Energy. Transport. Health. Digital infrastructure. You are in scope.
160,000+
organizations across the EU now subject to NIS2
21 of 27
EU member states have transposed NIS2 into national law
The EU password manager for NIS2 compliance
NIS2 requires more than security — it requires proof. If your organization handles critical infrastructure or essential services, compliance is mandatory. Passwork is self-hosted, zero-knowledge, and built with full audit trails. Compliant on day one.
Trusted by top teams:
Why leading companies choose Passwork
-
Made in
Europe Made in EuropeDeveloped in Europe, ensuring full GDPR compliance and data sovereignty
-
ISO 27001
certified ISO 27001 certifiedAll development and infrastructure practices meet the highest security standards
-
Trusted by public sector Trusted by public sector
Chosen by government agencies and highly regulated organizations across Europe
-
Enterprise‑grade protection Enterprise‑grade protection
Zero-knowledge architecture with client-side encryption ensures your passwords remain unreadable
-
30% lower long term cost 30% lower long term cost
Independent research shows 30% savings compared to competitors
Why compliance leaders are acting now
Executive liability is real
Leaders are personally liable under NIS2. Insurance may not cover it. Documented access control is your first line of defense.
€10 million
Maximum fine under NIS2
Stolen credentials
88% of web app attacks start with stolen credentials. NIS2 Art. 21 requires organizations to control and monitor access to credentials
22%
breaches involve stolen credentials
-
Supply chain liability is new
NIS2 extends accountability to suppliers and service providers. If a breach traces back to shared credentials, your company is liable.
-
Cryptographic proof required
NIS2 requires documented access control, MFA, and encryption. Manual logs and consumer tools won't satisfy auditors.
-
Legacy password tools fail NIS2
No audit trail, no custom roles, no LDAP or API. Spreadsheets and shared drives won't pass an audit.
-
Regulators expect documented proof
NIS2 requires full access visibility: who, when, and why. Access logs aren't optional under NIS2. They're evidence.
Passwork closes the compliance gap
Deploy in 30 minutes
30 minutes from download to live deployment
Download, configure, import, go live. Passwork runs on PHP and MongoDB with installation via Docker, Windows Server, or Linux. No third-party dependencies. No vendor access required. Your team controls every server from day one.
Art. 21 access control built in
100% of credentials stay on your servers
Custom user roles, TOTP, hardware-key MFA, and granular permission matrices — built to meet NIS2 Art. 21. Passwork integrates with Active Directory, Azure AD, LDAP, and SAML SSO, mapping your existing identity structure to credential access automatically. Every action is recorded. Auditors see exactly who did what.
Built for both NIS2 and GDPR.
Same architecture, dual compliance.
NIS2 Article 21 requires access control. GDPR requires data protection and audit logs. Passwork covers both in one deployment with full REST API for automation via Python, CLI, and Docker.
- Custom roles and LDAP mapping — permissions scale with your team
- AES-256 encryption at rest and client-side
- Timestamped audit logs with CSV/JSON export
- Secrets management via REST API, Python, and CLI
Designed for every NIS2 stakeholder
I can't afford to fail an audit because of missing logs
Passwork logs are forensically sound and exported in formats regulators expect. Your audit preparation time drops from weeks to days.
- Audit logs exportable as CSV and JSON
- Custom "auditor" role with read-only access
- Art. 21 coverage out of the box
I need to deploy fast without disrupting production
Install via Docker, Windows Server, or Linux. LDAP group mapping auto-syncs your Active Directory structure. No vendor engagement needed — your team controls the rollout.
- Docker, Windows, Linux (Kubernetes-ready)
- AD, Azure AD, LDAP, and SAML SSO
- 100% REST API for automation
I need to remove personal liability from my shoulders now
Documented, auditable password controls shift risk from you to proven technical infrastructure. Regulators see compliance. Lawyers see evidence.
- Documented controls that reduce personal liability
- Compliance evidence for auditors and lawyers
- Meets the March 2025 deadline
I need confidence that passwords never leave our servers
Data is encrypted client-side with AES-256 before it ever leaves your environment. Zero-knowledge architecture guarantees no external access to your credentials. Self-hosted, EU-compliant, and ISO 27001:2022 certified.
- GDPR and NIS2 in one platform
- On-premise data sovereignty
- No US Cloud Act exposure
I need one tool I can confidently recommend across all my NIS2 clients
Passwork works for companies of all sizes in your portfolio. One solution. Consistent training. Lower support burden.
- Verified security: EU vendor, ISO 27001, HackerOne bug bounty
- Source code available for client security review
- Python connector and CLI for DevOps clients
Features for every role in your team
For administrators
- User management
- Active Directory / LDAP
- SSO integration
- API access
User management For security teams
- Audit logs
- Compliance reports
- Advanced 2FA
- Security policies
For end users
- Password storage & generation
- Browser extensions
- Mobile apps
- Secure sharing
Secret management, not just passwords.
DevOps automation API without HashiCorp pricing.
Secure deployment to CI/CD
Get secrets for deployment without storing them in CI/CD system environment variables. The CLI passwork automatically substitutes the actual secrets at runtime.
All DevOps features →Python application integration
Get secrets programmatically in your Python apps. Library handles auth, encryption and token caching.
All DevOps features →Containerized applications
Use Passwork CLI image to deliver secrets into containers. Secrets are never stored in images or logs.
All DevOps features →Kubernetes automation
Create Kubernetes secrets from Passwork automatically and integrate with GitOps workflows.
All DevOps features → pipelines: default: - step: name: Deploy with Passwork credentials image: passwork/passwork-cli:latest script: - passwork-cli exec --password-id 'deploy_credentials' -- ./deploy.sh environment: - PASSWORK_HOST=https://your-passwork.domain - PASSWORK_TOKEN=$PASSWORK_TOKEN - PASSWORK_MASTER_KEY=$PASSWORK_MASTER_KEY from passwork_client import PassworkClient # Client initialization passwork = PassworkClient("https://your-passwork.domain") passwork.set_tokens("your_access_token", "your_refresh_token") passwork.set_master_key("your_master_key") # Getting secrets database_item = passwork.get_item(item_id=PASSWORD_ID) database_password = database_item['password'] # Using in application db_connection = connect_to_database( host="prod-db.company.com", password=database_password ) # Running container with access to secrets docker run --rm \ -e PASSWORK_HOST=https://your-passwork.domain \ -e PASSWORK_TOKEN=your_access_token \ -e PASSWORK_MASTER_KEY=your_master_key \ passwork/passwork-cli:latest \ exec --folder-id FOLDER_ID --tags "production" -- python app.py # Or in docker-compose services: app: image: passwork/passwork-cli:latest command: exec --folder-id ${FOLDER_ID} --tags "production" -- ./start-app.sh environment: - PASSWORK_HOST=https://your-passwork.domain - PASSWORK_TOKEN=${PASSWORK_TOKEN} - PASSWORK_MASTER_KEY=${PASSWORK_MASTER_KEY} # Via YAML manifest passwork-cli exec --folder-id FOLDER_ID --tags "production" -- sh -c " cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: app-production-config namespace: production type: Opaque stringData: database-url: \"postgresql://\$DB_USERNAME:\$DB_PASSWORD@\$DB_HOST:5432/app\" redis-url: \"redis://:\$REDIS_PASSWORD@redis:6379\" api-key: \"\$API_KEY\" webhook-secret: \"\$WEBHOOK_SECRET\" EOF" Enterprise-grade security you can verify.
Every encryption operation happens on your device. Passwork never sees your data in plaintext.
Zero-knowledge architecture
All encryption runs client-side. Passwork servers store only encrypted data and cannot access your credentials.
AES-256 encryption
Credentials encrypted with AES-256 before leaving your browser. Industry-standard key derivation protects the master key.
Multi-factor authentication
TOTP authenticator apps, dedicated Passwork 2FA, and hardware security keys. Enforce MFA organization-wide.
On-premise, on your terms
Run Passwork on your own EU-based servers for total data sovereignty. No data ever leaves your infrastructure.
Code open for audit
Source code available for independent review. External researchers regularly evaluate the platform.
Full audit trail
Every action logged: who accessed which credential, when, and from where. Export for compliance audits.
ISO 27001 
Made in EU 
Pentest byHackerOne
GDPRcompliant
HIPAA ready 
PCI DSS Designed for simplicity. Trusted for security.
Chosen for true partnership.
Simplicity
Passwork offers intuitive security: teams scale from 100 to 600 users — no training or onboarding required. Thoughtful UX makes security seamless, so your team can focus on work, not passwords.
- Best ease of use awarded by Capterra
- No formal training required
- Seamless user experience
Flexibility
Passwork grew from an internal tool to a trusted solution for thousands — from 10 to 30 000+ users. Flexible, scalable, and easy to adapt to any workflow or security needs.
- Seamless scalability: 10 to 30 000+ users
- Granular permission controls
- Flexible deployment options
Reliability
Passwork is ISO 27001 certified, rigorously tested by experts, and meets the highest security standards. It’s trusted by major organizations across Europe and is available as a fully isolated on‑premise solution.
- ISO 27001 certified
- Tested by HackerOne
- Government & enterprise trusted
Efficiency
Passwork delivers up to 30% cost savings compared to competitors, offering industry‑leading TCO with zero compromise on security. Multi‑year plans unlock even greater value — without vendor lock‑in.
- Up to 30% cost savings
- Competitive total cost of ownership
- Multi‑year subscription discounts
A partnership‑first approach: no pressure, no hassle — just genuine support, and a team that treats you like a true partner, from your first demo to long‑term success.
Featured in Omdia’s On the Radar
Passwork recognized for its unified password and secrets management, business-first design, and focus on data sovereignty.
We develop securely.
Security is built into every stage of development — from the first idea to the final release.
-
Security champions
OWASP training and threat modeling in every development team
-
DevSecOps approach
Static & dynamic analysis, SCA, IaC scanners integrated into every build
-
Multi‑stage review
No direct pushes to main branch, mandatory security code review
-
External audits
Annual penetration testing and security audits by independent experts
What makes Passwork the best choice for businesses
Features |  |
|---|---|
| Auditable source code |  |
| Prompt tech support | |
| Centralized user management | |
| Fine-tuning of access rights | |
| Role-based user rights management | |
| Group-based access control | |
| Auditable source code | |
| Prompt tech support | |
| Centralized user management | |
| Fine-tuning of access rights | |
| Role-based user rights management | |
| Group-based access control | |
| Event logging and user activity tracking | |
| SIEM integration via syslog | |
| Password audit after staff changes | |
| Password complexity analysis | |
| Secrets Manager is included by default | |
| API for integration with third-party systems | |
| Cross-platform apps (Browser extensions, Desktop apps, Mobile apps) | |
| Failsafe solution with data replication | |
 |  |  |
|---|---|---|
| | | |
| |  | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
Trusted by businesses
worldwide
Davide L.
IT Manager
Best software to password management on premise. We chose it after checking various solutions. The possibility of installing it on our systems weighed heavily on the choice. The use is simple and …
Thomas H.
CTO
I was looking for an on premise solution to store and manage our passwords. Multiuser with different roles and rights was a must, LDAP integration a nice add on. Passwork ticked all the boxes. They were …
Christian M.
Team Manager
Very easy and secure Passwork Manager. Easy sharing functionalities. Good LDAP integration, TOTP and Multifactor Authentication Options.
Common use cases
Organizations face different credential management challenges. Explore real-world examples of how teams use Passwork to solve specific security and operational needs — from team collaboration to enterprise-wide access control.
-
How Passwork сentralized password management
The City of Melle deployed Passwork to centralize credential management across municipal departments, eliminating password-related security incidents and improving access control.
-
Simplifying global employee collaboration with Passwork
Kindernothilfe deployed Passwork to enable secure password sharing across distributed teams in multiple countries, reducing access-related delays and improving operational efficiency.
Our applications.
Use Passwork anywhere - in your browser, on mobile, or on desktop.
Browser extension
Search, autofill, and create credentials without leaving the browser. Works with Chrome, Firefox, Edge, and Safari.
- One-click autofill on any login page
- Search across all vaults from the extension
- Create and save new credentials instantly
- Generate strong passwords on the fly
Available for 
Mobile app
Quick access to your corporate passwords from your mobile device
Available in 
2FA mobile app
Convenient login verification using the Passwork authenticator app
Available in
Desktop app
Full password management functionality in a native desktop application
Available for 
Choose your plan.
Long-term ownership costs 30% less than the industry average.
-
Standard
Essential features for small and medium businesses to support secure growth
3€per month /
per user
billed annually- Quick start with all core features
- Simple, secure, and low admin overhead
- Shared vaults, easy access, no training
-
Advanced
Advanced capabilities for complex security and management needs in large organizations
4,5€per month /
per user
billed annually- Advanced access management
- Reliable infrastructure for enterprise environments
- Priority support and full regulatory compliance
The BSI deadline is March 2026. Start today.
Book a demo to see your compliance roadmap. Or start a free 14-day trial and deploy Passwork on your own servers today.
30-minute setup
30-minute setup No credit card required
On-premise EU deployment
Our applications.
Use Passwork anywhere - in your browser, on mobile, or on desktop.
Browser extension
Search, autofill, and create credentials without leaving the browser. Works with Chrome, Firefox, Edge, and Safari.
- One-click autofill on any login page
- Search across all vaults from the extension
- Create and save new credentials instantly
- Generate strong passwords on the fly
Available for
Mobile app
Quick access to your corporate passwords from your mobile device
Available in
2FA mobile app
Convenient login verification using the Passwork authenticator app
Available in
Desktop app
Full password management functionality in a native desktop application
Available for
Choose your plan.
Long-term ownership costs 30% less than the industry average.
-
Standard
Essential features for small and medium businesses to support secure growth
3€per month /
per user
billed annually- Quick start with all core features
- Simple, secure, and low admin overhead
- Shared vaults, easy access, no training
-
Advanced
Advanced capabilities for complex security and management needs in large organizations
4,5€per month /
per user
billed annually- Advanced access management
- Reliable infrastructure for enterprise environments
- Priority support and full regulatory compliance
The BSI deadline is March 2026. Start today.
Book a demo to see your compliance roadmap. Or start a free 14-day trial and deploy Passwork on your own servers today.
30-minute setup
No credit card required
On-premise EU deployment
Frequently Asked Questions
Passwork helps organizations implement key security and governance measures expected under NIS2 by centralizing password and access management, reducing credential sprawl, and improving accountability across teams.
Key ways Passwork supports NIS2 readiness:
- • Centralized storage and management of privileged and shared credentials
- • Role-based access control for limiting access to sensitive systems
- • Audit logs for tracking user actions and administrative events
- • Self-hosted deployment for organizations that require full control over data and infrastructure
- • Integration with corporate identity systems for controlled provisioning and deprovisioning
- • Backup and high-availability options to support operational resilience
Passwork is not a substitute for a full compliance program, but it helps implement several technical and organizational controls relevant to NIS2.
Organizations affected by NIS2 need stronger control over access to critical systems, clearer accountability, and more resilient security processes. Passwork is designed to support these needs in environments where security, control, and auditability matter.
Why organizations choose Passwork for NIS2-related initiatives:
- • Self-hosted architecture for full data sovereignty
- • Granular permissions for users, groups, vaults, and folders
- • Secure sharing of credentials without uncontrolled spreadsheets or chat messages
- • Support for enterprise authentication methods such as LDAP, AD, Azure AD, and SAML SSO
- • Logging and monitoring capabilities for investigations and internal audits
- • Scalable deployment options for growing and distributed teams
Yes. Passwork helps organizations enforce structured access control by assigning permissions based on roles, teams, vaults, and folders, instead of relying on informal credential sharing.
Access control capabilities include:
- • Role-based access management
- • Granular permissions at vault and folder level
- • Group-based provisioning through LDAP integration
- • Separation of administrative responsibilities
- • Controlled access to shared credentials
- • Fast revocation of access when employees change roles or leave the organization
This helps reduce excessive access and supports the principle of controlled access to critical assets.
Passwork provides activity logging and administrative visibility that help organizations investigate incidents, review user actions, and demonstrate internal control over credential access.
Audit-related capabilities:
- • Logging of user and administrative actions
- • Visibility into credential access and management events
- • Support for internal reviews and security investigations
- • Historical records that help identify misuse, policy violations, or unusual activity
For NIS2-focused organizations, this is important because accountability and traceability are central to effective security governance.
Passwork integrates with common enterprise identity systems to align password access with existing user lifecycle and authentication processes.
Integration features:
- • LDAP and Active Directory synchronization
- • Azure AD integration
- • SAML SSO support
- • Group mapping for automatic user provisioning
- • Permission inheritance based on directory structure
- • Automated onboarding and offboarding workflows
This reduces manual administration and helps ensure that access reflects the current organizational structure.
Passwork is built to protect credentials through encryption, controlled access, and secure operational practices.
Security features include:
- • AES-256 and RSA encryption
- • Client-side zero-knowledge encryption model
- • Multi-factor authentication
- • Password security analysis for weak, outdated, or compromised passwords
- • Secure development practices
- • Self-hosted deployment for organizations that require internal infrastructure control
These measures help reduce the risk of credential compromise and unauthorized access to critical systems.
Yes. Passwork helps security and IT teams respond more effectively to credential-related incidents by giving them a centralized system for access review, password rotation workflows, and event analysis.
Incident response support includes:
- • Centralized view of shared and critical credentials
- • Audit logs for reviewing who did what and when
- • Faster password replacement or rotation after suspected compromise
- • Reduced dependency on scattered credential storage methods
- • Better coordination between IT, security, and administrators
This is especially relevant for organizations that need more mature incident handling processes under NIS2.
NIS2 places strong emphasis on resilience and continuity. Passwork supports these goals with deployment and backup options suitable for enterprise environments.
Resilience features:
- • Self-hosted deployment in your own infrastructure
- • MongoDB replica set support
- • Clustered deployment for high availability
- • Automated backup strategies
- • Multi-server architecture for failover scenarios
- • Flexible hosting models for different infrastructure requirements
This helps organizations design a credential management environment that remains available and recoverable during disruptions.
Yes. Passwork is suitable for organizations that need strict control over infrastructure, storage location, and internal access boundaries.
Deployment options include:
- • On-premises installation
- • Docker-based deployment
- • Manual installation for complex enterprise environments
- • Clustered environments for scale and resilience
- • Architecture adaptable to segmented or tightly controlled infrastructure
This makes Passwork relevant for organizations where cloud-only password storage is not acceptable from a risk or policy perspective.
A major security weakness in many organizations is uncontrolled password sharing through documents, spreadsheets, email, or chat. Passwork replaces these practices with structured, permission-based access.
Risk reduction benefits:
- • Centralized credential storage
- • Controlled sharing with defined permissions
- • Reduced credential duplication across teams
- • Better visibility into who can access which secrets
- • Easier removal of access when roles change
- • Stronger internal discipline around password handling
This helps organizations move from informal password practices to a governed access model aligned with NIS2 expectations.
No. Passwork can support compliance efforts, but NIS2 compliance depends on a broader set of technical, organizational, legal, and operational measures.
Passwork can support:
- • Access control
- • Credential governance
- • Auditability
- • Resilience planning
- • Secure administration
- • Identity integration
But organizations still need:
- • Risk management processes
- • Incident reporting procedures
- • Security policies and governance
- • Supplier risk management
- • Business continuity planning
- • Staff training and internal accountability structures
A correct positioning statement is: Passwork helps organizations implement credential security controls that support NIS2 compliance efforts.
