Op-ed: Physical and Logical Security – Two Fronts, One Single Battle

by SPAC Alliance | November 2025 | Press Publications

Translation of an op-ed published on L’Essentiel de l’Éco – NIS 2 and the CRA: Vincent Dupart, President of SPAC Alliance, explains how these European regulations require a complete rethink of both cybersecurity and physical security.

In the collective mind, cybersecurity first evokes the protection of digital systems. While these systems are vulnerable from the inside (malicious emails, compromised credentials, etc.), they also rely on physical infrastructure (offices, data centers, factories, etc.) that can itself fall victim to intrusions. New European regulations, such as the NIS 2 Directive and the CRA (Cyber Resilience Act), should rightfully bring physical security back to the heart of cyber strategies.

The physical threat: a reality that must now be confronted.

We have long lived with a “disembodied” vision of cybersecurity, focused solely on software attacks. Yet physical attacks are very real and often support cyberattacks. These are known as hybrid attacks. Groups such as Killnet or Sandworm now combine cyberattacks and physical intrusions to sabotage critical infrastructure, particularly in territories at war or in tense geopolitical contexts. In 2023, French telecom facilities were deliberately damaged, causing loss of connectivity for healthcare institutions and local authorities.

The cost of theft or sabotage of physical data can exceed several million euros in operational repercussions, GDPR penalties or loss of customer trust. According to recent studies, 60% of organisations report having suffered a physical security breach in the past 12 months. The average cost of such an intrusion for an SME is estimated at $450,000. It is therefore not only a regulatory requirement, but a strategic imperative. Physical security is the anchor point of our cybersecurity. It must not be neglected.

NIS 2, CRA: a turning point for physical security.

Currently being transposed in France, the European NIS 2 Directive raises the overall level of cybersecurity for organisations across 18 sectors designated as critical. These include public administrations, healthcare, research, transport and the banking sector. A distinction has been made between two levels of criticality: essential entities (250 employees or annual turnover above 50 million euros) and important entities (at least 50 employees or annual turnover and balance sheet above 10 million euros). What marks a real turning point – and must be welcomed – is the explicit integration of physical security into compliance requirements. Essential entities are required to implement access control mechanisms (video surveillance, guarding, alarms), rigorous access rights management, as well as traceability of both external and internal access.

As for the CRA, it reinforces this evolution by requiring digital manufacturers to integrate physical security requirements from the design stage and throughout the product’s lifecycle. The compliance framework now used for the SecNumCloud label or in response to certain sectoral requirements (OIV, OSE) reflects this shift toward the protection of technical premises, server rooms and physical access. Physical security has now become a firm regulatory expectation for all essential entities.

With NIS 2 and the CRA, the European Union places physical security back at the core of cybersecurity. This is a major step forward, recognising that protecting our access points, infrastructures and environments strengthens digital trust. By establishing physical security as the first line of defence, Europe is paving the way for more comprehensive and resilient cybersecurity.

Vincent Dupart – President of SPAC Alliance
Published on 6 November 2025 on the website L’Essentiel de l’Éco.