
Zero Trust HarmonyQ – knock, knock, who is there…

“You don’t get breached through your firewall. You get breached through your CEO.”

In a quiet boardroom somewhere in Europe, a CFO hesitates. A message has just come in via WhatsApp. It’s from the CEO—at least, it appears to be. The tone is familiar, the timing makes sense, and the context is precise. “Can you urgently approve this transfer? I’m in a meeting.” Nothing about it feels out of place. In fact, everything about it feels right. And that is exactly the problem.

What happened in that moment is becoming increasingly common across organisations subject to NIS2. The attacker did not exploit a vulnerability, deploy malware, or bypass a firewall. Instead, they studied. They observed LinkedIn profiles—often verified ones—mapped relationships, analysed communication styles, and reconstructed trust. By the time the message was sent, the attack was already complete. All that remained was a decision.

For years, organisations have invested in technology: SIEM platforms, endpoint detection, multi-factor authentication. These controls remain necessary, but they are no longer sufficient. Because attackers have stopped trying to break systems. They are learning to become identities. As one incident responder put it bluntly: “We didn’t break in. We logged in.” And increasingly, they don’t even need to log in—they simply convince someone else to act on their behalf.

This is where NIS2 fundamentally changes the conversation. It no longer asks whether systems are protected. It asks whether organisations can demonstrate control—real, measurable control—over identity, access, and decision-making under pressure. The difference is subtle, but critical. Traditional IAM frameworks answer who has access to what. NIS2 demands that organisations answer who someone really is, whether they should have access now, and under which conditions that access remains valid. That is not access management. That is governance.

To understand this shift, it helps to step back into architecture. The nine-plane model of Rik Maes reminds us that identity does not belong to IT alone. It sits across business, information, and technology layers, linking executive responsibility with operational enforcement. When identity is treated purely as a technical function, it becomes fragmented. When it is governed, it becomes control. And control is exactly what is missing in most breach scenarios.

Zero Trust attempts to operationalise this by removing implicit trust entirely. Every request becomes a calculation: who is asking, from which device, in what context, and with what behavioural signals. Trust is no longer granted—it is evaluated continuously. But even Zero Trust, when implemented without addressing identity exposure, leaves a critical gap. If an attacker can convincingly impersonate a trusted individual, the system is already compromised at the human layer.

This is where a more radical idea begins to emerge—one that is gaining traction in organisations facing high exposure under NIS2 and DORA. Instead of exposing real identities across every platform, organisations introduce a layer of abstraction. Real identities are kept internally, controlled and protected. External systems operate on pseudonymous identities—controlled representations that can be governed, monitored, and revoked without exposing the individual behind them. The goal is simple: if attackers cannot see your identity, they cannot become your identity.

Because that is the uncomfortable reality organisations are starting to confront. Executives today are not just leaders; they are highly visible, highly trusted digital entities. Their presence on platforms, their communication patterns, even their writing style—all of it becomes material for attackers. In that sense, the executive team is no longer just responsible for risk. They are part of the attack surface.

And that is why NIS2 ultimately lands not in IT, but in the boardroom. It forces a shift from thinking about cybersecurity as a set of tools to understanding it as a function of governance. When something goes wrong—and increasingly, it will—the question will not be whether the organisation had the right technologies. It will be whether it had control. Control over identity. Control over access. Control over trust itself.

Because the next breach will not begin with a vulnerability scan or a piece of malware. It will begin, quietly, with a message. A believable one. A message that feels right.

“Can you approve this transfer?”

And in that moment, the only thing that will matter is whether the organisation built its security around systems—or around identity.

The tech talk:

Why identity—not infrastructure—is the new frontline under NIS2


In a boardroom somewhere in Europe, a CFO hesitates.

A WhatsApp message just came in from the CEO:

“Urgent. Can you approve this transfer? I’m in a meeting.”

Everything checks out.
Tone. Timing. Context.

It almost gets approved.


The uncomfortable truth NIS2 is forcing into the open

For years, organisations invested heavily in:

  • firewalls
  • SIEM
  • endpoint protection

And yet, attackers didn’t adapt by breaking systems.

They adapted by becoming the system.

“We didn’t break in. We logged in.”
— (Common APT post-incident reality)


The new attack chain is brutally simple

  • Scrape LinkedIn (preferably verified profiles)
  • Map internal hierarchy
  • Profile behaviour and communication
  • Launch impersonation via WhatsApp / SMS / Teams

No malware.
No exploit.
Just trust abuse at scale.

“If I can sound like your CEO, I don’t need your password.”


NIS2 changes the question entirely

NIS2 is not asking:

❌ “Do you have security tools?”
❌ “Are your systems protected?”

It is asking:

“Can you prove control over identity, access, and decision-making under attack?”

And that’s where most organisations are still exposed.


IAM is not enough anymore

Traditional IAM answers:

  • Who has access?
  • To what system?

But NIS2 requires more:

“Who is this really? Should they have access now? Under these conditions?”

That’s not access management.

That’s identity governance + risk decisioning in real time.


From access to control: the architectural shift

Forward-looking organisations are moving toward three converging models:

1. Rik Maes' 9-plane thinking

Identity is no longer IT. It spans:

  • business accountability
  • information context
  • technical enforcement

“If identity is not governed at board level, it is not governed at all.”


2. Zero Trust (ZT9 logic)

Every access request becomes a decision:

  • who
  • from where
  • on what device
  • with what behaviour

Continuously evaluated.

“Trust is no longer granted. It is calculated.”
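As an added illustration of the per-request evaluation described above (example code, not from the original post and not any vendor's ZT9 implementation), the function below scores the "who / from where / on what device / with what behaviour" signals for each request and returns a decision; the signal names, weights and thresholds are assumptions chosen for this example.

```python
# Added example: a minimal continuous access-decision function. Signal
# names, weights and thresholds are assumptions, not a standard.
from dataclasses import dataclass


@dataclass
class AccessRequest:
    subject: str              # who is asking
    device_managed: bool      # on what device (enrolled and compliant?)
    location_known: bool      # from where (a location seen before for this subject?)
    channel_trusted: bool     # corporate workflow vs. WhatsApp / SMS / Teams chat
    behaviour_anomaly: float  # 0.0 (normal) .. 1.0 (highly unusual for this subject)
    action: str               # what is requested
    amount: float = 0.0       # for payment approvals


HIGH_VALUE = 50_000.0  # assumed threshold above which a call-back is always required


def risk_score(req: AccessRequest) -> float:
    """Combine the context signals into a 0..1 risk score (weights are assumptions)."""
    score = 0.0
    if not req.device_managed:
        score += 0.3
    if not req.location_known:
        score += 0.2
    if not req.channel_trusted:
        score += 0.3
    score += 0.2 * req.behaviour_anomaly
    return min(score, 1.0)


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (verify via an independent, trusted channel) or 'deny'.

    Trust is recomputed on every request; nothing is granted by default.
    """
    score = risk_score(req)
    if score >= 0.7:
        return "deny"
    # Money movement is verified out of band (call-back on a known number,
    # approval inside the corporate workflow) whenever the request is large
    # or arrived over a channel the organisation does not control.
    if req.action == "approve_transfer" and (req.amount >= HIGH_VALUE or not req.channel_trusted):
        return "step_up"
    if score >= 0.3:
        return "step_up"
    return "allow"
```

The boardroom scenario from the opening, a transfer request arriving over WhatsApp, lands in `step_up` even when the device and location look normal, which is the control the text argues for.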


3. Identity abstraction (UCID model)

A radical but necessary shift:

  • real identity → internal vault
  • external systems → pseudonymous identity

Why?

Because:

“If attackers can see your identity, they can become your identity.”
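To make the "real identity in an internal vault, pseudonymous identity outside" idea concrete, here is an added example (not from the original post and not the UCID model's own specification) of a small vault that derives a per-platform pseudonym with a key that never leaves the vault, resolves it internally only, and can revoke it without touching the real identity; the class name, the HMAC-based derivation and the epoch parameter are assumptions for this illustration.

```python
# Added example: an internal identity vault issuing revocable, per-platform
# pseudonyms. Derivation scheme and names are assumptions, not a standard.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class IdentityVault:
    """Real identities stay inside; external platforms only ever see pseudonyms."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)   # secret, never exported
        self._active: Dict[str, str] = {}            # pseudonym -> real identity
        self._revoked: Set[str] = set()

    def pseudonym_for(self, real_id: str, platform: str, epoch: int = 0) -> str:
        # Keyed derivation: without the vault key a pseudonym seen on one
        # platform cannot be linked to the person or to other platforms.
        msg = f"{real_id}|{platform}|{epoch}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        pseud = f"{platform}-{tag}"
        self._active[pseud] = real_id
        return pseud

    def resolve(self, pseud: str) -> Optional[str]:
        """Internal-only lookup; a revoked pseudonym no longer resolves to anyone."""
        if pseud in self._revoked:
            return None
        return self._active.get(pseud)

    def revoke(self, pseud: str) -> None:
        """Cut the external representation loose; the real identity is untouched."""
        self._revoked.add(pseud)
        self._active.pop(pseud, None)
```

Bumping `epoch` after a revocation issues a fresh, unrelated pseudonym for the same person on the same platform, which is how "governed, monitored and revoked" plays out in practice.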


The real risk NIS2 is targeting

This is not theoretical.

Executives today are:

  • publicly visible
  • digitally verified
  • socially mapped

They are no longer just decision-makers.

They are attack surfaces.

“Your executive team is your most privileged system—and your least protected one.”


From breach to resilience

Organisations that adapt will shift from:

Old Model                 New Model
------------------------  ------------------------
Identity exposed          Identity abstracted
Trust assumed             Trust verified
Static access             Risk-based access
Tool-driven security      Identity-driven control

The board-level implication

This is where NIS2 becomes uncomfortable.

Because it places responsibility where it belongs:

👉 at the executive level

“Cybersecurity is no longer an IT problem. It is a governance failure when it goes wrong.”


Final thought

The next generation of breaches will not start with:

  • a vulnerability
  • a zero-day
  • a misconfigured firewall

They will start with a message.

A believable one.

“Approve this payment.”

And the only question that will matter is:

👉 Did you control identity—or did identity control you?
