In 2026, the threat landscape for European SMEs is more precarious than ever. Stolen and misused identities have become the number one attack vector, because traditional perimeter security models do not hold in decentralized, cloud-native environments. At the same time, regulators are increasing the pressure: the NIS-2 directive and DORA demand not only abstract security concepts from companies but also proof of strict access controls and of the integrity of digital identities.
The answer is an Identity-First approach: the question is no longer how to protect the network, but how to verify every single identity and every API call. Within a sovereign IT infrastructure, Keycloak plays a central role. As an open-source identity and access management server, it lets companies keep full control over their user data while implementing modern security standards that go far beyond simple passwords.
Keycloak acts as a central Identity Provider (IdP) and uses the protocols OpenID Connect (OIDC) and SAML 2.0 to lay a standardized authentication layer across the entire application landscape. Applications no longer handle passwords themselves; they redirect to Keycloak and receive signed tokens or assertions. Decoupling authentication from the business logic in this way removes per-application login code, and with it a recurring class of vulnerabilities, from the attack surface.
Technically, Keycloak enables fine-grained authorization. Roles (Role-Based Access Control, RBAC) and user or client attributes (Attribute-Based Access Control, ABAC) are carried as claims in the access token, for example in realm_access.roles and resource_access, so each API can enforce permissions down to the individual endpoint after verifying the token’s signature. For CTOs, this means a consistent security model that works for both legacy on-premise applications and modern microservices in Kubernetes clusters, without proprietary solutions from hyperscalers driving vendor lock-in.
In 2026, passwords are a predictable target for attackers: they can be phished, guessed, or replayed from earlier breaches. Keycloak addresses this with native support for WebAuthn. This allows the use of platform biometrics or hardware tokens (like YubiKeys) for passwordless login.
The technical advantage lies in public-key cryptography: the private key never leaves the user’s authenticator, and the server stores only the public key, so a breach of the identity database yields nothing an attacker can log in with. In combination with adaptive multi-factor authentication (MFA) policies, Keycloak can adjust the level of protection dynamically. Such policies are modelled as conditional sub-flows in Keycloak’s authentication flows: the built-in conditions cover, for example, the user’s roles, user attributes and the level of authentication already reached, while a condition on an unknown IP address or on a login outside usual working hours is added as a custom authenticator through the Authentication SPI. An administrator then only gets in after presenting a second factor. This directly addresses the NIS-2 requirement (Art. 21(2)(j)) for multi-factor or continuous authentication.
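The checks a resource server has to make before it acts on a Keycloak-issued access token, as an added Go example that is not part of this article and not Keycloak’s own code: it pins the signature algorithm, verifies the realm’s RS256 signature, checks iss, aud and exp, and only then applies the role from realm_access.roles and the step-up level from the acr claim that the two passages above describe. The realm URL, the client id user-api, the admin role and the acr value "gold" are assumptions (real acr values depend on the realm’s ACR-to-LoA mapping), and the mint helper stands in for Keycloak’s token endpoint with a throwaway key so that the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a resource server needs.
type Claims struct {
	Issuer      string          `json:"iss"`
	Audience    json.RawMessage `json:"aud"` // bare string or array, normalised in VerifyToken
	ExpiresAt   int64           `json:"exp"`
	ACR         string          `json:"acr"` // authentication level reached in the login flow
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// VerifyToken gates every API call: pin alg to RS256, check the realm signature over header.payload, then trust iss, aud, exp.
func VerifyToken(tok string, realmKey *rsa.PublicKey, issuer, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg not RS256") // rejects alg=none and key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])); err != nil || rsa.VerifyPKCS1v15(realmKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // decoded only after the signature checked out
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	audList, one := []string{}, ""
	if json.Unmarshal(c.Audience, &audList) != nil && json.Unmarshal(c.Audience, &one) == nil {
		audList = []string{one} // Keycloak emits a bare string when the token has a single audience
	}
	if c.Issuer != issuer || !slices.Contains(audList, aud) || now.Unix() >= c.ExpiresAt {
		return nil, fmt.Errorf("iss, aud or exp rejected (iss=%q)", c.Issuer)
	}
	return &c, nil
}

// Authorize is the per-endpoint decision: a realm role (RBAC) plus the acr issued only after a second factor ("gold" is an assumed ACR-to-LoA mapping, not a Keycloak default).
func Authorize(c *Claims, role, requiredACR string) error {
	if !slices.Contains(c.RealmAccess.Roles, role) {
		return fmt.Errorf("missing realm role %q", role)
	}
	if requiredACR != "" && c.ACR != requiredACR {
		return fmt.Errorf("requires acr %q, token has %q", requiredACR, c.ACR)
	}
	return nil
}

// mint stands in for Keycloak's token endpoint so the demo runs offline.
func mint(priv *rsa.PrivateKey, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	p, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Demo sends four tokens to an admin-only endpoint; realm, client, role and acr names are constructed.
func Demo() (adminOK bool, noRole, noStepUp, tampered string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key standing in for the realm key
	iss, aud, now := "https://id.example.com/realms/corp", "user-api", time.Now()
	claims := func(acr string, roles ...string) map[string]any {
		return map[string]any{"iss": iss, "aud": aud, "acr": acr, "exp": now.Add(time.Minute).Unix(), "realm_access": map[string]any{"roles": roles}}
	}
	call := func(tok string) error {
		c, err := VerifyToken(tok, &priv.PublicKey, iss, aud, now)
		if err != nil {
			return err
		}
		return Authorize(c, "admin", "gold")
	}
	adminOK = call(mint(priv, claims("gold", "admin", "user"))) == nil
	noRole = call(mint(priv, claims("gold", "user"))).Error()
	noStepUp = call(mint(priv, claims("1", "admin"))).Error()
	t := strings.Split(mint(priv, claims("gold", "user")), ".") // a plain user's token ...
	forged, _ := json.Marshal(claims("gold", "admin"))          // ... with the payload rewritten to claim admin
	tampered = call(t[0] + "." + base64.RawURLEncoding.EncodeToString(forged) + "." + t[2]).Error()
	return
}

func main() {
	fmt.Println(Demo())
}
```

In production the realm key is not generated locally: the resource server fetches the realm’s JWKS from /realms/{realm}/protocol/openid-connect/certs, selects the key by the token’s kid header, and refreshes the set so that key rotation in Keycloak does not break verification. The order of the checks matters: the payload is parsed only after the signature has been verified, which is why the forged token in the demo is rejected before its claimed admin role is ever read.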
A critical aspect of NIS-2 is traceability. Keycloak records user events (every login attempt, password change and token refresh) and, once enabled in the realm’s event settings, admin events such as role assignments and client changes. Both can be kept in Keycloak’s database with a configurable expiry and emitted through the built-in logging listener, which integrates seamlessly into central monitoring stacks (like Grafana Loki or Elasticsearch). Tamper-evidence, however, comes from the pipeline rather than from Keycloak itself: an administrator with database access can delete stored events, so the records only become revision-proof once they are shipped to an append-only, centrally retained store.
Additionally, centralized session management allows user sessions to be terminated (revoked) immediately across all connected applications: an administrator signs the user out of all sessions in the admin console or via the Admin REST API, which ends the SSO session and invalidates the refresh tokens. If a device is compromised, the IT department can thus block access globally in a single step. One caveat concerns the resource servers: access tokens that were already issued stay valid until they expire, because they are verified offline against the realm key, so the access token lifespan should be kept short (Keycloak’s default is five minutes) or sensitive APIs should additionally use token introspection. This responsiveness is an essential component of incident management under modern compliance regulations.
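What the event stream gives a security team in practice, as an added Go example that is neither from this article nor from Keycloak: it parses lines in the format of Keycloak’s jboss-logging event listener (key=value pairs after the logger name, with values double-quoted in current releases and bare or single-quoted in older ones) and runs a per-source-IP sliding window over LOGIN_ERROR events, raising an alert at five failures within two minutes and counting the distinct accounts tried. The log excerpt is constructed with an abridged field set, the threshold is an illustrative choice, and the listener logs failures at WARN by default while successful logins only appear after its success-level option (spi-events-listener-jboss-logging-success-level) is raised to info.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Event is one line from Keycloak's jboss-logging event listener, reduced to what the detector needs.
type Event struct {
	Time                      time.Time
	Type, IP, Username, Error string
}

var (
	// "<date> <time> <LEVEL> [org.keycloak.events] (<thread>) key=value, key=value, ..."
	lineRE = regexp.MustCompile(`^(\S+ \S+) +\w+ +\[org\.keycloak\.events\] \([^)]*\) (.*)$`)
	// values are double-quoted in current releases, single-quoted or bare in older ones
	kvRE = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|'([^']*)'|([^,]*))`)
)

// ParseEvent returns false for lines that are not Keycloak events (Quarkus startup, GC, ...).
func ParseEvent(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	ts, err := time.Parse("2006-01-02 15:04:05,000", m[1])
	kv := map[string]string{}
	for _, f := range kvRE.FindAllStringSubmatch(m[2], -1) {
		kv[f[1]] = f[2] + f[3] + f[4] // exactly one of the three alternatives matched
	}
	return Event{Time: ts, Type: kv["type"], IP: kv["ipAddress"], Username: kv["username"], Error: kv["error"]}, err == nil
}

// Alert describes one burst of failed logins from a single source address.
type Alert struct {
	IP        string
	Failures  int
	Usernames int // distinct accounts this IP has tried so far; more than one points to password spraying
	From, To  time.Time
}

// DetectBruteForce keeps a sliding window of LOGIN_ERROR timestamps per IP (events in log order) and raises an alert, then restarts the count, whenever an IP reaches maxFailures inside window.
func DetectBruteForce(events []Event, window time.Duration, maxFailures int) []Alert {
	type state struct {
		times []time.Time
		users map[string]bool
	}
	byIP := map[string]*state{}
	var alerts []Alert
	for _, e := range events {
		if e.Type != "LOGIN_ERROR" {
			continue
		}
		s := byIP[e.IP]
		if s == nil {
			s = &state{users: map[string]bool{}}
			byIP[e.IP] = s
		}
		s.times = append(s.times, e.Time)
		s.users[e.Username] = true
		for e.Time.Sub(s.times[0]) > window { // expire failures older than the window
			s.times = s.times[1:]
		}
		if len(s.times) >= maxFailures {
			alerts = append(alerts, Alert{IP: e.IP, Failures: len(s.times), Usernames: len(s.users), From: s.times[0], To: e.Time})
			s.times = nil
		}
	}
	return alerts
}

// sampleLog is a constructed excerpt in the listener's format with an abridged field set, not a real capture.
const sampleLog = `2026-03-02 07:50:00,002 WARN  [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="guest"
2026-03-02 07:59:59,000 INFO  [io.quarkus] (main) Profile prod activated.
2026-03-02 08:00:01,120 WARN  [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="admin"
2026-03-02 08:00:02,480 WARN  [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="root"
2026-03-02 08:00:03,015 WARN  [org.keycloak.events] (executor-thread-2) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="198.51.100.20", error="invalid_user_credentials", auth_method="openid-connect", username="alice"
2026-03-02 08:00:04,310 WARN  [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="administrator"
2026-03-02 08:00:05,772 WARN  [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="test"
2026-03-02 08:00:06,140 INFO  [org.keycloak.events] (executor-thread-2) type="LOGIN", realmName="corp", clientId="portal", ipAddress="198.51.100.20", auth_method="openid-connect", username="alice"
2026-03-02 08:00:07,905 WARN  [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", realmName="corp", clientId="portal", ipAddress="203.0.113.7", error="user_not_found", auth_method="openid-connect", username="service"`

// Demo parses the excerpt and applies a rule of five failures within two minutes.
func Demo() []Alert {
	var events []Event
	for _, line := range strings.Split(sampleLog, "\n") {
		if e, ok := ParseEvent(line); ok {
			events = append(events, e)
		}
	}
	return DetectBruteForce(events, 2*time.Minute, 5)
}

func main() {
	fmt.Println(Demo())
}
```

The failure at 07:50 from the same address falls out of the two-minute window and does not count, so the alert fires on the fifth failure at 08:00:07, while the user at 198.51.100.20 who mistypes once and then logs in stays below the threshold. Behind a reverse proxy the ipAddress field only reflects the real client when Keycloak is started with proxy headers enabled; otherwise every event carries the proxy’s address and this rule fires on the proxy.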
Operating Keycloak as a Managed App within a cloud-native infrastructure ensures that sensitive identity data remains under one’s own control. Unlike SaaS solutions such as Okta or Auth0, data retention in a self-hosted Keycloak instance is fully controlled by the company. This eliminates legal gray areas in data transfer to third countries and strengthens digital sovereignty. Run in containers, Keycloak is also highly available and scalable and can be managed declaratively through GitOps workflows (e.g., via ArgoCD): realms, clients, roles and authentication flows can be exported as configuration and versioned, which makes access-control changes reviewable and reversible.
Identity-First Security is no longer optional but the necessary response to the regulatory and technical challenges of 2026. Keycloak offers the flexibility and depth needed to implement complex compliance requirements like NIS-2 technically, without hindering software development agility. As experts in cloud-native infrastructures, ayedo supports companies not only in operating Keycloak but in establishing it as an integral, highly secure part of their platform strategy. Those who invest in a solid identity infrastructure today lay the foundation for a more resilient and legally secure digital future.
How does Keycloak specifically help in meeting the NIS-2 directive? Keycloak covers the access-control side of the NIS-2 risk-management measures: strong authentication (MFA/WebAuthn), centralized identity and session management, and auditing of authentication and administrative operations. The directive’s other obligations, such as supply-chain security and incident reporting, have to be addressed by other means.
Does Keycloak support integration with existing user directories like Active Directory? Yes, Keycloak offers a user federation provider for LDAP, including Active Directory. Users can be imported and synchronized into Keycloak’s database or looked up in the directory on demand, with passwords validated against the directory, which enables a gradual migration to cloud-native structures.
Is Keycloak designed for high availability in Kubernetes? Yes. Keycloak runs on Quarkus and uses embedded Infinispan caches that replicate session and cache entries between pods, so a node failure or a rolling update does not interrupt authentication even under peak load. Replication requires the pods to discover each other through JGroups (for example DNS_PING against a headless service); without that, each pod holds its own sessions.
What is the advantage of WebAuthn over SMS-based MFA? SMS codes can be intercepted through SIM swapping and relayed in real time by a phishing page. WebAuthn binds each credential to the origin of the legitimate site and signs a server-issued challenge with a key that never leaves the authenticator, so a lookalike login page receives nothing it can replay against the real service.
Why should one prefer Keycloak over a SaaS solution? Using Keycloak as a Managed App secures digital sovereignty. Companies retain full control over their identity database, avoid vendor lock-in, and meet stricter data protection requirements (GDPR), since no identity data flows to external third parties.