17 Oct 2025

In the ongoing implementation of the EU’s NIS2 Directive, much attention has been paid to its implications for cybersecurity. Yet, arguably, the impact on organisations’ physical security and access strategy is just as important. In fact, NIS2 ushers in a new degree of focus on cyber–physical resilience – with significant potential penalties for organisations which do not comply with the framework’s demands.

NIS2 replaces 2016’s original NIS Directive on Network and Information Security. It represents a major legislative tightening of the minimum requirements for IT security in critical infrastructure and expands them to include several new sectors. The European Commission estimates that around 160,000 organisations will be impacted by NIS2 right away.

Important change for security

The most important change for security and facilities managers to digest is the switch to an “all-hazards approach” to regulation. In practice, this approach compels impacted organisations to reinforce their digital security measures with additional processes and devices which physically protect the security of their digital infrastructure.

Thus, cyber–physical resilience – and increased convergence between the operations and goals of cyber and physical security teams – becomes a key element in the response to an increase in both the volume and the sophistication of hybrid cyber–physical attacks.

NIS2 and physical security: scope, compliance, financial penalties

The potential scope of NIS2 regulations encompasses a much-expanded range of organisations and sectors. Alongside the typical infrastructure sub-sectors such as energy and utilities, transport, telecoms, waste management, data centres and the like, it adds a broader understanding of what constitutes “critical” national infrastructure: healthcare (including research), digital services and a range of manufacturing businesses including food, chemicals, automotive and more.

Organisations which operate in any of these sectors should consult the directive to ascertain whether they, too, face NIS2 obligations.

A significant element of the new obligations is the extended all-hazards approach, referenced above. According to Article 21 of the directive, entities must “take appropriate and proportionate technical, operational, and organisational measures to manage the risks to the security of network and information systems [...] and to prevent or minimise the impact of security incidents on the recipients of their services and on other services.”

Physical access to digital infrastructure

In other words, any areas of a site where malicious actors may gain physical access to digital infrastructure, whether IoT devices, access management terminals, servers or anything else, must now have appropriate protection against digital, physical and hybrid attack. Access control devices and protocols must be up to this task.

Potential punishments for non-compliance with NIS2 can be severe. According to the directive’s text, organisations may face fines of up to €10 million, or 2% of their global annual turnover. Older locking systems therefore represent a major liability risk for many organisations.

NIS2 impact on access control workflows

Thus, NIS2’s implications for security and facilities management – and potential financial penalties for organisations – are significant. The all-hazards approach is especially important here.

Measures to implement and monitor “all-hazards” compliant processes include the fine-tuning of risk analysis for on-site digital devices; supply-chain security measures including safer procurement and data handling; physical access for personnel, including employees and visitors; cyber-hygiene training; planning for business continuity in the event of a breach; and more.

Security teams should urgently evaluate their existing cyber–physical resilience to quickly identify areas where additional measures or upgrades are needed.

NIS2 compliance efforts

Access management is a key element in any impacted organisation’s NIS2 compliance efforts. Intelligent access solutions can contribute to improving cyber–physical resilience with, for example, enhanced identity management, auditability, and round-the-clock remote building control. Credentials which require regular revalidation and/or expire automatically drastically reduce the risk of unauthorised keys in circulation – another potential vulnerability for digital infrastructure.

Digital access solutions from ASSA ABLOY empower organisations to secure every layer and can contribute significantly to achieving compliance with the NIS2 Directive.

They help protect organisations and data by enabling control over who goes where and when for each user, with the ability to cancel lost credentials instantly. They support both online and offline access control, improving workflows through flexible management—whether remotely or on-site.
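As an added illustration of the credential lifecycle controls described in the two paragraphs above (regular revalidation, automatic expiry, instant cancellation of lost credentials, and an auditable record of who went where and when), here is a small Python model written for this page. It is not ASSA ABLOY code and does not represent any product's data model; the credential identifiers, zones, permitted time windows and the 30-day revalidation period are constructed assumptions chosen only to make the checks visible.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Credential:
    """A digital key as a hypothetical access system might model it."""
    credential_id: str
    holder: str
    expires_at: datetime          # hard expiry: the key stops working on its own
    last_revalidated: datetime    # last time the holder/credential was re-confirmed
    zone_windows: dict            # zone -> (start_hour, end_hour), 24h clock, end exclusive


@dataclass
class AccessController:
    """Evaluates 'who goes where and when' and keeps an append-only audit trail."""
    revalidation_period: timedelta
    revoked: dict = field(default_factory=dict)    # credential_id -> reason
    audit_log: list = field(default_factory=list)

    def revoke(self, credential_id: str, reason: str, at: datetime) -> None:
        # Instant cancellation, e.g. for a credential reported lost.
        self.revoked[credential_id] = reason
        self.audit_log.append({"at": at.isoformat(), "event": "revoke",
                               "credential": credential_id, "reason": reason})

    def lifecycle_check(self, cred: Credential, at: datetime) -> Optional[str]:
        """Denial reason for a key that should no longer be in circulation,
        or None if the credential itself is still valid."""
        if cred.credential_id in self.revoked:
            return "revoked: " + self.revoked[cred.credential_id]
        if at >= cred.expires_at:
            return "expired"
        if at - cred.last_revalidated > self.revalidation_period:
            return "revalidation overdue"
        return None

    def decide(self, cred: Credential, zone: str, at: datetime) -> tuple:
        """Full decision: credential lifecycle first, then zone and time window."""
        reason = self.lifecycle_check(cred, at)
        if reason is None:
            window = cred.zone_windows.get(zone)
            if window is None:
                reason = "zone not permitted"
            elif not (window[0] <= at.hour < window[1]):
                reason = "outside permitted hours"
        allowed = reason is None
        # Every attempt, allowed or denied, is recorded for later audit.
        self.audit_log.append({"at": at.isoformat(), "event": "access",
                               "credential": cred.credential_id, "holder": cred.holder,
                               "zone": zone, "allowed": allowed, "reason": reason or "ok"})
        return allowed, reason or "ok"

    def stale_credentials(self, creds: Iterable[Credential], at: datetime) -> list:
        """IDs of keys failing a lifecycle check: the report a security team would
        review to find unauthorised keys still in circulation."""
        return sorted(c.credential_id for c in creds
                      if self.lifecycle_check(c, at) is not None)


def build_sample_environment():
    """Constructed sample data (hypothetical credentials, holders and zones)."""
    now = datetime(2025, 10, 17, 10, 0, tzinfo=UTC)
    ctrl = AccessController(revalidation_period=timedelta(days=30))
    creds = {
        "staff": Credential("CRD-STAFF-01", "employee A",
                            expires_at=datetime(2026, 1, 1, tzinfo=UTC),
                            last_revalidated=datetime(2025, 10, 1, tzinfo=UTC),
                            zone_windows={"lobby": (0, 24), "server-room": (8, 18)}),
        "visitor": Credential("CRD-VISITOR-07", "visitor B",
                              expires_at=datetime(2025, 10, 17, 17, 0, tzinfo=UTC),
                              last_revalidated=datetime(2025, 10, 17, 8, 0, tzinfo=UTC),
                              zone_windows={"lobby": (8, 17)}),
        "contractor": Credential("CRD-CONTR-03", "contractor C",
                                 expires_at=datetime(2026, 6, 1, tzinfo=UTC),
                                 last_revalidated=datetime(2025, 6, 1, tzinfo=UTC),
                                 zone_windows={"server-room": (8, 18)}),
    }
    return ctrl, creds, now


if __name__ == "__main__":
    ctrl, creds, now = build_sample_environment()
    print(ctrl.decide(creds["staff"], "server-room", now))
    print(ctrl.decide(creds["contractor"], "server-room", now))
    ctrl.revoke("CRD-STAFF-01", "reported lost", now)
    print(ctrl.decide(creds["staff"], "lobby", now))
    print("stale:", ctrl.stale_credentials(creds.values(), now))
```

The ordering matters: lifecycle checks (revocation, expiry, revalidation) run before any zone or time rule, so a lost or stale key is refused everywhere, and the `stale_credentials` report surfaces such keys before anyone presents them at a door.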

ASSA ABLOY specific features and benefits

The offering includes digital access systems or access hardware to upgrade existing setups, providing scalable control over access points that were previously unreachable and securing protection classes 1 to 4. Wireless solutions are simple to install and require no wiring or structural modifications.

Physical access is often considered one of the biggest backdoors for cyber criminals in an era of growing hybrid attacks. Closing it with digital access enhancements will ensure NIS2 obligations are met – and free security decision-makers from compliance worries.

ASSA ABLOY experts are available to guide organisations through the specific features and benefits that align with the directive’s requirements and enhance the organisation’s cyber–physical security framework.