NIS2 compliance for EU businesses requires a documented, technically enforced password policy under Article 21 of Directive (EU) 2022/2555. Compromised credentials remain the leading initial access vector across European organizations, and national competent authorities are actively scrutinizing identity and access management controls. A written policy alone is not enough — it must be enforced, monitored, and auditable.

The enforcement phase is underway. Fines for essential entities reach up to €10 million or 2% of global annual turnover, whichever is higher (important entities face up to €7 million or 1.4%). According to the ENISA NIS Investments 2025 report, 70% of EU organizations cite regulatory compliance as their primary cybersecurity investment driver — yet 76% report difficulties recruiting qualified professionals to implement those controls. The gap between intent and execution is where audits are failed.

This checklist translates Article 21's legal requirements into specific, operational steps for IT teams, and maps each step to the technical controls that make compliance provable — not just plausible.


Understanding NIS2 Article 21 password requirements

NIS2 Article 21 does not specify a minimum character count. Instead, it mandates "appropriate and proportionate technical and organisational measures" based on the state of the art, requiring essential and important entities to implement access control policies, multi-factor authentication, and credential hygiene as part of a broader cybersecurity risk management framework.

The phrase "state of the art" is deliberate. National competent authorities and their auditors interpret it by referencing established technical frameworks, typically ENISA's own technical guidance and the current NIST Digital Identity Guidelines for passwords, SP 800-63B-4 (the 2025 Revision 4 of SP 800-63B). What those frameworks define as acceptable today sets the bar for what Article 21 requires in practice.

This creates an important operational reality: a password policy documented in a PDF and stored on a SharePoint drive is not compliance. Article 21 requires that measures be technically enforced and continuously operative. The ENISA Threat Landscape 2025 report confirms that compromised credentials remain a primary initial access vector, with 68.6% of recorded intrusions leading to data breaches — many of them preventable with basic credential security controls.

The shift NIS2 demands is from reactive security to proactive, documented risk management. Every control must be enforceable, every enforcement action must be logged, and every log must be producible on demand.


The NIS2 password policy checklist

The following five controls represent the operational core of an Article 21-compliant password policy. Each item includes the regulatory rationale, the technical requirement, and how a self-hosted password manager enforces it in practice.


✅ 1. Enforce length over complexity

The requirement

NIST SP 800-63B-4 (2025) keeps 8 characters as the hard minimum a verifier SHALL enforce and adds that verifiers SHOULD require at least 15 characters when the password is the only authentication factor. The same revision forbids mandatory composition rules (uppercase + number + symbol combinations) because they produce predictable patterns, and it requires verifiers to accept passwords of at least 64 characters, spaces included, so that passphrases are not blocked. "Password123!" satisfies most legacy complexity rules. It is not a strong password.

NIS2 auditors referencing "state of the art" will expect your policy to reflect current NIST guidance. That means prioritizing length and entropy over arbitrary complexity theater. Passphrases of four or more words drawn at random from a large word list clear the 15-character threshold while being genuinely memorable, and their strength comes from the number of words and the size of the list, not from symbols.
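As an added example (not Passwork's code), here are the acceptance checks a verifier or vault policy engine applies under SP 800-63B-4, plus a passphrase generator whose strength is computed from the word list rather than from character classes. The breach blocklist, the 32-word list and the context values are constructed sample data; a deployment loads a real breach corpus and a multi-thousand-word list.

```python
"""Password acceptance checks in the style of NIST SP 800-63B-4 Section 3.1.1.2.

Added example, not Passwork code. The breach blocklist and word list below are
constructed sample data; a deployment loads a real corpus (for example a local
Have I Been Pwned export) and a multi-thousand-word list such as the EFF list.
"""
import math
import secrets
import unicodedata

MIN_LEN = 8           # SP 800-63B-4: verifiers SHALL require at least 8
RECOMMENDED_LEN = 15  # SP 800-63B-4: SHOULD require 15 when the password is the only factor
MAX_LEN = 128         # SP 800-63B-4 requires accepting at least 64; never truncate silently

# Constructed blocklist (lower-case): breached and common values.
BREACHED = {"password", "password123!", "summer2024!", "autumn2024!", "qwerty123", "welcome1"}

# Constructed 32-word list: log2(32) = 5 bits per word, far below a real list.
WORDS = ["anchor", "basalt", "cobalt", "delta", "ember", "falcon", "glacier", "harbor",
         "ingot", "juniper", "kestrel", "lantern", "marble", "nickel", "orbit", "pepper",
         "quartz", "ribbon", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
         "yonder", "zephyr", "bramble", "copper", "drift", "feather", "granite", "hollow"]


def _repetitive_or_sequential(s: str) -> bool:
    """True for 'aaaaaaaa' or 'abcdefgh' / '87654321' style strings."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str = "", service: str = "",
                   single_factor: bool = True) -> tuple[bool, str]:
    """Return (accepted, reason). There are deliberately no composition rules."""
    # Normalise before any comparison or hashing so look-alike Unicode forms
    # (full-width letters, composed vs decomposed accents) are treated alike.
    pw = unicodedata.normalize("NFKC", password)
    floor = RECOMMENDED_LEN if single_factor else MIN_LEN
    if len(pw) < floor:
        return False, f"shorter than {floor} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BREACHED:
        return False, "appears in breach/common-password blocklist"
    for ctx in (username, service):          # context-specific words: user name, service name
        if ctx and ctx.lower() in low:
            return False, f"contains context-specific value {ctx!r}"
    if _repetitive_or_sequential(low):
        return False, "repetitive or sequential characters"
    return True, "accepted"


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built by uniform random choice from the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int = 4, wordlist=WORDS, sep: str = " ") -> str:
    """Uniform random words joined with a separator; uses the CSPRNG, not random()."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("Password123!", "Summer2024!", "correct horse battery staple"):
        print(f"{pw!r:35} -> {check_password(pw)}")
    print("words for 80 bits, EFF long list (7776):", words_needed(80, 7776))
    print("words for 80 bits, sample list (32):", words_needed(80, len(WORDS)))
    p = generate_passphrase(6)
    print(p, check_password(p), f"{passphrase_entropy_bits(6, len(WORDS)):.0f} bits")
```

Two points worth noticing when you run it: "Password123!" written in full-width Unicode characters is rejected as the same blocklisted value once NFKC normalization is applied, and the same 80-bit target needs 7 words from a 7776-word list but 16 from a 32-word list, which is why the generator's word list size matters as much as the word count.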

The Passwork solution

Passwork's customizable password generator allows administrators to define minimum length, character sets, and entropy requirements centrally. Users cannot generate or save credentials that fall below the configured threshold. Policy enforcement happens at the point of creation — not as a post-hoc audit finding.


✅ 2. Eliminate mandatory periodic rotation

The requirement

Mandatory 90-day password rotation is not just ineffective — it actively undermines security. Users forced to rotate on a calendar schedule predictably increment their passwords: "Summer2024!" becomes "Autumn2024!" The credential is technically new. The security value is negligible.

NIST SP 800-63B-4 states this directly: verifiers SHALL NOT require periodic password changes, but SHALL force a change when there is evidence the password has been compromised. ENISA guidance takes the same position. Passwords should be changed when there is evidence of a breach, when a credential appears in a known leaked dataset, or when an employee with access departs. Not because the calendar says so.

The Passwork solution

Passwork's password security dashboard continuously monitors the vault, surfacing weak, outdated, and potentially compromised credentials. When an employee leaves, Passwork automatically flags every credential they had access to as potentially compromised and prompts targeted resets. IT teams act on actual risk signals — not arbitrary dates.


✅ 3. Prevent password reuse

The requirement

Credential stuffing attacks depend on one thing: users reusing the same password across multiple systems. When one service is breached, attackers test those credentials against corporate VPNs, admin panels, and cloud consoles. The attack is automated, scalable, and devastatingly effective against organizations that rely on users to self-manage unique passwords.

NIS2's access control requirements implicitly address this by demanding that organizations implement measures proportionate to the risk. Credential reuse across corporate systems represents a quantifiable, preventable risk — and one that auditors will probe.

The Passwork solution

A centralized password vault removes the memorization burden that drives reuse. Passwork's built-in generator creates unique, high-entropy credentials for every service. When users no longer need to remember passwords — only access them through a secured vault — the behavioral incentive to reuse disappears entirely.


✅ 4. Implement phishing-resistant MFA

The requirement

Article 21(2)(j) of the NIS2 Directive explicitly mandates the use of multi-factor authentication "where appropriate." For privileged accounts, remote access, and any system handling sensitive data, "where appropriate" means always. SMS-based one-time codes are no longer considered sufficient for high-risk access scenarios — SIM-swapping and real-time phishing kits can intercept them in seconds.

Authenticator-app codes (TOTP) are a clear improvement over SMS because nothing travels through the mobile network, but they are not phishing-resistant: a reverse-proxy phishing kit simply relays the six-digit code to the real site within its 30-second validity window. The current standard for phishing-resistant MFA is FIDO2/WebAuthn, whether as a hardware security key or a platform passkey. A WebAuthn assertion is cryptographically bound to the relying party's origin, so a credential registered for your vault's domain cannot be exercised from a look-alike domain, and the signed challenge cannot be replayed.
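The difference is easier to see in code than in prose. The following is an added illustration, not Passwork's code: the TOTP half is RFC 6238 as specified, and the WebAuthn half is a simplified model in which the browser's RP ID rule and the relying party's origin, rpIdHash and challenge checks are as in the standard, but the authenticator's private-key signature is stood in for by an HMAC over the same bytes so that the script needs only the standard library. The hosts, credential key and challenge are constructed values.

```python
"""TOTP relays through a phishing proxy; a WebAuthn assertion does not.

Added illustration, not Passwork code. TOTP follows RFC 6238 (HMAC-SHA1, 30 s
step). The WebAuthn part is a model: the browser RP ID rule and the relying
party's origin/rpIdHash/challenge checks are real, but the authenticator's
ECDSA/Ed25519 signature is replaced by an HMAC over exactly the bytes a real
authenticator signs. Hosts, key and challenge are constructed values.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "vault.example"                # constructed relying party ID
RP_ORIGIN = "https://vault.example"    # the only origin the RP accepts
PHISH_ORIGIN = "https://evil.example"  # constructed look-alike site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for the given time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (typical verifier tolerance)."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it a few
    seconds later. Returns True if the real verifier accepts it."""
    victim_code = totp(secret, now)
    return verify_totp(secret, victim_code, now + 5)


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser allows only an RP ID that is
    the page's host or a registrable suffix of it, and it writes the page's real
    origin into clientDataJSON itself; page script cannot forge that field."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"RP ID {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash (32) | flags (UP set) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for the private-key signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify_assertion(assertion: dict, expected_challenge: str, cred_key: bytes) -> bool:
    """Relying-party checks from the WebAuthn verification procedure."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                       # wrong ceremony or replayed challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                       # assertion was produced on another site
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                       # credential scoped to a different RP ID
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_webauthn_attack(challenge: str, cred_key: bytes) -> bool:
    """Proxy fetches a genuine challenge from the RP and shows the victim a login
    page on PHISH_ORIGIN. Returns True if the relayed assertion is accepted."""
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
    except ValueError:
        # The browser refuses vault.example as RP ID for evil.example. Even if the
        # phisher asks for its own RP ID (and even granting it the same key, which
        # a real authenticator would not do), the RP rejects the result below.
        assertion = browser_get_assertion(PHISH_ORIGIN, "evil.example", challenge, cred_key)
    return rp_verify_assertion(assertion, challenge, cred_key)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP relayed through proxy accepted:", relay_totp_attack(seed, 1_700_000_000))
    key, challenge = b"constructed-credential-key", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
    genuine = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, key)
    print("Genuine WebAuthn login accepted:", rp_verify_assertion(genuine, challenge, key))
    print("WebAuthn relayed through proxy accepted:", relay_webauthn_attack(challenge, key))
```

The TOTP relay succeeds because the verifier has no way to know where the user typed the code. The WebAuthn relay fails twice over: the browser will not let evil.example request a credential scoped to vault.example, and whatever assertion it does obtain carries the phishing origin in clientDataJSON, which the relying party rejects before it even checks the signature.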

The Passwork solution

Passwork supports two-factor authentication including biometric authentication and passkeys via WebAuthn — the same FIDO2 standard that underpins hardware security keys. Access to the centralized credential vault — which holds the organization's most sensitive assets — is protected by a second verification layer that phishing cannot bypass, provided the WebAuthn factor is actually required for those accounts and weaker fallback methods are disabled rather than left available as an alternative.

👉 Managing credentials across teams without a structured vault creates exactly the kind of audit gap NIS2 auditors look for. See how Passwork enforces access controls and generates the evidence you need — explore Passwork's features.

✅ 5. Secure service accounts and shared credentials

The requirement

Unmanaged service accounts and shared credentials are among the most common audit failure points under NIS2. A generic team mailbox used as a social media login and shared over Slack, a database service account with a password known to three former contractors, a Wi-Fi password stored in a notes app — each represents an uncontrolled access vector with no attribution, no rotation history, and no audit trail.

Article 21 requires that access control measures cover all systems and credentials within scope. That includes non-human accounts and shared access scenarios, not just individual user logins.

The Passwork solution

Passwork provides shared vaults with granular, role-based access control (RBAC). Teams access shared credentials through the vault — no plaintext passwords transmitted over chat, email, or messaging apps. Access can be granted and revoked instantly, and every interaction is logged with a timestamp and user identity.


Generating audit evidence for NIS2 compliance

Passing a NIS2 audit requires more than having controls in place — it requires proving those controls operated continuously. Many organizations fail not because their security is inadequate, but because they cannot produce the documentation to demonstrate it.

National competent authorities expect to see immutable activity logs: records of who accessed which credential, when, and from where. They expect access reviews showing that permissions are current and that departed employees no longer have access. They expect evidence that your password policy is technically enforced — not just written down.

The evidence gap is real. An organization that manually manages passwords through spreadsheets or shared documents cannot produce this evidence. The records either don't exist or cannot be trusted as immutable.

Passwork addresses this directly through two mechanisms:

  • LDAP/Active Directory integration. Passwork synchronizes with your existing directory structure to automatically provision and de-provision access. When an account is disabled in Active Directory, its access to Passwork is revoked automatically; confirm how quickly that happens in your deployment (synchronization interval versus real-time) against your de-provisioning SLA by testing with a disposable account rather than assuming it. Dormant accounts — a frequent audit finding — are eliminated by design rather than by periodic manual review.
  • Comprehensive audit trails. Every action within Passwork — credential creation, modification, access, sharing, deletion — is recorded with a timestamp and the identity of the acting user. These logs are detailed, exportable, and structured for exactly the kind of documentation regulators demand. There is no ambiguity about who did what and when.

This is the difference between a password policy and a compliant password policy. The technical control exists. The evidence that it works also exists.
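The following added example (not Passwork's export format or code) shows what an access review over a vault audit log looks like in practice, covering both the departure-triggered rotation described in checklist item 2 and the evidence questions above: is the log tamper-evident, did disabled directory accounts actually stop being used, which enabled accounts are dormant, and which credentials a departed user touched. The log records, the directory snapshot, the field names and the review date are all constructed assumptions.

```python
"""Access-review and evidence checks over a credential-vault audit log.

Added example, not Passwork's export format or code. The records, directory
snapshot, field names and review date are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

REVIEW_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed review date

# Constructed directory snapshot (what an AD/LDAP sync would provide).
DIRECTORY = {
    "alice": {"enabled": True,  "disabled_at": None},
    "bob":   {"enabled": False, "disabled_at": "2026-01-15T17:00:00+00:00"},  # left the company
    "carol": {"enabled": True,  "disabled_at": None},
    "dave":  {"enabled": True,  "disabled_at": None},
}

# Constructed vault events, oldest first.
EVENTS = [
    {"ts": "2025-10-05T08:00:00+00:00", "actor": "carol", "action": "view",   "credential": "db/prod-postgres"},
    {"ts": "2026-01-10T09:12:00+00:00", "actor": "bob",   "action": "view",   "credential": "db/prod-postgres"},
    {"ts": "2026-01-12T14:30:00+00:00", "actor": "bob",   "action": "share",  "credential": "vpn/site-to-site"},
    {"ts": "2026-01-14T10:00:00+00:00", "actor": "alice", "action": "update", "credential": "saas/crm-admin"},
    {"ts": "2026-01-20T11:05:00+00:00", "actor": "bob",   "action": "view",   "credential": "vpn/site-to-site"},
    {"ts": "2026-02-20T16:45:00+00:00", "actor": "alice", "action": "view",   "credential": "db/prod-postgres"},
]


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, event: dict) -> dict:
    """Hash-chain each record to the previous one so edits or deletions are detectable."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    record = dict(event, prev_hash=prev_hash)
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev_hash = "0" * 64
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev_hash") != prev_hash or hashlib.sha256(_canonical(body)).hexdigest() != rec.get("hash"):
            return False, i
        prev_hash = rec["hash"]
    return True, None


LOG: list = []
for _e in EVENTS:
    append_event(LOG, _e)


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ts"])


def post_disable_activity(log: list, directory: dict) -> list:
    """Events by an account after its directory disable time: de-provisioning did not take effect."""
    findings = []
    for rec in log:
        entry = directory.get(rec["actor"])
        if entry and not entry["enabled"] and entry["disabled_at"] \
                and _ts(rec) > datetime.fromisoformat(entry["disabled_at"]):
            findings.append(rec)
    return findings


def dormant_accounts(log: list, directory: dict, now: datetime, days: int = 90) -> list:
    """Enabled accounts with no vault activity in the window (never-used accounts included)."""
    last_seen = {}
    for rec in log:
        last_seen[rec["actor"]] = max(last_seen.get(rec["actor"], _ts(rec)), _ts(rec))
    cutoff = now - timedelta(days=days)
    return sorted(u for u, e in directory.items() if e["enabled"] and last_seen.get(u, cutoff) <= cutoff)


def rotation_candidates(log: list, departed_user: str) -> list:
    """Every credential the departed user viewed, shared or changed: rotate these."""
    return sorted({rec["credential"] for rec in log if rec["actor"] == departed_user})


def credential_history(log: list, credential: str) -> list:
    """Who did what with one credential, the per-secret evidence auditors ask for."""
    return [(rec["ts"], rec["actor"], rec["action"]) for rec in log if rec["credential"] == credential]


if __name__ == "__main__":
    print("log intact:", verify_chain(LOG))
    print("activity after disable:", [(r["actor"], r["ts"], r["credential"]) for r in post_disable_activity(LOG, DIRECTORY)])
    print("dormant (90 days):", dormant_accounts(LOG, DIRECTORY, REVIEW_DATE))
    print("rotate after bob left:", rotation_candidates(LOG, "bob"))
    print("db/prod-postgres history:", credential_history(LOG, "db/prod-postgres"))
```

On the sample data the review surfaces one de-provisioning failure (bob viewing the VPN credential five days after his directory account was disabled), two dormant enabled accounts (carol, inactive since October, and dave, never active), and two credentials to rotate because bob had touched them. The hash chain is what lets you present the same log to an auditor as evidence: deleting bob's post-disable event or rewriting its actor breaks the chain at that index.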

👉 Passwork's audit logs and AD/LDAP integration are built for compliance scenarios. Request a demo to see how the evidence trail maps to NIS2 audit requirements.

Why self-hosted password management matters for EU businesses

For essential and important entities under NIS2, data sovereignty is a compliance consideration — not just a preference. Storing credential data with a third-party cloud provider introduces supply chain risk: a breach of that provider becomes your breach, and their infrastructure decisions affect your compliance posture.

Passwork is deployed on-premises, within your own infrastructure. Credential data never leaves your environment. All data is encrypted using AES-256 on both the server and client sides, with a zero-knowledge architecture ensuring that even Passwork's own team cannot access your vault contents. For organizations operating under strict data residency requirements or managing credentials for critical infrastructure, this is the deployment model that gives the most direct control, since the residency, patching and logging decisions all stay with your own team.

The ISO/IEC 27001 certification Passwork holds further validates that its internal security management processes meet international standards — a meaningful signal for organizations conducting vendor due diligence as part of their own NIS2 supply chain risk assessments.


Frequently asked questions

Does NIS2 require a specific minimum password length?

NIS2 Article 21 does not specify a character count. It requires "appropriate and proportionate" technical measures based on the state of the art. NIST SP 800-63B-4 (2025) is the most widely referenced benchmark: it requires a minimum of 8 characters and recommends at least 15 when the password is the only authentication factor, with no composition rules. Aligning your policy with that guidance is the practical way to satisfy the "state of the art" requirement.

Is MFA mandatory under NIS2?

Article 21(2)(j) of Directive (EU) 2022/2555 explicitly lists multi-factor authentication "where appropriate." For privileged accounts, remote access, and systems handling sensitive data, regulators and ENISA guidance treat MFA as effectively mandatory. SMS-based codes are no longer considered sufficient for high-risk access; authenticator apps are better but can still be relayed by a real-time phishing proxy, and only FIDO2/WebAuthn (hardware keys or passkeys) is phishing-resistant.

Do we still need to enforce 90-day password rotation for NIS2 compliance?

No. Mandatory periodic rotation is not required and is actively discouraged by both NIST SP 800-63B (2025) and ENISA guidance. Rotation should be triggered by evidence of compromise — a breach, a leaked credential, or an employee departure — not by calendar intervals. Forced rotation without cause produces predictable password patterns and weakens overall security.

What audit evidence do NIS2 auditors expect for password management?

Auditors expect immutable activity logs showing who accessed which credentials and when, access control records demonstrating that permissions are current and appropriately scoped, evidence of de-provisioning for departed employees, and documentation that the password policy is technically enforced rather than advisory. A manually maintained spreadsheet cannot satisfy these requirements.

Can a cloud-based password manager satisfy NIS2 requirements?

It can, in principle, but essential entities should carefully assess supply chain risk. NIS2 Article 21 includes supply chain security as a mandatory measure. Storing credentials with a third-party cloud provider means that provider's security posture directly affects your compliance. A self-hosted solution deployed within your own infrastructure eliminates this dependency and gives administrators full control over encrypted data.

What happens to shared credentials and service accounts under NIS2?

Shared credentials and service accounts fall within the scope of Article 21's access control requirements. They must be inventoried, secured, and subject to the same access logging and permission controls as individual user accounts. Unmanaged shared credentials — passwords distributed over chat or email — represent an uncontrolled access vector and a direct audit failure point.

When did NIS2 enforcement begin?

The NIS2 Directive required EU member states to transpose it into national law by 17 October 2024. Enforcement by national competent authorities is actively underway across the EU, with the 2025–2026 period seeing increased scrutiny of essential and important entities' cybersecurity risk management measures, including identity and access management controls.


Conclusion

NIS2 compliance treats identity management as a documented, auditable security control — not an IT housekeeping task. The five checklist items above — length-based password policy, compromise-triggered rotation, reuse prevention, phishing-resistant MFA, and secured shared credentials — represent the operational minimum for Article 21 alignment.

The organizations that pass NIS2 audits are not necessarily those with the most sophisticated security stacks. They are the ones who can demonstrate, with evidence, that their controls work continuously. A self-hosted password manager with centralized enforcement, AD/LDAP integration, and immutable audit logs is the most direct path from policy to proof.

👉 Passwork is available as a self-hosted solution with full control over your credential data, built-in audit trails, and LDAP integration designed for enterprise compliance requirements. Explore deployment options or try Passwork in your own infrastructure.

Meta Title: NIS2 Password Policy Checklist for EU Businesses | Passwork
Meta Description: A practical NIS2 password policy checklist for IT managers and compliance officers. Covers Article 21 requirements, NIST 2025 standards, MFA, audit evidence, and enforcement with Passwork.