Compliance, resilience and the next phase of access control

February 16, 2026

Pip Courcoux, Technical and Product Director, Abloy UK, discusses why NIS2, the Cyber Resilience Act and changing market dynamics are reshaping modern security and access control solutions.

A new phase of physical protection

As access control systems become increasingly digital, the security industry is entering a new phase of maturity in which physical protection is no longer the sole requirement.

Modern systems must also demonstrate cyber-resilience, regulatory compliance and long-term reliability, particularly in complex, high-risk environments.

Across Europe, legislation such as the NIS2 Directive and the Cyber Resilience Act (CRA) is accelerating this shift.

At the same time, market growth in data centres and multi-occupancy buildings is placing fresh demands on availability, auditability and system uptime.

Together, these factors are changing how access control is specified, deployed and managed.

From physical compliance to digital maturity

Compliance has always been integral to access control, traditionally focused on physical safety, emergency egress and life safety standards.

However, as systems become more connected and software-driven, compliance is expanding into cybersecurity, data protection and operational resilience.

This evolution is not new: when cloud-based access control solutions first appeared more than a decade ago, adoption was slow.

Organisations were cautious, standards lagged behind innovation and trust took time to establish.

However, frameworks eventually started to emerge, confidence grew and cloud technology became mainstream.

A similar process is now unfolding as digitalisation accelerates across access control.

European regulators are moving quickly to address emerging risks, introducing legislation such as the Data Act, the Radio Equipment Directive Delegated Act and the forthcoming AI Act.

Central to this regulatory push is the Cyber Resilience Act, which will come fully into force by the end of 2027.

The Act aims to ensure that digital products placed on the European market meet defined cybersecurity requirements throughout their lifecycle.

For end users, this provides greater assurance. For the industry, it marks a decisive step towards greater digital maturity.

NIS2 and the CRA

Although often discussed together, NIS2 and the CRA address different aspects of risk.

NIS2 is organisational in focus: it requires certain organisations to strengthen their operational IT and security controls, covering areas such as access to critical infrastructure, protection of digital assets, governance and incident preparedness.

In effect, it elevates cybersecurity and resilience to a board-level responsibility, backed by meaningful enforcement and penalties.

The CRA, by contrast, is product-centric. It places obligations on manufacturers to design security into products from the outset, addressing issues such as secure supply chains, vulnerability management, patching regimes and clearly defined product lifecycles.

Digital products are no longer considered static assets; they must be actively managed, maintained and supported over time.

Together, these regulations create a shared framework of trust.

Rather than relying on informal assurances, organisations can assess products and systems against clear, enforceable standards.

For buyers, this simplifies decision-making; for suppliers, it raises expectations.

Risk, trust and a changing buyer mindset

One of the most significant consequences of this regulatory landscape is a shift in how organisations perceive risk.

Historically, access control investment was driven primarily by physical security and safety considerations.

Today, organisations are increasingly focused on the potential consequences of failure, such as operational disruption, regulatory penalties, litigation and reputational damage.

High-profile cyber-incidents have sharpened this awareness, with extended outages, halted operations and lost revenue demonstrating how damaging cyber-failures can be.

In response, NIS2 removes much of the discretion organisations previously had.

Certain controls are no longer optional; they are mandatory for those operating in regulated sectors.

This is also reshaping supplier relationships. The traditional project-based model, where a system is specified, installed and largely forgotten, is becoming obsolete.

Firmware updates, vulnerability patching and encryption management mean that access control systems now require ongoing attention throughout their lifecycle.

As a result, trust is no longer a one-off decision at the point of specification.

Instead, it is built and maintained through long-term partnerships, with manufacturers and integrators playing a more continuous role in system performance and compliance.

Online vs offline access control

The renewed emphasis on cyber-resilience is influencing design choices around online and offline access control.

Not every environment requires constant connectivity. In residential and multi-occupancy buildings, for example, offline or hybrid access control solutions can provide flexibility and security without unnecessary infrastructure complexity or data exposure.

Privacy is a particularly important consideration in these settings.

In contrast, high-security environments, such as data centres, pharmaceutical facilities and IP-sensitive corporate sites, view online access control as essential.

Real-time monitoring, instant lockdown capabilities and comprehensive audit trails are critical to managing risk and meeting regulatory expectations.

Resilience must be at the core of both approaches. Systems need to continue functioning safely during network outages, cyber-incidents or power failures, and they must also fail in a controlled and predictable manner.

Under both NIS2 and the CRA, this level of resilience is becoming a baseline expectation rather than a differentiator.

Data centre regulations and uptime

Data centres represent one of the fastest growing and most tightly regulated security environments in Europe.

Standardisation is a defining trend, with operators seeking specifications that can be replicated across multiple sites and countries.

In this context, access control is inseparable from uptime and business continuity.

Any failure, whether caused by power loss, system outage or unauthorised access, can have immediate and severe consequences.

Regulatory scrutiny in the data centre sector is intense, reflecting the critical role these facilities play in digital infrastructure.

Access control systems must therefore deliver not only robust security, but also high availability, redundancy and integration with wider resilience strategies.

Multi-occupancy buildings and the rise of retrofit

Multi-occupancy buildings are another key growth area, particularly in urban environments where space constraints and housing demand continue to drive higher-density living.

Despite predictions that cities would hollow out following the pandemic, the demand for city-based accommodation close to amenities remains strong.

At the same time, new-build projects are facing increased volatility due to supply chain challenges, inflation, political uncertainty and enhanced regulation with the introduction of the Building Safety Act.

As a result, the retrofit market is becoming increasingly important.

Repurposing and upgrading existing buildings is often a more sustainable approach and more achievable than new construction.

For access control, this creates opportunities for flexible, scalable solutions that can be installed with minimal disruption.

Life Safety Power and system availability

One area gaining increased attention under NIS2 is power resilience, as access control systems must continue operating during power outages, supported by reliable battery backup and uninterruptible power supplies.

The Life Safety Power solution from Abloy can play a critical role by supporting access control panels with monitored power supplies.

It enables remote battery testing, performance monitoring and even selective power cycling of individual panels.

This allows organisations to identify degrading batteries before failures occur and maintain compliance with availability requirements.

In large, power-intensive environments such as data centres, this level of visibility is essential.

It also reinforces a broader shift in thinking that access control is no longer just about locks or controllers, but about the resilience of the entire system.

As regulation continues to evolve, digital maturity will remain a defining theme for the access control industry.

Hardware alone is no longer sufficient, and value increasingly lies in the ability to help organisations remain compliant, resilient and confident in the face of growing cyber and regulatory risk.

For manufacturers, integrators and end users alike, the challenge is clear.

Access control strategies must be designed not just for today’s threats, but for a future that is complex, heavily regulated and always evolving.

This article was originally published in the February edition of Security Journal UK.
