NIS2 Directive: Boosting Physical Security Strategies

NIS2: The Directive’s Unexpected Impact on Physical Security

While the EU’s NIS2 Directive has sparked considerable discussion around cybersecurity, its implications for physical security and access strategies are just as significant. NIS2 marks a pivotal shift towards cyber-physical resilience, and the national laws transposing it give authorities the power to impose substantial penalties on organizations that fail to meet its requirements.

NIS2, the successor to the 2016 NIS Directive on Network and Information Security, significantly tightens the minimum IT security standards for critical infrastructure while expanding its scope to encompass new sectors. The European Commission anticipates that approximately 160,000 organizations will be immediately affected by NIS2.

The most critical takeaway for security and facilities managers is the directive’s “all-hazards approach”. Article 21(2) requires that risk-management measures be based on an all-hazards approach that protects both network and information systems and the physical environment of those systems from incidents. In practice this means organizations must back their digital security measures with safeguards that physically protect their digital infrastructure. Cyber-physical resilience, and closer collaboration between cyber and physical security teams, therefore become crucial in countering the rising number of sophisticated hybrid cyber-physical attacks.

NIS2 and physical security: scope, compliance, financial penalties

The reach of NIS2 regulations extends to a broader range of organizations and sectors. Beyond traditional infrastructure sectors like energy, utilities, transport, telecoms, waste management, and data centers, the directive now encompasses a wider definition of “critical” national infrastructure, including healthcare (and research), digital services, and manufacturing industries such as food, chemicals, and automotive. Organizations operating in these sectors should consult the directive to determine their NIS2 obligations.

A key element of these new obligations is the all-hazards approach. Article 21(1) of the directive states that entities must “take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the security of network and information systems […] and to prevent or minimize the impact of security incidents on the recipients of their services and on other services,” and Article 21(2) requires those measures to follow an all-hazards approach covering the physical environment of those systems. This means that any location where a malicious actor could gain physical access to digital infrastructure, whether IoT devices, access management terminals, network cabinets, or servers, must be adequately protected against digital, physical, and hybrid attacks. Access control devices and the protocols they rely on must be capable of meeting this challenge.

Non-compliance with NIS2 can result in severe penalties. For essential entities the directive provides for administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4%. Outdated locking systems that cannot meet the directive’s access-control expectations therefore become a compliance liability for many organizations.

NIS2 impact on access control workflows

The implications of NIS2 for security and facilities management, along with the potential financial repercussions, are considerable. The all-hazards approach is particularly important.

Measures for implementing and monitoring all-hazards-compliant processes include refining risk analysis for on-site digital devices; implementing supply chain security measures for safer procurement and data handling; managing physical access for personnel, including employees and visitors; providing cyber-hygiene training; and developing business continuity plans for incidents. These map directly onto the measures listed in Article 21(2) of the directive (risk analysis, supply chain security, business continuity, cyber hygiene and training, and access control policies). Security teams should assess their existing cyber-physical resilience now to identify areas needing additional measures or upgrades.

Access management is a cornerstone of NIS2 compliance. Intelligent access solutions can enhance cyber-physical resilience through improved identity management, auditability, and 24/7 remote building control. Credentials that require regular revalidation or automatically expire significantly reduce the risk of unauthorized keys, a potential vulnerability for digital infrastructure.
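To make the mechanism concrete, here is an added illustrative model (not ASSA ABLOY’s product code or protocol, and not part of the original article) of how short-lived credentials, revalidation and revocation limit the damage from a lost key to an offline wireless lock. Everything in it is an assumption constructed for the example: an HMAC-signed credential payload, a 24-hour validity window, a central issuer that holds the revocation list, and an offline reader that only learns about revocations when it is synced. The scenario at the end shows a genuine grant, a stale credential dying on its own, a tampered credential failing its signature, the window between revocation and the lock’s next sync, and an online revalidation being refused for a revoked credential.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed for the example: a real deployment derives per-site keys from an HSM or secure element.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
VALIDITY = timedelta(hours=24)  # assumed revalidation window; a lost card is useless after this


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of the credential payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Central access server: issues credentials, holds the revocation list, keeps an audit trail."""

    def __init__(self, key: bytes, validity: timedelta = VALIDITY):
        self.key = key
        self.validity = validity
        self.revoked: set = set()      # credential IDs reported lost or cancelled
        self.audit: list = []          # auditability requirement: every decision is recorded

    def issue(self, cred_id: str, user: str, doors: list, now: datetime) -> dict:
        payload = {"id": cred_id, "user": user, "doors": sorted(doors),
                   "exp": (now + self.validity).isoformat()}
        self.audit.append({"t": now.isoformat(), "event": "issue", "id": cred_id})
        return {"payload": payload, "sig": _sign(self.key, payload)}

    def revoke(self, cred_id: str, now: datetime) -> None:
        self.revoked.add(cred_id)
        self.audit.append({"t": now.isoformat(), "event": "revoke", "id": cred_id})

    def revalidate(self, cred: dict, now: datetime) -> Optional[dict]:
        """Online update point: extend a credential only if it is genuine and not revoked."""
        p = cred["payload"]
        if not hmac.compare_digest(cred["sig"], _sign(self.key, p)) or p["id"] in self.revoked:
            self.audit.append({"t": now.isoformat(), "event": "revalidate_denied", "id": p["id"]})
            return None
        return self.issue(p["id"], p["user"], p["doors"], now)


class OfflineReader:
    """Wireless lock with no live link: checks signature, revocation list and expiry locally."""

    def __init__(self, door: str, key: bytes):
        self.door = door
        self.key = key
        self.revoked: frozenset = frozenset()  # only as fresh as the last sync
        self.log: list = []

    def sync_revocations(self, issuer: Issuer) -> None:
        self.revoked = frozenset(issuer.revoked)

    def check(self, cred: dict, now: datetime):
        p = cred["payload"]
        if not hmac.compare_digest(cred["sig"], _sign(self.key, p)):
            verdict = (False, "bad signature")
        elif p["id"] in self.revoked:
            verdict = (False, "revoked")
        elif now >= datetime.fromisoformat(p["exp"]):
            verdict = (False, "expired")
        elif self.door not in p["doors"]:
            verdict = (False, "not authorised for door")
        else:
            verdict = (True, "granted")
        self.log.append({"t": now.isoformat(), "door": self.door, "id": p["id"], "result": verdict[1]})
        return verdict


def scenario() -> list:
    """Walk through the lifecycle of two constructed credentials and return the reader's verdicts."""
    t0 = datetime(2025, 1, 6, 8, 0, tzinfo=timezone.utc)
    issuer = Issuer(ISSUER_KEY)
    server_room = OfflineReader("server-room", ISSUER_KEY)
    results = []

    alice = issuer.issue("C-1001", "alice", ["server-room"], t0)
    results.append(server_room.check(alice, t0 + timedelta(hours=2))[1])    # granted
    results.append(server_room.check(alice, t0 + timedelta(hours=25))[1])   # expired: never revalidated
    forged = {"payload": dict(alice["payload"], doors=["server-room", "ups-room"]), "sig": alice["sig"]}
    results.append(server_room.check(forged, t0 + timedelta(hours=2))[1])   # bad signature

    issuer.revoke("C-1001", t0 + timedelta(hours=3))                         # card reported lost
    results.append(server_room.check(alice, t0 + timedelta(hours=4))[1])    # granted: lock not yet synced
    server_room.sync_revocations(issuer)
    results.append(server_room.check(alice, t0 + timedelta(hours=4))[1])    # revoked
    results.append("denied" if issuer.revalidate(alice, t0 + timedelta(hours=5)) is None else "renewed")

    bob = issuer.issue("C-1002", "bob", ["server-room"], t0)
    renewed = issuer.revalidate(bob, t0 + timedelta(hours=23))               # routine revalidation
    results.append(server_room.check(bob, t0 + timedelta(hours=30))[1])     # expired: old token
    results.append(server_room.check(renewed, t0 + timedelta(hours=30))[1]) # granted: renewed token
    return results


if __name__ == "__main__":
    print(scenario())
```

The fourth verdict is the point a practitioner should take away: between revocation and the lock’s next sync, an offline reader still accepts the lost credential, so the validity window and the sync cadence together bound the exposure. Short validity, frequent revocation-list sync and a complete audit trail are what turn a lost card from an open-ended liability into a time-limited one.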

Digital access solutions from ASSA ABLOY empower you to secure every layer and can contribute significantly to achieving compliance with the NIS2 Directive. They help protect organizations and data by enabling control over who goes where and when for each user, with the ability to cancel lost credentials instantly. They support both online and offline access control, improving workflows through flexible management—whether remotely or on-site. The offering includes digital access systems or access hardware to upgrade existing setups, providing scalable control over access points that were previously unreachable and securing protection classes 1 to 4. Wireless solutions are simple to install and require no wiring or structural modifications.

Physical access remains a major attack vector for criminals mounting increasingly sophisticated hybrid attacks. By strengthening digital access control, organizations can address their NIS2 obligations and ease the compliance concerns of security decision-makers.

ASSA ABLOY experts are available to guide you through the specific features and benefits that align with the directive’s requirements and enhance your organization’s cyber–physical security framework.

David Moser is SVP and Head of Digital & Access Solutions at ASSA ABLOY Opening Solutions EMEIA.
