Skip to main content
Blog
  • Compliance
  • NIS2
  • DORA
  • PCI DSS
  • NIST 800-63
  • eIDAS
  • OWASP NHI
  • Trends 2026

2026 Identity Regulation Map: NIS2, DORA, PCI DSS, NIST 800-63

Seven 2024-2026 identity regulations — NIS2, DORA, PCI DSS v4.0.1, NIST 800-63-4, EUDI Wallet, EU AI Act, OWASP NHI Top 10 — and when each applies.

Andrey Promyslov (IdM expert) — Identigy updated

Short answer: eight identity-touching regulations changed between 2024 and 2026. The ones most teams must act on: NIS2 (EU, since 18.10.2024) and DORA (EU finance, since 17.01.2025) in Europe; PCI DSS v4.0.1 ( on all cardholder-data access, since 31.03.2025) for card handlers; and NIST SP 800-63-4 (finalized 31.07.2025) as the de-facto reference everywhere else. eIDAS 2.0 / EUDI Wallet lands by December 2026.

If you’re a CISO in 2026, your annual compliance slide deck has more rows than your org chart. Eight identity-touching regulations changed in the 24 months between January 2024 and May 2026 — and most of them changed in ways that put your architecture on the line, not just your audit checklist.

This is the practitioner map of who has to follow what. It is not legal advice. It is what we tell CISOs who ask “which of these do I actually need to act on this quarter.”

The summary up top, then a per-region drill-down, then a what-actually-changes-in-your-IGA section.

TL;DR — seven regulations that hit identity in 2024–2026

#RegulationEffectiveApplies toIdentity bite
1NIS2 Directive (EU 2022/2555)18.10.2024EU essential + important entities (18 sectors)Mandatory MFA, least privilege, , centralised secrets
2DORA (EU 2022/2554)17.01.2025EU financial sector + their ICT third partiesRole-based access; tracking external identities; from 18.11.2025 — 19 critical ICT providers (AWS, Microsoft, Google Cloud) under direct EU supervision
3PCI DSS v4.0.131.03.2025 fully enforcedAnyone handling cardholder dataMFA on ALL CDE access (not just remote/admin); FIDO2/passkeys preferred for non-admin
4NIST SP 800-63-4 finalized31.07.2025US federal + de-facto private sector referenceDIRM (Digital Identity Risk Management) — dynamic IAL/AAL/FAL; mDL/EUDI Wallet accepted at passport-equivalent level; phishing-resistant MFA
5eIDAS 2.0 + EUDI Walletby 12.2026All 27 EU member states + VLOP/gatekeepers (acceptance by 12.2027)Every EU citizen gets a digital identity wallet; major platforms must accept it
6EU AI Acthigh-risk from 02.08.2026 (transitional 02.08.2027)Providers/deployers of high-risk AI in EUCrosses with eIDAS 2.0 when AI agents must identify themselves
7OWASP Top 10June 2025 official releaseAnyone with service accounts, API keys, AI agents (so: everyone)First public standard for non-human identity risk — checklist for IGA programmes

If you only read one row: NIS2 + DORA in EU, PCI DSS v4.0.1 in US/global retail, NIST SP 800-63-4 as the de-facto reference everywhere else. Everything else is sector-specific.

EU enterprise: NIS2 is the baseline, DORA is the financial layer on top

NIS2 entered into force in October 2024. National transpositions were uneven — Germany, France, Italy hit the deadline; some member states are still catching up in 2026. The point is the substantive obligations are now live for 18 essential and important sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water, digital infrastructure, ICT-service-management B2B, public administration, space, postal/courier, waste, chemicals, food, manufacturing, digital providers, research, and managed-service providers.

For identity, NIS2 demands four things explicitly:

  1. Multi-factor authentication for all administrative access and remote access
  2. Least privilege — documented role assignments, periodic recertification
  3. Segregation of duties — your finance admin shouldn’t be your DBA
  4. Centralised secrets management — passwords and tokens out of config files, into Vault-class systems

Penalties are real: up to €10M or 2% of annual turnover for essential entities, €7M or 1.4% for important. Boards started taking this seriously in late 2024 because management is personally liable for compliance failure.

If you’re in financial services, DORA stacks on top. In application since January 17, 2025. Articles 9 and 10 demand role-based access tied to a clear access matrix and protection from unauthorized access; Article 28 demands that you track external identities — meaning every contractor, every SaaS integration, every cloud- role assigned to a third party. As of November 18, 2025, 19 critical ICT providers (AWS, Microsoft, Google Cloud, and 16 others) are under direct EU supervision via the European Supervisory Authorities. If your business runs on any of them, you inherit a compliance layer you didn’t sign up for.

The combined effect on EU CISOs: the days of “we’ll do MFA later” are over. If you don’t have MFA on all admin access by your next audit, you’re not just out of compliance — you’re personally exposed.

US enterprise: PCI DSS got teeth, NIST became the assumed baseline

The biggest change for US enterprises was PCI DSS v4.0.1, fully enforced March 31, 2025. The headline shift is in Requirement 8.4.2: MFA is no longer just for administrative or remote access. It’s for all access into the cardholder data environment (CDE). Every workstation, every system, every account that touches CDE.

For most retailers and payment processors this meant a 12-month scramble. The teams that finished early built around phishing-resistant MFA — FIDO2 hardware keys, passkeys, hardware-bound credentials — because PCI v4 explicitly treats those as preferred over OTP and SMS.

In parallel, NIST SP 800-63-4 was finalized on July 31, 2025. This is the first full revision since 2017. The shift is from a checklist mindset (pick IAL/AAL/FAL, implement) to DIRM — Digital Identity Risk Management. You are expected to dynamically choose assurance levels based on risk, the threat model, the environment. mobile driver’s licenses (mDL) and EUDI Wallets are now accepted at PIV-equivalent levels for in-person identity proofing. Remote identity proofing is allowed for IAL2 (it wasn’t in 2017). And the document is explicit about defending against deepfake-based identity attacks and injection attacks during onboarding flows.

NIST 800-63-4 is technically a federal guideline. In practice it’s the reference document used by every US enterprise lawyer, insurance underwriter, and Big 4 audit team. If your identity programme doesn’t reference it, you’ll be writing reference letters for a long time.

For healthcare specifically, HIPAA Security Rule is being rewritten by HHS — the NPRM published in late 2024 will likely make MFA mandatory for all PHI access by 2026 or 2027. The smart healthcare CISOs are getting ahead of it.

For US public companies, SOX ITGCs continue to be the day-to-day driver: segregation of duties, access reviews, privileged access controls. None of this is new in 2026 — but auditors are now looking at NHI as part of the same review, which is new.

Global / cross-jurisdictional: the OWASP NHI Top 10 is the document everyone should read

OWASP released the Non-Human Identities Top 10 (2025) in June 2025. This isn’t a regulation — but it’s the first public standard for the risk class that every modern enterprise has and almost no enterprise governs well.

The ten risks, in OWASP’s order:

  1. NHI1 — Improper Offboarding (NHIs left active after their use ends)
  2. NHI2 — Secret Leakage
  3. NHI3 — Vulnerable Third-Party NHI (supply chain)
  4. NHI4 — Insecure Authentication (weak protocols)
  5. NHI5 — Overprivileged NHI
  6. NHI6 — Insecure Cloud Deployment Configurations (CI/CD)
  7. NHI7 — Long-Lived Secrets
  8. NHI8 — Environment Isolation (same NHI in test/prod)
  9. NHI9 — NHI Reuse (one NHI across multiple workloads)
  10. NHI10 — Human Use of NHI

We covered the operational implications in our Non-Human Identity 2026 post. For this regulatory map, the relevant point is that OWASP NHI Top 10 is now the reference document for any NHI-related audit conversation, regardless of jurisdiction. Auditors love checklists. This is now the checklist.

eIDAS 2.0 and EU AI Act: the 2026 wildcards

Two regulations are about to land that most CISOs are not yet planning for.

eIDAS 2.0 (Regulation EU 2024/1183) requires all 27 EU member states to issue EUDI Wallets to citizens by December 2026. By December 2027, large online platforms (VLOPs) and gatekeepers must accept these wallets for authentication. For B2C-facing services with EU customers, this means re-engineering your stack to accept wallet-based identity assertions — and likely re-engineering your KYC flow if you’re in financial services.

EU AI Act (Regulation EU 2024/1689) entered force August 2024; its core high-risk obligations apply August 2, 2026 (prohibitions from February 2025, GPAI rules from August 2025), with some transitional obligations running to August 2027. The Act doesn’t directly regulate identity, but it does require human oversight, accuracy, robustness, and cybersecurity for high-risk AI systems. The intersection with identity is sharper than it looks: when AI agents act on behalf of users, who’s accountable? eIDAS 2.0 is starting to answer that with cryptographically attested wallet credentials. Expect the gap to be filled by a sub-regulation in 2027.

If your roadmap doesn’t have eIDAS 2.0 by Q3 2026, you’ll be playing catch-up.

What this actually means for your IGA architecture

We get asked the same question every quarter: “Of all this, what do I actually have to do?”

The honest answer is that the compliance story has converged on six engineering capabilities. Your IGA architecture either has them or it doesn’t:

  1. MFA on every administrative path, ideally phishing-resistant. PCI v4.0.1 + NIS2 + 800-63-4 all converge here. FIDO2/passkeys are the right answer; SMS OTP isn’t.

  2. Centralised access reviews tied to roles + recertification at least quarterly. SOX, NIS2, DORA all want this. Your IGA platform should run the campaigns; manual spreadsheet reviews don’t survive an audit anymore.

  3. Centralised secrets management for non-human identities. Vault-class systems (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager). NHI2 / NHI7 from OWASP, plus NIS2’s “centralised secrets” requirement.

  4. Session-level audit logs with geolocation for sensitive identity actions. DORA’s third-party tracking implies it; NIST 800-63-4 mentions it for fraud defence; PCI v4.0.1 logging requirements assume it. Your SIEM should ingest identity events with the same priority as endpoint events.

  5. External identity tracking — every contractor, every API integration, every cloud-IAM role. DORA Article 28, NIS2 supply-chain provisions, OWASP NHI3. If you can’t list every external identity in your enterprise within 30 minutes, you have a gap.

  6. Acceptance path for digital identity wallets. eIDAS 2.0 by December 2026 in EU, mDL/PIV in US per 800-63-4. CIAM and B2B federation roadmaps should already include this.

If your IGA platform — SailPoint Identity Security Cloud, SailPoint IdentityIQ, Saviynt, OneIdentity, Evolveum midPoint, or anything else — is missing any of these six, that’s where to spend the 2026 budget. Not on the next AI-powered analytics dashboard.

Per-organization-type compliance summary

For the scan-and-go reader:

Organization typeMandatoryStrong best practice
EU bank / financial institution, NIS2, DORA, eIDAS 2.0 (by 12.2026)ISO 27001:2022, NIST SP 800-63-4, SWIFT CSCF v2025
EU enterprise (essential/important entity)GDPR, NIS2, EU AI Act (where applicable), eIDAS 2.0ISO 27001:2022, ISO 24760-1/2/3:2025, NIST CSF 2.0
US enterpriseSOX (if public), HIPAA (if healthcare), PCI DSS v4.0.1 (if cards), CMMC/NIST 800-171 (if DoD)NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63-4, NIST SP 800-207 (Zero Trust), ISO 27001:2022
Cloud / SaaS multi-tenantGDPR (if EU customers), ISO 27017/27018NIST SP 800-207 + 207A (Zero Trust), CSA CCM v4 IAM domain, OWASP NHI Top 10
Multinational (multi-region presence)All applicable regional regimes where you operateA unified IGA architecture with regional control plane separation; jurisdiction-aware data residency

What Identigy does about this

We have been running production IGA across this regulatory landscape since 2007 — banking, telecom, energy, marine insurance, pharmaceuticals, public sector. Three patterns we use repeatedly:

  1. Compliance map first, IGA roadmap second. Before recommending a SailPoint vs midPoint vs Saviynt direction, we map your applicable regulations to your IGA capability matrix. The output is a one-page heat map: where you’re compliant, where you’re at risk, where you’re over-engineering. For most enterprises this exposes a 30–40% gap between what they think they have and what their auditor will find. Where the gap is in technical controls rather than process, a security audit and penetration test puts numbers on the exposure before any budget conversation starts.

  2. Six-capability discovery. We run a discovery sprint focused on the six capabilities above (MFA, recertification, NHI secrets, session logging, external identity, wallet acceptance). One week, named architect, fixed price. The output drives the budget conversation, not the other way around.

  3. Migration to a regulation-friendly platform stack. Most compliance gaps are platform gaps — Oracle OIM doesn’t have native NHI governance, Microsoft Identity Manager (MIM) isn’t being updated, legacy on-prem stacks struggle with FIDO2. Modernisation to SailPoint Identity Security Cloud or Evolveum midPoint isn’t just platform debt repayment — it’s compliance preparation.

If your 2026 audit calendar has any of these regulations on it, talk to an architect. One call, no slide deck — we’ll tell you what’s actually compliant and what’s at risk.

Comments, disagreements, audit war stories — info@identigy.com.


Sources (all primary documents linked):

FAQ

Frequently asked questions

Which 2026 identity regulations apply to my organization?

It depends on region and sector. EU essential and important entities follow NIS2; EU financial firms add DORA; anyone handling card data follows PCI DSS v4.0.1; US and most others reference NIST SP 800-63-4. eIDAS 2.0 (EUDI Wallet) and the EU AI Act land through 2026–2027.

NIS2 vs DORA — what is the difference?

NIS2 is the EU baseline for 18 essential and important sectors — MFA, least privilege, segregation of duties, centralised secrets. DORA stacks on top for the financial sector, adding role-based access tied to an access matrix and tracking of every external identity (Article 28). EU banks meet both.

What does PCI DSS v4.0.1 change for MFA?

Requirement 8.4.2 extends MFA from administrative and remote access to all access into the cardholder data environment — every account, every system. Phishing-resistant methods (FIDO2, passkeys) are preferred over OTP and SMS. Fully enforced since 31 March 2025.

When is the EUDI Wallet (eIDAS 2.0) mandatory?

All 27 EU member states must issue EUDI Wallets to citizens by December 2026; large online platforms and gatekeepers must accept them by December 2027. B2C services with EU customers will need their CIAM stack to accept wallet-based identity assertions.

Does the EU AI Act affect identity?

Not directly, but its high-risk obligations (from 2 August 2026) require human oversight and security for high-risk AI systems. The identity intersection is accountability when AI agents act on behalf of a user — eIDAS 2.0 starts to answer it with attested wallet credentials.