The True Cost of a Missed Access Review
And How to Automate Them

Access creep has become a European liability, not an audit nuisance. This article shows how CISOs and CHROs can quantify risk, align with GDPR, ISO/IEC 27001, NIS2 and DORA, and automate evidence-grade access reviews.

By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


Europe’s regulatory landscape has turned missed access reviews from a mere audit ding into a seven‑figure liability. IBM’s 2024 report pegs the average breach cost in Benelux at ≈ €5.4 million and in Germany at ≈ €4.9 million, well above many global peers. Add record GDPR penalties such as Meta’s €1.2 billion fine, and the business case for access‑governance automation is self‑evident. Yet organisations that extensively deploy security automation save ~€2 million per incident—funds better spent on innovation than incident response. This article quantifies the European risk of “access creep,” maps it to GDPR, ISO/IEC 27001:2022, NIS2 and DORA, and outlines pragmatic automation (and manual) paths you can implement long before the next surveillance audit or works‑council meeting.


🔍 Access Creep: The EU Variant

“Least privilege” often dies on the altar of rapid hiring, mergers, and sprawling SaaS estates. Across EEA enterprises, dormant identities sit untouched for quarters—especially where works‑council approval slows de‑provisioning. Attackers cherish these orphans because they lack owners; auditors dislike them because they violate ISO 27001 control 5.18 and GDPR’s data‑minimisation principle. In a post‑Schrems II world, every extraneous privilege that enables a trans‑Atlantic data transfer is a latent compliance land mine.


💶 The Real European Price Tag of a Missed Access Review

  1. Direct Breach Losses: €4.9‑5.4 million on average, depending on member state.
  2. GDPR & NIS2 Fines: Up to 4 % of global turnover (GDPR) or 2 % for essential entities under NIS2.
  3. Operational Waste: Scandinavian HR‑tech vendor Personio reports that 30 % of SaaS licences in mid‑market EU firms are inactive, burning OPEX even in a budget freeze (internal benchmark data, 2024).
  4. Audit Remediation & Lost Deals: A single major non‑conformity under ISO 27001 or TISAX can stall EU automotive supply‑chain contracts for quarters.
  5. Insider & Post‑Exit Fraud: Works‑council‑mandated notice periods mean leavers often retain ERP and payroll access for weeks—ample time to stage unauthorised payouts.

📏 Quantifying Risk in Euros

A CFO‑friendly formula:

Expected loss (€) = Probability of exploit × Financial impact

Probability. ENISA’s 2024 guidance notes that access control failures rank among the top three root causes of major incidents across EU critical sectors. Conservatively assume a 5 % yearly likelihood that at least one dormant account is abused.

Impact. Using the German average breach cost (€4.9 M) and the 30 % risk‑reduction achieved when regular reviews are automated, the calculation is:

0.05 × €4.9 M × 0.30 ≈ €735 000

That is the risk‑adjusted annual benefit per business unit before factoring in licence waste or audit consulting.


🏛 European Statutes That Turn “Nice to Have” Into “Must Do”

ISO/IEC 27001:2022 – Control 5.18

Requires documented, periodic access reviews; auditors now demand evidence “aligned to risk.”

GDPR – Articles 24, 25 & 32

Mandate appropriate technical measures; regulators have interpreted out‑of‑date privileges as a failure of both security and data‑minimisation.

NIS2 – Article 21 (effective October 2024)

Obliges essential and important entities to maintain “identity and access management, including policies for access rights.”

DORA – Article 9 (live 17 Jan 2025)

Requires financial entities to ensure that privileged‑access mechanisms are automatically reviewed and revoked post‑employment.

Non‑compliance is more than a penalty; it can void cyber‑insurance payouts and invalidate TISAX or BSI C5 attestations, which are critical in EU supply chains.


⚙️ Automating Reviews Without Violating Data Residency

1. Native EU Data Centres

  • Microsoft Entra ID Governance now stores audit artefacts in EU geo‑replicated storage—no Schrems II angst.
  • Okta Identity Governance (EU Cell) keeps review evidence in Frankfurt.

2. SCIM + HRIS

  • Workday, SAP SuccessFactors and Personio all push leaver events to identity platforms, triggering instant de‑provisioning.

3. European‑born Micro‑IGAs

  • Omada (DK) and Tenfold (AT) offer per‑application attestations from €19 k a year, with CSV/PDF exports tailored for TÜV or BSI auditors.

4. Risk‑Adaptive Certification

  • Machine‑learning modules in SailPoint or One Identity auto‑skip read‑only entitlements, cutting reviewer fatigue by up to 60 %.

5. Immutable Evidence Vaults

  • Store signed‑off decisions in EU‑based object storage with WORM retention—ready for both ISO audits and GDPR discovery requests.
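Item 2 above relies on the HRIS pushing a leaver event and the identity platform deactivating the account over SCIM. The following added example (not code from any of the vendors named on this page) shows both sides of that exchange in miniature: the decision logic that waits for the HR‑recorded termination date, the SCIM 2.0 PatchOp body that sets a user inactive, and a minimal server‑side handler that applies it. The leaver event, its field names and the SCIM user id are constructed sample values; real HRIS webhooks differ in shape.

```python
"""HRIS leaver event -> SCIM 2.0 deactivation request (added example).
Demonstrates the PatchOp body an identity platform accepts to set a user
inactive, plus a guard that defers revocation until the HR-recorded
termination date. Event fields and ids below are constructed."""
import json
from datetime import date

# Schema URI for a SCIM 2.0 PATCH body, as defined in RFC 7644.
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed leaver event; field names are an assumption, not a vendor format.
LEAVER_EVENT = {
    "event": "employee.terminated",
    "employee_id": "E-10482",
    "email": "b.schulz@example.com",
    "termination_date": "2025-02-28",
    "scim_user_id": "2819c223-7f76-453a-919d-413861904646",
}


def scim_deactivation_patch(scim_user_id):
    """Build the request that sets active=false on one SCIM user.
    On the wire this is PATCH /Users/{id} with the JSON body shown here."""
    body = {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return {"method": "PATCH", "path": f"/Users/{scim_user_id}", "body": body}


def handle_leaver(event, today):
    """Decide what to do with an HRIS event on a given day.
    Returns ('deactivate', request) once the termination date has arrived,
    ('defer', None) while the notice period is still running (re-check daily),
    or ('ignore', None) for events that are not terminations."""
    if event.get("event") != "employee.terminated":
        return ("ignore", None)
    term = date.fromisoformat(event["termination_date"])
    if today < term:
        return ("defer", None)
    return ("deactivate", scim_deactivation_patch(event["scim_user_id"]))


def handle_leaver_iso(event, today_iso):
    """Convenience wrapper taking the review date as an ISO string."""
    return handle_leaver(event, date.fromisoformat(today_iso))


def apply_patch(user_resource, request):
    """Minimal server-side handling of the PatchOp: checks the schema URI and
    applies each 'replace' to a top-level attribute. Returns the updated user,
    which a real SCIM server would send back with HTTP 200."""
    body = request["body"]
    if body["schemas"] != [SCIM_PATCH_SCHEMA]:
        raise ValueError("unsupported PatchOp schema")
    updated = dict(user_resource)
    for op in body["Operations"]:
        if op["op"] != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        updated[op["path"]] = op["value"]
    return updated


if __name__ == "__main__":
    action, request = handle_leaver_iso(LEAVER_EVENT, "2025-02-28")
    print(action, json.dumps(request, indent=2))
    user = {"id": LEAVER_EVENT["scim_user_id"], "userName": "b.schulz", "active": True}
    if action == "deactivate":
        print(apply_patch(user, request))
```

The deferral branch is where the works‑council notice period bites: the account stays active until the recorded termination date, so the review process described later on this page is what catches a leaver whose date has passed but whose access was never revoked.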

🛠 Manual Stop‑Gaps When Budget—or Works Council—Says “Nein”

Quarterly Excel Attestations

  • Export access matrices, slice by data owner, and obtain electronic sign‑off. Store signed sheets in your ISMS.

Event‑Driven Off‑Boarding

  • Tie HR termination tickets to a four‑eyes checklist: HR confirms last payroll, IT revokes, line manager attests.

High‑Risk Spot Checks

  • Payroll, CRM and Git repos contain PII or IP; review those monthly even if everything else is quarterly.

ENISA explicitly recognises “periodic access rights review records” as acceptable evidence. Manual proof is better than none—at least until funding or cultural buy‑in matures.
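The three stop‑gaps above (attestation sheets sliced by data owner, leaver checks, and monthly spot checks on high‑risk systems) can be driven from a single exported access matrix. The following added example, which is not from the article or any vendor, reads a constructed CSV export, flags the dormant, leaver and orphaned entitlements the “Access Creep” section describes, assigns monthly or quarterly cadence by system, groups rows into one attestation packet per data owner and hashes each packet so the signed‑off sheet filed in the ISMS can later be verified against the export. The 90‑day dormancy threshold and the set of high‑risk systems are assumptions to adjust per organisation.

```python
"""Access-matrix review helper (added example, not the article's code).
Slices an exported entitlement list by data owner, flags dormant, leaver and
orphaned access, assigns review cadence, and hashes each attestation packet
so the signed-off sheet is tamper-evident. The CSV below is constructed."""
import csv
import hashlib
import io
import json
from datetime import date, timedelta

# Assumption following the article: systems holding PII or IP are reviewed
# monthly, everything else quarterly.
HIGH_RISK_SYSTEMS = {"payroll", "crm", "git"}
DORMANT_AFTER_DAYS = 90  # assumption: a quarter without sign-in is dormant

# Constructed export, one row per (user, system, entitlement).
ACCESS_MATRIX_CSV = """user,system,entitlement,data_owner,last_login,hris_status,termination_date
a.meier,payroll,approver,hr-lead,2025-04-30,active,
b.schulz,payroll,approver,hr-lead,2024-11-02,terminated,2025-02-28
c.dupont,crm,admin,sales-lead,2025-05-01,active,
d.novak,crm,read-only,sales-lead,2024-12-15,active,
e.jansen,git,maintainer,,2025-05-10,active,
f.rossi,wiki,editor,it-lead,2025-05-12,active,
"""


def review_cadence(system):
    """Monthly for high-risk systems, quarterly otherwise."""
    return "monthly" if system in HIGH_RISK_SYSTEMS else "quarterly"


def classify(row, today):
    """Return the findings for one entitlement row."""
    findings = []
    if not row["data_owner"]:
        findings.append("orphan")  # nobody is accountable for attesting it
    if row["hris_status"] == "terminated" and row["termination_date"]:
        if date.fromisoformat(row["termination_date"]) <= today:
            findings.append("leaver_retains_access")
    last_login = date.fromisoformat(row["last_login"])
    if today - last_login > timedelta(days=DORMANT_AFTER_DAYS):
        findings.append("dormant")
    return findings


def build_packets(csv_text, today):
    """Group rows by data owner into attestation packets; each packet carries a
    SHA-256 over its canonical JSON so a signed copy can be verified later."""
    packets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        owner = row["data_owner"] or "UNASSIGNED"
        packets.setdefault(owner, []).append({
            "user": row["user"],
            "system": row["system"],
            "entitlement": row["entitlement"],
            "cadence": review_cadence(row["system"]),
            "findings": classify(row, today),
        })
    result = {}
    for owner, entries in packets.items():
        canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
        result[owner] = {
            "entries": entries,
            "evidence_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        }
    return result


def review_as_of(csv_text, today_iso):
    """Convenience wrapper taking the review date as an ISO string."""
    return build_packets(csv_text, date.fromisoformat(today_iso))


def findings_summary(packets):
    """Count findings by type across all packets."""
    counts = {}
    for packet in packets.values():
        for entry in packet["entries"]:
            for finding in entry["findings"]:
                counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    packets = review_as_of(ACCESS_MATRIX_CSV, "2025-05-15")
    for owner, packet in packets.items():
        print(f"{owner}: {len(packet['entries'])} entitlements, "
              f"evidence sha256 {packet['evidence_sha256'][:16]}...")
    print(findings_summary(packets))
```

Each owner receives only their own packet, signs it, and the hash recorded at export time lets an auditor confirm the signed sheet matches what was actually reviewed; the UNASSIGNED packet is itself a finding, since orphaned entitlements have no one who can attest them.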


🚀 Ninety Days to Compliance (and Board Plaudits)

Days 0‑15 – Frame the Exposure

  • Brief ELT on €735 k risk‑adjusted annual exposure.
  • Map critical apps carrying PII or trade secrets.

Days 16‑45 – Pilot & Document

  • Launch a review in one EU‑hosted SaaS platform.
  • Draft policy annex aligning frequencies to risk (e.g., monthly for payroll approvers).

Days 46‑75 – Scale

  • Onboard additional systems; integrate HRIS via SCIM; start immutable evidence vaulting.

Days 76‑90 – Audit‑Ready

  • Run an internal ISO 27001/NIS2 gap‑assessment.
  • Close findings; generate DORA‑aligned board report before 17 Jan 2025.

🌟 Closing Thoughts: Make Access Hygiene European by Design

A missed access review is no longer a benign oversight—it is a quantifiable liability that can trigger multi‑million‑euro breaches, derail certifications, or invite GDPR scrutiny. CHROs who champion automated, evidence‑grade reviews not only mitigate €735 k of annualised risk but also shield the organisation from a patchwork of EU directives that now govern digital trust. Treat access governance as integral to the employee lifecycle—from job offer to alumni status—and you will prevent expensive access creep while turning compliance into a competitive differentiator across the Single Market.


Publication Note & Disclaimer

This article was originally published on LinkedIn on May 15, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
