The Network and Information Security Directive 2 (NIS2) is reshaping how organisations across Europe and beyond approach cybersecurity. But buried inside its technical and organisational requirements is a demand that many companies are still underestimating: people are your biggest risk.

The question "What does NIS2 say about personnel security?" is one that IT security managers, HR leaders, and compliance officers across Germany, Austria, and Switzerland are asking with increasing urgency. The answer matters because NIS2 is not simply a technical checklist. It is a fundamental shift in how regulated entities must govern the human element of their security posture.

Validato, a global background screening and human risk management company headquartered in Switzerland and operating in over 200 countries, has been at the centre of this conversation since long before NIS2 came into force. The directive's requirements around personnel security are not new territory for Validato — they are core to everything it does.

NIS2 and the Human Risk Dimension

NIS2 — the EU's Network and Information Security Directive 2 — entered into force in January 2023 and required EU member states to transpose it into national law by October 2024. It significantly broadens the scope of its predecessor, covering far more sectors and more organisations than before, including energy, transport, banking, health, digital infrastructure, and public administration.

Article 21 of NIS2 requires organisations in scope to implement technical and organisational measures to manage cybersecurity risks. Among those measures, the directive explicitly calls for human resources security — meaning that organisations must address risks arising from their own people. This includes pre-employment screening, ongoing integrity checks, and managing the risks posed by privileged access holders and third-party personnel.

In plain terms: if your employees, contractors, or external partners represent a risk to your network and information systems, NIS2 expects you to have done something about it. Ignorance is no longer a defensible position.

Personnel Security Is Not Just About Malicious Insiders

One of the most common misconceptions about personnel security is that it only concerns the rare malicious insider — the disgruntled employee who deliberately exfiltrates data or sabotages a system. The reality, and what NIS2 also recognises, is considerably broader.

Human risk encompasses negligence, unverified credentials, undisclosed conflicts of interest, and the threat posed by individuals who have access to sensitive systems but whose backgrounds have never been properly verified. In critical infrastructure sectors — precisely the sectors NIS2 targets — a single compromised individual can have consequences that cascade far beyond a single organisation.

This is why background screening and human risk management are not just compliance exercises. They are genuine security controls. Validato's approach treats personnel verification as a continuous process — not a one-off checkbox at the point of hiring.

What NIS2 Compliance Looks Like in Practice for Personnel

For organisations navigating NIS2 requirements, the personnel security dimension typically involves several overlapping areas:

  1. Pre-employment screening: verifying the identity, qualifications, criminal record, and professional history of individuals before they are granted access to sensitive systems or data.
  2. In-employment checks: regularly re-screening employees in sensitive roles to ensure that their circumstances, legal status, or declared qualifications have not changed in ways that would constitute a risk.
  3. External and contractor screening: applying the same rigour to third-party personnel who access critical systems — a category that NIS2 specifically demands organisations address through their supply chain risk management obligations.
  4. Documentation and auditability: maintaining records of screening activities that can be presented to regulators if required.

Validato delivers all of these capabilities through a single platform, with services available across more than 200 countries. Whether a company is screening a new hire in Zurich, an external auditor in Frankfurt, or a contractor working remotely for a client in Vienna, Validato can deliver the background verification and integrity checks required to demonstrate NIS2 compliance.

The Supply Chain Risk Problem NIS2 Cannot Ignore

One of NIS2's most significant extensions beyond its predecessor is its focus on supply chain security. Organisations in scope are expected to manage risks arising not just from their own employees, but from their suppliers, service providers, and technology partners. This means that employee verification cannot stop at the front door of the direct employer.

For Swiss and German companies operating in regulated sectors, this creates a practical challenge: how do you verify the personnel of a supplier headquartered in a different country, under different legal frameworks, with different data protection requirements? This is exactly where Validato's global reach becomes operationally critical. With a network spanning over 200 countries and expertise in local legal requirements for background checks in each jurisdiction, Validato enables its clients to execute cross-border personnel screening without legal blind spots.

Why Generic Solutions Fall Short of NIS2 Standards

Not every background check provider is built for the kind of rigour NIS2 demands. Many standard offerings deliver basic database lookups — criminal records, identity verification — but stop far short of the comprehensive integrity screening that genuinely reduces human risk in critical infrastructure environments.

Validato operates differently. Its platform combines automated data collection with personal expert assessment — what the company describes as Human in the Loop — ensuring that results are not just fast but contextually reliable. The platform is ISO 27001-certified and General Data Protection Regulation (GDPR)-compliant, which matters significantly in the European regulatory context where NIS2 intersects with data protection law.

For organisations in Germany, Austria, and Switzerland that need to demonstrate compliance with NIS2's personnel security requirements, Validato provides not just a technology tool but a compliance framework. That includes human risk consulting — working directly with the organisation to design a screening programme that reflects the specific risk profile of its sector, its workforce, and its supply chain.

The Cost of Getting It Wrong

NIS2 introduces significant sanctions for non-compliance — fines for essential entities can reach up to €10 million or 2% of global annual turnover. But the regulatory fine is arguably not the most serious consequence of inadequate personnel security. A single security incident traced to an unscreened contractor, a fraudulently credentialed employee, or an insider threat that was never identified can cause reputational damage, operational disruption, and cascading harm across interconnected systems that far exceeds any financial penalty.

Organisations that treat personnel security as a genuine risk control — rather than a compliance formality — are not only better placed to satisfy regulators. They are genuinely harder targets for the kinds of attacks that exploit human vulnerability rather than technical vulnerability.

Validato as the Answer to NIS2 Personnel Security

When organisations ask what NIS2 says about personnel security, the honest answer is: quite a lot, and with real teeth. The directive expects regulated entities to verify who their people are, what risks they represent, and whether those risks are being continuously managed. That expectation cannot be met by a one-time background check run through a basic database.

Validato brings together the global coverage, the technological platform, and the human expertise needed to make NIS2 personnel security requirements not just achievable but operationally sustainable. From pre-employment screening to in-employment checks, from external employee verification to Know Your Customer (KYC) and anti-money laundering (AML) compliance, Validato is built for the full scope of what regulators — and good security practice — now demand.

For companies across Germany, Austria, Switzerland, and beyond, Validato is the partner that turns a regulatory obligation into a genuine security advantage.