NIS2, CER and access control: why physical security is becoming part of cyber resilience

Cybersecurity does not only start with firewalls, passwords or software updates.

It also starts with a very practical question:

Who has access to your buildings, technical rooms, server rooms, network cabinets and critical zones?

Because anyone who can physically enter a sensitive area may also get close to systems, data, networks or processes that are essential to your organisation.

That is why access management is becoming more important in the context of NIS2 and CER.

These European directives do not make access control a standalone compliance solution. But they do show that cyber resilience, physical protection and operational continuity are increasingly connected.

In other words: physical security and cybersecurity can no longer be managed as completely separate worlds.

What are NIS2 and CER?

NIS2 is the European directive that aims to strengthen cybersecurity across the EU.

It applies to essential and important entities in defined sectors. In many cases, this concerns medium-sized and large organisations, although the exact scope always needs to be assessed case by case.

NIS2 requires organisations in scope to take appropriate and proportionate measures to manage cybersecurity risks. These measures include, among others:

  • risk management;
  • incident handling;
  • business continuity;
  • supply chain security;
  • secure authentication;
  • access control policies;
  • asset management;
  • cybersecurity awareness and training;
  • encryption where appropriate.

NIS2 adopts a risk-based approach and requires organisations to consider both cyber and relevant physical threats affecting network and information systems. This means that organisations should protect their network and information systems, as well as the physical environment of those systems, against incidents.

CER stands for Critical Entities Resilience.

This directive focuses on the resilience of critical entities that provide services essential to society and the economy. It addresses wider threats such as natural hazards, sabotage, insider threats, terrorism, public health emergencies and other disruptive incidents.

In short: NIS2 focuses on cybersecurity risks for network and information systems.  CER applies to organisations that have been designated as Critical Entities by the competent national authority.  

For organisations with sensitive sites, technical rooms, critical infrastructure or essential services, both perspectives are becoming increasingly relevant.

Why physical access matters

Many security risks start with something simple.

A lost badge.
A visitor entering the wrong zone.
A supplier whose access rights were not removed on time.
A technical room that is not sufficiently protected.
A server room where it is unclear who entered and when.

These are physical security risks. But depending on the environment, they can also become cybersecurity and continuity risks.

Today, access control systems are no longer isolated door systems.

They include readers, controllers, badges, mobile credentials, software, integrations, firmware, administrators, installers and maintenance partners. In some environments, they are connected to visitor management, parking, ANPR, building management or other operational systems.

If one part of that chain is not properly managed, it can create risk for the organisation.

That is why access control is no longer just about opening and closing doors.

It is about control.
Insight.
Traceability.
Resilience.

The challenge: can you prove who had access?

For many organisations, the challenge is not only to secure access.

The challenge is to demonstrate that access is managed correctly: not once, but continuously.

You need to know:

  • who has access;
  • why access was granted;
  • which zones a person can enter;
  • when access is allowed;
  • who approved the access rights;
  • when those rights were last reviewed;
  • which visitors, contractors or suppliers were present;
  • what happened before, during and after an incident;
  • which administrators or service providers can manage the access control environment.

This is becoming increasingly important for daily security management, audits, incident investigation, supplier management and continuity planning.

Within NIS2, access management is relevant to cybersecurity risk management, access control policies, incident handling, supply chain security and the protection of the physical environment of network and information systems.

Within CER, it can support prevention, response, recovery, physical protection and employee security management for critical sites and essential services, where the organisation has been identified as a critical entity.

Access control as part of a stronger security strategy

Good access management helps organisations reduce risk in a practical way.

It helps identify who should have access.
It helps protect sensitive areas.
It helps detect unusual or unauthorised activity.
It helps respond faster when something goes wrong.
And it helps recover by providing insight into what happened.

It gives security, facility and IT teams a clearer view of what is happening across one or multiple sites. It supports incident investigation. And it helps organisations move from assumptions to evidence.

Depending on the risk level, stronger authentication may also be appropriate. This can include combinations such as badge and PIN, mobile credentials or other authentication methods.

Biometric authentication can be useful in specific cases, but requires additional attention. When biometric data is used to uniquely identify a person, it is considered special category personal data under GDPR. This means it should only be used where legally permitted, necessary, proportionate and supported by appropriate safeguards.

Reliable logging and reporting are also important.

When an incident occurs, organisations may need to understand who accessed which zone and when. Access logs can provide valuable insight for investigation, reporting, audits and corrective actions, provided they are managed in line with applicable data protection rules.

More than compliance

NIS2 and CER are not only about regulation.

They are about making organisations stronger.

A mature access management approach helps organisations:

  • reduce unauthorised access;
  • protect sensitive rooms and critical zones;
  • manage employees, visitors, contractors and suppliers more securely;
  • improve visibility across one or multiple sites;
  • support audit and reporting processes;
  • investigate incidents more effectively;
  • strengthen operational continuity;
  • make security part of daily operations instead of a one-time project.

Access control does not make an organisation compliant with NIS2 or CER by itself.

Compliance also depends on governance, risk assessments, policies, supplier management, incident procedures, business continuity, training, documentation and management oversight.

But access control can be an important building block within a broader security and resilience programme.

Compliance may be the trigger.

Resilience is the real objective.

How Synguard helps

With Synguard, organisations can manage physical access in a clear, structured and scalable way.

Our integrated access management platform helps bring different access flows together. Employees, visitors, contractors, vehicles, buildings and zones can all be managed from one clear security logic.

Depending on the configuration and implementation, Synguard can support organisations with:

  • centralised access management;
  • detailed access profiles based on users, roles, zones and sites;
  • management of employees, visitors and contractors;
  • integration with access control components and related systems;
  • logging and reporting of access events;
  • real-time insight into access activity;
  • scalable deployment across single-site and multi-site environments;
  • operational support for access governance and security processes.

These capabilities can support relevant technical and organisational measures within a broader NIS2 and CER readiness programme.

Not as a standalone compliance solution, but as a practical foundation for better control, stronger security and improved resilience.

One platform, one security logic

Modern organisations need access management that is secure, manageable and ready to grow.

With Synguard, different access flows can be brought together in one platform. This helps organisations improve control, visibility and efficiency across their physical security environment.

Because the question is no longer only:

“Are our doors secured?”

The better question is:

“Do we know who has access, why they have access, and can we demonstrate this when it matters?”

With Synguard, access management becomes more than a security system.

It becomes a practical building block for cyber resilience, operational continuity and future-ready security management.

Want to see how this could work in your organisation?  

Get in touch with our team at sales@synguard.be