NIS2 makes physical security a cyber problem

In January 2026, we walked into the head office of a Dutch mid-market organisation past the reception, past two access doors, into the server room. No badge forced. No alarm triggered. The CCTV footage showed the whole sequence afterwards. The board was shaken. The penetration test had used zero digital exploits.

Mason Pete Physical Security

That moment is not an incident. It is a symptom of an assumption that still lives inside many organisations: that physical security is a separate discipline, with separate vendors, separate budgets and separate accountability. That assumption no longer holds. NIS2 makes it explicit. Zero trust forces the issue. And the market is running behind the facts.

Three movements have erased the divide.

The attack surface has converged. A modern IP camera runs a Linux stack on your internal network. A cloud access control system links into your identity provider. A door sensor sends telemetry to a SaaS platform in another jurisdiction. Every physical security component is now an endpoint — with firmware, credentials, supply chain and update discipline. The American and European restrictions on Hikvision and Dahua were not introduced out of caution; they were introduced because the devices had demonstrably become part of the cyber threat.

Identity has converged. Whoever gains access to a building is the same person who gains access to an application. That sounds obvious, but operationally it is rarely arranged that way. Cloud-native access control platforms such as Avigilon Alta and Verkada integrate natively with Microsoft Entra ID. A departing employee is removed from the building and from Microsoft 365 in a single action. That is not a feature; it is a foundation for zero trust. Organisations still running two separate processes are carrying unnecessary risk and operational drag.
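The single-action deprovisioning described above only holds if the two systems actually stay in sync. The script below is an added example (not code from the article or from any named vendor) of the control check a defender would run: reconcile an identity-provider user export against an access-control badge export and flag badges whose holder has no account, whose account is disabled, or whose badge was swiped after the account was disabled. The CSV column names and the sample rows are constructed for this example.

```python
"""Reconcile an identity provider (IdP) user export with an access-control
badge export and surface badges that should no longer work.

Added example, not from the original article. Assumes two CSV exports:
  - IdP:    userPrincipalName,accountEnabled,disabledOn
  - Badges: badgeId,holderEmail,lastUsed
Column names and the sample rows below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample IdP export: bob was disabled on 10 Jan 2026.
IDP_EXPORT = """userPrincipalName,accountEnabled,disabledOn
alice@example.org,true,
bob@example.org,false,2026-01-10T09:00:00Z
carol@example.org,true,
"""

# Constructed sample badge export: dave has a badge but no IdP account;
# bob's badge was still used two days after his account was disabled.
BADGE_EXPORT = """badgeId,holderEmail,lastUsed
B-1001,alice@example.org,2026-01-14T08:12:00Z
B-1002,bob@example.org,2026-01-12T07:45:00Z
B-1003,dave@example.org,2026-01-13T18:30:00Z
B-1004,carol@example.org,
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); empty string -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_idp(text):
    """Map lower-cased UPN -> {'enabled': bool, 'disabled_on': datetime|None}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        upn = row["userPrincipalName"].strip().lower()
        users[upn] = {
            "enabled": row["accountEnabled"].strip().lower() == "true",
            "disabled_on": parse_ts(row["disabledOn"].strip()),
        }
    return users


def load_badges(text):
    """Return a list of badge records with normalised e-mail and parsed timestamp."""
    return [
        {
            "badge_id": row["badgeId"].strip(),
            "email": row["holderEmail"].strip().lower(),
            "last_used": parse_ts(row["lastUsed"].strip()),
        }
        for row in csv.DictReader(io.StringIO(text))
    ]


def reconcile(idp_users, badges):
    """Return {badge_id: finding} for every badge that fails the check.

    Findings:
      - "no_identity":        holder has no account in the IdP at all
      - "disabled_identity":  account is disabled but the badge still exists
      - "used_after_disable": badge was swiped after the account was disabled,
                              i.e. the deprovisioning control demonstrably failed
    """
    findings = {}
    for badge in badges:
        user = idp_users.get(badge["email"])
        if user is None:
            findings[badge["badge_id"]] = "no_identity"
        elif not user["enabled"]:
            used_after = (
                badge["last_used"] is not None
                and user["disabled_on"] is not None
                and badge["last_used"] > user["disabled_on"]
            )
            findings[badge["badge_id"]] = (
                "used_after_disable" if used_after else "disabled_identity"
            )
    return findings


def run():
    """Run the reconciliation on the constructed sample exports."""
    return reconcile(load_idp(IDP_EXPORT), load_badges(BADGE_EXPORT))


if __name__ == "__main__":
    for badge_id, finding in sorted(run().items()):
        print(f"{badge_id}: {finding}")
```

Run on real exports, the "used_after_disable" bucket is the one to escalate: it is direct evidence that the building and the directory are still two separate leaver processes. The "no_identity" bucket usually contains contractors and installer accounts that were never in the IdP, which is exactly the population NIS2's single risk assessment is meant to capture.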

NIS2 codifies the merger. The directive does not prescribe which camera you should buy. But it requires risk-based management of physical and logical access security as one whole. Access control, security cameras and related IoT equipment fall under the same risk assessment obligation as your SIEM and your endpoint protection. The regulator looks at the system, not at two silos.

What this means for the mid-market.

In the Benelux mid-market (companies between 50 and 500 employees), physical security was often installed years ago by an integrator operating outside the IT function. Cameras sit on a dedicated VLAN that is rarely patched. The access badges are legacy proximity cards with known vulnerabilities. The cybersecurity vendor does not look at any of it; the physical vendor cannot explain how the system relates to Entra ID. This is not a competence gap. It is a missing layer above both: a layer that brings the two worlds together.

Three concrete consequences for boards follow.

The selection criteria for new physical security have changed. Stop deciding on image quality, price per channel or installation cost alone. Assess firmware security, supply chain integrity, identity provider integration and the cloud architecture of the vendor. Those are cybersecurity questions, not physical-security questions.

Vendor-independent advice is more valuable than it has ever been. An installer sells the system they carry. A cybersecurity MSP does not understand the physical side. The organisation that understands both worlds and is tied to neither can make the right call without conflict of interest. On a ten-year investment, that independence is the difference between lock-in and option value.

Accountability needs a single owner. As long as physical security sits under Facilities and cybersecurity sits under IT, NIS2 reporting will remain a political problem rather than an operational one. The CISO, or an equivalent role, has to own both or there must be an explicit escalation path to someone who can.

In closing.

Physical security is no longer something you buy and forget. Like your email, your endpoint protection and your identity stack, it is a living part of your digital defence. The organisations that accept this last will pay the highest tuition.

The penetration test in January was used internally by the board as a cautionary tale. What they did not expect was that the remediation plan was mostly about Entra ID, firmware policy and SIEM integration. Not about fences and locks.

NIS2 does not change what is right for the organisation. It only makes it impossible to keep avoiding it.
