30.06.2026

CyberSec Update #26: Digital Identity in Cybersecurity

Digital Identity Is the New Frontier of Cybersecurity

Christopher Nolan’s “The Odyssey” is set to hit cinemas soon, which makes it worth recalling how, after ten years of siege, the Greeks finally captured Troy: the Trojans themselves let them into the city. In cybersecurity, a similar pattern is increasingly visible: deception and social engineering techniques are often the most effective ways to bypass security controls.

Until recently, cybersecurity was primarily associated with protecting infrastructure: networks, servers, workstations, firewalls, and endpoints. Today, it is becoming increasingly clear that the real critical point is no longer just infrastructure, but digital identity.

Identity Instead of Systems – A Shift in Perspective

In practice, the target of an attack is increasingly not the “system” itself, but a user account, a session, an access token, a privileged account, or an authentication mechanism. In other words, attackers do not always need to break technical safeguards. More and more often, they simply try to log in as an authorised user.

This shift has not only technological but also legal and organisational implications. If an organisation does not control who has access to data and systems, on what basis, to what extent, and for how long, it effectively does not control one of its key areas of risk.

Identity as a Risk Area

Modern security incidents very often begin with identity compromise. This may involve phishing, credential theft, session hijacking, misuse of an OAuth token, bypassing MFA, or exploiting excessive privileges.

As a result, the traditional model based mainly on login and password is gradually losing its relevance. The problem is no longer just the password itself, but the entire identity lifecycle: account creation, assignment of permissions, their periodic review, changes in access scope, revocation of permissions after cooperation ends, and monitoring of unusual behaviour.

From a security perspective, digital identity is becoming one of the most critical organisational assets. If access is poorly managed, even the most robust infrastructure security measures may prove insufficient.

Legal Perspective: NIS2, KSC and GDPR

From a legal standpoint, identity management is no longer solely an IT responsibility. It is part of due diligence, information security management, and access control to data and systems.

Under NIS2 and the amended Act on the National Cybersecurity System (KSC), technical and organisational measures related to risk management are gaining particular importance. Access control, asset security, MFA, training, incident response procedures, and the oversight of privileged accounts are not an addition to cybersecurity – they are its core.

A similar approach applies under the GDPR. Article 32 requires the implementation of technical and organisational measures appropriate to the level of risk. In practice, this means that a controller or processor should be able to demonstrate that access to personal data is limited, justified, controlled, and adequate to the nature of the processing.

This is where cybersecurity and compliance meet. An organisation should not only implement safeguards but also be able to document that they are proportionate to the risk and effectively operate.

What Does This Mean in Practice?

Mature identity management should include at least:

  • identification of key and privileged accounts,
  • application of the principle of least privilege,
  • regular access reviews,
  • implementation of MFA or passwordless solutions where justified by risk,
  • centralised identity and access management,
  • monitoring of unusual logins and anomalies,
  • onboarding and offboarding procedures,
  • employee training on phishing, account takeover, and secure authentication.

The biggest mistake is to treat these activities as a technical formality. In reality, they are part of the risk management system and, in the event of an incident, may have evidentiary significance.

An organisation will need to demonstrate not only that it had authentication mechanisms in place, but also that they were adequate, up to date, properly supervised, and that personnel were trained in their use.

Conclusion – It Is Worth Listening to Cassandra

Digital identity has become the new frontier of cybersecurity, as it determines who can access a system, what data they can reach, and, once access is granted, what actions they are authorised to perform.

That is why modern cybersecurity no longer ends with infrastructure protection. It begins with proper management of identity, access, and permissions.

In the context of NIS2, KSC, and GDPR, it is no longer sufficient to ask: “Are our systems secured?”. The more important question is: “Do we really know who has access to them, and can we prove it?”. Also, so that no modern-day Cassandra can later say: “I told you so.”

1 2 3 4 5 60

Newsletter

Want to stay up to date?
Subscribe to our newsletter.

By entering your e-mail address above and clicking ‘Subscribe!’ you declare that you have read and accept the Terms of Service and subscribe to the newsletter, i.e. information on legal topics, including information on important legal events, legislative changes and the Law Firm's activities, services and products, via e-mail communication.

The controller of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with its registered office in Kraków, Kącik 4 Street, 30-549 Kraków. Your data will be processed in order to provide the newsletter service and thus send commercial and marketing information to the e-mail address provided, in accordance with the Privacy Policy and the Terms of Service. For more information on the principles of personal data processing, including your rights, please see the Privacy Policy.

Please wait...

Thank you for sign up!