
Closing the maturity gap in physical access: how Key2XS gets operators to CER compliance, fast, then right

Executive summary

European energy operators sit on uneven ground. Dutch DSOs are relatively advanced on digitalization, yet many still lag on key management. In Germany and elsewhere, manual sign-out sheets and ad-hoc approvals are still common. NIS2 and the CER Directive remove the wiggle room: board-level accountability, risk-based controls, provable governance, and auditable evidence across both IT and OT.

Key2XS is built to normalize that variance. It gives operators a single control plane to bind physical keys, cylinders, doors, people, roles, and time to the same identity fabric that governs IT, then it automates the maturity journey from “paper-based” to “policy-driven and auditable”.

The reality today

  • Fragmented workflows: Local spreadsheets, email approvals, and phone calls between dispatch, security, and field teams.

  • Identity drift: Contractors and externals keep keys beyond project end dates; revocation is slow or forgotten.

  • Zero auditability: Paper trails are not evidence under NIS2/CER scrutiny. Incident reconstruction is unreliable.

  • OT special cases: Remote sites, offline cylinders, and fail-safe needs make “pure IT” controls unrealistic.

A pragmatic maturity model for physical access governance

Level 0: Manual / Implicit Trust
  Paper logs, keys exchanged hand-to-hand, no time-bound rights, and no central register.

Level 1: Central register & basic custody
  Single inventory of keys/cylinders, named custodians, manual approvals captured in one place.

Level 2: Identity-bound access
  Tie keys and cards to people in the IAM source of truth (Entra ID, Okta, SailPoint, One Identity). Time windows and role-based templates introduced.

Level 3: Workflow & evidence
  Standardized approval flows (SoD, four-eyes), attestation cycles, automatic revocation on HR or vendor offboarding, exportable audit trails.

Level 4: Policy-as-code & automation
  Risk-based policies, emergency override with just-in-time access, geo/time fencing, anomaly detection, API-level integrations to alarm/SCADA dispatch.

Level 5: Continuous compliance
  Automated recertification, KPI/SLAs, incident-response playbooks linked to access controls, full CER control coverage with board-ready evidence.

Key2XS is engineered to move operators one rung at a time, without ripping and replacing lock systems or IAM.

How Key2XS closes gaps: capability map

1) Identity-anchored key and cylinder management

  • Native connectors to ASSA ABLOY CLIQ, iLOQ and other leading systems map doors/cylinders to digital identities and roles.

  • Role templates for field engineers, SCADA techs, and contractors enforce least privilege and time-boxed rights.

  • Just-in-time (JIT) activation: Keys activate via the app for a defined task window; scheduled auto-expire prevents “access creep”.

2) Approval workflows that scale from manual to automated

  • Start simple: digitize existing manual/written approvals as structured workflows (named approver, valid-from/until, purpose).

  • Step up: enable four-eyes for high-risk assets (e.g., HV substations), plus Segregation of Duties constraints baked in.

  • Automate: trigger approvals from work orders (EAM/CMMS), change tickets (ITSM), and maintenance plans, no extra emails.

3) Contractor lifecycle control

  • Identity federation: bind external staff identities to your IAM (guest B2B, HR-light), or let Key2XS manage a minimal external directory.

  • Auto-revocation: when a contract ends or a PO closes, keys and digital rights are withdrawn; custody is reconciled.

  • On-site onboarding: QR-driven pickup/return, e-signature of safety rules, and training checks at the door.

4) Offline-tolerant operations with auditable evidence

  • Edge reality: cylinders may be offline; Key2XS syncs event logs as soon as the key is re-provisioned or in range.

  • Tamper & exception capture: unusual access patterns, failed attempts, or out-of-window use raise alerts and create audit artifacts.

5) Alarm, monitoring, and dispatch integration

  • Alarm arming/disarming via key events (where supported): the same identity that unlocks can switch alarm state.

  • Policy-aware arming: auto-rearm after a set window; exceptions require explicit supervisor acknowledgement.

  • Event bus: forward enriched access events to SOC/SIEM for correlation with IT incidents (NIS2 incident handling).

6) Evidence, KPIs, and board-level reporting

  • Single source of truth: who had access, to what, when, under which approval, and why.

  • Regulatory packs: exportable reports aligned to the CER control areas (governance, risk, operations, resilience, supply chain).

  • KPIs: time-to-revoke, orphaned keys, attestation completion, SLA on high-risk approvals, exception rate per asset class.
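
As an added illustration (not Key2XS code, and not the product's own reporting format), the following Python computes three of the KPIs named above, time-to-revoke, orphaned keys and attestation completion, plus the revoke-SLA breaches that fall out of them, over a constructed custody register and an HR/PO offboarding feed. Record fields, identities, key ids and the 2-hour revoke SLA are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data for this example (not Key2XS records); field names
# and identifiers are assumptions. Timestamps come from the custody register.


@dataclass
class KeyRecord:
    key_id: str
    holder: str
    asset_class: str
    assigned_at: datetime
    revoked_at: Optional[datetime] = None   # None = key still outstanding


@dataclass
class Offboarding:
    identity: str            # HR leaver, or contractor whose PO closed
    effective_at: datetime   # the moment access should have ended


# Identities still active in the IAM source of truth (constructed).
ACTIVE_IDENTITIES = {"alice", "bob", "carol"}

KEYS = [
    KeyRecord("K-0101", "alice", "HV substation", datetime(2025, 1, 10, 9, 0)),
    KeyRecord("K-0102", "bob", "LV cabinet", datetime(2025, 2, 1, 9, 0)),
    KeyRecord("K-0103", "dave", "HV substation", datetime(2025, 1, 15, 9, 0), datetime(2025, 3, 1, 11, 30)),
    KeyRecord("K-0104", "dave", "LV cabinet", datetime(2025, 2, 10, 9, 0), datetime(2025, 3, 2, 9, 0)),
    KeyRecord("K-0105", "erin", "HV substation", datetime(2025, 2, 20, 9, 0)),   # leaver, never revoked
    KeyRecord("K-0106", "frank", "LV cabinet", datetime(2025, 1, 5, 9, 0)),      # holder unknown to IAM
]

OFFBOARDINGS = [
    Offboarding("dave", datetime(2025, 3, 1, 9, 0)),
    Offboarding("erin", datetime(2025, 3, 5, 17, 0)),
]

# Quarterly attestation: has the role owner re-confirmed this identity's access?
ATTESTATIONS = {"alice": True, "bob": True, "carol": False}


def orphaned_keys(keys, active_identities) -> list:
    """Outstanding keys whose holder is not an active identity: leavers whose keys
    were never revoked and 'unknown holder' keys both land here."""
    return sorted(k.key_id for k in keys
                  if k.revoked_at is None and k.holder not in active_identities)


def time_to_revoke_hours(keys, offboardings) -> dict:
    """Per offboarded identity: hours from the offboarding moment until the last of
    their keys was revoked; None while any of their keys is still outstanding."""
    result = {}
    for ob in offboardings:
        held = [k for k in keys if k.holder == ob.identity]
        if not held:
            continue
        if any(k.revoked_at is None for k in held):
            result[ob.identity] = None
            continue
        last = max(k.revoked_at for k in held)
        result[ob.identity] = max(0.0, (last - ob.effective_at).total_seconds() / 3600)
    return result


def revoke_sla_breaches(ttr, sla_hours=2.0) -> list:
    """Identities that missed the revoke SLA; an outstanding key counts as a breach."""
    return sorted(i for i, h in ttr.items() if h is None or h > sla_hours)


def attestation_completion(attestations) -> float:
    """Fraction of identities re-confirmed in the current attestation cycle."""
    if not attestations:
        return 0.0
    return sum(1 for ok in attestations.values() if ok) / len(attestations)


def kpi_report(keys=KEYS, offboardings=OFFBOARDINGS,
               active=ACTIVE_IDENTITIES, attestations=ATTESTATIONS) -> dict:
    """Board-level KPI pack built from the custody register and the IAM feed."""
    ttr = time_to_revoke_hours(keys, offboardings)
    return {
        "orphaned_keys": orphaned_keys(keys, active),
        "time_to_revoke_hours": ttr,
        "revoke_sla_breaches": revoke_sla_breaches(ttr),
        "attestation_completion": attestation_completion(attestations),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

On the constructed data, dave's last key was revoked 24 hours after his leaver date (an SLA breach), erin still holds a key after leaving, and frank's key is an "unknown holder" key; both of the latter show up as orphaned keys.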

Mapping to CER outcomes (operator language, not legalese)

  • Governance & Accountability: named control owners, CRO/CISO dashboards, immutable approval records.

  • Risk Management: risk-tiered sites and policies (e.g., Level 3+ requires four-eyes & JIT), documented exceptions.

  • Operational Resilience: offline-tolerant keys, emergency override with auditable second-factor, rapid revoke.

  • Supply-Chain Security: contractor identity assurance, expiring rights, procurement-linked revocation.

  • Event Handling & Reporting: SIEM integration, incident timelines with physical access evidence, post-incident attestation.

A realistic adoption path (90/180/365)

Days 0–90: Stabilize

  • Inventory all keys/cylinders and link to assets; ingest workforce and contractor identities.

  • Digitize current approval methods as workflows, no process shock.

  • Enforce basic time-boxing and mandatory check-in/return.

    Outcomes: single register, traceability, fewer lost keys, revocation in hours not weeks.

Days 91–180: Govern

  • Introduce role templates, SoD/four-eyes for high-risk assets, and quarterly attestations.

  • Connect to ITSM/EAM to auto-open approvals tied to work orders.

  • Turn on JIT activation and automatic re-arm of alarms.

    Outcomes: audit-ready evidence, measurable policy adherence, reduced exception noise.

Days 181–365: Automate & assure

  • Roll out policy-as-code with risk tiers, anomaly detection, and delegated admin for regions/vendors.

  • Enable contractor lifecycle automation (onboarding to revocation) and full SIEM integration.

  • Run a CER readiness assessment using Key2XS reports; close residual gaps.

    Outcomes: continuous compliance posture with board-level confidence.

What this means for different operator profiles

Mature DSOs (NL-style) with a weak spot in keys

  • Keep your IAM and SOC stack; plug Key2XS into CLIQ/iLOQ.

  • Go straight to Level 3–4: JIT, SoD, attestations, and policy-as-code for critical sites.

  • KPI focus: orphaned-key rate → near-zero; TTR (revoke) < 2 hours; attestation > 98%.

Operators using manual/written approvals (common in parts of DE)

  • Start with Level 1–2: digitize approvals, bind to IAM identities, enforce time-boxed custody.

  • Introduce two simple templates: “Routine maintenance” and “High-risk intervention.”

  • KPI focus: eliminate paper in 90 days; full custody chain; zero “unknown holder” keys.

Contractor-heavy TSOs and service providers

  • Prioritize guest identity federation and automated onboarding/offboarding.

  • Use geo/time fences and task-linked JIT to cut standing privileges.

  • KPI focus: standing vs. JIT ratio; contractor revocation SLA; exception approvals per 1,000 tasks.

Controls that move the needle (and are easy to defend in audits)

  • Time-bound rights by default. No open-ended access.

  • Four-eyes for Level-3+ assets. One approver is not enough.

  • JIT activation with automatic re-arm. Reduces window of exposure.

  • Quarterly attestations. Role owners re-confirm who needs what.

  • Auto-revocation on HR/PO close. Contracts end, access ends, no manual chase-up.

  • Immutable evidence. Every approval, activation, exception, and return is logged and exportable.
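
The following Python is an added example, not Key2XS code, of what these controls look like once written as policy-as-code: a request evaluator that enforces time-bound rights, four-eyes for tier-3 assets and SoD (requester cannot approve), a use-time JIT check that records out-of-window use as an exception (the exception capture described under capability 4), and a hash-chained evidence log whose verify() fails if any earlier entry is altered. Site identifiers, tier caps, request fields and the sample requests are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy tables (not Key2XS configuration): each site has a risk
# tier; the tier caps the JIT window and sets how many approvers are needed.
RISK_TIER = {"SUB-HV-07": 3, "CAB-LV-12": 1}     # assumed site ids -> tier
MAX_WINDOW_HOURS = {1: 24, 2: 12, 3: 4}          # JIT window cap per tier
REQUIRED_APPROVERS = {1: 1, 2: 1, 3: 2}          # four-eyes from tier 3 upwards


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    site: str
    valid_from: datetime
    valid_until: datetime
    purpose: str
    approvers: list


def evaluate_request(req: AccessRequest) -> list:
    """Policy-as-code: return every violation; an empty list means grantable."""
    tier = RISK_TIER.get(req.site)
    if tier is None:
        return ["unknown site: no risk tier assigned"]   # fail closed
    violations = []
    window = req.valid_until - req.valid_from
    if window <= timedelta(0):
        violations.append("time-bound rights: valid_until must be after valid_from")
    elif window > timedelta(hours=MAX_WINDOW_HOURS[tier]):
        violations.append(f"time-bound rights: window exceeds {MAX_WINDOW_HOURS[tier]}h cap for tier {tier}")
    if not req.purpose.strip():
        violations.append("purpose is mandatory for the audit trail")
    if req.requester in req.approvers:
        violations.append("SoD: requester may not approve their own request")
    distinct = set(req.approvers) - {req.requester}
    if len(distinct) < REQUIRED_APPROVERS[tier]:
        violations.append(f"four-eyes: tier {tier} needs {REQUIRED_APPROVERS[tier]} distinct approver(s)")
    return violations


@dataclass
class EvidenceLog:
    """Append-only, hash-chained record: every entry commits to the previous
    hash, so editing or deleting an earlier entry breaks verify()."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


def record_key_use(req: AccessRequest, used_at: datetime, log: EvidenceLog) -> str:
    """JIT check at use time: inside the approved window is normal; outside it is an
    exception that is still written to the evidence log as an audit artifact."""
    inside = req.valid_from <= used_at <= req.valid_until
    outcome = "ok" if inside else "exception:out-of-window"
    log.append({"type": "key_use", "request_id": req.request_id, "site": req.site,
                "holder": req.requester, "used_at": used_at, "outcome": outcome})
    return outcome


def demo() -> dict:
    """Constructed walk-through: a non-compliant and a compliant request for a
    tier-3 site, then two key uses checked against the approved window."""
    t0 = datetime(2025, 3, 10, 8, 0)
    bad = AccessRequest("REQ-1", "alice", "SUB-HV-07", t0, t0 + timedelta(hours=8), "", ["alice"])
    good = AccessRequest("REQ-2", "alice", "SUB-HV-07", t0, t0 + timedelta(hours=3),
                         "Relay test, work order WO-4711", ["bob", "carol"])
    log = EvidenceLog()
    log.append({"type": "approval", "request_id": good.request_id, "approvers": good.approvers})
    return {
        "bad_violations": evaluate_request(bad),
        "good_violations": evaluate_request(good),
        "use_inside_window": record_key_use(good, t0 + timedelta(hours=1), log),
        "use_outside_window": record_key_use(good, t0 + timedelta(hours=5), log),
        "log_intact": log.verify(),
    }


def tamper_demo() -> bool:
    """Rewriting an earlier entry's outcome after the fact must be detectable."""
    log = EvidenceLog()
    log.append({"type": "key_use", "outcome": "exception:out-of-window"})
    log.append({"type": "return", "outcome": "ok"})
    log.entries[0]["event"]["outcome"] = "ok"
    return log.verify()


if __name__ == "__main__":
    print(demo())
    print("tampered log verifies:", tamper_demo())
```

The non-compliant request trips four rules at once (window over the 4-hour cap, empty purpose, self-approval, fewer than two distinct approvers), which is the point of evaluating all rules rather than stopping at the first: the requester sees everything to fix, and the audit trail shows every control that fired.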

What you need from IT/OT to execute

  • Source of truth: HR + IAM directory in scope (employees + externals).

  • Lock estate map: cylinders/doors → sites/criticality.

  • Two approver pools: operations and security/compliance.

  • Integration points: IAM, ITSM/EAM, SIEM; optional alarm/dispatch link.

Why this works for NIS2/CER

CER and NIS2 don’t mandate brands; they mandate outcomes: governed risk, controlled access, rapid response, and evidence. Key2XS operationalizes these outcomes for the physical domain, in language your auditors and your field teams both accept. You get quick wins in 90 days and a straight path to continuous compliance within a year, without derailing operations.
🇬🇧 Privacy Policy – Key2XS

Last updated: April 4, 2025

At Key2XS, we highly value your privacy and the protection of personal data. This privacy policy explains what data we collect, why we collect it, and how we secure it.

1. Who we are

Key2XS B.V.
Kraanspoor 50, 1033 SE Amsterdam
Chamber of Commerce (KvK) number: 96651504
Email: info@key2xs.com
Website: www.key2xs.com

2. What personal data do we collect?

  • Full name
  • Email address
  • Phone number
  • Job title and company
  • IP address
  • Login credentials
  • Usage data from our software

3. Why do we process your data?

  • To provide our services
  • Account and access management
  • Customer communication
  • Legal compliance
  • Service improvement and security

4. Legal grounds for processing

  • Performance of a contract
  • Legal obligation
  • Legitimate interest
  • Consent

5. Data storage and hosting

All data is hosted and stored within the European Union. We use ISO-certified hosting providers that comply with the GDPR.

6. Sharing data with third parties

We do not share your data with third parties, unless legally required or necessary for our services. Data processors are bound by processing agreements.

7. Data security

We implement measures such as:

  • Encryption
  • Two-factor authentication
  • Access control
  • Regular security audits

8. Data retention

We retain data only as long as necessary or legally required.

9. Your rights

  • Access, correction, deletion
  • Restriction or objection
  • Data portability

Contact us at info@key2xs.com to exercise your rights.

10. Complaints

You may file a complaint with us or with the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl.

11. Changes

We reserve the right to update this privacy policy. Please check our website regularly for updates.