Physical access control should not be overlooked

Recommendations for NIS 2 and the EU proposal on critical entities

During the past few years, the EU discussion on critical entities has focused on cybersecurity. There are good reasons for this: critical entities increasingly rely on digitalisation, and cyber-threats are constantly on the rise.

However, in this paper, Eurosmart demonstrates that the possibility of a physical attack against an IT system should not be overlooked. The trend nowadays is towards hybrid attacks, whereby a malicious actor uses a flaw in a physical system to carry out a cyber-attack. For instance, an intruder might steal an employee’s badge to enter the building of a company, and subsequently break into the server room.

Therefore, it remains essential to carefully control who can access the premises of critical entities, including digital infrastructures. National cybersecurity agencies themselves, such as ANSSI, already give particular importance to this matter.

In this paper, Eurosmart argues that physical access control should be better addressed both in NIS 2 and the proposal on the resilience of critical entities. NIS 2, in particular, covers the physical security aspects of digital infrastructures but does not mention access control at any point in the legislation.

Eurosmart also gives concrete recommendations on security certification of access control devices (e.g., badges, terminal equipment).

Please see below Eurosmart’s full position paper.