"NIS2 - for dummies": what, why and what you do today

Some of your tenants have already started asking about NIS2 - or they will soon. Behind the acronym are new requirements on how to protect your connected buildings, who can enter which spaces and how to prove it afterwards. Here we explain in a simple way what NIS2 means for property owners and commercial tenants - and how Parakey can make the access control system one of the things you can check off with a clear conscience.

What is NIS2? - short and understandable

NIS2 is the EU's updated regulatory framework to enhance the cybersecurity of critical and essential activities. It tightens the requirements for:

• how management and the board take responsibility for cybersecurity,
• how risks are managed in practice,
• how suppliers and contracts are monitored,
• how incidents are detected and reported.

Most real estate companies are not on the NIS2 list themselves. But many of your tenants are - banks, municipal operations, energy companies, healthcare, digital infrastructure. They, in turn, need to show that their suppliers, including the property owner, are not the weak link. And all it takes to qualify is a 5G mast mounted on the roof.

Why property owners should care

A modern office building is more computer than concrete. The building is full of connected systems: business systems, ventilation, elevator, fire alarm, access, parking, flex/coworking platforms, cameras and networks. If any of this goes down due to a cyber incident, it affects operations, security and customer relations.

Add NIS2 regulated tenants who start asking questions:
What is the access control? Do you have logs? How do you handle incidents? What requirements do you place on your suppliers?
The property owner who can answer concretely and calmly will be perceived as a safer partner.

In addition, NIS2 is an opportunity. Being able to say "we work in a structured way with cybersecurity" becomes part of your offer - just like energy, environmental certifications and service levels.

Think NIS2 as fire protection rules for digital systems

It's easy to get lost in articles, annexes and abbreviations. That's why it's good to translate NIS2 into something everyone in the real estate world recognizes: fire protection.

A functioning fire protection system includes:

• Technology - Fire extinguishers, sprinklers, fire doors.
• Procedures - evacuation plans, drills, rounds.
• Documentation - drawings, instructions.
• Responsible - someone who actually owns the issue.

NIS2 requires essentially the same thing, but for networks, systems and data:

• Technology - encryption, access control, segmentation, backup, logging.
• Procedures - incident plan, reporting flow, exercises.
• Documentation - risk analyses, policies, processes, supplier requirements.
• Responsible persons - management and designated roles in the business.

The good thing is that a lot of this already exists in some form - NIS2 is about raising the bar, closing the gaps and being able to show what you actually do.

Use case: where NIS2 becomes concrete in the house

Imagine an equipment rooms with a mixed heritage: some mechanical keys, some fobs, a couple of contractors who "always had access". No one really knows who has what where traceability and logs are thin or non-existent.

From a NIS2 perspective, this is a red flag. The technology room is directly linked to operations and security. If you have instead:

• personalized, mobile keys,
• time-controlled access for entrepreneurs,
• logs of who entered and when,

it suddenly becomes much easier to both sleep well and answer questions from a demanding tenant.

Flex and coworking is another example. Many users, short contracts, several different types of spaces. The requirement is that it should be flexible - but also that you know who can come in where and when. Mobile access, automation of key management and good logs are almost a hygiene factor.

How Parakey helps you check off access control system on the NIS2 list

Parakey replaces physical keys, fobs and cards with mobile keys. Behind the scenes, there are three parts: a cloud service that handles key management (and can be automated), an app that is the user's keychain, and hardware at the door that is not connected to the internet.

For you as a property owner, this means:

• Secure technology - Encrypted communication between app, cloud and hardware that is offline, reducing the attack surface and supporting the requirements for secure communication channels.
• Resilience - Doors can be unlocked even when the internet is down. Key management is centralized, but opening is local. Good when you talk about operational security and crisis plans.
• Traceability - Parakey logs both who opened which doors and who distributed or removed authorizations. You get a basis for incident investigations, audits and customer dialog. Of course, GDPR is fully complied with. 
• Control and delegation - You can control access with roles and schedules and let tenants administer their own users without giving up control of the entire property. With two-factor login in the portal, you also get better protection for the administration itself.

The point is simple: Parakey doesn't solve NIS2 for you, but it makes it much easier to say that at least the access control system is both secure, traceable and robust. It's a good start when NIS2 starts to seriously affect the requirements in real estate transactions.

‍

_{Disclaimer: This post is informational - not legal advice. NIS2 is being implemented in Sweden through a new cybersecurity law that, according to current plans, will enter into force on January 15, 2026. Regulations and details are being developed by, among others, MSB. Always work on the basis of your own risk picture and consult legal expertise if necessary.}