- 2
Automate the joiner-mover-leaver lifecycle by integrating your IGA platform with HR as the authoritative source of employee status and role.
- 3
Replace persistent admin accounts with just-in-time privileged access to minimise standing privilege and reduce blast radius.
- 4
Bring non-human identities (service accounts, API keys, machine certificates) into your governance programme as first-class identity objects.
- 5
Measure programme maturity with outcome metrics: time-to-provision, time-to-deprovision, review completion rates, and SoD violation trends.
1. Identity Governance Fundamentals for Regulated Entities
Identity governance and administration (IGA) is the discipline of ensuring that the right individuals have access to the right resources at the right time for the right reasons — and that this access is continuously validated, documented, and auditable. For EU-regulated entities, IGA is not an IT operations concern; it is a regulatory compliance obligation that sits at the intersection of NIS2's access control requirements, DORA's ICT security policies, GDPR's data protection principles, and the broader expectation of supervisory authorities that organisations can demonstrate who accessed what, when, and why.
The strategic value of identity governance extends beyond compliance. A mature IGA programme reduces the attack surface by enforcing least privilege, accelerates onboarding and offboarding by automating access provisioning, reduces audit preparation effort by maintaining continuous evidence, and supports zero-trust architecture by providing the identity context that access decisions depend on. For organisations pursuing multiple EU compliance frameworks simultaneously, IGA is the foundational capability that enables multi-framework compliance without multiplicative effort — the same identity controls satisfy access control requirements across NIS2, DORA, ISO 27001, and GDPR.
The maturity spectrum of identity governance ranges from manual, reactive processes (spreadsheet-based access tracking, email-based access requests, annual review campaigns) to automated, policy-driven governance (role-based provisioning, real-time access analytics, continuous compliance monitoring). Most EU organisations operate in the lower-middle of this spectrum — they have an identity provider and some access request workflows, but lack comprehensive lifecycle automation, SoD enforcement, and non-human identity governance. The regulatory pressure from NIS2 and DORA is forcing a rapid maturity leap, and organisations that treat this as a strategic investment rather than a compliance tax will gain operational advantages that extend well beyond audit readiness.
2. Joiner-Mover-Leaver Lifecycle Management
The joiner-mover-leaver (JML) lifecycle is the operational backbone of identity governance. Each phase presents distinct security risks and regulatory obligations. The joiner phase must provision access that is sufficient for the new employee to be productive from day one but limited to the minimum necessary for their role — over-provisioning at the joiner stage is the primary driver of entitlement bloat. The mover phase (role changes, transfers, promotions) is the most commonly neglected: when an employee moves from finance to marketing, they typically gain marketing access while retaining finance access, accumulating entitlements that violate least privilege. The leaver phase must ensure complete and timely de-provisioning — DORA's RTS explicitly requires that access be revoked upon termination, and GDPR's storage limitation principle requires that former employees' access to personal data ceases immediately upon departure.
Automate the JML lifecycle by integrating your identity governance platform with your HR system as the authoritative source of truth for employee status, role, and department. When the HR system records a new hire, the IGA platform should automatically provision the baseline access entitlements defined for that role (birthright access). When the HR system records a role change, the IGA platform should provision the new role's entitlements and trigger a review of the previous role's entitlements — do not rely on the manager to remember to revoke old access manually. When the HR system records a termination, the IGA platform should immediately disable the account in the identity provider and initiate revocation of all application-specific entitlements.
The mover phase deserves particular attention because it is where segregation-of-duties violations most commonly arise. An employee who has held roles in both procurement and accounts payable may retain entitlements in both systems — a classic SoD violation that enables fraud. Implement a mover workflow that automatically flags SoD conflicts when new entitlements are provisioned, requires explicit approval from a risk-aware approver (not just the line manager) for any mover event that creates a conflict, and generates an audit record documenting the conflict assessment and approval rationale. The European Banking Authority's ICT risk management guidelines emphasise the importance of role-change procedures in preventing internal fraud, and DORA-regulated financial entities should expect supervisory scrutiny of their mover processes.
The mover phase is the most dangerous stage of the identity lifecycle. Employees who change roles without access adjustment accumulate entitlements that violate least privilege and create segregation-of-duties conflicts. Automate access adjustment on every role change, not just on join and leave.
3. Privileged Access Management and Least Privilege
Privileged access — administrative accounts, root access, database administrator roles, cloud IAM roles with broad permissions — represents the highest-risk category of identity entitlements. A compromised privileged account provides an attacker with the ability to move laterally, escalate privileges further, exfiltrate data, deploy ransomware, or destroy systems. NIS2 Article 21(2)(i) requires access control measures that are proportionate to risk, which necessarily means that privileged access demands stronger controls than standard user access. DORA's RTS on ICT risk management explicitly requires financial entities to implement privileged access management controls including just-in-time access, session recording, and enhanced monitoring.
Implement a privileged access management (PAM) programme built on four principles. First, minimise standing privilege: replace persistent admin accounts with just-in-time (JIT) access that is requested, approved, time-bounded, and automatically revoked upon expiration. Second, enforce multi-factor authentication for all privileged access — NIS2 Article 21(2)(j) makes MFA explicit, and privileged access without MFA is indefensible in any supervisory review. Third, monitor and record privileged sessions: maintain audit logs of all privileged actions that can be reviewed during incident investigations and access reviews. Fourth, separate privileged from unprivileged identities: administrators should use separate accounts for administrative and day-to-day activities, preventing credential theft from a compromised user workstation from yielding administrative access.
The least privilege principle — granting only the minimum access necessary to perform a specific function — is easy to state and difficult to operationalise. Start with role engineering: define standard roles for each job function that include only the entitlements required for that role's duties. Validate role definitions with business stakeholders who understand the actual workflows, not just the theoretical job descriptions. Implement request-approval workflows for any access beyond the standard role, requiring business justification and time-bounded access where possible. Use access analytics to identify entitlements that are granted but never used — these are candidates for removal from the role definition. Over time, the combination of well-defined roles, JIT access for exceptions, and analytics-driven role refinement will converge on a practical implementation of least privilege that is both operationally viable and regulatorily defensible.
Replace persistent admin accounts with just-in-time access wherever possible. JIT access that is requested, approved, and automatically expires after a defined window eliminates the standing privilege that attackers seek to compromise.
4. Separation of Duties Controls
Separation of duties (SoD) is a governance control that prevents a single individual from controlling all phases of a critical business process, thereby reducing the risk of fraud, error, and abuse. In the EU regulatory context, SoD is not merely a financial controls concept — NIS2's requirement for effective access control and DORA's emphasis on ICT security governance both imply that critical ICT functions should be segregated. Common SoD conflicts include combining system administration with security monitoring (the admin could disable monitoring before taking malicious action), combining access provisioning with access review (the provisioner could grant themselves access and approve it), and combining code development with production deployment (the developer could introduce and deploy malicious code without independent review).
Implement SoD controls through a combination of policy definition, preventive enforcement, and detective monitoring. Start by defining a SoD matrix that identifies conflicting role or entitlement pairs across your critical applications and infrastructure. This matrix should be developed collaboratively with business process owners, internal audit, and compliance — IT alone cannot determine which functional combinations create unacceptable risk. Once the matrix is defined, implement preventive controls that block or flag SoD-conflicting access requests at the point of provisioning, and detective controls that identify existing SoD violations through periodic analysis of the access landscape.
SoD enforcement must account for practical business realities. In smaller organisations, strict SoD enforcement may be impossible for certain role combinations — a five-person IT team cannot fully segregate all administrative functions. In these cases, implement compensating controls: enhanced monitoring, dual-approval requirements, or independent review of high-risk transactions performed by individuals with conflicting roles. Document the compensating controls explicitly, including the rationale for why strict segregation is not feasible and how the compensating controls mitigate the residual risk. Supervisory authorities will accept well-documented compensating controls far more readily than undocumented SoD violations discovered during an inspection.
5. Non-Human Identity Governance: Service Accounts, API Keys, and Machine Identities
Non-human identities — service accounts, API keys, machine certificates, bot accounts, and automated workflow credentials — often outnumber human identities in modern IT environments by a factor of 10:1 or more. Despite their prevalence, non-human identities are frequently excluded from identity governance programmes, creating a significant blind spot. These identities often hold elevated privileges (a CI/CD service account may have deployment access to production, a monitoring agent may have read access to all systems), and their credentials are rarely rotated, never reviewed, and not subject to the same lifecycle management controls as human identities. An attacker who compromises a service account credential gains persistent, privileged access that is unlikely to be detected by user-focused security monitoring.
Bring non-human identities into your governance programme by treating them as first-class identity objects. Every service account and API key should have an assigned owner (a human who is accountable for its security and lifecycle), a documented purpose (what the identity does and why it needs the access it has), a defined scope (minimum necessary permissions, not broad admin access for convenience), a credential rotation schedule (90 days maximum for passwords, shorter for API keys in high-risk environments), and inclusion in access review campaigns (the owner reviews whether the service account is still needed and appropriately scoped). NIS2's access control requirements apply to all identities that access network and information systems, not just human users, and supervisory authorities are increasingly aware of the risks posed by unmanaged non-human identities.
API key and secret management requires specific controls beyond traditional identity governance. Store all secrets in a dedicated secret management vault — never in source code, configuration files, environment variables in version control, or shared documents. Implement automated detection for secrets committed to code repositories. Enforce short-lived credentials where the technology supports it: OAuth 2.0 client credentials with short token lifetimes, cloud IAM instance profiles rather than long-lived access keys, and certificate-based authentication with automated renewal. When a service account or API key is decommissioned, ensure that all associated credentials are immediately revoked and that dependent systems are updated — orphaned credentials for decommissioned services are a common attack vector that access reviews should explicitly check for.
Non-human identities typically outnumber human identities by 10:1 or more in modern enterprises. If your identity governance programme only covers human users, you are governing less than 10% of your identity landscape.
6. Building an IGA Programme: Roadmap and Maturity Model
Building an identity governance programme is a multi-year journey that should be planned in phases aligned with regulatory deadlines and organisational capacity. Phase 1 (Months 1-3) should establish the foundation: implement a centralised identity provider if one does not exist, deploy MFA for all users (starting with privileged accounts), document the current access landscape across critical systems, and establish a formal access request-approval workflow. Phase 2 (Months 4-9) should operationalise lifecycle management: integrate the IGA platform with the HR system for automated JML triggers, define and implement role-based access for the top 20 applications by risk, launch the first access review campaign, and define the SoD matrix for critical business processes.
Phase 3 (Months 10-18) should extend governance to the full identity landscape: bring non-human identities into the governance programme, implement just-in-time privileged access for administrative functions, deploy SoD enforcement (preventive and detective), extend access reviews to SaaS and cloud infrastructure, and implement continuous access monitoring for anomaly detection. Phase 4 (Ongoing) is continuous improvement: refine role definitions based on access review outcomes and analytics, reduce standing privilege through progressive JIT adoption, automate compliance reporting across NIS2, DORA, and GDPR, and conduct periodic maturity assessments to identify the next improvement targets.
Measure programme maturity using a capability model that tracks specific outcomes rather than process existence. Key metrics include: mean time to provision (how quickly new hires receive appropriate access), mean time to de-provision (how quickly leavers lose all access — target is under 4 hours), access review completion rate (percentage of entitlements reviewed per campaign — target is 100%), revocation rate trend (should decline over time as entitlement hygiene improves), SoD violation count (should decline as preventive controls mature), and non-human identity coverage (percentage of service accounts and API keys with assigned owners and review schedules). Report these metrics to management body quarterly as part of the NIS2 Article 20 governance obligation.
What is the difference between identity governance and identity management?
Identity management (IdM) covers the operational mechanics of creating, modifying, and deleting identity records — provisioning accounts, managing passwords, synchronising directories. Identity governance (IGA) adds the policy, compliance, and audit layer: who should have access (role definitions), who approved it (request workflows), is it still appropriate (access reviews), and does it comply with regulations (SoD enforcement, compliance reporting). A mature identity programme requires both: management handles the 'how' and governance handles the 'why' and 'whether'.
How does DORA change identity governance requirements for financial entities?
DORA imposes several identity governance requirements that exceed the NIS2 baseline for financial entities. DORA Article 9(4)(c) requires strong authentication and access rights management policies. The DORA RTS on ICT risk management mandate periodic access reviews, privileged access management controls, and procedures for managing access upon role changes or termination. DORA also requires that ICT third-party access is governed with the same rigour as internal access. Financial entities must ensure their IGA programme addresses these prescriptive requirements, not just the principles-based NIS2 obligations.
What SoD controls are expected by EU supervisory authorities?
EU supervisory authorities expect a documented SoD matrix identifying conflicting role combinations, preventive controls that block or flag SoD-conflicting access at provisioning time, detective controls that identify existing violations through periodic analysis, and documented compensating controls where strict segregation is not feasible. For financial entities under DORA, the ECB and national supervisory authorities have specifically flagged SoD between IT development and operations, between access provisioning and review, and between security monitoring and system administration as priority areas.
How should we handle identity governance for contractors and external parties?
Contractors and external parties should be governed with the same IGA controls as employees, with additional constraints. Implement time-bounded access that expires at the end of the contract period (requiring active renewal rather than passive continuation), restrict access scope to the specific systems and data required for the contracted work, assign an internal sponsor who is accountable for the contractor's access and must certify it during reviews, and ensure that contract termination triggers immediate de-provisioning. DORA Article 28's ICT third-party requirements extend to contractor access governance, and NIS2's supply chain security obligations include managing the access granted to external service providers.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.