Your cyber strategy may have a physical security blind spot

ISJ hears from Steven Commander, Head of Consultants & Regulations, HID.

Securing a building used to mean locking the right doors.

In 2026, the door is where encryption and cybersecurity compliance start. For years, the security industry drew a clear dividing line: Physical security on one side, IT and cybersecurity on the other. Separate teams, separate budgets, separate mandates. That divide is disappearing.

What’s emerging in its place is a more complex landscape that demands a fundamentally different approach to how organisations design, deploy and evolve their access control infrastructure. 

The convergence of physical and cybersecurity is no longer a theoretical discussion. It is an operational reality reshaping procurement decisions, compliance requirements and risk profiles across every sector from critical infrastructure and government to financial services and enterprises.  

And for security integrators, technology partners and end-users alike, the central question is no longer whether to unify these disciplines; it’s how to do so without disrupting what already works. 

The walls between security domains are coming down 

Modern access control systems have evolved far beyond their original mandate.

Where once a reader at a door simply authenticated a credential and triggered a lock, today's systems are deeply integrated with IT networks, HR platforms, building management infrastructure and cloud-based management consoles. That integration has expanded both the strategic value of the access control system and its attack surface.

HID’s 2026 State of Security and Identity Report, which surveyed more than 1,500 end-users and industry partners, puts a number on what security professionals have been sensing for some time: 75% of organisations have already deployed or are actively evaluating converged physical-digital identity solutions. 

Managing fragmented systems is now the primary challenge, cited by 52% as their single biggest barrier. And, with 60% planning to increase spending on identity management this year, the question has shifted from whether to converge physical and cybersecurity to how fast.

That urgency isn't abstract. A compromised access control system doesn't just expose data; it lets attackers enter restricted physical areas, disable alarms, alter permissions and steal proprietary information.

When physical and cyber threats intersect at the perimeter, a single vulnerability can carry consequences across both domains at once. That risk has only grown as threat actors become more sophisticated and regulatory pressure across Europe continues to harden.

Compliance is the new forcing function 

The mandate now arrives from two directions at once: From the threat landscape and from regulators who are no longer prepared to wait.

Across Europe in particular, governments and standards bodies are moving from guidance to mandate on what the industry calls transparent architecture in access control: the principle that the encryption keys protecting the system remain under the exclusive control of the organisation rather than the technology vendor.

This shift represents a significant departure from how many legacy systems have historically operated. Traditional access control deployments often rely on shared or vendor-managed key structures that provide convenience at the expense of sovereign control: a key the organisation does not hold is one it cannot rotate or revoke on its own terms.

As nation-states and state-sponsored actors increasingly target critical infrastructure, regulators in France, Germany, the UK and the Nordics are demanding architectures that close perimeter vulnerabilities and give organisations full visibility into, and control over, their own security data.

For organisations facing these mandates, the instinctive response is often the most disruptive and expensive one: Replacing controllers, reconfiguring physical access control system (PACS) software and reissuing credentials across the entire user base.

In large or complex facilities, that can mean months of operational disruption, significant capital expenditure and substantial business risk during the transition window. But full replacement is rarely the only path to compliance. And, increasingly, it isn’t the best one. 

Intelligent architecture: Protecting investments while eliminating risk 

The most consequential shift in how forward-thinking organisations approach compliance is not a product decision but an architectural philosophy.

The principle is simple: Addressing vulnerabilities precisely where they exist instead of replacing an entire access control infrastructure. 

This approach, described as gateway-based or transparent architecture, allows organisations to achieve compliance at high-risk entry points without touching the controllers, software or credentials that underpin their existing investment.

Encryption key management is decoupled from the reader layer and placed firmly in the hands of the organisation. Perimeter vulnerabilities are closed where they matter most, while low-risk areas continue to operate as before. The result is a phased, scalable path to full compliance that respects both security priorities and budget realities.

Critically, this model works with existing controllers that support OSDP (Open Supervised Device Protocol) and requires no PACS software integration. One check worth making before relying on that compatibility: confirm that the controller's OSDP implementation supports OSDP Secure Channel, since without it the OSDP link itself runs in the clear. With that in place, integrators can deliver compliance outcomes for customers without the overhead of custom engineering, and end-users can keep using their current credentials through the transition.

Deployment requires no downtime, no system reconfiguration and no credential reissuance. Organisations can pursue compliance selectively, starting with the entry points that carry the highest risk. 

For integrators and OEM partners, the business case is equally strong. The ability to respond to compliance-driven tenders with a cost-effective, infrastructure-preserving solution based on open European and international standards, including EN IEC 60839 (whose Part 11 series covers electronic access control systems), is a significant competitive differentiator.

It positions integrators to respond credibly to government agencies, critical infrastructure operators and high-security facilities that face regulatory deadlines but lack the appetite for wholesale replacement. 

The intelligence layer: Building for what comes next 

Compliance, however, is not a destination. Regulatory requirements evolve and threat landscapes shift. The access control systems organisations deploy today must be capable of adapting to mandates and scenarios that don't yet exist. This is where the concept of an evolutive platform, one engineered to take on capabilities it was not originally specified for, becomes critically important.

The most forward-looking access control architectures being deployed today are not simply designed to meet current standards; they are engineered to accommodate AI-enabled use cases, real-time threat intelligence and deeper integration with enterprise security operations centres.

Processor architectures that support machine learning capabilities at the edge are enabling a new generation of intelligent security functions: Behavioural analytics, anomaly detection, predictive access management and automated response. 

This matters because the unification of physical and cybersecurity is not a static convergence. It is a dynamic and ongoing integration.

As cloud-based management platforms become the norm, as mobile credentials displace physical cards and as biometric authentication layers into multi-factor architectures, the access control layer becomes an increasingly rich source of security intelligence. It belongs in the same operational picture as network traffic analysis, endpoint detection and identity and access management.

The organisations that will be best positioned in this environment are those that treat today’s compliance upgrade not as a cost to be minimised, but as an investment in an adaptive, intelligent security infrastructure. Sovereign control over encryption keys today becomes the foundation for AI-assisted anomaly detection tomorrow. 

What security leaders should be asking now 

For CISOs, physical security directors and the integrators who advise them, the practical question is where to start. The convergence agenda can feel vast and complex.

But the most effective approach is to begin with an honest audit of where the greatest perimeter risk currently exists and to identify which entry points, if compromised, would carry the most severe consequence. 

From there, the architectural question becomes cleaner: Can existing infrastructure be extended and hardened at those specific high-risk points, while preserving the investment that has already been made?

In most cases, the answer is yes, provided the solution deployed is built on open standards, compatible with existing controller infrastructure and designed to evolve alongside both the threat environment and the regulatory landscape. 

The era of siloed physical and cybersecurity is ending. What replaces it is a more resilient, more intelligent approach to protecting the people, assets and data organisations depend on.

The perimeter has changed, so the architecture organisations deploy today will determine how well they can respond to what comes next. 
