How an Amsterdam Company Reduced Compliance Risk Under NIS2 by Automating Access Review
In today’s regulated environment, compliance with directives like the European Union’s NIS2 is non-negotiable for companies handling critical information systems. 🔐 An Amsterdam-based company in the compliance sector faced significant challenges managing the manual processes required for access reviews under NIS2. These reviews are vital for cyber risk management, governance, incident reporting, and supply chain security. In this case study, we explore how automating access review processes using RestFlow’s Automation-as-a-Service drastically reduced compliance risks and operational friction.
This article will cover the client’s background and pain points, the risks of manual compliance processes, and how RestFlow designed and implemented an automated access review workflow using tools like n8n and Google Sheets. Learn practical, step-by-step details on the architecture, integration, error handling, and security strategies that made compliance seamless and scalable for the client.
Case Context & Problem: Compliance Challenges in Amsterdam
The client is a mid-sized compliance-focused company headquartered in Amsterdam, Netherlands. With a team concentrated in its operations and IT departments, the company is responsible for ensuring continual adherence to the new NIS2 Directive requirements. NIS2 regulates cyber risk management, incident reporting, supply chain security, and governance practices within critical entities across the EU.
Prior to automation, the client conducted periodic access reviews manually: auditing user privileges, collating approvals via email, and maintaining audit trails in spreadsheets. This manual process consumed approximately 30–40 hours per month of the security and compliance teams’ time. Challenges included frequent delays, human errors, incomplete records, and no centralized visibility into review statuses. With multiple teams and third-party vendors involved, managing these reviews manually also introduced risks related to inconsistent supply chain security controls.
The consequences went beyond operational inefficiency. Delayed or insufficient access reviews risked compliance violations under the NIS2 Directive. This risk exposed the firm to regulatory penalties and hindered its cybersecurity posture, with increased vulnerability to internal misuse or external attacks.
Our Approach: How RestFlow Streamlined Compliance Automation
RestFlow began by conducting a comprehensive discovery phase, collaborating closely with the client’s compliance, IT, and operations teams. The main goals were to map their existing access review workflows, identify the key systems involved (e.g., Google Workspace, Slack, internal compliance databases), and pinpoint the pain points causing delays or errors.
We concluded that an automation workflow driven by RestFlow’s Automation-as-a-Service platform would provide the optimal solution. Leveraging n8n as an orchestration engine, the platform would integrate with Google Sheets for data storage and approval tracking, Gmail for email communications, and Slack for real-time notifications. This combination was chosen for flexibility, cost-efficiency, and ease of integration within the client’s existing tech stack.
The high-level architecture centered on automating periodic access reviews by triggering scheduled workflows that collected access data, routed approval requests, consolidated responses, generated audit-ready logs, and escalated exceptions. This end-to-end automated process replaced the antiquated manual methods, improving accuracy, visibility, and compliance readiness.
The Solution: Architecture & Workflow
Global Architecture Overview
- Trigger: A scheduled, time-based trigger (the n8n Cron node) initiated the monthly access review process.
- Orchestration Tool: n8n automated and sequenced workflow nodes, managing data transformations and conditional routing.
- External Services Integrated: Google Sheets (central data repository), Gmail (email communication and approval collection), Slack (team notifications), and internal compliance databases via secure API endpoints.
- Outputs: Consolidated review reports in Google Sheets, email summaries to compliance officers, Slack alerts for overdue approvals, and audit logs for NIS2 governance.
End-to-End Workflow Walkthrough
Each month, a scheduled Cron node in n8n triggers the workflow at a configured time. The workflow pulls the latest user access data from Google Sheets and internal APIs, formats approval requests, and sends emails with approval links to designated approvers.
Responses are automatically collected and logged. If approvals are delayed beyond defined SLA thresholds, Slack notifications are sent to escalate. Once all access reviews are completed, the workflow compiles and updates an audit-ready report stored in Google Sheets. This report is available for instant retrieval by compliance and governance teams.
Step-by-Step Node Breakdown 🚦
1. Scheduler Trigger Node (Cron)
Role: Initiates the workflow at a predetermined monthly schedule.
Key Fields: Cron expression for monthly trigger (e.g., “0 9 1 * *” to run at 9 AM on the 1st day).
Input/Output: No inputs, outputs an empty data object to start the workflow.
2. Fetch Access Data Node (HTTP Request & Google Sheets)
Role: Retrieves current access permission data from client systems.
Configuration: HTTP Request node queries internal access management API with OAuth2 authentication; Google Sheets node reads user and access matrix data.
Key Logic: Filters active users and access levels relevant to NIS2 scope.
3. Format Approval Requests Node (Function)
Role: Transforms raw data into personalized approval emails.
Logic: Iterates over access entitlements, grouping by approver email; prepares approval links tied to unique tokens stored in Google Sheets for tracking.
4. Send Approval Email Node (Gmail)
Role: Dispatches approval request emails with embedded review links.
Key Fields: Recipient address, subject, body with dynamic placeholders for user names and links.
Security: Utilizes OAuth credentials stored in n8n securely for Gmail API access.
5. Monitor and Collect Responses Node (Webhook)
Role: Receives approval/rejection responses when approvers click links.
Logic: Validates tokens, updates review status in Google Sheets, triggers Slack notifications if needed.
6. Send Slack Notifications Node 💬
Role: Notifies teams about pending, overdue, or escalated reviews.
Config: Uses Slack API with the incoming webhook URL; messages include details on user access and pending approvals.
7. Compile Final Report Node (Google Sheets & Email)
Role: Aggregates all review data into audit-ready reports.
Output: Updates master compliance sheet and sends consolidated summary emails to compliance leadership.
Error Handling, Robustness & Security
Error Handling & Retries
Each API call and email dispatch includes retry logic with exponential backoff. Failure alerts trigger Slack messages to RestFlow’s support team for rapid intervention.
Logging & Observability
All workflow executions are logged with timestamps, inputs, outputs, and error details available via the n8n web interface. Key metrics feed into dashboards for SLA monitoring.
Idempotency & Deduplication
Unique tokens and timestamps prevent duplicate approvals or email sends. Webhook endpoints verify tokens to ensure one response per approval link.
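The token handling described for the Format Approval Requests and Monitor and Collect Responses nodes can be sketched as follows. This is an added example, not RestFlow's or the client's code: the function names, the in-memory `Map` standing in for the Google Sheets tracking tab, the expiry window, and the choice to store only a hash of each token are all assumptions.

```javascript
const crypto = require('crypto');

// Stand-in for the tracking sheet, keyed by SHA-256 of the token (assumed design:
// only the hash is stored, so read access to the sheet does not reveal live links).
const reviews = new Map();
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Issue a single-use token for one entitlement; the raw value goes only into the email link.
function issueApprovalToken(approver, entitlement, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  reviews.set(sha256(token), {
    approver, entitlement, expiresAt: now + ttlMs, status: 'pending', decidedAt: null,
  });
  return token;
}

// Webhook-side check: validate shape, look up by hash, enforce expiry and single use.
function recordDecision(token, decision, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) {
    return { ok: false, reason: 'malformed' };
  }
  if (decision !== 'approved' && decision !== 'rejected') {
    return { ok: false, reason: 'bad_decision' };
  }
  const row = reviews.get(sha256(token));
  if (!row) return { ok: false, reason: 'unknown_token' };
  if (row.status !== 'pending') return { ok: false, reason: 'already_decided' };
  if (now > row.expiresAt) return { ok: false, reason: 'expired' };
  row.status = decision; // first valid response wins; replays hit 'already_decided'
  row.decidedAt = now;
  return { ok: true, approver: row.approver, entitlement: row.entitlement };
}

// Constructed sample data, not taken from the case study.
const demoToken = issueApprovalToken('approver@example.test', 'alice:finance-db:read', 7 * 864e5);
console.log(recordDecision(demoToken, 'approved')); // accepted once
console.log(recordDecision(demoToken, 'rejected')); // replay is refused
```

Mail security gateways often fetch links in inbound email automatically, so the link should open a confirmation page that submits the decision rather than recording it on the first GET.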
Security Considerations
- API credentials and tokens are stored encrypted within n8n’s credential vault.
- Least-privilege access principles govern all API permissions.
- Access review data is handled securely, with PII access restricted to compliance officers only.
- Audit trails comply with NIS2 governance standards.
Performance, Scaling & Extensibility
Scaling: The modular workflow design accommodates increased user volume by asynchronously triggering parallel approval batches. Use of webhooks avoids inefficient polling.
Extensibility: New departments or third-party suppliers can be added by updating Google Sheets and API configurations without altering core workflow logic.
Polling vs Webhook: Webhook-based responses ensure real-time status updates, reducing latency compared to periodic polling.
Automation Tool Comparison for Access Review Workflow
| Option | Cost | Pros | Cons |
|---|---|---|---|
| n8n | Free tier + Affordable self-hosting | Open-source, highly customizable, strong data control | Requires more setup, steeper learning curve |
| Make (Integromat) | Paid plans with usage tiers | User-friendly UI, rich connector library | Costs increase with scale, less flexible custom logic |
| Zapier | Subscription-based, higher cost | Easy to use, robust app integrations | Limited complex logic, expensive at scale |
Webhook vs Polling: Best Practices for Access Review
| Method | Latency | Resource Efficiency | Reliability |
|---|---|---|---|
| Webhook | Low (real-time) | High (on-demand) | Depends on endpoint availability |
| Polling | Higher (time between intervals) | Lower (constant queries) | More stable but inefficient |
Google Sheets vs Database for Access Data Storage
| Storage Option | Setup Complexity | Scalability | Access Control | Cost |
|---|---|---|---|---|
| Google Sheets | Low (no-code) | Medium (row limits) | Basic sharing permissions | Included in Google Workspace |
| Database (e.g., PostgreSQL) | Higher (requires DB admin) | High (large data volumes) | Advanced role-based control | Hosting & maintenance cost |
See how these tools integrate in the Automation Template Marketplace.
Results & Business Impact
After implementing the automated access review workflow, the client observed significant quantitative and qualitative improvements:
- Time Savings: Reduced manual review effort by 75%, saving approximately 30 hours monthly for compliance teams.
- Error Reduction: Elimination of approval tracking errors and missing audit entries.
- Faster SLAs: Average review completion time decreased from 15 days to under 5 days.
- Improved Visibility: Real-time dashboards and Slack alerts provided instant status updates and escalations.
- Audit Readiness: Automated, tamper-proof logs align perfectly with NIS2 governance and cyber risk management requirements.
The automation has transformed stressful monthly compliance cycles into predictable, calm operations with clear accountability and traceability. Compliance officers can now focus on strategic tasks rather than low-value administrative work.
Pilot Phase & Maintenance Disclaimer
The project included a defined pilot phase during which the workflow was launched with live but controlled data. Minor edge case bugs and integration gaps were identified and resolved collaboratively between RestFlow and the client’s teams. This phase ensured robustness before full production deployment.
Post-pilot, RestFlow continues to provide Automation-as-a-Service, including managed hosting, proactive monitoring, workflow updates, and compliance audit support. Clients benefit from ongoing partnership and a hassle-free user experience.
Frequently Asked Questions
What is the primary benefit of automating access review under NIS2 compliance?
Automating access review streamlines compliance workflows by reducing manual errors, accelerating approvals, providing real-time visibility, and ensuring audit-ready documentation—all critical for meeting NIS2 cyber risk management and governance requirements.
How does RestFlow integrate automation tools for compliance purposes?
RestFlow leverages tools like n8n for orchestration, Google Sheets for data storage, Gmail for communication, and Slack for notifications. These are seamlessly integrated via APIs and webhooks to automate compliance processes end-to-end.
What risks does manual compliance pose under NIS2?
Manual processes lead to delays, human errors, inconsistent reviews, and incomplete audit trails, which increase the likelihood of non-compliance penalties and cyber risk exposure under NIS2 regulations.
Can the access review automation workflow be customized for different industries?
Yes. RestFlow’s modular automation design allows tailoring workflows for specific industry compliance needs, integrating additional systems, and adjusting approval processes accordingly.
How sustainable is Automation-as-a-Service for ongoing NIS2 compliance?
Automation-as-a-Service ensures workflows remain current with evolving regulations, provides continuous monitoring, rapid issue resolution, and adapts processes as organizational needs grow, delivering long-term compliance sustainability.
Conclusion: Transforming NIS2 Compliance with Automated Access Reviews
Automating access review processes under the NIS2 Directive transformed this Amsterdam compliance company’s approach to cyber risk management, governance, and supply chain security. RestFlow’s Automation-as-a-Service combined powerful workflow orchestration, seamless system integrations, and robust security to reduce risk and operational friction dramatically.
The client now enjoys audit-ready reports, rapid approvals, and scalable compliance processes, enabling their teams to focus on strategic priorities rather than manual tasks. This successful automation case demonstrates how compliance-first automation partners like RestFlow can lead the way in meeting new regulatory challenges efficiently.
If your organization faces similar compliance automation challenges, consider getting started today by creating your free RestFlow account or exploring automation templates tailored for compliance workflows.