Organizations in charge of critical infrastructure face significant threats today, from acts of sabotage and human error to natural disasters and climate change. To address these challenges and comply with emerging regulations such as the KRITIS Umbrella Act in Germany and the NIS2 and CER directives for the European Union, organizations must take steps now to bring access control systems into compliance. Six actionable steps are available to help organizations address KRITIS and NIS2/CER requirements for access control systems.
What Is the KRITIS Umbrella Act?
The German KRITIS Umbrella Act, adopted as a draft law on November 6, is a response to two major European Union directives: NIS2 (Network and Information Security Directive, 2022/2555) and CER (Critical Entities Resilience Directive, 2022/2557). KRITIS applies to German operators of critical infrastructure, defined as organizations or facilities whose disruption or failure would have significant consequences for public safety, supply chain security or other essential societal functions.

By merging the NIS2 and CER directives into German law, KRITIS creates a holistic framework that addresses both cybersecurity and physical resilience. The act brings Germany into compliance with the EU's NIS2 and CER directives, which entered into force on January 16, 2023. EU member states are required to transpose these directives into national law, and most member states are in the process of doing so now. Similar laws and regulatory frameworks for the protection of critical infrastructure have been passed in other parts of the world in recent years, including the United States, United Kingdom, India, Japan, China and South Korea. This wave of global regulatory action reflects an awareness of the vulnerability of infrastructure such as transportation, energy and medical systems in the face of rising threats from terrorism, natural disasters and cyberattacks.
Six Steps for KRITIS Compliance in Physical and Digital Access Control
Physical and digital access control are cornerstones of the KRITIS Umbrella Act and similar global legislation. Access control systems protect both tangible assets (like buildings and equipment) and intangible ones (like networks and sensitive data) by restricting and monitoring who can access them. Effective access control ensures that only authorized personnel can interact with critical assets and sensitive data, reducing the risk of sabotage, theft, cyberattacks and operational disruptions. Here's how organizations can prepare their access systems for compliance with KRITIS and similar legislation.
1. Move to Passwordless Login with Strong, Phishing-Resistant MFA
Password-based systems are vulnerable to phishing and other cyberattacks. Transitioning to passwordless login with strong, phishing-resistant multi-factor authentication (MFA) enhances digital access security. This step aligns with NIS2 compliance requirements, addressing key cybersecurity risks while ensuring smooth, secure authentication for authorized personnel. The simplest way to implement passwordless, phishing-resistant MFA for digital applications is to use a radio-frequency identification (RFID) card or token together with a user PIN, or a near-field communication (NFC) mobile credential on the smartphone protected by a PIN or built-in biometrics. The same RFID/NFC credential can also be used for physical access.
2. Use Strong Encryption for Access Applications
To protect sensitive data in access systems, organizations must implement robust encryption, such as AES-256 or Elliptic Curve Cryptography (ECC), for all communication between devices and for stored credentials. Strong encryption safeguards against unauthorized interception or tampering, ensuring compliance with both cybersecurity and physical security regulations. That includes encrypting communication between the RFID reader and the user card or smartphone, and between the reader and the backend systems used for access management.
3. Modernize Physical Access Control (PAC)
Robust physical access control (PAC) systems are needed to safeguard critical infrastructure facilities from unauthorized entry, sabotage and physical threats that could disrupt essential services. Compliance may require upgrades to physical and hardware systems such as reinforced locks, anti-tampering protection for RFID readers and other security elements, secure entry barriers, and anti-tailgating measures such as turnstiles or mantraps. Organizations may want to implement a zoning strategy, where areas are segmented by security level, to limit the exposure of critical areas to unauthorized personnel. In secure areas, MFA methods such as PIN codes or biometric verification can be combined with the RFID/NFC access credential to prevent unauthorized access using a stolen card or smartphone.
4. Unify Physical and Digital Access
The KRITIS Umbrella Act takes a unified approach to physical security and cybersecurity. That's because physical and digital security are inevitably intertwined: cyberattacks can be used to sabotage physical systems or manipulate access systems to enable unauthorized entry, while a physical breach of a server room or other sensitive location may lead to a digital breach. Unified access systems that combine physical and digital access controls provide seamless management and monitoring of all entry points, both virtual and physical. In a unified system, the same user credential (card, token or mobile credential) can be used to unlock access to both physical assets (doors, turnstiles, elevators, equipment, etc.) and digital assets (e.g., through single sign-on (SSO) systems for files, applications and business systems). In addition to increasing user convenience and simplifying access system management, unified systems enhance security by enabling better behavior monitoring and anomaly detection.
5. Implement Real-Time Tracking, Logging and Behavior Monitoring
Real-time tracking and behavior monitoring, often supported by AI-driven access management tools, enable organizations to detect anomalies or potential threats proactively. Comprehensive logging of access events ensures accountability and facilitates post-incident analysis. AI-driven analytics can be used to identify suspicious behavior or potential breaches, such as repeated failed entry attempts or location anomalies, and trigger real-time alerts or automated lockdowns for immediate response.
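The two anomaly classes named above, repeated failed entry attempts and location anomalies, can be checked deterministically over a unified event log before any AI tooling is involved. The following is an added example, not code from the article or from ELATEC; the log format, site names and credential IDs are constructed, and physical door events and digital logins are assumed to share one credential ID, as in the unified system described in step 4.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). One line per access
# event; kind=physical is a door/turnstile reader, kind=digital is an SSO/VPN login.
SAMPLE_EVENTS = [
    "2025-12-08T07:58:02 cred=1042 kind=physical site=berlin zone=lobby result=granted",
    "2025-12-08T08:05:40 cred=1042 kind=digital site=munich zone=vpn result=granted",
    "2025-12-08T08:10:11 cred=2077 kind=physical site=berlin zone=server-room result=denied",
    "2025-12-08T08:10:35 cred=2077 kind=physical site=berlin zone=server-room result=denied",
    "2025-12-08T08:11:02 cred=2077 kind=physical site=berlin zone=server-room result=denied",
    "2025-12-08T08:30:00 cred=3001 kind=physical site=berlin zone=lobby result=granted",
    "2025-12-08T09:15:00 cred=3001 kind=digital site=berlin zone=workstation result=granted",
]

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect_anomalies(lines, max_failures=3, window=timedelta(minutes=5),
                     min_travel=timedelta(minutes=30)):
    """Return (rule, credential, timestamp) alerts for the sample log.

    repeated_failures: >= max_failures denied attempts by one credential within 'window'.
    location_anomaly:  one credential granted access at two different sites less than
                       'min_travel' apart (impossible travel); only granted events move
                       the credential's last known site, so denied attempts elsewhere
                       cannot mask a later anomaly.
    """
    alerts = []
    failures = defaultdict(deque)   # cred -> timestamps of recent denials
    last_site = {}                  # cred -> (timestamp, site) of last granted access
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        cred, ts = ev["cred"], ev["ts"]
        if ev["result"] == "denied":
            q = failures[cred]
            q.append(ts)
            while q and ts - q[0] > window:   # drop denials outside the sliding window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append(("repeated_failures", cred, ts.isoformat()))
                q.clear()                     # one alert per burst, not one per attempt
            continue
        if cred in last_site:
            prev_ts, prev_site = last_site[cred]
            if prev_site != ev["site"] and ts - prev_ts < min_travel:
                alerts.append(("location_anomaly", cred, ts.isoformat()))
        last_site[cred] = (ts, ev["site"])
    return alerts
```

Running `detect_anomalies(SAMPLE_EVENTS)` flags credential 1042 for a Berlin door entry followed seven minutes later by a Munich VPN login, and credential 2077 for three server-room denials within one minute; the thresholds are placeholders that each site must tune to its own zoning and travel times.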
6. Establish Incident Response and Reporting Protocols
Regulations under KRITIS emphasize the importance of swift and effective incident response. Organizations should develop and maintain protocols for identifying, reporting and mitigating access-related security incidents. Organizations should also perform routine audits and penetration testing of access control systems to identify and mitigate potential weaknesses. This ensures the system remains robust and compliant with evolving standards and regulations, including KRITIS in Germany and similar laws across the EU and globally.
Date: 08.12.2025