2N urges tougher cyber rules for access control devices

2N has urged manufacturers of digital intercoms and access control devices to go beyond compliance with the EU's Cyber Resilience Act, calling for stronger vulnerability reporting, tighter component sourcing and closer supply-chain scrutiny.

The appeal comes as the EU prepares to require companies to report actively exploited vulnerabilities and major incidents in digital products. The rules will apply to connected devices sold in Europe, including access control systems used in buildings, campuses and other sites where cyber risk can affect physical security.

Figures cited by 2N show that 54% of organisations worldwide have already experienced an internet-of-things-related security breach, and 60% of those incidents were linked to unpatched vulnerabilities. The legislation also carries financial penalties, with violations punishable by fines of up to 2.5% of worldwide annual turnover or EUR 15 million.

2N, which makes IP intercoms and access control products, expects the new framework to raise standards not only for product design but also for support lifecycles, patching and default settings. It argues that buyers will increasingly favour vendors that can demonstrate clear processes for identifying security problems and resolving them throughout a device's life.

"Cybersecurity doesn't start with technology, but with awareness and a culture of responsibility," said Michal Kratochvíl, Chief Executive Officer, 2N.

"By integrating robust frameworks and transparent vulnerability management processes, we manage to stay on top of regulation. New directives are usually in line with the practices we have been sustaining for years," Kratochvíl said.

Supply Chain

Component sourcing is one area 2N highlighted. It said CRA requirements can be met by using secure components, including EU-approved microchips and suppliers, backed by vendor due diligence and checks across the supply chain.

Broader market conditions may reinforce that pressure. Citing a MarketsandMarkets forecast, 2N noted that the access control market is expected to grow from USD 10.62 billion in 2025 to USD 15.80 billion by 2030, potentially intensifying competition among suppliers over security credentials as well as product features.

The company pointed to deployments in data centres, banks, schools and residential buildings as examples of sectors where cyber resilience in access control is already a practical requirement. In one higher-education project in New York, it was asked to build a unified security centre for a university with 18,000 students, with a focus on remote monitoring and protecting biometric data.

"Our device count continues to grow and evolve in response to the degree of threats we're seeing on our campus and across the country," said Dave Martin, Security Infrastructure and Support Department for Binghamton University.

"Our goal is to make sure the technology helps our university police department stay situationally aware of what's happening on campus before, during, and after any kind of critical incident," Martin said.

2N added that configuration and management for complete access systems is handled through its Access Commander software, which lets operators set permissions in bulk for doors and zones. The system can also be expanded to include time and attendance functions, with records viewed through a web interface or exported in spreadsheet formats.

Reporting Issues

Vulnerability disclosure is a second area of focus. Under the incoming rules, manufacturers will need formal processes for identifying, assessing and communicating security issues. For suppliers serving sensitive environments, 2N said public handling of vulnerabilities should be seen as part of customer trust, not a sign of weakness.

It urged manufacturers to create dedicated channels through which researchers and customers can report security concerns. 2N also noted that it has been recognised by the Common Vulnerabilities and Exposures programme as a CVE Numbering Authority, allowing it to assign CVE identifiers to verified vulnerabilities in its own products.

"In recent years, we have been contacted by security researchers, agencies, and customers reporting potential vulnerabilities in our products," said Michal Kratochvíl, Chief Executive Officer, 2N.

"By becoming a CNA, we can now respond faster and share verified information directly, building even greater trust with our partners," Kratochvíl said.

Support Terms

2N also argued that buyers should pay closer attention to update commitments and end-of-support terms when purchasing connected products. In practice, that means asking how long security updates will be issued, how support will end and how urgent patches are delivered.

The company said it offers a five-year warranty across its product range. It also highlighted the latest version of its IP Force intercom, describing it as an update to one of its best-selling models and noting its use of the Axis ARTPEC-8 chipset.

"We offer a five-year warranty on all products. One of our newest products is 2N IP Force 2.0, an upgrade of 2N's second-most successful intercom ever. From schools in New York to the F1 Circuit in Belgium, it found a global popularity due to its extreme resilience. The new generation of 2N IP Force retains its trademark durability but has a range of new features thanks to the Axis ARTPEC-8 chipset, something our customers have been asking for," said Tomáš Vystavěl, Chief Product Officer, 2N.

Since joining Axis Group in 2016, 2N said it has built its systems around EU- and NDAA-compliant components, long-term support and formal vulnerability handling.