Securing Critical Infrastructure: Meeting the Demands of NIS2 and CER

Critical infrastructure is the backbone of modern society. Energy supply, power grids, hospitals, water systems, transport networks, data centres and public institutions are all essential for maintaining vital societal functions. When these systems are disrupted, the consequences are not only economic, but also social and human.

In recent years, the threat landscape has become increasingly complex. Attacks are no longer limited to physical intrusions – they are just as likely to be digital, and often a combination of both. This development places entirely new demands on how organisations protect their facilities, employees, information and processes.

Against this backdrop, the European Union has introduced new regulatory frameworks that significantly impact organisations operating within critical infrastructure.

Increased focus on security through new EU directives

After the introduction of the General Data Protection Regulation (GDPR), two new EU directives are now setting the direction for security and resilience across Europe: NIS2 and CER.

NIS2 – Network and Information Security
NIS2 (Network and Information Security Directive, version 2) aims to establish a consistently high level of cybersecurity and information security across all EU member states. The directive applies to organisations operating within sectors of particular critical importance, as well as other critical sectors delivering services within the EU.

CER – Critical Entities Resilience
The CER directive focuses on strengthening the resilience of critical entities. It applies to organisations and public authorities that operate critical infrastructure and provide services essential for societal functions, economic activities, public safety, public health and environmental protection.

Together, NIS2 and CER underscore the need for both digital and physical security measures – and for a more holistic approach to risk management.

The future of security: individual assessments and flexible solutions

One of the key principles introduced by the new directives is the requirement for individual risk assessments. There is no single, universal solution that fits all organisations. Each entity must assess its own security posture and implement the necessary measures based on its specific risks, operations and environment.

This places high demands on security systems. They must be adaptable to current requirements while remaining scalable and flexible enough to meet future regulatory and operational needs. Continuous development, regular updates and long-term support are no longer optional – they are essential.

Security systems as a core part of NIS2 and CER compliance

Electronic security systems play a central role in achieving compliance with both NIS2 and CER. When evaluating an existing or future security solution, several key areas should be considered as part of the organisation’s individual assessment.

Access control and detection – where, when and how?

Access control is a fundamental component of physical security. Organisations should identify which areas require controlled access and which could benefit from access control even if not explicitly mandated.

Modern access solutions offer clear advantages over traditional keys. Access cards or digital credentials can be revoked immediately if lost, and permissions can be adjusted as needs change. In fully integrated systems, access control and intrusion alarms can be managed through the same user profile, reducing administration and improving traceability.

Organisations should also consider:

  • Which credential technologies provide the right balance between usability and security
  • Whether two-factor authentication is required for sensitive or externally accessible areas
  • How detection and alarm levels should vary depending on the risk profile of different zones

Configuration, management and automation

A flexible security system should support both individual and group-based management of permissions, ensuring that only the right people have access to the right areas at the right time.

Clear system overviews and intuitive user interfaces are essential for fast response and effective incident management. Integration with other systems – such as HR platforms – can further enhance security by automating tasks like user provisioning and deactivation when employees join or leave the organisation.

Documentation and compliance

Documentation is a critical element in regulated environments. Security systems must provide detailed logs, covering both the scope and retention period required by regulations or internal policies.

Comprehensive documentation supports investigations, audits and troubleshooting – and in some systems, configuration and access documentation can be generated automatically, offering a clear overview of who has access to what, and when.

Testing and verification records are also increasingly important. Built-in tools for testing devices and system functions can provide valuable insights into system status and help organisations maintain full operational readiness.

IT security and continuous updates

Cybersecurity is inseparable from physical security. Choosing a security system that is continuously developed and regularly updated is crucial. Frequent software and firmware updates help ensure access to the latest security features and technologies – and that potential vulnerabilities are addressed as quickly as possible.

Equally important is selecting reliable partners for installation and service, ensuring secure and stable operation over time.

A long-term investment in resilience

By making access control and detection, system configuration, documentation and IT security part of an individual security assessment, organisations can identify solutions that meet today’s requirements while remaining adaptable to future demands.

Integrated security systems such as Integra, developed and manufactured in the EU, are designed to support organisations operating in critical infrastructure environments. With EU-based development, EN/F&P Grade 3 approvals and a web-based management interface, such solutions demonstrate how modern security systems can support both compliance and long-term resilience.

As regulatory requirements continue to evolve, investing in flexible, integrated and future-proof security solutions is not only a matter of compliance – it is a strategic decision to protect people, operations and society at large.
