StaffIn this comment piece, experts at 2N discuss how robust cybersecurity builds lasting trust beyond compliance ahead of the EU’s Cyber Resilience Act (CRA). As a global leader in access control solutions, the Czech company is trusted to secure data centres, banks, New York schools and luxury residential and working spaces across the world.
Cyber breaches directly affect physical security, which is why the EU’s Cyber Resilience Act (CRA) is set to redraw the rules for every digital intercom and access control device sold in Europe.
With 54% of organisations worldwide already experiencing an IoT‑related security breach and with 60% of those incidents linked to unpatched vulnerabilities, experts at 2N, a global leader in IP intercoms and access control solutions, argue that simply meeting minimum requirements for regulatory compliance is not enough.
Companies will be required to report actively exploited vulnerabilities and major incidents for digital products from September 11 this year. Violations can result in fines of 2.5% of a company’s worldwide annual turnover, with a maximum fine of EUR 15 million. Cybersecurity standards will be required to match the rich innovation of product features, improving product design, support lifecycles, slow patching and insecure default settings.
“Cybersecurity doesn’t start with technology, but with awareness and a culture of responsibility,” says Michal Kratochvíl, CEO of 2N. “By integrating robust frameworks and transparent vulnerability management processes, we manage to stay on top of regulation. New directives are usually in line with the practices we have been sustaining for years.”
CRA requirements can be met through a commitment to sourcing secure components and using EU-approved microchips and suppliers. As the Access Control Market is expected to grow from USD 10.62 billion in 2025 to USD 15.80 billion by 2030, customers are more inclined to invest in manufacturers committed to rigorous supplier due diligence and security assessments that ensure full supply-chain transparency.
2N’s systems not only exceed these expectations, but products like the 2N IP Verso intercom seamlessly integrate into a building’s existing infrastructure, with smart features allowing users to open doors using their smartphone, even when they are not at home.
When one of New York’s most high‑profile universities tasked 2N with developing a completely unified Security Centre for its 18,000 students, 2N’s priority was to deliver a cyber‑secure, remotely-controlled system that enabled dispatchers and campus police to monitor and manage incidents in real time, without the possibility of leaking sensitive biometric data.
“Our device count continues to grow and evolve in response to the degree of threats we’re seeing on our campus and across the country,” says Dave Martin, Security Infrastructure and Support Department for Binghamton University. “Our goal is to make sure the technology helps our university police department stay situationally aware of what’s happening on campus before, during and after any kind of critical incident.”
The configuration and management of the complete access system is ensured by 2N Access Commander. Through the graphical user interface, access permissions and specific functions are set in bulk, such as who has access to specific doors or zones. In due course, it would also be possible to add a time and attendance system which records the attendance of employees and can be viewed via the web interface or exported to an XLS or CSV file.
CRA’s vulnerability reporting requirements will be mandatory from September 11, 2026 and will require manufacturers to establish formal processes for identifying, triaging and communicating security issues, creating accountability beyond simple fixes. For manufacturers, showcasing vulnerabilities should no longer be seen as a weakness – it’s how you build trust with customers securing mission-critical environments.
Companies should embed this discipline into their operations ahead of regulatory timelines, maintain a dedicated vulnerability management section on their website and outline how researchers and customers can report issues. 2N recently became the first manufacturer in its field to be recognised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
“In recent years, we have been contacted by security researchers, agencies, and customers reporting potential vulnerabilities in our products,” says Michal. “By becoming a CNA, we can now respond faster and share verified information directly, building even greater trust with our partners.”
One of the most practical messages in CRA for buyers is simple: don’t buy connected products without clear update and support commitments. Companies must be clear about their long-term support, not just at the point of sale but over the entire lifecycle of the device.
In access control, that means specifying how many years of security updates a product will receive, how end‑of‑support is handled, and what mechanisms exist to deliver critical patches quickly and safely.
“We offer a five-year warranty on all products. One of our newest products is 2N IP Force 2.0, an upgrade of 2N’s second-most successful intercom ever. From schools in New York to the F1 Circuit in Belgium, it found global popularity due to its extreme resilience. The new generation of 2N IP Force retains its trademark durability but has a range of new features thanks to the Axis ARTPEC-8 chipset, something our customers have been asking for,” concludes Tomáš Vystavěl, Chief Product Officer at 2N.