The evolving landscape of EU regulations such as NIS2 and the Cyber Resilience Act is prompting the access control industry to embed cybersecurity deeply into product design and supply chain management, amid rising AI-related threats.
In today’s increasingly connected world, the access control industry faces a rapidly evolving threat landscape where digital vulnerabilities often overshadow physical security risks. This shift demands that companies not only adhere to regulatory frameworks but also proactively embed cybersecurity into their core operations. Kelly Gill, Senior Vice President and Chief Technology Officer of ASSA ABLOY Opening Solutions EMEIA, underscores this imperative amid new European Union regulations such as the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA), which collectively aim to elevate cybersecurity standards across the continent.
The NIS2 Directive, which came into effect in January 2023, represents a significant expansion of its predecessor, the original NIS Directive. It broadens the sectors covered, imposing stricter cybersecurity requirements on essential services including energy, transportation, banking, healthcare, and digital infrastructure. According to the European Union Agency for Cybersecurity (ENISA), NIS2 introduces enhanced measures like mandatory incident reporting within 24 hours, detailed risk assessments, and improved crisis management frameworks such as CyCLONe. It also mandates rigorous supply chain oversight and vulnerability management to ensure that organisations strengthen their defences collectively. The directive not only raises the regulatory bar but fosters greater harmonisation and cooperation between member states, aiming to build a resilient cybersecurity ecosystem within the EU.
Parallel to NIS2, the Cyber Resilience Act (CRA) focuses explicitly on products with digital components, targeting manufacturers, importers, distributors, and resellers. Signed into law in October 2024 and enforceable from December 10, 2024, the CRA mandates that products must be secure by design, support regular updates and patches, and come with explicit information about their cybersecurity features. Non-compliance carries severe penalties, including fines up to €15 million or 2.5% of annual turnover, signalling the EU’s uncompromising stance on product security. The regulation’s lifecycle approach ensures manufacturers maintain security through the entire lifespan of their products, driving accountability and vigilance throughout the supply chain.
Within this tightening regulatory environment, ASSA ABLOY Opening Solutions EMEIA highlights the necessity of integrating security from the design phase onward. Gill emphasises that the company treats security not merely as a compliance exercise but as a competitive differentiator embedded in its DNA. ASSA ABLOY’s approach includes rigorous supplier oversight, ongoing risk assessments, rapid incident reporting, and post-incident analyses to foster continuous improvement. By aligning product development and lifecycle management with these standards, the company aims to provide customers with solutions prioritising compliance, resilience, and trust.
Artificial intelligence (AI) plays a dual role in this context. While AI enhances cybersecurity capabilities—offering intelligent monitoring, faster anomaly detection, and streamlined operations—it also expands the attack surface with new threats such as deepfakes, AI-driven phishing, and automated vulnerability exploits. The emerging regulatory frameworks explicitly underscore the need for transparency, accountability, and continuous monitoring in the use of AI. According to Gill, rather than shunning AI due to its risks, ASSA ABLOY is embedding strong governance and cybersecurity standards around AI to harness its potential for bolstering security and regulatory compliance.
The ongoing digital transformation of physical security systems demands vigilance and agility. The implications of NIS2 and the CRA extend beyond internal systems to include the entire supply chain and product lifecycle. For end-users and customers, the message is unequivocal: digital security must be foundational, not an afterthought. Recognising this, ASSA ABLOY supports its customers with practical resources like detailed whitepapers outlining the regulatory requirements and illustrating how intelligent access solutions facilitate compliance.
As the security landscape evolves with accelerating digitalisation and the rise of sophisticated cyber threats, industries involved in access control and related domains face a complex challenge. Meeting regulatory requirements such as NIS2 and the CRA and effectively managing AI risks is crucial. Companies that succeed in embedding comprehensive cybersecurity practices will not only avoid regulatory penalties but also build the essential trust and resilience that underpin leadership in this vital sector.
Source: Noah Wire Services