
NIS2 and DORA: Why Physical Security Is Becoming a Compliance Factor

NIS2 and DORA explicitly require physical access control. How a modern employee ID card with a photo becomes the first line of defense, and how Photo Collect secures the photo enrollment process for thousands of employees.

When people think of NIS2 and DORA, they think of firewalls, penetration tests, and incident response. What often gets overlooked in practice is that both frameworks explicitly require physical security as well. No matter how well you secure your network, if you don’t have control over the entry point, an auditor will find the vulnerability. And this is precisely where the employee ID card with a photo shifts from being an HR issue to a compliance requirement.

What NIS2 and DORA specifically require

The two sets of EU regulations are structured differently, but they converge when it comes to physical access control.

The NIS2 Directive (Article 21) requires in-scope entities to implement minimum cybersecurity risk-management measures, and it states that these measures must follow an all-hazards approach that protects network and information systems and the physical environment of those systems. The listed measures include supply chain security, human resources security and access control policies, and the use of cryptography and encryption. Physical security is therefore not merely implied; it is written into the Directive.

The DORA Regulation for the financial sector likewise requires policies and tools that limit both physical and logical access to information and ICT assets to what is needed for legitimate, approved functions (Article 9). The regulatory technical standards that accompany it, together with the EBA guidelines on ICT and security risk management, flesh this out with requirements such as access badges, visitor logs and identification checks.

In practical terms, any entity that falls under one of these regulations, whether critical infrastructure, a bank, an insurer, a pharmaceutical firm, an energy supplier or a large industrial company, and any supplier integrated into such an entity's regulated supply chain (which is how many Swiss companies come into scope), must be able to demonstrate control over physical access.

Why a photo ID is essential

In many companies, the "employee ID" is still just an anonymous RFID chip or even a key fob. This makes social engineering easy: a found chip works for whoever holds it, and a borrowed card goes unnoticed because nothing on it ties it to a person. Auditors working to NIS2 or DORA scrutinize precisely these weaknesses.

A tamper-resistant photo ID addresses three issues at once:

  1. Visual checks at the front desk and in access control lanes: the photo on the card must match the person presenting it. It sounds trivial, but it is the simplest second factor in the building: the card is something you have, the face is something you are. It only works where someone actually looks, which is why it belongs at staffed checkpoints.
  2. Proving compliance to auditors: standardized, documented photo IDs demonstrate that a controlled issuance process exists. Anonymous chips suggest the opposite.
  3. Traceability in an incident: when a security incident is investigated, identifying individuals at doors and checkpoints is close to impossible without a photo on record.

The challenge in practice: scaling

Once the requirement is understood, the next challenge follows: how do you obtain several thousand consistent, high-quality employee photos, in compliance with data protection law, verifiably and within a reasonable time? Traditional approaches fall short here:

  • Hiring a professional photographer on-site: too expensive, too slow, and a logistical nightmare when locations are spread out.
  • Employees upload their own photos: poor quality, inconsistent backgrounds, lack of compliance with the corporate identity, and no audit trail.
  • Photo booth in the lobby: long wait times, standalone systems, no integration with HR or access control systems.

It is precisely this breakdown in the process that causes compliance to fail in practice.

How Photo Collect secures the process

Photo Collect is the Swiss B2B software for automated photo capture. Here is how it works: employees receive a personalized link via email or text message, take the photo with their own smartphone (no app or login required), and the AI automatically checks focus, background, head position, glasses and other parameters. Four features make the process fit for NIS2 and DORA compliance:

Hosting in Switzerland. All photos can be processed exclusively in an ISO 27001-certified data center in Switzerland, and Visible Solutions can run the entire image processing pipeline, including the AI models, in-house without relying on foreign cloud services. The point that matters for audits: the US CLOUD Act reaches providers subject to US jurisdiction regardless of where the data is stored, so keeping both the data and the operator in Switzerland is what keeps the image data out of its scope. This is increasingly examined during NIS2 audits.

A dedicated platform for each customer. Instead of a multi-tenant cloud, each customer can run its own isolated instance. Data segregation then rests not only on logical separation within a shared environment but on structural separation as well.

Data minimization and automatic deletion. After a successful export (ZIP, SFTP, REST API, optionally OpenPGP-encrypted), the image data is deleted automatically. This meets the purpose-limitation and storage-limitation principles of the GDPR (Article 5(1)(b) and (e)) and the Swiss DSG, and is documented in the DPA and SLA. Because an auditor will want evidence rather than a promise, the deletion should be recorded in a form that can be produced on request.

No generative AI on the face. Photo Collect does not generate or alter faces. This matters from a regulatory standpoint: on an ID photo the person must be recognizable as they are, not as an enhanced version of themselves. The AI checks, crops and replaces the background; nothing more. For more background, see the article "Image Enhancement with AI—What's Allowed?"

What that means in numbers

Photo Collect has processed over 4 million photos; on average the process takes under 2 minutes per employee. At an industrial conglomerate with 20,000 employees, the rebadging was completed in three weeks, with virtually 100 percent employee participation and an error rate below 2 percent. In the optional manual quality-control step, a person double-checks incoming images for compliance; the interface is built for reviewing thousands of photos per hour, and AI validation flags potential issues already at the upload stage.

For a NIS2 or DORA program that involves rebadging at this scale, this is the difference between a project that stays on track and one that keeps the auditor busy again in the next round.

Integration into the existing security architecture

Photo Collect integrates into existing processes. Via a REST API and pre-built integrations, the platform connects to existing access control, HR and card printer systems, so the verified photo goes directly to the HR or card management system with no manual steps and no unsecured data path.

If you host Photo Collect on your own subdomain and send through your own SMTP server, the entire process stays within your own trusted domain: employees receive links that point at a host they recognize, which is harder to imitate in a phishing campaign, and this is a point that regularly comes up in DORA audits of supply chain risk. Since the personalized link takes the place of a login, it is effectively a bearer credential; its lifetime and single-use handling are the parameters to confirm with the provider.
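The personalized, login-less link described above (and in the workflow section) is only as safe as the token inside it. The following is an added illustration of the properties such a link needs as a bearer credential: a server-side MAC so it cannot be forged, an expiry so it cannot be hoarded, a nonce so it cannot be replayed, and a host check so a look-alike domain is rejected. It is not Photo Collect's code; the employee id, base URL, key and TTL are constructed for the demonstration.

```python
"""Time-limited, single-use enrollment links as HMAC-signed bearer tokens.

Added example, not Photo Collect's implementation. SERVER_KEY, the TTL and
the sample employee id below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret: lives in a secret store in production, never in the link.
SERVER_KEY = secrets.token_bytes(32)          # constructed for the demo
LINK_TTL_SECONDS = 7 * 24 * 3600              # assumption: one week to take the photo

# Nonces already redeemed. A real deployment backs this with the database.
_consumed: set = set()


def _sign(payload: str) -> str:
    """MAC over the cleartext fields; only the holder of SERVER_KEY can produce it."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_link(employee_id: str, base_url: str, now: Optional[float] = None) -> str:
    """Build a personalized link. Employee id, expiry and nonce travel in the clear;
    the signature is what proves the link was issued by this server."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    exp = int(now + LINK_TTL_SECONDS)
    sig = _sign(f"{employee_id}|{exp}|{nonce}")
    return f"{base_url}?{urlencode({'emp': employee_id, 'exp': exp, 'n': nonce, 'sig': sig})}"


def redeem(link: str, expected_host: str, now: Optional[float] = None) -> Optional[str]:
    """Return the employee id if the link is genuine, unexpired and unused,
    otherwise None. Nothing is marked consumed until every check has passed."""
    now = time.time() if now is None else now
    u = urlparse(link)
    if u.hostname != expected_host:           # points outside our trusted domain
        return None
    q = parse_qs(u.query)
    try:
        emp, exp, nonce, sig = (q[k][0] for k in ("emp", "exp", "n", "sig"))
        exp_i = int(exp)
    except (KeyError, ValueError):
        return None                           # malformed
    if not hmac.compare_digest(sig, _sign(f"{emp}|{exp_i}|{nonce}")):
        return None                           # forged or tampered (constant-time compare)
    if now > exp_i:
        return None                           # expired
    if nonce in _consumed:
        return None                           # replayed
    _consumed.add(nonce)
    return emp


if __name__ == "__main__":
    link = issue_link("E12345", "https://photos.example.ch/enroll")
    print(link)
    print(redeem(link, "photos.example.ch"))  # employee id on first use
    print(redeem(link, "photos.example.ch"))  # None: second use is rejected
```

The order of the checks matters: the signature is verified before the nonce is consumed, so an attacker cannot burn a legitimate employee's link by submitting a tampered copy of it, and the host check means a link rewritten to a look-alike domain never reaches the token logic at all.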

Compliance starts at the front door

NIS2 and DORA are not just IT issues. Anyone who treats physical access control as a secondary facility management matter will be called out on it during the next audit. A standardized, tamper-resistant employee ID card with a photo is no longer a cosmetic HR measure but an integral part of the compliance framework.

Photo Collect closes the gap between the requirement (consistent, quality-checked photos for thousands of people) and the operational burden that has previously brought many projects to a standstill: Swiss hosting, dedicated instance, automatic deletion, no generative AI applied to faces. For those who need to implement NIS2 or DORA, that is one less thing to worry about.
