Compliance officers are familiar with the scenario: you invest millions in network security, implement sophisticated endpoint protection and set up a zero-trust architecture – but all of that is useless if someone can walk through an unlocked door into the server room. The NIS 2 directive addresses precisely this reality. According to Article 21, physical access control is no longer a building services task, but a cybersecurity task with the same regulatory weight as firewall policies. Companies must implement physical security measures that prevent unauthorised access to critical infrastructure, data centres and operational technology environments.
For CISOs and facility managers of essential and important entities in the EU, this is not just a guideline update. It is a redefinition of security strategy, budget ownership and management responsibility.
Why NIS-2 treats physical access control as essential cybersecurity
For decades, the rule was: IT secures the network, facility management secures the building. This clear separation is now becoming a regulatory liability.
The end of the physical-digital security divide
Article 21 of the NIS 2 Directive (Directive (EU) 2022/2555) removes the separation between physical and digital security measures. Article 21(1) requires entities to take measures to protect ‘network and information systems and the physical environment of those systems from incidents’, and Article 21(2)(i) lists access control policies among the minimum measures. This is not a recommendation but a legal obligation, backed by supervisory audits, cooperation between national authorities across borders and fines of up to EUR 10 million or 2 % of worldwide annual turnover for essential entities (Article 34).
The logic is simple: unauthorised physical access to a data centre, server room or industrial control system renders all investments in digital security worthless. Those with physical access do not need to crack encryption or overcome multi-factor authentication – they simply walk through the unguarded door.
What is NIS-2 Article 21?
Article 21 mandates physical security measures as part of cybersecurity risk management.
Companies must prevent unauthorised access to critical areas with the same care they take to implement digital security measures.
The hidden compliance gaps for CISOs and facility managers
Many companies believe they are adequately protected physically. They have badge readers, locked doors and security personnel. Nevertheless, audits regularly reveal three critical gaps:
- Standalone systems without traceability: many access control systems are still isolated and cannot forward events to a central critical event management (CEM) or SIEM platform. Logs exist, but they sit in proprietary formats or local databases, neither centralised nor analysable. This is a problem for auditors: NIS-2 expects access events to be logged and verifiable, and companies with standalone systems often cannot demonstrate this efficiently even though the physical controls are in place.
- Fragmented responsibilities between IT and facility management: the CISO owns IT security, the facility manager owns physical security, but NIS-2 requires the two to be managed as one. Without clear ownership, gaps open up in budget, incident response and training:
  - Budget requests fall between departments
  - Contingency plans do not cover physical security breaches
  - Security awareness training covers only digital threats; tailgating and credential sharing are neglected
- Monitoring and documentation gaps: NIS-2 requires logging and monitoring, and Article 23 requires an early warning to the competent authority within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours. Digital systems usually meet this via a SIEM or SOC. Older access control systems store data in isolation, so failed attempts and access outside office hours are never actively watched, and a physical breach may not even be noticed within the 24-hour window.
The risk: even where controls exist, compliance cannot be proven. A documentation gap is treated as a violation.
Zero-trust framework for physical access control
The principle of ‘never trust, always verify’ should be applied to all physical access control. Every access is checked in real time and every access point is continuously monitored.
Check every access request
In the zero trust model, possession of a valid ID card is no longer sufficient. Modern access control pairs the card with a second factor: a PIN, a biometric, or a mobile credential bound to the holder's device, with the strength of the factor scaled to the sensitivity of the area.
Advantages:
- A stolen or cloned card is useless on its own
- Credential sharing is prevented, because the second factor cannot be handed over
- A lost card alone grants nothing, so the window between loss and revocation is no longer an open door
Least privilege access
Access is restricted according to job function and time slots. Temporary workers or contractors are only granted temporary access. Even executives are subject to the same strict verification and monitoring protocols.
Continuous monitoring and logging
All access attempts, successful or failed, are logged centrally and fed into the SIEM or CEM platform. Real-time alerts detect:
- The same card used at two sites within an implausibly short interval, or re-entering an area it never left (anti-passback)
- Access at unusual times, outside the holder's permitted time window
- Repeated failed attempts on one card or one door
- Access granted to an area the holder's role does not authorise
- Tailgating, where a door sensor or people counter records more persons than credentials presented
This allows incidents to be proactively prevented and audit requirements to be met immediately.
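As an added example, not part of the original article or of any vendor product, the following Python script applies the least-privilege policy from the previous section and the alert rules listed above to a handful of constructed access-control log lines. The log format, the POLICY table, the minimum-travel-time table, the thresholds and the people-counter field are assumptions made for this example; a real deployment would map the vendor's export format onto the same fields.

```python
"""Detection rules over physical access-control events (added example).

The log format, policy table and thresholds below are assumptions for
this illustration, not a real vendor export format or NIS-2 requirement.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Least-privilege policy: role -> (allowed zones, permitted time window). Assumed.
POLICY = {
    "sysadmin":   ({"lobby", "office", "server_room"}, (time(7, 0), time(20, 0))),
    "contractor": ({"lobby", "office"},                (time(8, 0), time(18, 0))),
}
# Minimum plausible travel time between sites, used for the "same card at two
# sites" rule. Assumed values.
MIN_TRAVEL = {("berlin", "munich"): timedelta(hours=4)}
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)   # repeated failures
TAILGATE_WINDOW = timedelta(seconds=10)                  # grants counted per door cycle

# Constructed sample log: ts|card|role|site|zone|door|result|persons_counted
SAMPLE_LOG = [
    "2024-03-04T09:00:00|C100|sysadmin|berlin|server_room|D1|GRANTED|1",
    "2024-03-04T09:00:05|C200|contractor|berlin|office|D2|GRANTED|2",      # two people, one badge
    "2024-03-04T10:00:00|C100|sysadmin|munich|office|D9|GRANTED|1",        # Berlin -> Munich in 1 h
    "2024-03-04T22:30:00|C200|contractor|berlin|office|D2|GRANTED|1",      # outside 08:00-18:00
    "2024-03-04T23:00:00|C200|contractor|berlin|server_room|D1|GRANTED|1", # zone not in role, after hours
    "2024-03-05T02:00:00|C300|contractor|berlin|server_room|D1|DENIED|0",
    "2024-03-05T02:01:00|C300|contractor|berlin|server_room|D1|DENIED|0",
    "2024-03-05T02:02:00|C300|contractor|berlin|server_room|D1|DENIED|0",  # third denial in 5 min
]


def parse(line):
    """Parse one pipe-separated log line into a dict (format is assumed)."""
    ts, card, role, site, zone, door, result, persons = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "card": card, "role": role,
            "site": site, "zone": zone, "door": door,
            "result": result, "persons": int(persons)}


def detect(lines):
    """Return a list of (rule, card, timestamp) alerts, in event order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)        # card -> timestamps of denials
    last_grant = {}                     # card -> (timestamp, site) of last grant
    grants_at_door = defaultdict(list)  # door -> timestamps of grants

    for e in events:
        # Unknown role: no zones, no time window (deny-by-default).
        zones, (start, end) = POLICY.get(e["role"], (set(), (time(0), time(0))))

        if e["result"] == "DENIED":
            failures[e["card"]].append(e["ts"])
            recent = [t for t in failures[e["card"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("repeated_failures", e["card"], e["ts"]))
            continue

        # Everything below applies to granted events only.
        if e["zone"] not in zones:                       # reader allowed more than the role
            alerts.append(("unauthorised_zone", e["card"], e["ts"]))
        if not (start <= e["ts"].time() <= end):          # outside the role's time window
            alerts.append(("after_hours", e["card"], e["ts"]))

        if e["card"] in last_grant:                      # same card, two sites, too fast
            prev_ts, prev_site = last_grant[e["card"]]
            pair = tuple(sorted((prev_site, e["site"])))
            if prev_site != e["site"] and e["ts"] - prev_ts < MIN_TRAVEL.get(pair, timedelta(0)):
                alerts.append(("impossible_travel", e["card"], e["ts"]))
        last_grant[e["card"]] = (e["ts"], e["site"])

        # Tailgating: the door's people counter saw more persons than credentials
        # were presented in the preceding window (assumes such a sensor exists).
        grants_at_door[e["door"]].append(e["ts"])
        recent_grants = [t for t in grants_at_door[e["door"]] if e["ts"] - t <= TAILGATE_WINDOW]
        if e["persons"] > len(recent_grants):
            alerts.append(("tailgating", e["card"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, card, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<18} card={card}")
```

Each alert tuple is the shape that would be forwarded to the SIEM; the rules are deliberately simple so they can be explained to an auditor, and the thresholds are the values you would tune per site rather than hard-code.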
Physical security is cybersecurity under NIS-2
The premise is clear: digital security measures alone are not enough. An unguarded door bypasses every firewall and every layer of encryption behind it.
CISOs must include physical security risks in risk assessments, adapt emergency plans and integrate physical access logs into digital security monitoring. Facility managers must monitor, document and audit physical access controls to the same standards as IT systems. Companies that successfully implement this convergence create more resilient security structures, reduce risks and meet regulatory requirements.
Conclusion
Your server room door is now a cybersecurity asset. The key question is: are you managing it accordingly? [www.primion.io]

