Nearly 30,000 German companies are being forced to rethink how they bring new employees on board, caught between the relentless demands of two major EU regulations and a sophisticated new phishing technique that hijacks authentication tokens. According to a new analysis, NIS-2 compliance deadlines, the EU AI Act’s novel literacy obligations, and the rise of token-stealing campaigns like EvilTokens have converged to turn the ordinary first login into a high-stakes security challenge.
For IT administrators running Windows shops, this is more than a regulatory headache — it’s a direct assault on the identity layer they manage daily through Azure AD, Active Directory, and Microsoft 365. The shift demands a fundamental redesign of onboarding workflows, moving away from legacy username-password setups toward phishing-resistant authentication from day one.
NIS-2 rewrites the onboarding rulebook
The EU’s updated Network and Information Security Directive (NIS-2) came into force in January 2023, with member states — including Germany — required to transpose it into national law by October 2024. For the estimated 30,000 German entities now falling under its scope (a massive expansion from the previous ~2,000), the law mandates baseline security measures that directly impact how new users are provisioned.
Among the key requirements: multi-factor authentication must be enforced for all access to sensitive systems, access privileges must follow the least-privilege principle, and organizations must maintain a comprehensive inventory of digital identities. For onboarding, this means IT teams can no longer simply create a user account with a temporary password and hand it over via email or chat. The process must embed strong authentication from the very first moment a new hire logs in.
Germany, already one of the strictest enforcers of data protection under the BSI (Federal Office for Information Security), is expected to interpret NIS-2 with characteristic rigor. Companies that fail to demonstrate compliant onboarding procedures risk fines of up to €10 million or 2% of global annual turnover — whichever is higher.
The AI Act adds a literacy twist
Less obvious but equally disruptive is the EU AI Act, which entered into force in August 2024. While its headline provisions target high-risk AI systems, a seldom-discussed article requires that providers and users of AI systems ensure a “sufficient level of AI literacy” among staff, taking into account their technical knowledge, experience, education, and training.
For German companies integrating AI into HR, IT support, or security tools — think AI-driven user provisioning, chatbots for helpdesk, or ML-based anomaly detection — the Act means they must now prove that every new employee possesses the necessary understanding of the AI systems they’ll interact with. Onboarding programs must include AI literacy modules, and the first login often gates access to those very training platforms.
This literacy push intersects with cybersecurity in a perilous way: employees need to recognize AI-enhanced phishing attempts, understand the dangers of prompt injection in AI tools, and appreciate why their biometric data may be used in Windows Hello for Business. Yet many organizations still treat cybersecurity training as an afterthought, delivered weeks after the account has been compromised.
EvilTokens and the token theft epidemic
While companies wrestle with compliance, attackers have refined a technique that makes the first login a prime target: token theft. The EvilTokens campaign, flagged by multiple threat intelligence sources, illustrates the danger vividly. Attackers combine traditional phishing with adversary-in-the-middle (AiTM) proxies to capture session cookies and access tokens in real time, bypassing MFA entirely.
Here’s how it plays out during onboarding: a new employee receives an email, often disguised as an IT welcome message, asking them to verify their account. The link leads to a convincing, dynamically populated phishing page that mimics the corporate Azure AD login. When the victim enters their credentials and approves an MFA prompt, the proxy intercepts the session token issued by the identity provider. That token is then immediately injected into an attacker-controlled browser, granting seamless access to email, files, and apps — no password needed.
The first login is uniquely vulnerable. New users haven’t yet developed a sense of normal for company communications; they’re eager to get set up, often haven’t completed security awareness training, and may struggle to distinguish a legitimate IT onboarding message from a clever fake. Attackers know this and time their campaigns accordingly, often scraping LinkedIn for new hire announcements.
Microsoft has acknowledged the rise of token replay attacks and is pushing organizations toward phishing-resistant authentication methods, including FIDO2 security keys and Windows Hello for Business. These methods bind the credential to the device, making stolen tokens useless on another machine. But adoption remains slow, especially in mid-sized German firms where legacy on-premises Active Directory still rules.
The German first-login dilemma
Put these three forces together, and the scale of the challenge becomes clear. An HR department sends out a contract, IT creates an account, and the new employee needs to log into a system that holds sensitive customer data on day one. NIS-2 demands that the login be secured with MFA; the AI Act demands that the employee be literate about any AI processing their data; and an attacker is waiting to steal the session token the instant the login succeeds.
Traditional onboarding flows — “set temporary password, force change at next logon” — are not just insufficient; they are actively dangerous. A temporary password sent via unencrypted email can be intercepted. Even a more secure initial password reset portal can be spoofed. And once a session token is stolen, the attacker owns the account until the token expires, which in many Azure AD configurations can be hours or even days.
German companies are particularly exposed because of their heavy use of Microsoft environments and the prevalence of on-premises hybrid setups. Many have resisted a full shift to cloud-native identity because of data residency concerns and the complexity of migrating legacy line-of-business apps. That means the onboarding process often involves a mix of on-prem AD and Azure AD Connect, creating gaps that attackers can exploit — for instance, by targeting the more weakly protected on-prem registration.
Windows-native defenses that close the gap
The good news is that the tools to decouple onboarding from phishable factors already exist in Windows and Microsoft 365. The challenge is that many organizations haven’t turned them on or rearchitected their join process.
Temporary Access Pass (TAP). Instead of a permanent password, IT can issue a time-limited, single-use code that the employee uses during enrollment. TAP flows integrate with the Microsoft Authenticator app to register the device as a strong credential. Because the code is short-lived (configurable from 10 minutes to 8 hours), it drastically reduces the window for interception.
Windows Autopilot plus Hello for Business. With Autopilot, a device shipped directly to the new hire boots up and automatically joins Azure AD, prompting for an email address and then biometric enrollment via Windows Hello. The entire process can be completed without a password ever being created, stored, or transmitted. Hello’s public-private key pair is bound to the TPM on the device, making it resilient to token replay.
Conditional Access for onboarding. Policies can restrict the initial login to trusted networks, compliant devices, or specific locations. For example, a rule can say: “New accounts created within the last 24 hours may only access the onboarding app from the corporate office IP range.” Attackers stealing tokens from outside that range find them useless.
Phishing-resistant MFA mandates. Microsoft now allows organizations to enforce “phishing-resistant” strength for all authentication, eliminating weaker methods like SMS and push notifications for critical roles. For new employees, this can be extended universally until training is complete.
Continuous Access Evaluation (CAE). While not specific to onboarding, CAE shortens the effective lifespan of tokens by enabling real-time revocation based on risk signals such as an IP address change. In a token-theft scenario, CAE can cut off access within minutes, turning a potentially catastrophic breach into a contained incident.
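The risk signal that CAE reacts to, a session suddenly appearing from a new IP address, can also be checked after the fact against exported sign-in records. The Python below is an added example written for this article, not Microsoft code and not part of the original piece. It runs two detections over constructed sample records: a session token presented from a second address within a short window, which is how the EvilTokens replay described above shows up in the logs, and any sign-in by an account less than 24 hours old from outside the corporate range. The corporate address range, the sessionId and userCreated fields and every event in the sample are constructed assumptions; in a real export the session identifier and account creation time would be joined in from the sign-in log and the directory.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed corporate office range (TEST-NET-3 placeholder, not a real address block).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in events. userPrincipalName, ipAddress and createdDateTime follow
# the Entra sign-in log field names; sessionId and userCreated are simplifications
# added for this example.
SAMPLE_SIGNINS = [
    # New hire's genuine first login from the office
    {"userPrincipalName": "new.hire@example.com", "ipAddress": "203.0.113.25",
     "sessionId": "sess-aaa", "createdDateTime": "2024-10-21T08:02:10Z",
     "userCreated": "2024-10-21T07:00:00Z"},
    # Same session presented four minutes later from outside the office: the
    # log footprint of a token captured by an AiTM proxy and replayed elsewhere
    {"userPrincipalName": "new.hire@example.com", "ipAddress": "198.51.100.77",
     "sessionId": "sess-aaa", "createdDateTime": "2024-10-21T08:06:40Z",
     "userCreated": "2024-10-21T07:00:00Z"},
    # New hire signs in again from home that evening (new session, offsite)
    {"userPrincipalName": "new.hire@example.com", "ipAddress": "192.0.2.9",
     "sessionId": "sess-ccc", "createdDateTime": "2024-10-21T18:30:00Z",
     "userCreated": "2024-10-21T07:00:00Z"},
    # Long-standing user moving between two office addresses: benign
    {"userPrincipalName": "veteran@example.com", "ipAddress": "203.0.113.40",
     "sessionId": "sess-bbb", "createdDateTime": "2024-10-21T09:15:00Z",
     "userCreated": "2019-03-01T00:00:00Z"},
    {"userPrincipalName": "veteran@example.com", "ipAddress": "203.0.113.41",
     "sessionId": "sess-bbb", "createdDateTime": "2024-10-21T09:20:00Z",
     "userCreated": "2019-03-01T00:00:00Z"},
]


def _parse(ts):
    """Parse the UTC 'Z' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip):
    """True if the address falls inside one of the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def detect_token_replay(events, window=timedelta(minutes=30)):
    """Flag a session whose token is presented from two different addresses within
    `window`, unless both addresses are inside the corporate range. A stolen token
    injected into an attacker-controlled browser looks exactly like this: the same
    session id, a new IP address, minutes apart."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["userPrincipalName"], ev["sessionId"])].append(ev)
    alerts = []
    for (upn, sid), evs in by_session.items():
        evs.sort(key=lambda e: _parse(e["createdDateTime"]))
        for a, b in zip(evs, evs[1:]):
            if a["ipAddress"] == b["ipAddress"]:
                continue
            gap = _parse(b["createdDateTime"]) - _parse(a["createdDateTime"])
            if gap <= window and not (is_corporate(a["ipAddress"]) and is_corporate(b["ipAddress"])):
                alerts.append({"rule": "session_replay", "user": upn, "sessionId": sid,
                               "from": a["ipAddress"], "to": b["ipAddress"],
                               "minutes": int(gap.total_seconds() // 60)})
    return alerts


def detect_new_hire_offsite(events, max_age=timedelta(hours=24)):
    """Flag sign-ins by accounts younger than `max_age` that come from outside the
    corporate range: the population the 'first login only from the office' rule
    is meant to protect, so any hit is either a policy gap or an attacker."""
    alerts = []
    for ev in events:
        age = _parse(ev["createdDateTime"]) - _parse(ev["userCreated"])
        if age <= max_age and not is_corporate(ev["ipAddress"]):
            alerts.append({"rule": "new_hire_offsite", "user": ev["userPrincipalName"],
                           "ip": ev["ipAddress"], "time": ev["createdDateTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_SIGNINS) + detect_new_hire_offsite(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data the replay rule fires once, for the new hire's session reused from 198.51.100.77 four minutes after the office login, while the veteran moving between two office addresses produces nothing; the new-hire rule fires for both offsite events, including the evening sign-in from home, which is the kind of hit that tells you whether the Conditional Access restriction from the previous paragraphs is actually being enforced.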
The regulatory compliance linkage
These technical controls don’t just improve security — they help satisfy the specific demands of NIS-2 and the AI Act. Using a strong credential from day one demonstrates that the organization has addressed the “basic cyber hygiene” pillar of NIS-2. Logging and auditing the onboarding flow, including details of which authentication method was used and whether a temporary access pass was issued, generates the evidence required for audits.
For the AI Act, building AI literacy into the login experience itself can serve as a trigger. Imagine a first-run experience that requires the employee to view a short explainer about the company’s AI-supported HR bot before they can access their payslip. Such a flow turns a regulatory obligation into a natural part of onboarding without adding friction. Microsoft Viva Learning and custom company-branded portals in SharePoint or Power Apps can deliver this content seamlessly.
Real-world friction and pushback
Despite the technical path being clear, the ground reality in German midsize enterprises (Mittelstand) is messier. Many IT departments are understaffed, and the security team is often the same person who maintains the ERP system. Rolling out passwordless onboarding requires a tight orchestration between HR, IT, and facilities — a coordination challenge that’s historically been a weak spot.
There’s also cultural resistance. Employees have spent decades associating “account” with “password.” Removing that paradigm, even with biometrics, can feel disorienting. Onboarding a new engineer who is handed a YubiKey on day one instead of a sticky note with a password requires a mindset shift that training materials alone may not solve.
Several community discussions have highlighted that some organizations are falling back to “password first, passwordless later” models to ease the transition. But this hybrid approach leaves the very first login vulnerable, exactly when the EvilTokens actors strike. Security leaders argue that the risk is simply too high: if NIS-2 compliance demands accountability for every access, a stolen session token undermines the entire identity chain.
The cost of doing nothing
The financial argument is stark. A single successful token theft that leads to a data breach in a German company can trigger dual fines — from the national data protection authority under GDPR and from the BSI under the upcoming NIS-2 enforcement framework. Operational disruption compounds the cost: ransomware often follows initial access gained through stolen tokens, as the 2023 Maersk case and numerous midsize manufacturing incidents have shown.
Moreover, the German cyber insurance market has hardened dramatically. Underwriters now commonly require evidence that phishing-resistant MFA is in place for privileged accounts and that new user provisioning follows secure-by-design principles. Companies that cannot demonstrate such controls may find their premiums soaring — or coverage denied entirely. Onboarding weaknesses are a red flag insurers now actively probe during risk assessments.
A practical five-step flight plan
For Windows-focused IT teams staring down the triple threat of NIS-2, AI Act, and token phishing, a phased approach can make the transition manageable without boiling the ocean:
- Audit current onboarding identity flow. Map every step from HR notification to first productive login. Identify where passwords are being transmitted, stored, or typed. Flag any reliance on SMS or email for initial credentials.
- Pilot temporary access pass for a department. Choose a non-critical team first, test the TAP + Microsoft Authenticator enrollment, and measure helpdesk tickets. Tweak the TAP lifetime and the Conditional Access policy before expanding.
- Make phishing-resistant MFA mandatory for new users. Use Azure AD's Authentication strengths policy to block weaker methods for accounts with a “newUser” group membership or a custom attribute that HR can set via API.
- Embed AI literacy into the first-run experience. Leverage Azure AD's “terms of use” or custom UI with Microsoft Graph to present the AI Act training module immediately after a successful passwordless login. Log acceptance for audit trails.
- Simulate an EvilTokens attack. Red-team the new onboarding flow with an AiTM proxy like EvilGinx or a penetration testing firm. Validate that a stolen session token cannot be reused from an untrusted location or device.
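Steps 2 and 3 above, together with the office-only rule from the Conditional Access paragraph earlier, can be expressed as Microsoft Graph request bodies. The Python below is an added example written for this article, not Microsoft's code and not from the original piece. It builds the Temporary Access Pass request for one user, the two Conditional Access policies for the “newUser” group (block outside the corporate named location; require the built-in phishing-resistant authentication strength), and the list of accounts created in the last 24 hours that belong in that group, since Conditional Access scopes policies to groups rather than to account age. The group, named-location and application ids are placeholders, the directory listing is constructed, and the policies are created in report-only mode so the pilot department can be measured before anything is enforced. The Graph endpoints and the built-in strength id are real; the access token acquisition is left out.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
# Id of the built-in Entra authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


def _parse_ts(ts):
    """Parse Graph's UTC 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_new_accounts(users, now_iso, max_age=timedelta(hours=24)):
    """Return ids of users created within `max_age` of `now_iso`.

    `users` has the shape returned by GET /users?$select=id,createdDateTime.
    These ids are what you add to the "newUser" group the policies below target."""
    now = _parse_ts(now_iso)
    return [u["id"] for u in users if now - _parse_ts(u["createdDateTime"]) <= max_age]


def tap_request(lifetime_minutes=60, usable_once=True):
    """Body for POST /users/{id}/authentication/temporaryAccessPassMethods.

    The 10-minute to 8-hour window quoted in the article is enforced here; the
    tenant's Temporary Access Pass method policy sets the bounds Graph itself applies."""
    if not 10 <= lifetime_minutes <= 480:
        raise ValueError("TAP lifetime must be between 10 and 480 minutes")
    return {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}


def onboarding_policies(new_user_group_id, office_location_id, onboarding_app_id, report_only=True):
    """Two policy bodies for POST /identity/conditionalAccess/policies.

    1. Block the new-user group from the onboarding app everywhere except the
       corporate named location.
    2. Require the built-in phishing-resistant strength for the new-user group on
       all cloud apps, so TAP enrolment must end in FIDO2 or Windows Hello for
       Business rather than SMS or push."""
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    block_offsite = {
        "displayName": "Onboarding: new users only from corporate office",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [new_user_group_id]},
            "applications": {"includeApplications": [onboarding_app_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [office_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    require_strength = {
        "displayName": "Onboarding: phishing-resistant MFA for new users",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [new_user_group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    }
    return [block_offsite, require_strength]


def graph_post(path, body, access_token):
    """Send one Graph POST. Needs a token carrying UserAuthenticationMethod.ReadWrite.All
    (for TAP) or Policy.ReadWrite.ConditionalAccess (for policies); not called below."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed directory listing and placeholder ids; nothing is sent.
    users = [
        {"id": "u-new", "createdDateTime": "2024-10-20T16:30:00Z"},
        {"id": "u-old", "createdDateTime": "2019-03-01T00:00:00Z"},
    ]
    print("add to newUser group:", select_new_accounts(users, "2024-10-21T09:00:00Z"))
    print(json.dumps(tap_request(lifetime_minutes=30), indent=2))
    for policy in onboarding_policies("GROUP-ID-PLACEHOLDER", "LOCATION-ID-PLACEHOLDER",
                                      "APP-ID-PLACEHOLDER"):
        print(json.dumps(policy, indent=2))
```

Run as-is it only prints the payloads for review; wiring `graph_post` to a real token is the last step, and keeping the policies in report-only mode until the pilot's sign-in logs show no unexpected blocks is what step 2 of the plan calls for.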
Looking ahead
The pressure on German companies will only intensify. The EU Cyber Resilience Act, once fully in force, will add hardware and software security requirements that touch the laptops and mobile devices used during onboarding. Meanwhile, AI-powered phishing toolkits are getting better at mimicking corporate branding and HR communication, making it almost impossible for a new employee to spot fakes without a technical safeguard.
For the Windows ecosystem, the path is clear but demanding: the death of the password at first login. Microsoft has been building toward this for years with Hello, FIDO2, and TAP. The regulatory environment is now pushing organizations to finally adopt it. The alternative — sticking with temporary passwords and hoping new hires don’t click the wrong link — is a gamble that could cost millions and land a company in the headlines for all the wrong reasons.