BifrostConnect Blog


Why Traditional VPN and RDP Solutions Fail NIS2 Compliance


At a time when critical infrastructure faces escalating cyber threats, the NIS2 Directive demands stricter control over remote access. But here’s the reality: most companies are still relying on VPNs and RDP setups that were never designed for today’s compliance or threat landscape.

 
1. Persistent VPN tunnels create standing pathways for attackers: Most VPNs establish always-on, network-level tunnels. The tunnel, and the reachability it provides, exists whether or not anyone is actually working, so a stolen credential, an unpatched VPN appliance or a compromised endpoint on the far side hands an attacker a route that stays available hours, days or even weeks after the legitimate need has ended.
 
NIS2 does not name a product, but its access-control obligations (Article 21(2)(i)) are built around granting access for a purpose and withdrawing it afterwards. Session-based, non-persistent access that is opened for a task and torn down when the task ends fits that model; a standing tunnel is its opposite.
 
2. Generic or shared logins destroy accountability: When multiple users share the same credentials, it becomes impossible to know who accessed what, when, and why.
Under NIS2, traceability isn’t optional — it’s a legal requirement. Without user-specific login and audit trails, you cannot prove compliance.
 
3. Lack of MFA and logging in legacy RDP setups: Many older RDP environments still lack enforced multi-factor authentication (MFA) and detailed session logging.
  • No MFA = easy target for credential theft.
  • No logging = no way to detect or respond to breaches in time.
NIS2 Article 21(2)(j) names multi-factor or continuous authentication explicitly, and the incident-handling duty in Article 21(2)(b) together with the 24-hour early warning and 72-hour notification deadlines in Article 23 cannot be met without session logs that show who connected, from where, when, and what they reached.
 
4. No control over third-party access: Without granular, time-limited access controls, external vendors typically receive broad, standing access that outlives the maintenance job it was granted for, often on shared accounts that several technicians use.
This creates significant compliance exposure under the supply-chain security obligations of Article 21(2)(d), as well as operational risk.
 
Under NIS2, you must be able to define and enforce exactly who can access what, when, and for how long.
 
5. Blurred boundaries between IT and OT increase lateral movement risk: A VPN typically lands the remote user on a network from which both IT and OT systems are routable, with no per-session restriction to the one machine the task requires.
An attacker breaching IT can move laterally into OT — disrupting critical operations like manufacturing, logistics, or energy production.
 
NIS2 demands protection of critical systems — lateral movement is a direct compliance and operational threat.
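The five failure modes above can be checked mechanically against whatever session records a remote-access gateway produces. The script below is an added example, not code from BifrostConnect or from any real VPN or RDP product: it assumes a hypothetical, constructed log format (start, end, account, authentication method, source zone, target zone, one session per line) and a constructed table of access grants, and it flags each session for shared accounts, missing MFA, sessions outside the approved window or beyond a maximum duration, and IT-to-OT crossings that no grant authorises.

```python
"""Audit remote-access session records for the failure modes listed above.

Added example. The log format, the zone names and the grant table are
constructed for illustration and do not come from any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample log: start end account auth source_zone target_zone.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z 2024-05-06T08:47:30Z j.nielsen mfa it ot
2024-05-06T09:15:00Z 2024-05-08T09:15:00Z vendor-shared password it ot
2024-05-09T22:00:00Z 2024-05-09T22:30:00Z a.schmidt mfa it ot
2024-05-10T10:00:00Z 2024-05-10T10:20:00Z k.olsen mfa it it
"""


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    user: str
    auth: str      # "mfa" or "password" in this constructed format
    source: str    # zone the session came from
    target: str    # zone the session reached


@dataclass(frozen=True)
class Grant:
    user: str
    targets: frozenset        # zones this account may reach
    valid_from: datetime      # approved window, inclusive
    valid_until: datetime
    individual: bool = True   # False marks a shared or generic account


# Constructed grant table: who may reach which zone, and for how long.
GRANTS = {
    "j.nielsen": Grant("j.nielsen", frozenset({"ot"}),
                       datetime(2024, 5, 6, tzinfo=UTC),
                       datetime(2024, 5, 7, tzinfo=UTC)),
    "vendor-shared": Grant("vendor-shared", frozenset({"ot"}),
                           datetime(2024, 5, 6, tzinfo=UTC),
                           datetime(2024, 5, 6, 18, tzinfo=UTC),
                           individual=False),
    "a.schmidt": Grant("a.schmidt", frozenset({"it"}),
                       datetime(2024, 5, 1, tzinfo=UTC),
                       datetime(2024, 6, 1, tzinfo=UTC)),
}


def _ts(text):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_sessions(text):
    """Turn the constructed log text into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, auth, source, target = line.split()
        sessions.append(Session(_ts(start), _ts(end), user, auth, source, target))
    return sessions


def audit_session(s, grants, max_duration=timedelta(hours=8)):
    """Return the list of findings for one session (empty means clean)."""
    findings = []
    grant = grants.get(s.user)
    if grant is None:
        findings.append("no access grant for account")
    else:
        if not grant.individual:
            findings.append("shared or generic account")
        if s.start < grant.valid_from or s.end > grant.valid_until:
            findings.append("session outside approved time window")
        if s.target not in grant.targets:
            findings.append(f"reached zone '{s.target}' outside grant")
    if s.auth != "mfa":
        findings.append("no MFA")
    if s.end - s.start > max_duration:
        findings.append("session exceeds maximum duration (persistent access)")
    if s.source == "it" and s.target == "ot" and (grant is None or "ot" not in grant.targets):
        findings.append("IT-to-OT crossing without explicit OT grant")
    return findings


def audit(text, grants=GRANTS):
    """Audit every session in the log; returns [(account, findings), ...]."""
    return [(s.user, audit_session(s, grants)) for s in parse_sessions(text)]


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_LOG):
        print(user, "->", findings or "clean")
```

Two design choices matter in practice. The grant table, not the log, is the source of truth for who is allowed where and until when, so an account that appears in the log without a grant is itself a finding rather than a silently accepted session. And the maximum-duration check is what turns the "persistent tunnel" argument into something measurable: a session that spans two days is flagged even when the account, MFA and zone are all in order.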
 
The Bottom Line:
 
If you’re still relying on persistent VPNs and unsecured RDP for remote access, you’re not just behind the curve — you’re non-compliant.
And under NIS2, that could mean fines, legal liability, and reputational damage.
 
The future of compliant remote access is non-persistent, auditable, and zero-trust by design.

Discover How You Can Establish Zero Trust Access to Your Equipment

Get in touch with one of our experts today.