The NIS 2 directive imposes access control measures on the sites and premises of the organizations it targets, combining technological solutions with appropriate security policies.
While the NIS 2 directive is primarily known for the cybersecurity obligations it imposes on essential and important entities, it also has a little-known component: physical security requirements. These must be respected by more than 15,000 small and medium-sized businesses (SMEs) as well as their suppliers, estimates Mickaël Wajnglas, secretary general at Spac Alliance, a club which brings together physical and cyber security players. “These security obligations will be found in contracts with suppliers. The NIS 2 directive requires the assessment of the security level of suppliers. And, more broadly, it is the market which will require companies to respect physical security obligations.”
The problem: companies are often unaware of what these physical security obligations cover, or even that they exist. “Companies that want to comply with the directive now regularly ask me what they should do in terms of their physical security,” adds Mickaël Wajnglas. And for good reason: the directive is vague on the subject. It only states that it is obligatory to protect the “physical environment” of networks and information systems “against incidents”. More detailed recommendations already exist, however, that make it possible to meet this requirement now, without waiting for the legislative transposition of the directive, which is still pending. Here are the steps to follow to achieve this.
Learn about physical security obligations
Published in March 2026 by the National Information Systems Security Agency (Anssi), the France cyber repository (ReCyF) provides a best practice guide to help organizations comply with the NIS 2 directive. It is currently only a working version; the final version will be published after the transposition of the directive. Among the twenty cybersecurity objectives included in the ReCyF, it is the sixth that deals with physical security obligations.
This objective identifies four “acceptable means of compliance” to “ensure that only authorized persons have access to the organization’s premises”:
- “The entity implements security measures to limit access by unauthorized persons to its premises, its server rooms and its technical premises.”
- “The entity ensures the physical protection of premises, server rooms and technical premises. This physical protection makes it possible to prevent, monitor and react to unauthorized access to these premises.”
- “The entity ensures that physical access rights are allocated with regard to the need strictly necessary for the execution of the people’s missions.”
- “The entity ensures that external persons accessing the entity’s technical premises and server rooms are accompanied or duly authorized.”
Even if some of these means are reserved only for essential entities, Mickaël Wajnglas also advises important entities and their suppliers to respect them all. “The ReCyF explains that the second and third means are not obligatory for important entities. But an important entity is surely part of a supply chain of an essential entity, so it must implement all these means. Everyone is concerned.”
Develop a risk analysis
To properly implement these means of compliance, the organization must first develop a risk analysis. “It’s a mandatory prerequisite,” insists Dominique Gueguen, cybersecurity engineer at Axis Communications, a company specializing in surveillance technologies. “Indeed, the physical security measures to be implemented will be adapted according to this mapping,” adds Mickaël Wajnglas. This risk map must reference all the elements needed to determine the controls to be implemented, including:
- The sites to be protected and controlled, taking into account their particularities: address, function and nature of the site, natural risks that may affect it, number of people who use it, etc.
- Business values and supporting assets to be protected on the sites. Business values are the information, activities and services whose compromise would undermine the organization’s missions; the patient care department of a hospital is one example. Supporting assets are the resources that allow business values to function, such as a server or a data center. A level of protection must be associated with each business value and supporting asset present on the sites, depending on its criticality.
- Areas to be secured in identified sites. These are spaces such as an office room, reception room or server room. Their level of criticality depends on the assets they house. The more critical these are, the higher the level of protection must be.
Adapt technological devices
Once the criticality level of each site, zone and business value has been established, physical security in accordance with the ReCyF can be implemented. For this, Mickaël Wajnglas advises referring to Anssi’s guide dedicated to physical access control and video protection systems. It details the most appropriate technological devices to adopt, such as access badges, video protection, intercoms, etc. Each of these devices must have certain protective features, the degree of which varies depending on the area to be secured.
Access badges must be unique and non-clonable, and must not contain any sensitive information other than the identifier. They must also benefit from cryptographic authentication. Badge readers must have a maximum reading distance of five cm, must not store access rights, must be equipped with tear detection, etc. For highly critical areas, they must have a keypad so as to provide multi-factor authentication through a passcode, etc.
As for video protection, the cameras must be physically protected. In a critical zone, each camera must be in the field of vision of at least one other camera, according to the principle of cross-monitoring. The video management center must be installed in a secure location and must not be shared with the office information system, etc. “I advise following to the letter the recommendations of this guide which really goes into detail,” insists Mickaël Wajnglas.
Draft a security policy
Security devices are not enough. The ReCyF also requires “measures” to be taken to, for example, grant appropriate “physical access rights”. These must be defined in a security policy, generally by the security manager, indicates Dominique Gueguen. This policy must in particular provide for badge validity periods adapted to whether the holder is an employee or a service provider. Access rights must also be differentiated depending on the hierarchical level. “The rules for badges can also relate to the color of their collar. If the collar is red, this indicates that its holder is a simple visitor and that he must be accompanied when traveling. If it is green, this may indicate that he is a collaborator who is free to travel,” adds Dominique Gueguen.
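The device requirements and the access-rights policy described above can be checked mechanically before a badge system is deployed. The following added example (not code from the article, the ReCyF or Anssi) encodes them as a policy evaluator: strict need-to-access, escort of external persons in technical premises and server rooms, validity periods that depend on holder type, and a keypad second factor for highly critical areas. The criticality scale, the validity periods and the sample badges are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maximum badge validity per holder type (constructed policy values).
MAX_VALIDITY = {"employee": timedelta(days=365),
                "provider": timedelta(days=90),
                "visitor": timedelta(days=1)}

@dataclass
class Badge:
    holder: str
    holder_type: str   # employee | provider | visitor
    clearance: int     # highest zone criticality the holder's mission requires
    issued: date
    expires: date

@dataclass
class Zone:
    name: str
    criticality: int   # constructed scale: 1 office, 2 technical premises, 3 server room
    technical: bool    # technical premises / server room in the ReCyF sense

def check_access(badge, zone, today, pin_ok=False, escorted=False):
    """Evaluate one badge presentation; returns (granted, reason)."""
    if badge.expires < today:
        return False, "badge expired"
    if badge.expires - badge.issued > MAX_VALIDITY[badge.holder_type]:
        return False, "validity period exceeds policy for holder type"
    if badge.clearance < zone.criticality:          # strict need for the mission
        return False, "zone not needed for holder's mission"
    if zone.technical and badge.holder_type != "employee" and not escorted:
        return False, "external person must be accompanied in technical premises"
    if zone.criticality >= 3 and not pin_ok:        # keypad second factor
        return False, "highly critical zone requires keypad second factor"
    return True, "granted"

def demo():
    """Constructed sample badges and zones run through the policy."""
    today = date(2026, 6, 1)
    server_room = Zone("server room", 3, True)
    office = Zone("open-plan office", 1, False)
    admin = Badge("admin", "employee", 3, date(2026, 1, 1), date(2026, 12, 31))
    contractor = Badge("contractor", "provider", 3, date(2026, 5, 1), date(2026, 7, 15))
    visitor = Badge("visitor", "visitor", 1, date(2026, 6, 1), date(2026, 6, 1))
    return {
        "admin_no_pin": check_access(admin, server_room, today),
        "admin_pin": check_access(admin, server_room, today, pin_ok=True),
        "contractor_alone": check_access(contractor, server_room, today, pin_ok=True),
        "contractor_escorted": check_access(contractor, server_room, today, pin_ok=True, escorted=True),
        "visitor_office": check_access(visitor, office, today),
        "visitor_server": check_access(visitor, server_room, today, pin_ok=True, escorted=True),
    }
```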