NIS2 Article 21.2 i:

The key card: personnel, access and assets without constant suspicion.

I often use a simple image when discussing article 21.2 i. Think of a key card. It's not there because we distrust everyone. It's there because the organisation must function, even when someone makes a mistake, leaves abruptly, or an unauthorised person attempts to enter.

NIS2 point i concerns three interconnected areas: personnel security, access control and asset management. It's easy to turn this into a checklist of tools and procedures. But the point is actually simpler: the right person should have the right access to the right things, and only for as long as necessary.

Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

What point i actually says

Article 21.2 lists ten areas (a to j). Point i deals with personnel security, policies for access control and asset management. It's important to read point i alongside article 21.1 on proportionality: measures must be appropriate and proportionate and reduce the impact of incidents. The directive does not specify exactly how background checks should be conducted or which system to purchase. It states that you must have policies and procedures that work and can be demonstrated (European Union, 2022).

Swedish implementation: from EU text to supervision

In Sweden, NIS2 is implemented through the Cybersecurity Act (2025:1506) and the Cybersecurity Ordinance (2025:1507), which came into force on 15 January 2026. This makes personnel security and access issues part of the actual requirements for the organisations covered (Swedish Parliament, 2025a; Swedish Parliament, 2025b; Government, 2026).

Personnel security: factual without paranoia

I want to be careful here. Personnel security does not mean treating everyone as a suspect. It means that roles with high trust also require considered controls. It's about reducing the risk of insider incidents, both intentional and unintentional.

This may involve background checks for certain roles, but these must be done legally, proportionately and with respect for privacy. Sweden also has other regulations that may be relevant depending on the sector, such as security protection legislation for security-sensitive activities. NIS2 does not give a free pass to collect 'everything'. It requires that you can demonstrate mature management of personal risk.

Access control: least privilege is not just a slogan

Access control means only authorised individuals can access what they need. The principle of least privilege is simple: grant the minimum access necessary for the job. But it easily becomes just a slogan if there are no routines for onboarding, role changes and offboarding.

This is where I often see risk becoming unnecessarily costly. People receive 'temporary' permissions that become permanent. Old accounts remain active. Administrative rights spread like confetti. And when something happens, no one really knows who had the key card.

Asset management: you can't protect what you don't know

Asset management sounds bureaucratic, but it's essentially about oversight: what systems, devices, software and data do we have, where are they, and which of them are critical?

If you lack an inventory, everything else becomes difficult: patching, logging, segmentation, backups and incident response. That's why asset management is linked to the rest of article 21.2. It's the map before you start navigating.

The common pitfall: turning point i into a purchase

It's tempting to treat point i as a product issue: buy an Identity and Access Management system and 'tick the box'. But NIS2 doesn't require a specific tool. It requires effective routines and the ability to demonstrate their impact.

An expensive system without discipline is a costly illusion. A simpler system with clear routines can provide better control. This is proportionality in practice.

Three things that make the key card real

I stick to three things that are easy to understand and usually have great effect.

· Roles before permissions.

· Offboarding is a process.

· Inventory and classification.

Roles before permissions means defining what a role requires and linking access to the role, not the person. This reduces special cases.

Offboarding is a process means you have a checklist that is actually followed when someone changes role, leaves, or takes on new responsibilities. That's where the biggest gaps often are.

Inventory and classification means having an up-to-date overview of assets and what is critical. Then you can prioritise protection where the consequences are greatest.
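As an added illustration of the three points above and of the access-control pitfalls described earlier (this is example code, not the author's or OneMore Secure's), the Python model below uses constructed sample roles and assets: permissions hang off roles rather than people, every temporary grant carries an expiry, offboarding is one routine that strips everything, and a classified inventory answers "who holds the key card" for the critical assets.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data: access hangs off roles, not off people.
ROLE_PERMISSIONS = {"helpdesk": {"ticket-system"}, "sysadmin": {"ticket-system", "ad-console", "backup-server"}}
# Constructed asset inventory with classification (which assets are critical).
ASSET_CRITICALITY = {"ticket-system": "normal", "ad-console": "critical", "backup-server": "critical"}
NOW = datetime(2026, 3, 1)  # fixed clock so the run is reproducible

@dataclass
class Person:
    name: str
    roles: set = field(default_factory=set)
    temporary: dict = field(default_factory=dict)  # permission -> expiry
    active: bool = True

def effective_access(person, now=NOW):
    """Role permissions plus unexpired temporary grants; nothing once offboarded."""
    if not person.active:
        return set()
    perms = set().union(*(ROLE_PERMISSIONS[r] for r in person.roles))
    return perms | {p for p, expiry in person.temporary.items() if expiry > now}

def grant_temporary(person, perm, days, now=NOW):
    """Every 'temporary' grant carries an expiry, so it cannot quietly become permanent."""
    person.temporary[perm] = now + timedelta(days=days)

def change_role(person, new_role):
    """A role change replaces the old role instead of accumulating permissions."""
    person.roles = {new_role}

def offboard(person):
    """Offboarding as a process: deactivate and strip every role and grant."""
    person.active = False
    person.roles.clear()
    person.temporary.clear()

def critical_holders(people, now=NOW):
    """Answer 'who has the key card' for the assets classified as critical."""
    def crit(p):
        return sorted(a for a in effective_access(p, now) if ASSET_CRITICALITY[a] == "critical")
    return {p.name: crit(p) for p in people if crit(p)}

def demo():
    """Onboarding, a temporary grant, a role change and offboarding, in that order."""
    anna, bo = Person("anna", {"helpdesk"}), Person("bo", {"sysadmin"})
    grant_temporary(anna, "backup-server", days=7)   # project work, expires on its own
    before = critical_holders([anna, bo])            # both hold critical access today
    change_role(bo, "helpdesk"); offboard(anna)      # bo changes role, anna leaves
    return before, critical_holders([anna, bo], NOW + timedelta(days=30))  # 30 days on
```

Run `demo()` to see the "before" report list both people against critical assets and the "30 days on" report come back empty, because the grant expired, the role change did not carry old rights along, and offboarding removed the account.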

Final thoughts

Article 21.2 i is not meant to make organisations cold and suspicious. It is intended to make them resilient. When the key card works, you don't have to rely on luck. You can rely on the process.

And when someone asks if you have control, the answer won't be a policy in a folder. The answer will be everyday reality: the right person, the right access, the right assets, at the right time.

References

European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.

Government. (2026). New law strengthens cybersecurity (effective 15 January 2026). https://www.government.se/

Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.

Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.

ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.
