In today’s landscape, cybersecurity and data protection have become critical priorities for operators of essential services. From utilities to transportation, organisations are under increasing pressure to comply with new regulations such as NIS2 in Europe, KRITIS in Germany and international standards like ISO 27001. Yet, confusion remains. Many still wonder whether NIS2 is a directive, a certification, or merely a set of best practices. Others question whether ISO 27001 alone is sufficient, or how KRITIS interacts with these frameworks.

At ISEO, we believe clarity is essential. NIS2 is a European directive that establishes mandatory requirements for operators of essential services. ISO 27001 is a voluntary international standard that provides a systematic approach to managing information security. KRITIS is a German regulatory framework targeting critical infrastructures. These instruments are not mutually exclusive. Together, they shape a robust approach to risk management and resilience.

What matters most, however, is not ticking boxes but building trust. For years, ISEO has applied security-by-design principles to access management, combining mechanical verification, digital authorisation and auditable traceability. These foundations help operators meet regulatory obligations while maintaining operational continuity.

At ISEO, we don’t just support our clients in achieving compliance; we hold ourselves to the same high standards within our own solutions and processes. We view compliance as a baseline, not the end goal. Our role as a trusted partner is to guide clients beyond compliance, towards resilience and long-term confidence.

Why critical infrastructures demand more

Utilities, transportation networks and other operators of essential services are particularly exposed to cyber and physical threats. Power substations operate without permanent staff. Water treatment plants manage distributed access points essential to public health. Gas compression stations require strict protocols to prevent catastrophic consequences. Rail and metro sites must coordinate multiple contractors and third parties on a daily basis. In these contexts, even a single breach can disrupt entire communities, cause significant economic damage and undermine public confidence.

This is why the debate between NIS2, ISO 27001 and KRITIS cannot remain theoretical. Operators need solutions that work in practice, under real-world conditions.


ISEO’s practical approach: the F9000 family

A distinctive element of ISEO’s offering for these sectors is the F9000 mechatronic product family. F9000 combines mechanical verification and digital authorisation within a single, physical credential. Opening a lock requires both the correct mechanical profile of the key (pins and counter-pins, cuts or bittings) and the appropriate digital permissions stored in the key’s memory, read by induction when the key is inside the cylinder.

This “dual verification” model functions much like two-factor authentication, but it is achieved with a single physical device. A purely digital credential breach is not sufficient to open a door: an attacker would also need a compatible physical key. Furthermore, F9000 cylinders, padlocks and devices are stand-alone: they have no external network connectivity and exchange information only with ISEO programming and user keys. As a result, the typical remote attack vectors aimed at networked access devices are impractical in this architecture.

Integration with wider systems

Beyond intrinsic product resilience, ISEO’s approach is pragmatic and integrative. Our mechatronic hardware works seamlessly with LSA software modules and can be incorporated into customers’ asset management workflows (CMMS), OT/SCADA incident procedures and lone-worker systems without exposing critical control networks.

The result is a layered defence: strong, auditable access control at the physical edge; software support for policy management and traceability; and minimal attack surface because field devices are intentionally offline. For operators of utilities and other critical infrastructures, this combination translates into lower operational risk, clearer audit trails and a security posture that supports (not conflicts with) compliance obligations such as NIS2, KRITIS or ISO 27001.


Looking beyond compliance

Cybersecurity threats evolve faster than regulations can be written. That is why ISEO encourages its partners to view compliance as a minimum baseline rather than a final objective. True resilience demands more: technology designed for the operational realities of critical infrastructures, solutions that integrate with existing control environments, and a partner with decades of proven expertise in both physical and digital security.

In an era of growing interdependence between IT (Information Technology) and OT (Operational Technology), the ability to trust access management is no longer optional; it is fundamental. ISEO stands ready to support operators of essential services with solutions that embed security by design, provide clarity amid regulatory complexity, and deliver confidence that extends well beyond compliance.