David Moser, SVP and Head of Digital & Access Solutions at ASSA ABLOY Opening Solutions EMEIA, addresses a major new feature on security management’s compliance landscape: NIS2.
In the ongoing implementation of the EU’s NIS2 Directive, much attention has been paid to its implications for cyber security. Yet, arguably, the impact on organizations’ physical security and access strategy is just as important. In fact, NIS2 ushers in a new degree of focus on cyber–physical resilience – with significant potential penalties for organizations which do not comply with the framework’s demands.
NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive on the security of network and information systems. It substantially tightens the minimum requirements for IT security in critical infrastructure and extends them to several new sectors; Member States were required to transpose it into national law by 17 October 2024. The European Commission estimates that around 160,000 organizations will be impacted by NIS2 right away*.
The most important change for security and facilities managers to digest is the switch to an “all-hazards approach” to regulation. Article 21(1) states that the required measures must be based on an all-hazards approach that protects network and information systems and the physical environment of those systems. In practice, this compels impacted organizations to reinforce their digital security measures with additional processes and devices which physically protect their digital infrastructure. Cyber–physical resilience, and closer convergence between the operations and goals of cyber and physical security teams, therefore becomes a key element in the response to an increase in both the volume and the sophistication of hybrid cyber–physical attacks.
NIS2 and physical security: scope, compliance, financial penalties
The potential scope of NIS2 regulations encompasses a much-expanded range of organizations and sectors. Alongside the typical infrastructure sub-sectors such as energy and utilities, transport, telecoms, waste management, data centers and the like, is added a broader understanding of what constitutes “critical” national infrastructure: healthcare (including research), digital services and a range of manufacturing businesses including food, chemicals, automotive and more. Organizations which operate in any of these sectors should consult the directive to ascertain whether they, too, face NIS2 obligations.
A significant element of the new obligations is the extended all-hazards approach, referenced above. According to Article 21 of the directive, entities must “take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the security of network and information systems [...] and to prevent or minimize the impact of security incidents on the recipients of their services and on other services.” The same article names “the physical environment of those systems” as something those measures must protect, and its minimum list of measures in Article 21(2) explicitly includes access control policies alongside human resources security and asset management. In other words, any area of a site where a malicious actor could gain physical access to digital infrastructure, whether IoT devices, access management terminals, servers or anything else, must now have appropriate protection against digital, physical and hybrid attack. Access control devices and protocols must be up to this task.
Potential punishments for non-compliance with NIS2 can be severe. Under Article 34 of the directive, essential entities may face administrative fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher; for important entities the ceiling is at least €7 million or 1.4% of turnover, whichever is higher. Older locking systems that cannot be audited, revoked or integrated with risk management therefore represent a major liability risk for many organizations.
NIS2 impact on access control workflows
NIS2’s implications for security and facilities management are therefore significant, and the all-hazards approach is the part that most directly changes day-to-day access control workflows.
Measures to implement and monitor “all-hazards” compliant processes broadly mirror the Article 21(2) list: risk analysis that covers on-site digital devices; supply-chain security measures, including safer procurement and data handling; access control for personnel, including employees, contractors and visitors; cyber-hygiene training; business continuity planning for the event of a breach; and more. Security teams should evaluate their existing cyber–physical resilience now to identify the areas where additional measures or upgrades are needed.
Access management is a key element in any impacted organization’s NIS2 compliance efforts. Intelligent access solutions can contribute to cyber–physical resilience with, for example, stronger identity management, auditability of every access decision, and round-the-clock remote building control. Credentials which must be revalidated regularly and/or expire automatically drastically reduce the number of unauthorized keys in circulation: a lost or stolen credential that is never reported still stops working when its validity window ends, which closes another potential route to digital infrastructure.
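To make the revalidation-and-expiry point concrete, the following is an added illustrative model of short-lived, signed credentials checked by an offline door reader with a cached revocation list and an audit log. It is example code written for this page, not ASSA ABLOY’s credential format or any product’s protocol; the site key, holder names, door names and time values are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: every reader on the site holds this shared signing key. A real
# deployment would keep per-site keys in a secure element; this is a
# constructed example, not any vendor's credential format.
SITE_KEY = b"constructed-example-site-key"


def issue_credential(key: bytes, holder: str, doors: list, issued_at: int, valid_for: int) -> dict:
    """Mint a credential that is valid for only `valid_for` seconds.
    The short validity window is what bounds the damage from a lost card: an
    offline lock that never hears about the loss still rejects it once `exp` passes."""
    body = {"holder": holder, "doors": sorted(doors), "iat": issued_at, "exp": issued_at + valid_for}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify(key: bytes, cred: dict):
    """Check the MAC in constant time; return (ok, decoded body or None)."""
    expected = hmac.new(key, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["mac"]):
        return False, None
    return True, json.loads(cred["payload"])


def revalidate(key: bytes, cred: dict, revoked: set, now: int, valid_for: int):
    """Online update point (e.g. a wall reader at the entrance): re-issue a fresh
    short-lived credential, refusing any holder on the current revocation list.
    Returns None when revalidation is refused."""
    ok, body = verify(key, cred)
    if not ok or body["holder"] in revoked:
        return None
    return issue_credential(key, body["holder"], body["doors"], now, valid_for)


@dataclass
class OfflineReader:
    door: str
    key: bytes
    revoked: set = field(default_factory=set)   # revocation list as of its last sync
    audit: list = field(default_factory=list)   # append-only record of every decision

    def decide(self, cred: dict, now: int) -> tuple:
        """Return (allowed, reason) and record the decision in the audit log."""
        ok, body = verify(self.key, cred)
        if not ok:
            return self._log(now, "?", False, "bad signature")
        holder = body["holder"]
        if now >= body["exp"]:
            return self._log(now, holder, False, "expired")
        if holder in self.revoked:
            return self._log(now, holder, False, "revoked")
        if self.door not in body["doors"]:
            return self._log(now, holder, False, "door not permitted")
        return self._log(now, holder, True, "granted")

    def _log(self, now, holder, allowed, reason):
        self.audit.append({"t": now, "door": self.door, "holder": holder,
                           "allowed": allowed, "reason": reason})
        return allowed, reason


def lost_card_scenario() -> dict:
    """Constructed walk-through: a 24 h credential is lost after one hour. The
    server-room reader is offline and never receives the revocation; the lobby
    reader has synced it."""
    t0 = 1_700_000_000
    day = 24 * 3600
    card = issue_credential(SITE_KEY, "alice", ["lobby", "server-room"], t0, day)
    server_room = OfflineReader("server-room", SITE_KEY)           # never synced
    lobby = OfflineReader("lobby", SITE_KEY, revoked={"alice"})    # synced
    forged = dict(card, payload=card["payload"].replace(b"alice", b"mallory"))
    return {
        "offline_before_expiry": server_room.decide(card, t0 + 3600)[0],
        "offline_after_expiry": server_room.decide(card, t0 + day)[0],
        "synced_reader": lobby.decide(card, t0 + 3600)[0],
        "tampered": server_room.decide(forged, t0 + 3600)[0],
        "revalidation": revalidate(SITE_KEY, card, {"alice"}, t0 + day, day),
        "audit_entries": len(server_room.audit) + len(lobby.audit),
    }


if __name__ == "__main__":
    for name, value in lost_card_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows the trade-off a security team has to tune: the offline reader grants the lost card for the rest of its validity window (the exposure the text describes), but the window closes by itself, and the card cannot be renewed at an online update point once the holder is revoked. Shorter validity means a smaller window but more frequent revalidation trips for legitimate users; every decision, granted or denied, lands in the reader’s audit log for the auditability NIS2 calls for.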
Digital access solutions from ASSA ABLOY are designed to secure every layer and can contribute significantly to achieving compliance with the NIS2 Directive. They help protect organizations and data by controlling who goes where and when for each user, with the ability to cancel lost credentials instantly. They support both online and offline access control, improving workflows through flexible management, whether remote or on-site. The offering includes complete digital access systems as well as access hardware to upgrade existing installations, providing scalable control over access points that were previously unreachable and covering protection classes 1 to 4. Wireless solutions are simple to install and require no wiring or structural modifications.
Physical access is often considered one of the biggest backdoors for cyber criminals in an era of growing hybrid attacks. Closing it with digital access enhancements is a substantial step toward meeting NIS2 obligations and relieves security decision-makers of one significant compliance worry, provided it sits within the broader risk-management, supply-chain and incident-handling measures the directive also requires.
ASSA ABLOY experts are available to guide you through the specific features and benefits that align with the directive’s requirements and enhance your organization’s cyber–physical security framework.
David Moser is SVP and Head of Digital & Access Solutions at ASSA ABLOY Opening Solutions EMEIA.