The EU NIS2 Directive is fundamentally changing how companies think about security, identities, and access rights. From 2024/2025, more and more organizations — including industry, critical infrastructure, energy, transport, healthcare, SaaS providers, and suppliers — must adhere to stricter security standards.
By 2026, it is clear: secure Identity & Access Management is no longer a “nice to have”, but a must.
Keycloak is one of the strongest open-source solutions. However, many companies underestimate how much NIS2-relevant responsibility sits in the IAM. This blog post explains what NIS2 requires — and how Keycloak (properly configured) meets these requirements.
What does NIS2 specifically require in the area of identity assurance?
The directive requires, among other things:
✔ Strong authentication
→ MFA, Passkeys, Smartcards, FIDO2
✔ Clear separation of roles & permissions
→ No admin “collective roles”, cleaner RBAC, least privilege
✔ Replicability & Logging
→ Who accessed which systems when?
✔ Risk management and continuous updates
→ Patch Management, CVE Monitoring, timely upgrades
✔ Protection of critical admin access points
→ IP restrictions, audit logging, MFA for admins
And: Those responsible (management!) can be held liable if systems are operated insecurely.
How Keycloak meets NIS2 requirements
Keycloak brings many NIS2 relevant functions “out of the box” — they just need to be implemented cleanly:
1) Strong authentication (MFA, Passkeys, Smartcard)
Keycloak offers modern MFA mechanisms such as:
- WebAuthn / Passkeys
- TOTP Apps
- FIDO2 Security Keys
- Smartcard Integrations
Keycloak thereby directly fulfills the NIS2 requirements for “Strong Customer Authentication”.
2) Roles & permissions according to the least privilege principle
NIS2 requires a comprehensible role model.
With Keycloak, this is achieved through:
- RBAC over Realm & Client Roles
- Organizations for clients
- Delegated Administration
- Automatic role assignment
A major advantage: rights can be consistently assigned across clients – especially suitable for B2B SaaS models.
3) Logging and auditing for all security-relevant events
Keycloak logs, among other things:
- Login / Logout
- Failed logins
- Administration Actions
- Token Events
- IdP errors
Through OpenTelemetry support (since 26.x), logs and traces can be evaluated centrally in tools such as Grafana, Datadog or SIEM systems.
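The events listed above only help if someone evaluates them. As an added example (not code from the original post or from the Keycloak project), the following Python runs the checks a SIEM rule set would run over the events Keycloak records: failed-login bursts per source address, a login that follows such a burst, admin actions from outside the allowed admin network, and role grants rendered as an audit trail. The field names follow the user and admin event representations of the Keycloak Admin REST API; the events themselves, the admin network range and the thresholds are constructed assumptions.

```python
"""Detection logic over Keycloak user and admin events.

Added example, not code from the original post or the Keycloak project.
Assumed event shape (Keycloak Admin REST API, /events and /admin-events):
user events carry `type`, `time` (epoch ms), `ipAddress`, `userId`, `error`;
admin events carry `operationType`, `resourceType`, `resourcePath` and an
`authDetails` block with the acting admin's `userId` and `ipAddress`.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

T0 = 1_700_000_000_000  # constructed base timestamp, epoch milliseconds

# Constructed: six failed logins in 25 s from one IP, then a success for the
# same user from that IP; one unrelated failure; one ordinary login.
USER_EVENTS = [
    *({"time": T0 + 5_000 * i, "type": "LOGIN_ERROR", "ipAddress": "203.0.113.7",
       "userId": "u-1", "error": "invalid_user_credentials"} for i in range(6)),
    {"time": T0 + 30_000, "type": "LOGIN", "ipAddress": "203.0.113.7", "userId": "u-1"},
    {"time": T0 + 40_000, "type": "LOGIN_ERROR", "ipAddress": "192.0.2.9",
     "userId": "u-3", "error": "user_not_found"},
    {"time": T0 + 50_000, "type": "LOGIN", "ipAddress": "10.0.5.20", "userId": "u-2"},
]

# Constructed: one realm change from the admin network, one role grant from
# an address outside it.
ADMIN_EVENTS = [
    {"time": T0 + 60_000, "operationType": "UPDATE", "resourceType": "REALM",
     "resourcePath": "",
     "authDetails": {"userId": "admin-1", "ipAddress": "10.0.5.20"}},
    {"time": T0 + 70_000, "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/u-9/role-mappings/realm",
     "authDetails": {"userId": "admin-2", "ipAddress": "198.51.100.44"}},
]

# Assumed policy: admin console reachable only from the VPN / zero-trust range.
ADMIN_ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]
ROLE_MAPPING_TYPES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}


def failed_login_bursts(events, threshold=5, window_ms=60_000):
    """Map each source IP with at least `threshold` LOGIN_ERROR events inside a
    sliding window of `window_ms` to its peak count in that window."""
    recent = defaultdict(deque)
    peak = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != "LOGIN_ERROR":
            continue
        ip, q = ev["ipAddress"], recent[ev["ipAddress"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window_ms:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def logins_after_burst(events, threshold=5, window_ms=60_000):
    """List (userId, ip) for LOGIN events preceded, from the same IP and inside
    the window, by at least `threshold` failures: a guessing attempt that
    succeeded, which brute force protection should have cut short."""
    recent = defaultdict(deque)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["ipAddress"]]
        while q and ev["time"] - q[0] > window_ms:
            q.popleft()
        if ev["type"] == "LOGIN_ERROR":
            q.append(ev["time"])
        elif ev["type"] == "LOGIN" and len(q) >= threshold:
            hits.append((ev["userId"], ev["ipAddress"]))
    return hits


def admin_actions_outside_allowed(admin_events, allowed_networks):
    """Admin events whose acting IP lies outside the allowed ranges; with the
    console restricted to those ranges, each one is a policy violation."""
    return [ev for ev in admin_events
            if not any(ip_address(ev["authDetails"]["ipAddress"]) in net
                       for net in allowed_networks)]


def privilege_changes(admin_events):
    """Render role-mapping changes as 'who granted what to whom, when' lines."""
    lines = []
    for ev in admin_events:
        if ev["resourceType"] not in ROLE_MAPPING_TYPES:
            continue
        when = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc).isoformat()
        a = ev["authDetails"]
        lines.append(f"{when} admin={a['userId']} ip={a['ipAddress']} "
                     f"{ev['operationType']} {ev['resourcePath']}")
    return lines


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(USER_EVENTS))
    print("logins after burst:", logins_after_burst(USER_EVENTS))
    for ev in admin_actions_outside_allowed(ADMIN_EVENTS, ADMIN_ALLOWED_NETWORKS):
        print("admin action outside allowed range:", ev["authDetails"])
    print("\n".join(privilege_changes(ADMIN_EVENTS)))
```

In production the event lists would come from the events endpoints or from the log pipeline the OpenTelemetry export feeds; the sliding-window logic is the same either way, and the admin-network check is only meaningful once the console really is restricted to those ranges.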
4) Regular updates & CVE management
Current Keycloak versions regularly include security-relevant patches — e.g. fixes in SAML flows, API parsing, token handling or DoS defense mechanisms.
Companies must ensure that:
- Updates are implemented in a timely manner
- CVEs are regularly checked
- Staging deployments exist
- Backups and rollbacks work
Without these processes, NIS2 requirements cannot be met.
5) Securing critical admin access points
Administrative access is the most common attack vector — NIS2 makes this safeguard mandatory.
Recommendations:
- Force MFA
- Limit to IP Ranges
- Activate Brute Force Protection
- Clearly separate admin roles
- Admin Console behind VPN / Zero Trust
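Most of the points from sections 1, 3 and 5 are visible in a realm's configuration and can be checked mechanically. The following Python is an added example, not the post's or the Keycloak project's code: it reviews a realm representation (the JSON a realm export or `GET /admin/realms/{realm}` produces) for brute force protection, event recording, TLS enforcement, admins without a second factor and the number of global admins, and shows the weak realm beside its hardened version. The two realm snippets, the mapping of which roles count as "admin", the credential type names and the limit of three admins are constructed assumptions.

```python
"""Config review of a Keycloak realm representation for the NIS2 points above.

Added example, not code from the original post or the Keycloak project. It
assumes these realm representation fields: `bruteForceProtected`,
`failureFactor`, `eventsEnabled`, `adminEventsEnabled`, `sslRequired` and,
when users are exported, `users[].realmRoles`, `users[].clientRoles` and
`users[].credentials[].type`. Both realm snippets are constructed.
"""
import json

# Constructed: a realm showing several of the "common errors" at once.
WEAK_REALM = json.loads("""
{
  "realm": "corp",
  "sslRequired": "external",
  "bruteForceProtected": false,
  "failureFactor": 30,
  "eventsEnabled": false,
  "adminEventsEnabled": false,
  "users": [
    {"username": "alice", "realmRoles": ["admin"],
     "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}]},
    {"username": "bob", "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}]},
    {"username": "carol", "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}]},
    {"username": "dave", "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}, {"type": "otp"}]},
    {"username": "erin", "realmRoles": ["user"],
     "credentials": [{"type": "password"}]}
  ]
}""")

# Constructed: the same realm after hardening (fewer admins, all with MFA).
HARDENED_REALM = json.loads("""
{
  "realm": "corp",
  "sslRequired": "all",
  "bruteForceProtected": true,
  "failureFactor": 5,
  "eventsEnabled": true,
  "adminEventsEnabled": true,
  "adminEventsDetailsEnabled": true,
  "users": [
    {"username": "alice", "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}, {"type": "webauthn"}]},
    {"username": "dave", "clientRoles": {"realm-management": ["realm-admin"]},
     "credentials": [{"type": "password"}, {"type": "otp"}]},
    {"username": "erin", "realmRoles": ["user"],
     "credentials": [{"type": "password"}]}
  ]
}""")

# Assumed policy: which roles make a user a "global admin" and which credential
# types count as a second factor. Adjust to the realm's own role model.
ADMIN_REALM_ROLES = {"admin"}
ADMIN_CLIENT_ROLES = {"realm-management": {"realm-admin"}}
SECOND_FACTOR_TYPES = {"otp", "webauthn", "webauthn-passwordless"}
MAX_GLOBAL_ADMINS = 3


def is_admin(user):
    """True if the user holds any of the roles treated as global admin."""
    if ADMIN_REALM_ROLES & set(user.get("realmRoles", [])):
        return True
    return any(ADMIN_CLIENT_ROLES.get(client, set()) & set(roles)
               for client, roles in user.get("clientRoles", {}).items())


def has_second_factor(user):
    """True if at least one enrolled credential is an OTP or WebAuthn factor."""
    return any(c.get("type") in SECOND_FACTOR_TYPES for c in user.get("credentials", []))


def review_realm(realm):
    """Return (severity, finding) tuples; an empty list means nothing to report."""
    findings = []
    if not realm.get("bruteForceProtected", False):
        findings.append(("high", "brute force protection disabled"))
    elif realm.get("failureFactor", 30) > 10:
        findings.append(("medium", f"failureFactor {realm['failureFactor']} allows many guesses before lockout"))
    if not realm.get("eventsEnabled", False):
        findings.append(("high", "user events (login, logout, failures) not recorded"))
    if not realm.get("adminEventsEnabled", False):
        findings.append(("high", "admin events (who changed what) not recorded"))
    if realm.get("sslRequired", "external") != "all":
        findings.append(("medium", f"sslRequired={realm.get('sslRequired')}: TLS not enforced for every request"))
    admins = [u for u in realm.get("users", []) if is_admin(u)]
    for u in admins:
        if not has_second_factor(u):
            findings.append(("high", f"admin '{u['username']}' has no second factor enrolled"))
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(("medium", f"{len(admins)} global admins exceed the limit of {MAX_GLOBAL_ADMINS}"))
    return findings


if __name__ == "__main__":
    for name, realm in (("weak", WEAK_REALM), ("hardened", HARDENED_REALM)):
        print(f"{name}: {len(review_realm(realm))} finding(s)")
        for severity, text in review_realm(realm):
            print(f"  [{severity}] {text}")
```

Whether MFA is actually enforced depends on the browser and admin authentication flows, which this check does not read; it only reports admins who have never enrolled a second factor, which is the visible symptom of the "admin accounts without MFA" error above.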
Common errors that violate NIS2
From our project experience, we see again and again:
- Admin accounts without MFA
- Outdated Keycloak versions (6–18 months old)
- No central logs
- No lived role model
- Too many global admins
- No clearly defined update processes
- Custom Extensions without Security Review
- Insecure configuration in Kubernetes/Cloud
These issues are no longer tolerable under NIS2.
How companies can operate Keycloak in compliance with NIS2
✔ 1. Security Audit / Config Review
→ Analysis of flows, realms, roles, logs, infrastructure
✔ 2. Development of a standardized role model
→ Reducing risks & permissions overgrowth
✔ 3. Strengthening Admin Security
→ MFA, Restriction, Audit Logging
✔ 4. Monitoring, OpenTelemetry & SIEM Connection
→ Mandatory for traceability
✔ 5. Establish patch management
→ Regular reviews & updates
✔ 6. Hardening the environment
→ Reverse Proxy, TLS, Cluster Security, DB hardening
Conclusion: NIS2 is not just “Security” – it’s Identity First Security
With NIS2, Identity & Access Management moves to the center of IT security.
Keycloak is perfect for this — but only if it is operated correctly.
An unsecured or unattended Keycloak is a direct NIS2 violation.
A professionally configured Keycloak, on the other hand, is a strong security asset.
Want to make sure that your Keycloak is NIS2-ready?
We support you with:
🔒 Keycloak Security Check
→ incl. config review, flow analysis, logs & infrastructure
🚀 Keycloak as a Service (with SLA & automatic security updates)
→ no update worries, no outages, maximum compliance
✨ easyCloak
→ secure, delegated administration for customers, partners and organizations
→ ideal for NIS2 compliant roles and user management
We make your Keycloak secure, compliant, and future-proof.