NIS2, ISO 27001, KSC and DORA in practice – how does eAuditor IAM streamline access and identity management?

Data, cybersecurity, eAuditor, BTC

Four regulations, one principle

NIS2, ISO/IEC 27001:2022, the amended National Cybersecurity System Act (KSC2) and DORA – each of these regulations says the same thing: you need to know who has access to what, when and why – and be able to prove it. NIS2 explicitly lists access control and MFA as mandatory measures. ISO 27001 requires an evidence-based approach to every change in access rights. DORA enforces 24-hour, 72-hour and one-month deadlines for incident reporting. KSC2 will cover approximately 38,000 entities – the deadline for self-identification as a key entity is 3 October 2026.

Key features of eAuditor IAM

The system covers the entire access lifecycle (Joiner–Mover–Leaver) in a single auditable workflow:

  • Integration with AD/LDAP – periodic import with UUID matching. An account disabled in AD automatically loses its rights in IAM.
  • Requests with multi-level approval – approval templates designate the approver based on parameters (position, department, system); the applicant cannot change this – this fulfils the SoD requirement.
  • “Per-position” profiles or individual roles – the same set of permissions can be grouped into a profile or requested separately for extended roles.
  • Formal and substantive verification – two-stage recertification: the line manager confirms the business justification, the system administrator – the technical aspects.
  • Temporary access instead of PIM/PAM – “from/to” expiry dates, expiry notifications, a hard limit until the end of the contract for contract staff.
  • Employee Dashboard – the employee can see their own permissions, the manager can see their subordinates’ permissions.
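The reconciliation step behind the first and fifth bullets (AD import with UUID matching, automatic loss of rights for accounts disabled in AD, "from/to" expiry dates with expiry notifications, and an audit record of each change) can be shown as a small script. The code below is an added example written for this article, not eAuditor's own code; the data class fields, the `iam-sync` author name and all accounts, grants and dates are constructed assumptions.

```python
# Added example (not eAuditor's code): one IAM import cycle reconciled against
# an AD export. Grants are matched on the AD object UUID, revoked automatically
# when the account is disabled or gone, or when a "from/to" grant has expired,
# and every revocation leaves an audit entry with values before and after.
# All data, field names and the "iam-sync" author are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AdAccount:
    uuid: str        # objectGUID: stable even when a login name is reused
    login: str       # sAMAccountName: can be reassigned to a new person
    enabled: bool


@dataclass(frozen=True)
class Grant:
    uuid: str        # owner identified by UUID, never by login name
    system: str
    role: str
    valid_to: Optional[date] = None   # None = permanent; contract staff always get a date


@dataclass(frozen=True)
class AuditEntry:
    when: date
    author: str
    uuid: str
    column: str      # which entitlement changed, e.g. "EZD/clerk"
    before: str
    after: str


def reconcile(ad_export: List[AdAccount], grants: List[Grant], today: date,
              author: str = "iam-sync") -> Tuple[List[Grant], List[AuditEntry]]:
    """Return the grants that stay active and the audit trail of every
    revocation (who, when, which entitlement, value before and after)."""
    ad = {a.uuid: a for a in ad_export}
    kept: List[Grant] = []
    audit: List[AuditEntry] = []
    for g in grants:
        acct = ad.get(g.uuid)
        if acct is None:
            reason = "account no longer in AD"      # deleted, or re-created with a new GUID
        elif not acct.enabled:
            reason = "account disabled in AD"       # the leaver case
        elif g.valid_to is not None and g.valid_to < today:
            reason = "temporary access expired"
        else:
            kept.append(g)
            continue
        audit.append(AuditEntry(today, author, g.uuid, f"{g.system}/{g.role}",
                                "active", f"revoked: {reason}"))
    return kept, audit


def expiring_soon(grants: List[Grant], today: date, days: int = 14) -> List[Grant]:
    """Grants whose 'to' date falls inside the notification window."""
    horizon = today + timedelta(days=days)
    return [g for g in grants if g.valid_to is not None and today <= g.valid_to <= horizon]


# Constructed sample: a disabled leaver, a login name reused by a new person
# under a new GUID, an expired contractor grant and one about to expire.
AD_EXPORT = [
    AdAccount("u1", "anowak", True),
    AdAccount("u2", "jkowalski", False),       # retired; disabled in AD
    AdAccount("u5", "pzielinski", True),       # new hire who received the old login name
    AdAccount("u4", "mwisniewska", True),
]
GRANTS = [
    Grant("u1", "EZD", "clerk"),
    Grant("u2", "EZD", "head"),
    Grant("u3", "HR", "admin"),                # the former pzielinski's GUID, gone from AD
    Grant("u1", "Finance", "viewer", date(2026, 1, 31)),
    Grant("u4", "Finance", "viewer", date(2026, 3, 10)),
]
TODAY = date(2026, 3, 1)

if __name__ == "__main__":
    kept, audit = reconcile(AD_EXPORT, GRANTS, TODAY)
    for e in audit:
        print(e.when, e.author, e.uuid, e.column, e.before, "->", e.after)
    for g in expiring_soon(kept, TODAY):
        print("expiry notification:", g.uuid, g.system, g.role, g.valid_to)
```

The point of matching on the UUID shows in the `u3` grant: the login `pzielinski` exists again in AD, but it belongs to a new person with a new GUID, so the old HR admin grant is revoked instead of silently passing to the new hire. The same run closes the "leaver" gap for `u2` and the expired contractor grant without anyone raising a request.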

Three real-world implementations – key takeaways from the implementations

Case 1: Small office – “two systems in one” eAuditor IAM + Helpdesk

Real-life example: during our first meeting, we were told that the “permissions register” was an Excel spreadsheet kept by a colleague in the secretariat. That colleague had left for the provincial office a week earlier. Along with the password to the file.

The small office does not have a separate budget for eAuditor IAM and a separate one for ITSM. The key factor was that the IAM system is natively integrated with the eHelpDesk module – once a request is approved, the system automatically generates a ticket for the relevant support team. The client purchased a single product and received a complete workflow: from request to resolution, with a full audit trail. The result: one supplier, one training session, one SLA, lower costs. Permission verification began immediately after implementation – a ready-to-use tool compliant with NIS2 and ISO 27001 requirements.

Case 2: Large organisation – inactive accounts and integration with Active Directory

Real-life example: during the first review, employee X’s account was flagged – active, with access to three departmental systems. X retired in 2024. The account had more privileges than the current head of department – “because it had been trusted for years”. Someone knew the password. No one knew who.

In a large organisation (several hundred users), the problem was a classic one: former employees’ accounts remaining active for months, ‘role creep’ among long-serving staff, and ownerless service accounts. We began the implementation with integration with AD using UUID matching. From the very first import cycle, users disabled in Active Directory are deactivated in IAM by the RBAC mechanism – the “leaver” gap is closed within hours.

The Opening Balance (BO module) allowed us to import historical permissions, have them verified by system owners, and only then transfer them to the current list – for the first time, the agency saw the actual state of access rights. The first formal verification campaign identified over ten per cent of accounts with permissions not justified by business needs. For the auditor, this is ready-made evidence: who verified what and when, how many were confirmed, and how many were revoked.

Case 3: A client expands their eAuditor environment with an IAM solution

Real-life example: at a client who has been using eAuditor for five years, the IT director proudly showed us the inventory, helpdesk, monitoring and patches – everything under control. We asked: “And who has access to the EZD today, and on what basis?” Silence. “Exactly. That’s the only thing we’re missing here.”

The organisation has been using eAuditor for years (inventory, monitoring, DLP, patch management), and now there is a need to comply with NIS2/KSC2. Adding the IAM module is a natural extension:

  • A single source of truth – AD, HR and the Employee Portal are the same across the entire BTC ecosystem. Synchronisation between databases from different providers is no longer needed.
  • Joiner onboarding as a single workflow – HR → AD → IAM creates requests → eAuditor configures the workstation (software, DLP policies, BitLocker, 2FA). The employee receives a ready-to-use environment on their first day.
  • Reduced incident response time – eAuditor (SOC, DLP) detects suspicious activity, IAM provides context on “who approved this access and when” – effectively helping to meet regulatory reporting deadlines.

Customers migrating from a competing IAM solution most frequently cited three pain points: a lack of native integration with ITSM, poor support for ‘per-role’ profiles, and the absence of a cover (deputy approver) module – requests would get stuck when approvers were on leave. In eAuditor IAM, this is standard.

Identification of non-compliance prior to an audit

Every action in eAuditor IAM leaves a complete record: date, author, column, and values before and after the change. An NIS2/ISO auditor comes looking for six things: access control policy, account inventory, recertification results, MFA configuration, 12 months’ worth of logs, and a register of privileged accounts. The system provides all this in a single report – that is the difference between “we have a procedure” and “we have documented compliance”.

Three questions worth asking yourself before someone else asks them: how many inactive accounts are lurking in your Active Directory? How long does it take to revoke access after an employee leaves – an hour, a day, a month? Can you show within five minutes who approved access to a critical system and why?
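The three questions can be turned into a self-check that an access-rights owner runs against their own exports before the auditor does. The script below is an added example written for this article, not eAuditor's code or report format; the record layouts, the 90-day and one-day thresholds and every account, leaver and approval in it are constructed assumptions.

```python
# Added example (not eAuditor's code): the three pre-audit questions answered
# over a constructed AD export, HR leaver list and access-approval log.
# Field names, thresholds and all sample data are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdUser:
    login: str
    enabled: bool
    last_logon: Optional[date]     # None = the account has never signed in


@dataclass(frozen=True)
class Leaver:
    login: str
    left_on: date
    revoked_on: Optional[date]     # None = access is still active today


@dataclass(frozen=True)
class Approval:
    login: str
    system: str
    approver: str
    approved_on: date
    justification: str


def inactive_accounts(users: List[AdUser], today: date, max_idle_days: int = 90) -> List[str]:
    """Question 1: enabled accounts with no sign-in for max_idle_days (or ever).
    Disabled accounts are skipped: they are already handled."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u.login for u in users
                  if u.enabled and (u.last_logon is None or u.last_logon < cutoff))


def revocation_latency(leavers: List[Leaver], today: date) -> Dict[str, int]:
    """Question 2: days between leaving and revocation. A leaver whose access
    was never revoked is counted up to today, so it cannot hide behind a
    missing revocation date."""
    return {lv.login: ((lv.revoked_on or today) - lv.left_on).days for lv in leavers}


def who_approved(approvals: List[Approval], system: str) -> List[Approval]:
    """Question 3: approval records for one critical system, newest first."""
    return sorted((a for a in approvals if a.system == system),
                  key=lambda a: a.approved_on, reverse=True)


def readiness(users: List[AdUser], leavers: List[Leaver], approvals: List[Approval],
              today: date, critical_system: str,
              max_idle_days: int = 90, max_latency_days: int = 1) -> Dict[str, List[str]]:
    """The findings an auditor would otherwise report: idle accounts, leavers
    revoked later than the policy allows, and grants with no justification."""
    latency = revocation_latency(leavers, today)
    return {
        "inactive_accounts": inactive_accounts(users, today, max_idle_days),
        "slow_revocations": sorted(k for k, d in latency.items() if d > max_latency_days),
        "unexplained_grants": sorted(a.login for a in who_approved(approvals, critical_system)
                                     if not a.justification.strip()),
    }


# Constructed sample data.
TODAY = date(2026, 3, 1)
USERS = [
    AdUser("anowak", True, date(2026, 2, 27)),
    AdUser("svc_backup", True, None),              # service account, never signed in
    AdUser("jkowalski", True, date(2024, 11, 15)), # retired, still enabled
    AdUser("old_intern", False, date(2025, 1, 10)),
]
LEAVERS = [
    Leaver("tlis", date(2026, 2, 10), date(2026, 2, 10)),
    Leaver("kmaj", date(2026, 1, 15), date(2026, 2, 20)),
    Leaver("jkowalski", date(2024, 10, 31), None),
]
APPROVALS = [
    Approval("anowak", "EZD", "dept.head", date(2026, 1, 5), "case handling in dept. 3"),
    Approval("kmaj", "EZD", "dept.head", date(2025, 6, 1), ""),
    Approval("anowak", "Finance", "cfo", date(2026, 2, 1), "quarterly reporting"),
]

if __name__ == "__main__":
    for key, value in readiness(USERS, LEAVERS, APPROVALS, TODAY, "EZD").items():
        print(f"{key}: {value}")
```

Run against real exports, the three lists are the answer to the three questions: every login in `inactive_accounts` is a dormant account in AD, every entry in `slow_revocations` is a leaver whose access outlived the policy window, and `who_approved` is the five-minute answer to "who approved this and why" for any system you name.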

If the answer to any of these questions is “I don’t know” – it’s worth looking into. The first step is a one-hour session dedicated to eAuditor IAM.

It’s 60 minutes that could transform the way your organisation manages identities and access.

See how it works in practice – book a presentation:
https://www.eauditor.eu/identity-access-management
