The Network and Information Security Directive 2 (NIS2) had to be transposed into national law by EU member states by October 17, 2024, and its obligations apply from October 18, 2024. Are your access systems compliant with the new directive? Find out what the directive means for both physical and digital access control.
NIS2, known more formally as "Directive (EU) 2022/2555", replaces the original 2016 Network and Information Security Directive (Directive (EU) 2016/1148) and sets stricter rules for managing cyber risks and reporting security incidents. It expands the range of organizations that must comply and comes with stronger supervision and higher penalties for non-compliance, making cybersecurity a board-level priority for many more businesses and institutions. The directive covers a wide range of critical sectors, such as energy, transportation, healthcare, finance/banking, government/public administration, manufacturers of critical products, digital infrastructure (e.g., data centers, content delivery networks and other cloud service providers), the space sector, waste management and online social networking platforms.
How does NIS2 impact digital access control?
Article 21 of NIS2 requires essential and important entities to take appropriate and proportionate technical, operational and organizational measures to manage the risks to the network and information systems they use. Article 21(2) lists the minimum areas those measures must cover, including policies on the use of cryptography and, where appropriate, encryption (point (h)); human resources security, access control policies and asset management (point (i)); and the use of multifactor authentication or continuous authentication solutions (point (j)). Strong user authentication and access control are therefore essential for computers, phones and other digital devices, as well as for login to networks, applications and cloud-based systems.
NIS2 compliance for user authentication systems includes several important elements.
- Stronger password policies: Organizations still using passwords for device/system login will need stricter password policies to meet NIS2 compliance. NIS2 itself does not spell out password rules, so "stricter" should follow current good practice: require adequate length, screen new passwords against lists of common and breached passwords (e.g., "12345" or "password"), and require a change when there is evidence of compromise. Guidance such as NIST SP 800-63B now advises against forcing periodic password changes with no such evidence, because it pushes users toward predictable variations.
- Passwordless authentication: While not required, many organizations are moving beyond the password to more secure and phishing-resistant forms of login, such as RFID badges/tokens or mobile credentials using NFC. NIS2 does not prescribe particular authentication factors; biometric authentication (e.g., fingerprint scanning, facial recognition) is one option for strengthening the login process and is commonly achieved by combining a mobile credential with the built-in biometric features of the smartphone.
- Multifactor authentication (MFA): Article 21(2)(j) lists MFA or continuous authentication among the required measures, so organizations covered by NIS2 should expect to deploy MFA for user logins, at least for access to critical systems and sensitive data. MFA requires users to provide two or more verification factors (e.g., a password, a biometric, a one-time code, or an RFID or mobile user credential), which blocks unauthorized access even if a password is compromised. MFA is most critical for high-risk accounts, such as administrators or employees with access to critical infrastructure systems. For maximum security, prefer a phishing-resistant MFA method, such as an RFID badge with a user PIN or a mobile credential with biometrics: neither factor can be typed into a fake login page. Note that such a scheme is only as strong as the credential technology itself; a card that merely presents a static UID can be cloned, so use credentials with cryptographic mutual authentication between card and reader.
- Access management: Organizations should use an Identity and Access Management (IAM) system to centrally manage and enforce user authentication policies across all digital systems, so that access to systems, applications and files is limited based on user roles and permissions. Privileged accounts with elevated access to administrative or sensitive systems need tighter control: limit who holds them, monitor their use, and review the entitlements regularly.
- Secure Single Sign-On (SSO): Organizations using Single Sign-On (SSO) solutions, which allow users to log in once and gain access to multiple systems, must ensure that these platforms are properly secured. SSO reduces the number of passwords users have to remember, which reduces password reuse. However, a single compromised SSO login unlocks every connected system, so SSO should be paired with MFA, short session lifetimes and the ability to revoke sessions centrally.
- Encryption: Cryptographic protection is crucial for access credentials (such as passwords, biometric templates, or RFID/mobile credentials) in transit and at rest. Without it, authentication data could be intercepted, compromised or cloned, leading to unauthorized access. Use strong, modern protocols (e.g., TLS for communication between devices, user systems and access management platforms, and AES-based mutual authentication on the card interface). Note that stored passwords should not be reversibly encrypted at all: they should be stored as salted hashes using a deliberately slow, memory-hard function (scrypt, Argon2 or bcrypt), so that a stolen database does not yield the passwords themselves.
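The password-policy and credential-storage points above (screening guessable passwords, and hashing rather than encrypting stored passwords) come together in the small authentication backend below. This is an added example, not ELATEC code and not a NIS2-mandated implementation: the 12-character minimum, the scrypt cost parameters and the short blocklist are assumptions for illustration; a real deployment would load a full breached-password corpus and tune the cost to its hardware.

```python
"""Password policy check and salted-hash credential storage (added example).

Assumptions (not from NIS2 or the original article): a 12-character minimum,
a constructed blocklist standing in for a breached-password corpus, and scrypt
parameters tuned for a few tens of milliseconds per hash.
"""
import hashlib
import hmac
import os

# Constructed blocklist; a real system would load a breached-password dump.
BLOCKED_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumption, not a NIS2-mandated value

# scrypt cost parameters (assumption): memory = 128 * N * r bytes = 16 MiB
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def check_password_policy(username: str, password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKED_PASSWORDS:
        problems.append("appears on the blocked-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash; the stored record never contains the password."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    # Self-describing record so parameters can be raised later without breaking old hashes.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(key.hex(), key_hex)


class CredentialStore:
    """In-memory user store; only salted hashes are kept."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def enroll(self, username: str, password: str) -> list[str]:
        """Store the user if the password passes policy; return any violations."""
        problems = check_password_policy(username, password)
        if not problems:
            self._records[username] = hash_password(password)
        return problems

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            # Burn comparable time so unknown usernames are not revealed by timing.
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = CredentialStore()
    print(store.enroll("alice", "password"))          # policy violations
    print(store.enroll("carol", "correct-horse-battery-staple"))  # []
    print(store.authenticate("carol", "correct-horse-battery-staple"))  # True
```

The stored record carries its own scheme and cost parameters, so the work factor can be raised for new enrollments while existing hashes keep verifying; `hmac.compare_digest` avoids leaking how many bytes of the hash matched.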
What are the implications of NIS2 for physical access control?
NIS2 has several implications for physical access control (PAC) systems, especially in critical infrastructure sectors where both physical and cyber security are vital to protecting essential services. Physical security and cybersecurity are tightly interconnected: PAC systems must be protected from cyber threats (e.g., a breach of the PAC control system that lets a remote threat actor unlock doors or change access levels), and physical security is in turn what keeps unauthorized people away from servers, network equipment and other cyber-infrastructure components.
Article 21(1) of NIS2 requires the risk-management measures to follow an all-hazards approach that protects network and information systems and the physical environment of those systems, so facilities that house critical infrastructure (e.g., energy plants, healthcare facilities, data centers) are in scope alongside digital assets. PAC systems should use current authentication technology to prevent unauthorized access and should be integrated with the organization's cybersecurity measures (logging, monitoring, incident response) for a holistic approach to physical and cyber security.
Organizations may need to update their physical access control systems to incorporate these more secure authentication methods, including multifactor authentication (MFA) for physical access in secure environments. This is commonly accomplished using an RFID reader with a keypad for PIN entry, so users must both present their RFID card or mobile credential and enter a secret PIN. Alternatively, biometrics may be used, for example by combining mobile credentials with the biometric features of the smartphone. (Download our guide for more PAC tips: 10 Considerations in Physical Access Control Design)
Additional requirements for PAC systems may include:
- Tamper resistance and tamper detection for PAC components, including RFID readers and door controllers, so that they cannot be disabled or bypassed and any attempt to open or detach them raises an alert.
- Continuous monitoring to track who is coming and going and to detect suspicious activity or unauthorized attempts to access restricted areas, with PAC events fed into the same logging and alerting used for IT systems.
- Incident reporting of any breach or unauthorized access to physical locations that has the potential to compromise critical infrastructure. For significant incidents, Article 23 of NIS2 sets the timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Make sure your access control systems are NIS2 compliant.
NIS2 compliance in access control is not one-size-fits-all. Each organization must use a risk-based approach to determine how best to protect its digital and physical assets, weighing the potential impact of a breach at each access point. These guidelines are a starting point; organizations are expected to make security decisions based on their own risk profiles and operational needs. Tailoring your access control and authentication systems to those risks gives a stronger defense against threats, aligns with NIS2 requirements, and safeguards your critical infrastructure.
ELATEC can help organizations ensure their physical and digital access control systems are NIS2 compliant. Our secure, flexible and future-proof access hardware and software solutions support high-security access applications. Our cybersecurity solutions use modern encryption and support phishing-resistant MFA using RFID/NFC plus PIN to meet current cybersecurity standards. We are working with organizations covered by NIS2 to implement robust, scalable and unified access systems that integrate physical and digital security, safeguarding sensitive data and critical infrastructure.
Contact us for a consultation.
Want to know more? Download our guide: 8 Steps for NIS2 Compliance in Digital and Physical Access