Perimetro
NIS2 2026

What NIS2 means for physical security

The NIS2 Directive (EU) 2022/2555 is being transposed into national law across the EU. Essential and important entities have new obligations in risk management, incident reporting, and supply chain security — including the physical layer.

Key dates

NIS2 implementation timeline

  1. 17 October 2024

    Transposition deadline

    Member states' deadline to transpose NIS2 into national law.

  2. April 2026 (PL)

    UKSC enters into force

    Poland's NIS2 transposition act enters into force.

  3. October 2026 (PL)

    Entity registration

    Deadline to register essential and important entities in the national list.

    We are here today
  4. April 2027 (PL)

    Full obligations

    Full obligations Chapter 3 — risk management, incident reporting, supply chain.

Regulatory analysis

Who is covered by NIS2 obligations

The NIS2 Directive (EU 2022/2555) introduces two categories of entities: essential and important. Essential entities include energy operators, digital infrastructure operators, transport, banking, healthcare, water utilities, and high-level public administration. Important entities include postal services, food production, waste management, mid-scale ICT providers, chemical manufacturing, and the research sector.

Member-state transposition is in progress across the EU. Germany's NIS2-Umsetzungsgesetz (5 December 2025) expanded the count of regulated entities from about 4,500 to about 30,000. Similar scale is expected across other member states — ENISA estimates several-fold growth versus the old NIS. If your organisation operates a critical infrastructure site, a large energy installation, a port, an airport, a data centre, a fuel terminal, or you are a mid-scale-or-larger ICT provider, you very likely fall in scope.

Most national transpositions assign registration to a national CSIRT or competent authority — registration windows typically run six months after the national law enters into force. Check your national supervisory authority for the exact deadline; the latest published transitions are at the European Commission's NIS Cooperation Group page.

What NIS2 means for physical security

The most common misunderstanding: NIS2 is not just about IT networks. Article 21(2) lists ten categories of technical, operational and organisational measures — including, explicitly, physical access controls, supply chain security and asset management. Item (j) requires policies and procedures for cryptography use and physical security measures where applicable.

Article 23 mandates an incident reporting cycle for significant incidents: an early warning within 24 hours of detection, a formal notification within 72 hours with preliminary root-cause and impact analysis, and a final report within one month. A significant incident is any event causing material operational disruption, affecting a significant number of users, or capable of causing substantial damage — including physical incidents impacting digital or operational infrastructure.

Article 21(2)(d) — supply chain security — is the most commonly underestimated requirement. Essential-entity operators must systematically assess ICT service suppliers, with particular attention to geographic concentration, jurisdiction, and the vendor's status against EU adequacy decisions. For systems using non-EU hardware components (drones, cameras, computer vision boxes), this requires documented risk analysis and a mitigation plan.

How Perimetro supports Article 21 obligations

Perimetro Platform delivers a documented physical-detection layer with an auditable event trail, designed against specific letters of Art. 21(2). Letter (a) — risk analysis and security policies: the audit log provides raw material for risk analysis (events, classifications, false positive rates) plus a threat scenario library for the SOC.

Letter (b) — incident handling: an event state machine with four operator actions (escalate, verify, mark as error, normal handling), an escalation chain with auditable timestamps on every action, and a built-in NIS2 Reporter — a wizard generating PDF + JSON for the 24h early warning and the 72h notification with auto-fill from the audit log.

Letter (c) — business continuity: the edge daemon runs offline (local event queue syncing when connectivity returns), Tower and Connect continue detection without cloud connectivity, Aero has autonomous return-to-home on connectivity loss. Letter (g) — cryptography: per-tenant Customer-Managed Keys, HMAC hash chain for the audit log (tamper-evident), TLS 1.3 + a per-device HMAC-SHA256 signature for edge ↔ cloud communication (with replay protection).

Letter (h) — access control: RBAC with five roles (operator, supervisor, NIS2 Reporting Officer, admin, auditor), MFA required for administrative roles, full access audit. Letter (i) — asset management: inventory of drones, docking stations, Connect cameras and tenant configurations in the operator panel.

The 24h/72h cycle — practical walkthrough

The question CISOs ask most often: "OK, but what does the NIS2 cycle actually look like for us?". Real workflow for an energy operator: T=0 (22:35) a drone on a night patrol detects a HIGH event (person in restricted zone, confidence 0.94, cross-validated RGB + thermal). Event encrypted per-tenant CMK, audit log entry hash-chained.

T+1.2s the event syncs to backend, push to the SOC console. T+47s operator clicks Escalate — webhook to client's Genetec Security Center, auto-recording activated, SMS + push to the Security Manager. T+10min the physical patrol detains the intruder. T+55min the NIS2 Reporting Officer logs in, clicks Generate NIS2 Early Warning. The wizard auto-fills: event details from the audit log, escalation chain with timestamps, sector classification, operator actions, linked artifacts (key frame with audit hash).

T+1h05min the Reporting Officer adds qualifying context (intent assessment, operational impact, scale), clicks Generate report — PDF + JSON ready in 15-25 seconds. Adds a qualified e-signature, submits to the national CSIRT (auto-submission or manual upload). Early Warning sent within 65 minutes of detection — 22h45min buffer for any follow-ups.

T+53h the Reporting Officer generates the full 72h Notification with the wizard auto-filling all Early Warning fields plus the additional ones (final root cause, impact assessment, mitigation measures). Without Perimetro: the Reporting Officer compiles the report manually from CCTV logs, SOC console, guard reports — typically 6-12 hours of compliance officer time plus risk of missing the 24h deadline on a night incident. With Perimetro: 45-90 minutes, full audit trail, deadline with a safe buffer.

Supply chain risk (Art. 21(2)(d))

Art. 21(2)(d) requires systematic supply chain risk assessment, particularly for direct ICT service suppliers. ENISA methodology: dependency identification (vendor + sub-processor list), criticality classification (critical/important/minor), vendor risk profile (jurisdiction, certifications, geographic concentration, EU adequacy status), mitigation measures (contractual, technical, operational), documentation in a vendor risk register.

What Perimetro pre-delivers for the client's NIS2 supply chain assessment: Perimetro Vendor Profile (pre-filled assessment template from client perspective), full sub-processor list (Google Workspace, Vercel as sub-processors), jurisdiction matrix (which data sits in which jurisdiction — all structured events in the EU), security certification status (ISO 27001 roadmap, ISO 42001 for AI management, SOC 2 type II).

For systems with non-EU hardware components (drones, cameras), Perimetro publishes a dedicated supply chain risk analysis with a vendor-swap migration plan. These artifacts reduce client effort from 2-4 weeks (standard from-scratch vendor assessment) to 3-5 days (review of the pre-filled material by the client's counsel).

Which product to choose for your horizon

Product choice depends on deadline horizon and site profile. Perimetro Connect is the fastest path — 7-30 days to a documented detection layer over existing CCTV monitoring. If you're registering as an essential entity and need to demonstrate a detection layer in the first quarter post-deadline, Connect matches that horizon.

Perimetro Tower (30-60 days) is the right choice for sites requiring dual-spectrum RGB + thermal at specific critical points — gates, transformers, restricted zones. Ideal for mapping Art. 8 (risk management) onto specific sub-points of a site. Electrical substations, fuel terminals, ports, airports, data centres — typical candidates.

Perimetro Aero (60-90 days) is the right choice for large and linear sites — high-voltage lines, PV and wind farms, large terminals, mines. Provides an auditable autonomous patrol with mission reports in the audit log. Often deployed as the third stage after Connect (fast detection) and Tower (fixed critical points), in the post-deadline horizon.

In every scenario all three products integrate into one Perimetro Platform with a shared audit log. You can start with Connect for fast compliance and expand with Tower and Aero in subsequent months without replacing the platform or re-configuring integrations with VMS, SIEM, SCADA and access control.

What NIS2 means for physical security