- Compliance
- NIS2
- DORA
- PCI DSS
- NIST 800-63
- eIDAS
- OWASP NHI
- Trends 2026
2026 Identity Regulation Map: NIS2, DORA, PCI DSS, NIST 800-63
Seven 2024-2026 identity regulations — NIS2, DORA, PCI DSS v4.0.1, NIST 800-63-4, EUDI Wallet, EU AI Act, OWASP NHI Top 10 — and when each applies.
Short answer: eight identity-touching regulations changed between 2024 and 2026. The ones most teams must act on: NIS2 (EU, since 18.10.2024) and DORA (EU finance, since 17.01.2025) in Europe; PCI DSS v4.0.1 (MFA on all cardholder-data access, since 31.03.2025) for card handlers; and NIST SP 800-63-4 (finalized 31.07.2025) as the de-facto reference everywhere else. eIDAS 2.0 / EUDI Wallet lands by December 2026.
If you’re a CISO in 2026, your annual compliance slide deck has more rows than your org chart. Eight identity-touching regulations changed in the 24 months between January 2024 and May 2026 — and most of them changed in ways that put your IGA architecture on the line, not just your audit checklist.
This is the practitioner map of who has to follow what. It is not legal advice. It is what we tell CISOs who ask “which of these do I actually need to act on this quarter.”
The summary up top, then a per-region drill-down, then a what-actually-changes-in-your-IGA section.
TL;DR — seven regulations that hit identity in 2024–2026
| # | Regulation | Effective | Applies to | Identity bite |
|---|---|---|---|---|
| 1 | NIS2 Directive (EU 2022/2555) | 18.10.2024 | EU essential + important entities (18 sectors) | Mandatory MFA, least privilege, SoD, centralised secrets |
| 2 | DORA (EU 2022/2554) | 17.01.2025 | EU financial sector + their ICT third parties | Role-based access; tracking external identities; from 18.11.2025 — 19 critical ICT providers (AWS, Microsoft, Google Cloud) under direct EU supervision |
| 3 | PCI DSS v4.0.1 | 31.03.2025 fully enforced | Anyone handling cardholder data | MFA on ALL CDE access (not just remote/admin); FIDO2/passkeys preferred for non-admin |
| 4 | NIST SP 800-63-4 finalized | 31.07.2025 | US federal + de-facto private sector reference | DIRM (Digital Identity Risk Management) — dynamic IAL/AAL/FAL; mDL/EUDI Wallet accepted at passport-equivalent level; phishing-resistant MFA |
| 5 | eIDAS 2.0 + EUDI Wallet | by 12.2026 | All 27 EU member states + VLOP/gatekeepers (acceptance by 12.2027) | Every EU citizen gets a digital identity wallet; major platforms must accept it |
| 6 | EU AI Act | high-risk from 02.08.2026 (transitional 02.08.2027) | Providers/deployers of high-risk AI in EU | Crosses with eIDAS 2.0 when AI agents must identify themselves |
| 7 | OWASP NHI Top 10 | June 2025 official release | Anyone with service accounts, API keys, AI agents (so: everyone) | First public standard for non-human identity risk — checklist for IGA programmes |
If you only read one row: NIS2 + DORA in EU, PCI DSS v4.0.1 in US/global retail, NIST SP 800-63-4 as the de-facto reference everywhere else. Everything else is sector-specific.
EU enterprise: NIS2 is the baseline, DORA is the financial layer on top
NIS2 entered into force in October 2024. National transpositions were uneven — Germany, France, Italy hit the deadline; some member states are still catching up in 2026. The point is the substantive obligations are now live for 18 essential and important sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water, digital infrastructure, ICT-service-management B2B, public administration, space, postal/courier, waste, chemicals, food, manufacturing, digital providers, research, and managed-service providers.
For identity, NIS2 demands four things explicitly:
- Multi-factor authentication for all administrative access and remote access
- Least privilege — documented role assignments, periodic recertification
- Segregation of duties — your finance admin shouldn’t be your DBA
- Centralised secrets management — passwords and tokens out of config files, into Vault-class systems
Penalties are real: up to €10M or 2% of annual turnover for essential entities, €7M or 1.4% for important. Boards started taking this seriously in late 2024 because management is personally liable for compliance failure.
If you’re in financial services, DORA stacks on top. In application since January 17, 2025. Articles 9 and 10 demand role-based access tied to a clear access matrix and protection from unauthorized access; Article 28 demands that you track external identities — meaning every contractor, every SaaS integration, every cloud-IAM role assigned to a third party. As of November 18, 2025, 19 critical ICT providers (AWS, Microsoft, Google Cloud, and 16 others) are under direct EU supervision via the European Supervisory Authorities. If your business runs on any of them, you inherit a compliance layer you didn’t sign up for.
The combined effect on EU CISOs: the days of “we’ll do MFA later” are over. If you don’t have MFA on all admin access by your next audit, you’re not just out of compliance — you’re personally exposed.
US enterprise: PCI DSS got teeth, NIST became the assumed baseline
The biggest change for US enterprises was PCI DSS v4.0.1, fully enforced March 31, 2025. The headline shift is in Requirement 8.4.2: MFA is no longer just for administrative or remote access. It’s for all access into the cardholder data environment (CDE). Every workstation, every system, every account that touches CDE.
For most retailers and payment processors this meant a 12-month scramble. The teams that finished early built around phishing-resistant MFA — FIDO2 hardware keys, passkeys, hardware-bound credentials — because PCI v4 explicitly treats those as preferred over OTP and SMS.
In parallel, NIST SP 800-63-4 was finalized on July 31, 2025. This is the first full revision since 2017. The shift is from a checklist mindset (pick IAL/AAL/FAL, implement) to DIRM — Digital Identity Risk Management. You are expected to dynamically choose assurance levels based on risk, the threat model, the environment. mobile driver’s licenses (mDL) and EUDI Wallets are now accepted at PIV-equivalent levels for in-person identity proofing. Remote identity proofing is allowed for IAL2 (it wasn’t in 2017). And the document is explicit about defending against deepfake-based identity attacks and injection attacks during onboarding flows.
NIST 800-63-4 is technically a federal guideline. In practice it’s the reference document used by every US enterprise lawyer, insurance underwriter, and Big 4 audit team. If your identity programme doesn’t reference it, you’ll be writing reference letters for a long time.
For healthcare specifically, HIPAA Security Rule is being rewritten by HHS — the NPRM published in late 2024 will likely make MFA mandatory for all PHI access by 2026 or 2027. The smart healthcare CISOs are getting ahead of it.
For US public companies, SOX ITGCs continue to be the day-to-day driver: segregation of duties, access reviews, privileged access controls. None of this is new in 2026 — but auditors are now looking at NHI as part of the same review, which is new.
Global / cross-jurisdictional: the OWASP NHI Top 10 is the document everyone should read
OWASP released the Non-Human Identities Top 10 (2025) in June 2025. This isn’t a regulation — but it’s the first public standard for the risk class that every modern enterprise has and almost no enterprise governs well.
The ten risks, in OWASP’s order:
- NHI1 — Improper Offboarding (NHIs left active after their use ends)
- NHI2 — Secret Leakage
- NHI3 — Vulnerable Third-Party NHI (supply chain)
- NHI4 — Insecure Authentication (weak protocols)
- NHI5 — Overprivileged NHI
- NHI6 — Insecure Cloud Deployment Configurations (CI/CD)
- NHI7 — Long-Lived Secrets
- NHI8 — Environment Isolation (same NHI in test/prod)
- NHI9 — NHI Reuse (one NHI across multiple workloads)
- NHI10 — Human Use of NHI
We covered the operational implications in our Non-Human Identity 2026 post. For this regulatory map, the relevant point is that OWASP NHI Top 10 is now the reference document for any NHI-related audit conversation, regardless of jurisdiction. Auditors love checklists. This is now the checklist.
eIDAS 2.0 and EU AI Act: the 2026 wildcards
Two regulations are about to land that most CISOs are not yet planning for.
eIDAS 2.0 (Regulation EU 2024/1183) requires all 27 EU member states to issue EUDI Wallets to citizens by December 2026. By December 2027, large online platforms (VLOPs) and gatekeepers must accept these wallets for authentication. For B2C-facing services with EU customers, this means re-engineering your CIAM stack to accept wallet-based identity assertions — and likely re-engineering your KYC flow if you’re in financial services.
EU AI Act (Regulation EU 2024/1689) entered force August 2024; its core high-risk obligations apply August 2, 2026 (prohibitions from February 2025, GPAI rules from August 2025), with some transitional obligations running to August 2027. The Act doesn’t directly regulate identity, but it does require human oversight, accuracy, robustness, and cybersecurity for high-risk AI systems. The intersection with identity is sharper than it looks: when AI agents act on behalf of users, who’s accountable? eIDAS 2.0 is starting to answer that with cryptographically attested wallet credentials. Expect the gap to be filled by a sub-regulation in 2027.
If your roadmap doesn’t have eIDAS 2.0 by Q3 2026, you’ll be playing catch-up.
What this actually means for your IGA architecture
We get asked the same question every quarter: “Of all this, what do I actually have to do?”
The honest answer is that the compliance story has converged on six engineering capabilities. Your IGA architecture either has them or it doesn’t:
-
MFA on every administrative path, ideally phishing-resistant. PCI v4.0.1 + NIS2 + 800-63-4 all converge here. FIDO2/passkeys are the right answer; SMS OTP isn’t.
-
Centralised access reviews tied to roles + recertification at least quarterly. SOX, NIS2, DORA all want this. Your IGA platform should run the campaigns; manual spreadsheet reviews don’t survive an audit anymore.
-
Centralised secrets management for non-human identities. Vault-class systems (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager). NHI2 / NHI7 from OWASP, plus NIS2’s “centralised secrets” requirement.
-
Session-level audit logs with geolocation for sensitive identity actions. DORA’s third-party tracking implies it; NIST 800-63-4 mentions it for fraud defence; PCI v4.0.1 logging requirements assume it. Your SIEM should ingest identity events with the same priority as endpoint events.
-
External identity tracking — every contractor, every API integration, every cloud-IAM role. DORA Article 28, NIS2 supply-chain provisions, OWASP NHI3. If you can’t list every external identity in your enterprise within 30 minutes, you have a gap.
-
Acceptance path for digital identity wallets. eIDAS 2.0 by December 2026 in EU, mDL/PIV in US per 800-63-4. CIAM and B2B federation roadmaps should already include this.
If your IGA platform — SailPoint Identity Security Cloud, SailPoint IdentityIQ, Saviynt, OneIdentity, Evolveum midPoint, or anything else — is missing any of these six, that’s where to spend the 2026 budget. Not on the next AI-powered analytics dashboard.
Per-organization-type compliance summary
For the scan-and-go reader:
| Organization type | Mandatory | Strong best practice |
|---|---|---|
| EU bank / financial institution | GDPR, NIS2, DORA, eIDAS 2.0 (by 12.2026) | ISO 27001:2022, NIST SP 800-63-4, SWIFT CSCF v2025 |
| EU enterprise (essential/important entity) | GDPR, NIS2, EU AI Act (where applicable), eIDAS 2.0 | ISO 27001:2022, ISO 24760-1/2/3:2025, NIST CSF 2.0 |
| US enterprise | SOX (if public), HIPAA (if healthcare), PCI DSS v4.0.1 (if cards), CMMC/NIST 800-171 (if DoD) | NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63-4, NIST SP 800-207 (Zero Trust), ISO 27001:2022 |
| Cloud / SaaS multi-tenant | GDPR (if EU customers), ISO 27017/27018 | NIST SP 800-207 + 207A (Zero Trust), CSA CCM v4 IAM domain, OWASP NHI Top 10 |
| Multinational (multi-region presence) | All applicable regional regimes where you operate | A unified IGA architecture with regional control plane separation; jurisdiction-aware data residency |
What Identigy does about this
We have been running production IGA across this regulatory landscape since 2007 — banking, telecom, energy, marine insurance, pharmaceuticals, public sector. Three patterns we use repeatedly:
-
Compliance map first, IGA roadmap second. Before recommending a SailPoint vs midPoint vs Saviynt direction, we map your applicable regulations to your IGA capability matrix. The output is a one-page heat map: where you’re compliant, where you’re at risk, where you’re over-engineering. For most enterprises this exposes a 30–40% gap between what they think they have and what their auditor will find. Where the gap is in technical controls rather than process, a security audit and penetration test puts numbers on the exposure before any budget conversation starts.
-
Six-capability discovery. We run a discovery sprint focused on the six capabilities above (MFA, recertification, NHI secrets, session logging, external identity, wallet acceptance). One week, named architect, fixed price. The output drives the budget conversation, not the other way around.
-
Migration to a regulation-friendly platform stack. Most compliance gaps are platform gaps — Oracle OIM doesn’t have native NHI governance, Microsoft Identity Manager (MIM) isn’t being updated, legacy on-prem stacks struggle with FIDO2. Modernisation to SailPoint Identity Security Cloud or Evolveum midPoint isn’t just platform debt repayment — it’s compliance preparation.
If your 2026 audit calendar has any of these regulations on it, talk to an architect. One call, no slide deck — we’ll tell you what’s actually compliant and what’s at risk.
Related reading
- IDM evolution 2000–2026 — six eras of IGA, Gartner Market Guide IGA 2025, KuppingerCole Identity Fabrics 2025 leaders
- Non-Human Identity 2026 — the practitioner’s view on NHI controls, OWASP NHI Top 10
- Identity Fabric 2026 — what identity fabric, IVIP, and ISPM actually mean once you strip the analyst varnish
Comments, disagreements, audit war stories — info@identigy.com.
Sources (all primary documents linked):
- NIS2 Technical Implementation Guidance — ENISA
- DORA — EIOPA
- eIDAS 2.0 / EUDI Wallet — EU Commission
- EU AI Act — European Commission
- PCI DSS v4.0.1 — PCI Council blog
- NIST SP 800-63-4 final — CSRC
- NIST SP 800-53 Rev 5 — CSRC
- NIST SP 800-207 + 207A Zero Trust — CSRC
- NIST CSF 2.0 release announcement
- ISO 27001:2022 A.5.15 / A.5.16 — ISMS.online
- ISO/IEC 24760-1:2025 — ISO catalog
- SWIFT CSCF v2025 reference — Silverfort PDF
- OWASP NHI Top 10 (2025)
- CSA Cloud Controls Matrix v4
- MITRE ATT&CK T1078 Valid Accounts