With the EU's NIS2 Directive coming into effect, focus largely remains on cybersecurity, but its impact on physical security and access strategies is equally critical. NIS2 enhances the emphasis on cyber-physical resilience and introduces significant penalties for non-compliance with its standards.
Replacing the 2016 NIS Directive, NIS2 significantly tightens IT security requirements within critical infrastructure and introduces new sectors under its jurisdiction. The European Commission estimates that approximately 160,000 organizations will be immediately affected by the NIS2 Directive.
Critical Changes for Security Management
Security and facilities managers must adapt to an “all-hazards approach” in regulatory compliance. This approach requires organizations to back up their digital security measures with additional processes and equipment that physically protect the digital infrastructure itself.
Consequently, a key part of responding to an increase in sophisticated hybrid cyber-physical attacks is fostering better integration between cyber and physical security teams.
NIS2 Scope and Compliance Guidelines
The scope of NIS2 has widened to include a greater range of organizations and sectors deemed "critical" national infrastructure. Beyond traditional sub-sectors like energy, utilities, and telecommunications, the directive now covers health care, digital services, and various manufacturing sectors like food, chemicals, and automotive industries. Companies in these categories should review the directive to determine their compliance obligations.
Article 21 of the directive specifies that entities must implement “appropriate and proportionate” measures to manage the risks to the security of network and information systems. That requirement extends to the physical spaces that house those systems, including IoT devices, access management terminals and servers.
Physical Access to Critical Infrastructure
Locations where potential threats might gain physical access to digital infrastructure must be secured against digital, physical, and hybrid attacks.
Effective access control systems are imperative to fulfilling this mandate. Failing to comply with NIS2 could result in fines reaching €10 million or 2% of a company’s global annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities).
Access Control in the Face of NIS2
NIS2 poses substantial implications for security management, particularly regarding the “all-hazards” compliance approach. Measures needed to implement it include enhanced risk assessments for on-site digital devices, secure supply-chain procurement, structured cyber-hygiene training, and detailed business continuity plans for potential breaches.
Security teams must promptly evaluate and enhance their current cyber-physical resilience to spot areas that require further security measures or technological upgrades.
Advancing NIS2 Compliance
Access management is central in any organization’s strategy for NIS2 compliance. Advanced access solutions can boost cyber-physical resilience through improved identity management and ongoing site monitoring.
Automated credential management lowers the risk of unauthorized access—thus offering enhanced protection for digital infrastructure.
ASSA ABLOY's Role in NIS2 Compliance
ASSA ABLOY offers digital access solutions designed to support compliance with the NIS2 Directive. These solutions enable precise control over access rights, allowing for immediate cancelation of lost credentials and supporting both online and offline environments for flexible management. Their offerings include easy-to-install wireless systems that eliminate the need for wiring or structural changes.
In an age where physical access can be an exploited vulnerability in hybrid attacks, digital access advancements are crucial in meeting NIS2 standards. ASSA ABLOY's experts assist organizations in customizing their cyber-physical security solutions to ensure compliance and mitigate security concerns.
In the ongoing implementation of the EU’s NIS2 Directive, much attention has been paid to its implications for cybersecurity. Yet, arguably, the impact on organizations’ physical security and access strategy is just as important. In fact, NIS2 ushers in a new degree of focus on cyber–physical resilience – with significant potential penalties for organizations which do not comply with the framework’s demands.
NIS2 replaces 2016’s original NIS Directive on Network and Information Security. It represents a major legislative tightening of the minimum requirements for IT security in critical infrastructure and expands them to include several new sectors. The European Commission estimates that around 160,000 organizations will be impacted by NIS2 right away.
Important change for security
The most important change for security and facilities managers to digest is the switch to an “all-hazards approach” to regulation. In practice, this approach compels impacted organizations to reinforce their digital security measures with additional processes and devices which physically protect the security of their digital infrastructure.
Thus, cyber–physical resilience – and increased convergence between the operations and goals of cyber and physical security teams – becomes a key element in the response to an increase in both the volume and the sophistication of hybrid cyber–physical attacks.
NIS2 and physical security: scope, compliance, financial penalties
The potential scope of NIS2 regulations encompasses a much-expanded range of organizations and sectors. Alongside the typical infrastructure sub-sectors such as energy and utilities, transport, telecoms, waste management, data centers and the like, is added a broader understanding of what constitutes “critical” national infrastructure: healthcare (including research), digital services and a range of manufacturing businesses including food, chemicals, automotive and more.
Organizations which operate in any of these sectors should consult the directive to ascertain whether they, too, face NIS2 obligations.
A significant element of the new obligations is the extended all-hazards approach, referenced above. According to Article 21 of the directive, entities must “take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the security of network and information systems [...] and to prevent or minimize the impact of security incidents on the recipients of their services and on other services.”
Physical access to digital infrastructure
In other words, any areas of a site where malicious actors may gain physical access to digital infrastructure, whether IoT devices, access management terminals, servers or anything else, must now have appropriate protection against digital, physical and hybrid attack. Access control devices and protocols must be up to this task.
Potential punishments for non-compliance with NIS2 can be severe. According to the directive’s text, essential entities may face fines of up to €10 million or 2% of their global annual turnover, whichever is higher (important entities: up to €7 million or 1.4%). Older locking systems that cannot revoke or expire credentials therefore represent a major liability risk for many organizations.
NIS2 impact on access control workflows
Thus, NIS2’s implications for security and facilities management – and potential financial penalties for organizations – are significant. The all-hazards approach is especially important here.
Measures to implement and monitor “all-hazards” compliant processes include the fine-tuning of risk analysis for on-site digital devices; supply-chain security measures including safer procurement and data handling; physical access for personnel, including employees and visitors; cyber-hygiene training; planning for business continuity in the event of a breach; and more.
Security teams should urgently evaluate their existing cyber–physical resilience to quickly identify areas where additional measures or upgrades are needed.
NIS2 compliance efforts
Access management is a key element in any impacted organization’s NIS2 compliance efforts. Intelligent access solutions can contribute to improving cyber–physical resilience with, for example, enhanced identity management, auditability, and round-the-clock remote building control. Credentials which require regular revalidation and/or expire automatically drastically reduce the risk of unauthorized keys in circulation – another potential vulnerability for digital infrastructure.
Digital access solutions from ASSA ABLOY help organizations secure every layer and can contribute significantly to achieving compliance with the NIS2 Directive.
They help protect organizations and data by enabling control over who goes where and when for each user, with the ability to cancel lost credentials instantly. They support both online and offline access control, improving workflows through flexible management—whether remotely or on-site.
ASSA ABLOY specific features and benefits
The offering includes digital access systems and access hardware for upgrading existing setups, providing scalable control over access points that were previously unreachable and covering protection classes 1 to 4. Wireless solutions are simple to install and require no wiring or structural modifications.
Physical access is often considered one of the biggest backdoors for cyber criminals in an era of growing hybrid attacks. Closing it with digital access enhancements helps organizations meet their NIS2 obligations and reduces the compliance burden on security decision-makers.
ASSA ABLOY experts are available to guide organizations through the specific features and benefits that align with the directive’s requirements and strengthen their cyber–physical security framework.