Executive summary
European energy operators sit on uneven ground. Dutch DSOs are relatively advanced on digitalization, yet many still lag on key management. In Germany and elsewhere, manual sign-out sheets and ad-hoc approvals are still common. NIS2 and the CER Directive remove the wiggle room: board-level accountability, risk-based controls, provable governance, and auditable evidence across both IT and OT.
Key2XS is built to normalize that variance. It gives operators a single control plane to bind physical keys, cylinders, doors, people, roles, and time to the same identity fabric that governs IT, then it automates the maturity journey from “paper-based” to “policy-driven and auditable”.
Fragmented workflows: Local spreadsheets, email approvals, and phone calls between dispatch, security, and field teams.
Identity drift: Contractors and externals keep keys beyond project end dates; revocation is slow or forgotten.
Zero auditability: Paper trails are not evidence under NIS2/CER scrutiny. Incident reconstruction is unreliable.
OT special cases: Remote sites, offline cylinders, and fail-safe needs make “pure IT” controls unrealistic.
| Level | Description |
| Level 0: Manual / Implicit Trust | Paper logs, keys exchanged hand-to-hand, no time-bound rights, and no central register. |
| Level 1: Central register & basic custody | Single inventory of keys/cylinders, named custodians, manual approvals captured in one place. |
| Level 2: Identity-bound access | Tie keys and cards to people in the IAM source of truth (Entra ID, Okta, SailPoint, One Identity). Time windows and role-based templates introduced. |
| Level 3: Workflow & evidence | Standardized approval flows (SoD, four-eyes), attestation cycles, automatic revocation on HR or vendor offboarding, exportable audit trails. |
| Level 4: Policy-as-code & automation | Risk-based policies, emergency override with just-in-time access, geo/time fencing, anomaly detection, API-level integrations to alarm/SCADA dispatch. |
| Level 5: Continuous compliance | Automated recertification, KPI/SLAs, incident-response playbooks linked to access controls, full CER control coverage with board-ready evidence. |
Key2XS is engineered to move operators one rung at a time, without ripping and replacing lock systems or IAM.
Native connectors to ASSA ABLOY CLIQ, iLOQ and other leading systems map doors/cylinders to digital identities and roles.
Role templates for field engineers, SCADA techs, and contractors enforce least privilege and time-boxed rights.
Just-in-time (JIT) activation: Keys activate via the app for a defined task window; scheduled auto-expire prevents “access creep”.
Start simple: digitize existing manual/written approvals as structured workflows (named approver, valid-from/until, purpose).
Step up: enable four-eyes for high-risk assets (e.g., HV substations), plus Segregation of Duties constraints baked in.
Automate: trigger approvals from work orders (EAM/CMMS), change tickets (ITSM), and maintenance plans, with no extra emails.
Identity federation: bind external staff identities to your IAM (guest B2B, HR-light), or let Key2XS manage a minimal external directory.
Auto-revocation: when a contract ends or a PO closes, keys and digital rights are withdrawn; custody is reconciled.
On-site onboarding: QR-driven pickup/return, e-signature of safety rules, and training checks at the door.
Edge reality: cylinders may be offline; Key2XS syncs event logs as soon as the key is re-provisioned or in range.
Tamper & exception capture: unusual access patterns, failed attempts, or out-of-window use raise alerts and create audit artifacts.
Alarm arming/disarming via key events (where supported): the same identity that unlocks can switch alarm state.
Policy-aware arming: auto-rearm after a set window; exceptions require explicit supervisor acknowledgement.
Event bus: forward enriched access events to SOC/SIEM for correlation with IT incidents (NIS2 incident handling).
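The exception capture and event-bus forwarding described above, as an added illustration (not Key2XS's own code or schema): each access event is judged against its approval window using the time stamped at the door, so events that arrive late from an offline cylinder are still classified correctly and only carry an extra sync flag. Identifiers, the one-hour sync tolerance and the sample log are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample approval (hypothetical identifiers): key K-17 may open the
# HV-substation cylinder SUB-HV-04 only within this task window.
APPROVALS = {
    ("K-17", "SUB-HV-04"): (datetime(2024, 5, 6, 8, 0), datetime(2024, 5, 6, 12, 0)),
}
SYNC_LAG_THRESHOLD = timedelta(hours=1)  # assumed tolerance for offline cylinders

@dataclass
class KeyEvent:
    key_id: str
    cylinder_id: str
    result: str              # "granted" or "denied", as recorded at the cylinder
    event_time: datetime     # stamped at the door, even while offline
    received_time: datetime  # when the log reached the control plane

def enrich(ev: KeyEvent) -> dict:
    """Classify one access event and return a SIEM-ready record with flags."""
    window = APPROVALS.get((ev.key_id, ev.cylinder_id))
    flags = []
    if ev.result == "denied":
        flags.append("failed_attempt")
    elif window is None:
        flags.append("no_approval")        # granted, but no approval on record
    elif not (window[0] <= ev.event_time <= window[1]):
        flags.append("out_of_window")      # granted outside the approved window
    if ev.received_time - ev.event_time > SYNC_LAG_THRESHOLD:
        flags.append("delayed_sync")       # offline cylinder: judge by event_time, never received_time
    if {"no_approval", "out_of_window"} & set(flags):
        severity = "high"
    elif "failed_attempt" in flags:
        severity = "medium"
    else:
        severity = "info"
    return {"key": ev.key_id, "cylinder": ev.cylinder_id, "result": ev.result,
            "event_time": ev.event_time.isoformat(), "flags": flags, "severity": severity,
            "approval_window": [w.isoformat() for w in window] if window else None}
# Constructed sample log: in-window use, a late-synced out-of-window use, and a
# failed attempt on a cylinder with no approval at all.
SAMPLE_EVENTS = [
    KeyEvent("K-17", "SUB-HV-04", "granted", datetime(2024, 5, 6, 9, 30), datetime(2024, 5, 6, 9, 31)),
    KeyEvent("K-17", "SUB-HV-04", "granted", datetime(2024, 5, 6, 19, 5), datetime(2024, 5, 7, 7, 40)),
    KeyEvent("K-17", "SUB-LV-09", "denied", datetime(2024, 5, 6, 19, 20), datetime(2024, 5, 7, 7, 40)),
]
def alerts(events):
    """Only records a SOC should see: anything above 'info'."""
    return [r for r in map(enrich, events) if r["severity"] != "info"]
```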
Single source of truth: who had access, to what, when, under which approval, and why.
Regulatory packs: exportable reports aligned to the CER control areas (governance, risk, operations, resilience, supply chain).
KPIs: time-to-revoke, orphaned keys, attestation completion, SLA on high-risk approvals, exception rate per asset class.
Governance & Accountability: named control owners, CRO/CISO dashboards, immutable approval records.
Risk Management: risk-tiered sites and policies (e.g., Level 3+ requires four-eyes & JIT), documented exceptions.
Operational Resilience: offline-tolerant keys, emergency override with auditable second-factor, rapid revoke.
Supply-Chain Security: contractor identity assurance, expiring rights, procurement-linked revocation.
Event Handling & Reporting: SIEM integration, incident timelines with physical access evidence, post-incident attestation.
Days 0–90: Stabilize
Inventory all keys/cylinders and link to assets; ingest workforce and contractor identities.
Digitize current approval methods as workflows, without process shock.
Enforce basic time-boxing and mandatory check-in/return.
Outcomes: single register, traceability, fewer lost keys, revocation in hours not weeks.
Days 91–180: Govern
Introduce role templates, SoD/four-eyes for high-risk assets, and quarterly attestations.
Connect to ITSM/EAM to auto-open approvals tied to work orders.
Turn on JIT activation and automatic re-arm of alarms.
Outcomes: audit-ready evidence, measurable policy adherence, reduced exception noise.
Days 181–365: Automate & assure
Roll out policy-as-code with risk tiers, anomaly detection, and delegated admin for regions/vendors.
Enable contractor lifecycle automation (onboarding to revocation) and full SIEM integration.
Run a CER readiness assessment using Key2XS reports; close residual gaps.
Outcomes: continuous compliance posture with board-level confidence.
Mature DSOs (NL-style) with a weak spot in keys
Keep your IAM and SOC stack; plug Key2XS into CLIQ/iLOQ.
Go straight to Level 3–4: JIT, SoD, attestations, and policy-as-code for critical sites.
KPI focus: orphaned-key rate → near-zero; TTR (revoke) < 2 hours; attestation > 98%.
Operators using manual/written approvals (common in parts of DE)
Start with Level 1–2: digitize approvals, bind to IAM identities, enforce time-boxed custody.
Introduce two simple templates: “Routine maintenance” and “High-risk intervention.”
KPI focus: eliminate paper in 90 days; full custody chain; zero “unknown holder” keys.
Contractor-heavy TSOs and service providers
Prioritize guest identity federation and automated onboarding/offboarding.
Use geo/time fences and task-linked JIT to cut standing privileges.
KPI focus: standing vs. JIT ratio; contractor revocation SLA; exception approvals per 1,000 tasks.
Time-bound rights by default. No open-ended access.
Four-eyes for Level-3+ assets. One approver is not enough.
JIT activation with automatic re-arm. Reduces window of exposure.
Quarterly attestations. Role owners re-confirm who needs what.
Auto-revocation on HR/PO close. Contracts end, access ends, no manual chase-up.
Immutable evidence. Every approval, activation, exception, and return is logged and exportable.
Source of truth: HR + IAM directory in scope (employees + externals).
Lock estate map: cylinders/doors → sites/criticality.
Two approver pools: operations and security/compliance.
Integration points: IAM, ITSM/EAM, SIEM; optional alarm/dispatch link.
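The design principles and the prerequisites listed above, combined into one policy-as-code check as an added example (not Key2XS's own engine or API): a key-activation request is evaluated against a bounded window, the requester's contract end, and the two approver pools, and the result is returned as an audit record that names every reason. The identifiers, the 8-hour window cap and the sample request are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inputs (hypothetical identifiers, not Key2XS's own schema).
RISK_TIER = {"SUB-HV-04": 3, "DEPOT-NL-02": 1}   # lock estate map: cylinder -> risk tier
APPROVER_POOL = {"anna": "operations", "bram": "operations", "carla": "security"}
IDENTITIES = {                                    # HR + IAM directory, employees and externals
    "dirk": {"kind": "contractor", "contract_end": datetime(2024, 6, 30)},
    "eva": {"kind": "employee", "contract_end": None},
}
MAX_WINDOW = timedelta(hours=8)                   # assumed cap on one task window

def evaluate(req: dict, now: datetime) -> dict:
    """Apply the design principles to one key-activation request.
    req keys: requester, cylinder, valid_from, valid_until, approvers (names).
    Returns an audit record carrying the decision and every reason for it."""
    reasons = []
    ident = IDENTITIES.get(req["requester"])
    tier = RISK_TIER.get(req["cylinder"])
    if ident is None or tier is None:
        reasons.append("unknown requester or cylinder")
    # Time-bound rights by default: a bounded window that has not already passed.
    if req["valid_until"] <= req["valid_from"] or req["valid_until"] < now:
        reasons.append("window must be bounded and end in the future")
    elif req["valid_until"] - req["valid_from"] > MAX_WINDOW:
        reasons.append("window exceeds the maximum task window")
    # Auto-revocation on contract/PO close: rights can never outlive the contract.
    if ident and ident["contract_end"] and ident["contract_end"] < req["valid_until"]:
        reasons.append("window extends beyond contract end")
    # Approvals: no self-approval; tier 3+ needs four-eyes from two distinct pools (SoD).
    pools = [APPROVER_POOL.get(a) for a in req["approvers"]]
    if req["requester"] in req["approvers"] or None in pools:
        reasons.append("self-approval or unknown approver")
    if not pools:
        reasons.append("at least one approver required")
    elif tier is not None and tier >= 3 and len(set(pools)) < 2:
        reasons.append("tier 3+ requires two approvers from distinct pools")
    return {"decision": "grant" if not reasons else "deny", "reasons": reasons,
            "requester": req["requester"], "cylinder": req["cylinder"], "tier": tier,
            "approvers": list(req["approvers"]), "valid_from": req["valid_from"].isoformat(),
            "valid_until": req["valid_until"].isoformat(),   # JIT: key auto-expires here
            "evaluated_at": now.isoformat()}

# Constructed request: contractor dirk, HV substation, 4-hour window, ops + security approvers.
SAMPLE_REQUEST = {"requester": "dirk", "cylinder": "SUB-HV-04",
                  "valid_from": datetime(2024, 5, 6, 8, 0), "valid_until": datetime(2024, 5, 6, 12, 0),
                  "approvers": ["anna", "carla"]}

if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST, datetime(2024, 5, 6, 7, 0)))
```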
CER and NIS2 don’t mandate brands; they mandate outcomes: governed risk, controlled access, rapid response, and evidence. Key2XS operationalizes these outcomes for the physical domain, in language your auditors and your field teams both accept. You get quick wins in 90 days and a straight path to continuous compliance within a year, without derailing operations.