
The NIS2 Directive is a major shift in what regulators expect from critical infrastructure operators across the European Union (EU). While many teams see it as a cybersecurity regulation, physical controls are just as vital to meet these new standards. Cybersecurity alone won't protect your network if an unauthorized person can walk into a server room or a control center.
Compliance became mandatory across EU member states in October 2024, and the regulators have moved quickly to test it. Gallagher Security design and build the integrated systems that critical infrastructure operators rely on to meet NIS2, bringing access control, perimeter detection, and operational monitoring into a single audit-ready platform that supports your wider risk management program.
This guide explains what NIS2 expects of your physical environment, what good looks like, and where an integrated security solution closes the gap.
Key takeaways:
- Compliance with the NIS2 Directive became mandatory in 2024, requiring critical infrastructure to protect themselves or face fines of up to €10 million.
- Physical access is one of the largest backdoors into cyber-physical systems. ENISA reports show that public terminals and server racks are prime targets for sabotage, making layered defense essential.
- Gallagher Command Centre replaces manual logs with real-time digital audits and competency checks to ensure only qualified staff access high-risk zones.
Understanding NIS2 in simple terms
The NIS2 Directive raises the security baseline for organizations that deliver essential services across the EU. It replaces the original NIS Directive and broadens the scope significantly. Essential sectors now include energy, water, and transport. Important sectors now include food production, postal services, manufacturing, and digital providers.
The shift is from reactive defense to proactive resilience, and the accountability sits at the top. Article 21 explicitly requires an all-hazards approach to risk management, which means physical and cyber risk must be governed together. Senior management can be held personally liable for compliance failures, and penalties for essential entities reach €10 million or 2% of global annual turnover.
That last point matters more than it first appears. NIS2 has turned physical security from an operational expense into a board-level risk.
Why physical security matters under NIS2
Physical access is the largest backdoor for cyber attackers into a regulated environment. ENISA’s threat assessments consistently identify public terminals, server racks, and unattended OT cabinets as vulnerable to USB-based sabotage, credential theft, and physical tampering. When an attacker reaches your hardware, your network defenses are no longer the first line. They are the last.
Physical security supports cyber resilience by preventing external and insider threats. It ensures only authorized staff can reach the hardware that runs your essential services. Plus, it protects your physical assets from power failures or environmental disruptions. You can't have a secure network without a secure site.
Key physical security requirements implied by NIS2
While the directive doesn't list specific locks, the requirements for risk management imply several physical controls. The directive demands proportionate technical and organizational measures to protect your physical environment.
- Identity and access management: You need to know exactly who is on site at any given moment. Mechanical keys cannot deliver this. Digital access with verified identity can.
- Multi-factor authentication (MFA): NIS2 calls out MFA as a baseline measure for essential and important entities. In physical security, that means access decisions cannot rely on a single factor such as a card or PIN alone. Combining something the person has (a credential), something they know (a PIN), and something they are (a biometric) raises the assurance level at the door to match the assurance level you already require at the network edge.
- Controlled access to critical zones: The EN 50600 onion-shell model is widely used as a reference. Public or semi-public areas sit at Class 1, while technical zones and server rooms require Class 4 protection with stricter authorization and monitoring.
- Monitoring and disturbance detection: Unauthorized entry, sabotage, and environmental incidents need to generate alerts in real time, not be discovered the next morning.
- Evidence-based reporting: Auditors will ask you to prove you are following your own security policies. That requires tamper-evident, time-stamped logs covering every relevant access event.
- Legacy and obsolete systems: Many critical sites still run OT or building systems that pre-date modern security features. Where replacement is not realistic, compensating controls such as stricter zoning, supervised access, and additional monitoring keep the residual risk within acceptable limits.
- Supply chain and third-party access: Contractors, integrators, and maintenance vendors often need physical access to sensitive areas. NIS2 expects the same identity, competency, and audit standards to apply to them, and to be tracked throughout the engagement. Integrated visitor management turns third-party access from an administrative blind spot into a tracked, evidenced event from arrival to departure.
How access control supports NIS2 critical infrastructure
Your access control system is where most of your NIS2 physical security obligations are enforced and most of the audit evidence is generated. ENISA and industry analysis show up to 34% of organizations still lack management engagement on compliance processes. Digital access control is one of the most direct ways to close that gap, because it converts policy into enforced behavior.
Role-based access ensures people only reach the areas their role requires. Competency-based access extends that principle into regulated environments. A technician cannot enter a high-voltage zone unless their electrical license and first-aid certification are current in the system. When a certification lapses, the access lapses with it. Verified identity through biometrics and mobile credentials closes the remaining gap, ensuring the person presenting at the door is the person the system authorized. No manual intervention, no human error, no exposure window.
Multi-factor authentication is where NIS2 meets the door. The same principle your IT team applies to network logins applies to physical entry into critical zones, which is that a single credential is no longer sufficient assurance for high-value access. Command Centre supports MFA at the reader by combining card, mobile credential, PIN, and biometric factors in the combinations your risk profile requires. A standard office door might accept a mobile credential on its own. A server room or OT cabinet can require credential plus biometric, or credential plus PIN plus biometric, depending on the zone classification. The control is enforced consistently, the evidence is generated automatically, and the assurance level rises with the risk.
Resilience matters as much as authentication. NIS2 expects critical infrastructure to continue operating to policy through network outages, server failures, and isolated incidents, which means access decisions cannot depend on a constant connection to a central server. Gallagher Controller 7000 enforces access rules at the door, holding the cardholder data and decision logic locally so the site continues to authenticate, authorize, and log every event even when disconnected from Command Centre. When connectivity returns, the local event record synchronizes into the central audit trail. This edge-based architecture is what separates a site that meets NIS2’s continuity expectations from a site that hopes its network stays up during an incident.
Audit-ready access control changes the economics of compliance. When a regulator asks for proof that a control is operating, you can pull a complete history in seconds rather than days. Automated access revocation closes the most common gap of all, where a leaver, contractor, or qualification-lapsed employee retains access they should no longer hold.
The role of perimeter security and intrusion detection
Effective perimeter security is what stops a threat from becoming an incident. For NIS2, it also provides the evidence that you are managing risk proactively rather than reactively.
Monitored pulse fencing is one of the strongest deterrents available. It delivers a safe but sharp shock to intruders while generating real-time alerts the moment someone attempts to cut, climb, or tamper with the fence line. Disturbance detection sensors on gates and boundaries catch attempts earlier, before anyone reaches an asset.
Integrated security NIS2 strategies link these perimeter alarms with video surveillance, so an operator can confirm a threat from a control room rather than sending a guard into an uncertain situation. That integration also produces the timestamped record of detection, verification, and response that regulators expect to see during a review.
Integration and incident response under NIS2
Siloed systems create blind spots, and blind spots are where breaches start. Integrated security platforms like Gallagher Command Centre bring access control, perimeter detection, alarms, and video together into a single operating picture. That unified view is no longer a nice-to-have. NIS2 requires significant incidents to be reported within 24 hours, and you cannot meet that window if your teams are stitching evidence together from four separate systems.
When an alarm triggers, an operator should see the cardholder's recent access history, the live camera feed, and the alarm context on one screen. That is what shortens containment time and produces a clean timeline for the incident report.
A unified platform also demonstrates organizational maturity. Auditors recognize the difference between a site running a coordinated defense and a site running parallel systems that happen to share a building.
Securing the supply chain behind your systems
An organization’s resilience depends on the strength of its supply chain. NIS2 names supply chain security as a core risk-management measure, and it cuts in two directions. The first is the one most operators think of, which is the contractors, integrators, and maintenance vendors who need physical access to your sites, covered earlier in this guide. The second is easier to overlook but just as consequential. The security of the products and suppliers you depend on to deliver your essential services. The systems protecting your critical infrastructure are themselves part of your supply chain, and a vulnerability introduced upstream, before a device ever reaches your site, can undermine every control you build on top of it.
This is where component sourcing, manufacturing provenance, and vendor trust become compliance questions rather than procurement preferences. A platform assembled from components passing through multiple third parties and jurisdictions carries far more points of potential compromise (substitution, tampering, or counterfeit parts) than one whose origin can be demonstrated end to end. NIS2 expects you to understand and manage that exposure in the suppliers you choose.
Gallagher's vertically integrated production model is built for exactly this scrutiny. For 85 years, our solutions have been designed, engineered, manufactured, and distributed from a single head office site in Hamilton, New Zealand, with every element from software through to hardware developed and assembled in one location. Controlling the supply chain from components through to shipping reduces the touchpoints and vulnerabilities faced by manufacturers who outsource to third parties.
That control extends into how the systems are sustained after deployment. Gallagher is an authorized CVE Numbering Authority, meaning vulnerabilities are identified and disclosed through a recognized, transparent process. Command Centre is tested continuously with software and firmware updates on a regular six-month cycle, backed by independent certification including ISO 27001 and SOC 2. For an operator assembling evidence of supply chain due diligence, that provenance and testing regime form part of the audit story.
Preparing your organization for NIS2 today
Critical infrastructure compliance is a multi-quarter program, not a project. The operators ahead of the curve started by treating NIS2 as an opportunity to consolidate the controls and contracts that had accumulated over years. The work starts with four areas:
- Validate scope and governance: Confirm every critical asset is captured in your risk register, and that named owners, including at board level, are accountable for the controls protecting it. NIS2 expects security to be a leadership responsibility, not just an operational one
- Prioritize integration: Choose systems that offer role-based permissions and auditable logs. Link asset visibility with incident response so a single event has a single record.
- Align your teams: Physical and cyber security teams need joint playbooks for incidents that cross the boundary. Bring facilities and operations into those conversations early, because they often own the environmental, access, and contractor controls that sit at the intersection of physical and cyber risk.
- Automate compliance: Move away from manual logs. Your access control system should generate the audit trail automatically and present it in a format your compliance team can use directly.
Building NIS2 compliance with Gallagher
NIS2 is a turning point for how critical infrastructure operators think about physical security. The directive is pushing the industry toward something we have been building for years, which is security that protects people and assets while also generating the operational evidence the business needs.
Gallagher Security aligns your site with Article 21 by bringing the controls covered in this guide into one integrated system. Command Centre enforces role-based, competency-based, and identity-verified access, and generates the real-time audit trail as a by-product of normal operation. Perimeter detection and video integration give your operators verified situational awareness, so incidents can be contained and reported within the 24-hour window NIS2 requires. Visitor management extends the same identity and audit standards to contractors and third parties. And because our products are certified against ISO 27001, NPSA, and FIPS 201-3, the layered defense holds up against the standards your auditors and regulators apply.
Talk to Gallagher Security or your Gallagher Certified Channel Partner about where your NIS2 program sits today, and where it needs to be by your next audit.