Article 21 of the NIS2 Directive explicitly mandates access control, user management, and audit trails. RAP covers the core requirements out of the box.
NIS2 Article 21 mandates that in-scope organizations implement measures across risk management, access control, and incident response. For IT teams, this translates to three non-negotiable capabilities:
- You must be able to demonstrate who has access to which systems — and prove that access is appropriate, approved, and regularly reviewed.
- Onboarding and offboarding must be governed. Orphaned accounts and over-provisioned users are audit red flags.
- Every access event, approval, and change must be logged and retrievable. Auditors will ask for this documentation.
| NIS2 Requirement | RAP Feature | Status |
|---|---|---|
| Access control policies | Role & permission management | ✓ Covered |
| User provisioning & deprovisioning | Automated PowerShell workflows | ✓ Covered |
| Access request & approval | Self-service portal + approval workflows | ✓ Covered |
| Access certification / reviews | Periodic access certifications | ✓ Covered |
| Audit logs & reporting | Full event log + NIS2 compliance reports | ✓ Covered |
| Segregation of duties | SoD enforcement | ✓ Covered |
NIS2 applies to medium and large organizations in critical and important sectors. In Poland and CEE, this includes manufacturing, logistics, private healthcare, financial services, energy, and research institutions. If you have 50+ employees and operate in one of these sectors, you are likely in scope.
Not sure if you’re in scope? Let’s find out in 30 minutes.
Polish and EU national implementations are active. Audits are coming. Access governance is the first gap auditors check — and the easiest to remediate before they arrive.