The European Union's NIS2 Directive is reshaping strategies across organisations by emphasising both cybersecurity and physical security measures. While traditionally the focus has been on cybersecurity, the directive now highlights the importance of cyber-physical resilience. This shift brings significant consequences for organisations failing to comply, including hefty penalties.
NIS2 builds upon the 2016 NIS Directive on Network and Information Security, tightening IT security requirements, particularly for critical infrastructure, and extending them to additional sectors. The European Commission anticipates that approximately 160,000 organisations will be affected by NIS2 from the outset.
Important change for security
For security and facilities managers, a critical shift introduced by NIS2 is the "all-hazards approach." This broader regulatory strategy mandates enhanced digital security measures paired with processes and devices that protect digital infrastructure physically.
Consequently, cyber-physical resilience becomes vital as the volume and sophistication of hybrid cyber-physical attacks increase. Enhancing collaboration between cyber and physical security teams is essential to address these evolving threats.
NIS2 and physical security: Scope, compliance, financial penalties
NIS2's scope now reaches beyond traditional infrastructure sectors, including energy, utilities, transport, telecoms, and data centres. It also encompasses sectors such as healthcare, digital services, and various manufacturing industries, including food, chemicals, and automotive. Organisations within these categories should review the directive to determine their compliance obligations.
The directive mandates taking appropriate technical, operational, and organisational measures to manage risks to network and information security and minimising the impact on service recipients. Protecting areas where malicious actors could access digital infrastructure, such as IoT devices or servers, is essential, necessitating robust access control protocols.
Non-compliance with NIS2 may result in substantial penalties, potentially reaching up to €10 million or 2% of global annual turnover. Older security systems could thus pose significant liability risks.
NIS2 impact on access control workflows
NIS2's impact on security management involves implementing the "all-hazards" approach. This includes refining risk analysis of digital devices, ensuring supply-chain security, optimising physical access management for personnel, enhancing cyber hygiene training, and planning for business continuity in breach scenarios. Security teams must promptly assess their current cyber-physical resilience to identify necessary improvements.
NIS2 compliance efforts
Access management plays a crucial role in achieving NIS2 compliance. Advanced access solutions can enhance cyber-physical resilience through improved identity management, auditability, and remote building control. Systems requiring regular credential renewal reduce the risk of unauthorised key circulation, a potential vulnerability for digital infrastructure.
Solutions from ASSA ABLOY offer robust digital access systems to enhance compliance with the NIS2 Directive. They ensure comprehensive access control, supporting both online and offline scenarios, enabling instant cancellation of lost credentials, and providing scalable control over formerly inaccessible access points. Wireless solutions offer easy installation without structural modifications.
In an era of hybrid attacks, physical access often remains a critical vulnerability. Mitigating this with digital enhancements aligns with NIS2 obligations, alleviating compliance concerns for security decision-makers. ASSA ABLOY's experts offer guidance to align features with directive requirements, bolstering organisational cyber-physical security frameworks.
In the ongoing implementation of the EU’s NIS2 Directive, much attention has been paid to its implications for cybersecurity. Yet, arguably, the impact on organisations’ physical security and access strategy is just as important. In fact, NIS2 ushers in a new degree of focus on cyber–physical resilience – with significant potential penalties for organisations which do not comply with the framework’s demands.
NIS2 replaces 2016’s original NIS Directive on Network and Information Security. It represents a major legislative tightening of the minimum requirements for IT security in critical infrastructure and expands them to include several new sectors. The European Commission estimates that around 160,000 organisations will be impacted by NIS2 right away.
Important change for security
The most important change for security and facilities managers to digest is the switch to an “all-hazards approach” to regulation. In practice, this approach compels impacted organisations to reinforce their digital security measures with additional processes and devices which physically protect the security of their digital infrastructure.
Thus, cyber–physical resilience – and increased convergence between the operations and goals of cyber and physical security teams – becomes a key element in the response to an increase in both the volume and the sophistication of hybrid cyber–physical attacks.
NIS2 and physical security: scope, compliance, financial penalties
The potential scope of NIS2 regulations encompasses a much-expanded range of organisations and sectors. Alongside the typical infrastructure sub-sectors such as energy and utilities, transport, telecoms, waste management, data centres and the like, is added a broader understanding of what constitutes “critical” national infrastructure: healthcare (including research), digital services and a range of manufacturing businesses including food, chemicals, automotive and more.
Organisations which operate in any of these sectors should consult the directive to ascertain whether they, too, face NIS2 obligations.
A significant element of the new obligations is the extended all-hazards approach, referenced above. According to Article 21 of the directive, entities must “take appropriate and proportionate technical, operational, and organisational measures to manage the risks to the security of network and information systems [...] and to prevent or minimise the impact of security incidents on the recipients of their services and on other services.”
Physical access to digital infrastructure
In other words, any areas of a site where malicious actors may gain physical access to digital infrastructure, whether IoT devices, access management terminals, servers or anything else, must now have appropriate protection against digital, physical and hybrid attack. Access control devices and protocols must be up to this task.
Potential punishments for non-compliance with NIS2 can be severe. According to the directive’s text, organisations may face fines of up to €10 million, or 2% of their global annual turnover. Older locking systems therefore represent a major liability risk for many organisations.
NIS2 impact on access control workflows
Thus, NIS2’s implications for security and facilities management – and potential financial penalties for organisations – are significant. The all-hazards approach is especially important here.
Measures to implement and monitor “all-hazards” compliant processes include the fine-tuning of risk analysis for on-site digital devices; supply-chain security measures including safer procurement and data handling; physical access for personnel, including employees and visitors; cyber-hygiene training; planning for business continuity in the event of a breach; and more.
Security teams should urgently evaluate their existing cyber–physical resilience to quickly identify areas where additional measures or upgrades are needed.
NIS2 compliance efforts
Access management is a key element in any impacted organisation’s NIS2 compliance efforts. Intelligent access solutions can contribute to improving cyber–physical resilience with, for example, enhanced identity management, auditability, and round-the-clock remote building control. Credentials which require regular revalidation and/or expire automatically drastically reduce the risk of unauthorised keys in circulation – another potential vulnerability for digital infrastructure.
Digital access solutions from ASSA ABLOY empower organisations to secure every layer and can contribute significantly to achieving compliance with the NIS2 Directive.
They help protect organisations and data by enabling control over who goes where and when for each user, with the ability to cancel lost credentials instantly. They support both online and offline access control, improving workflows through flexible management—whether remotely or on-site.
ASSA ABLOY specific features and benefits
The offering includes digital access systems or access hardware to upgrade existing setups, providing scalable control over access points that were previously unreachable and securing protection classes 1 to 4. Wireless solutions are simple to install and require no wiring or structural modifications.
Physical access is often considered one of the biggest backdoors for cyber criminals in an era of growing hybrid attacks. Closing it with digital access enhancements will ensure NIS2 obligations are met – and free security decision-makers from compliance worries.
ASSA ABLOY experts are available to guide organisations through the specific features and benefits that align with the directive’s requirements and enhance their cyber–physical security framework.