For a long time, organizations managed their security as two separate domains.

Physical security handled access control, video surveillance, and on-site human presence.
Cybersecurity, on the other hand, protected networks, digital identities, and information systems.

This model worked as long as these worlds did not interact.
Today, this compartmentalization is no longer viable: buildings are digitalized, equipment is connected, and every element once purely physical — badge, lock, camera — can now act as a digital vector.

What is tangible can now enable a cyberattack.

 

Regulation is now formalizing this convergence

The European NIS2 directive, applicable from 2024, explicitly requires the implementation of technical, organizational, and physical measures to ensure the security of information systems [1].
ANSSI confirms in its 2024 activity report that protecting data also requires protecting the physical infrastructures that host it [2].

This is no longer a recommendation: it is a regulatory obligation.

A concrete example illustrates this perfectly.
The firm Carinel, a security expert, recalls that in August 2023:

A fire in a Proximus datacenter in Belgium made emergency numbers (112, 101, 100) unreachable for nearly 30 minutes [4].

A physical incident generated a major cyber and societal impact.

 

A persistent gap in investments

Despite this reality, investments remain unbalanced.

According to IT Social, in 2024:

47% of IT professionals prioritized the deployment of cybersecurity tools,
compared to 27% of security and safety professionals [5].

In other words:
we are heavily securing networks, but not necessarily the access points that can expose them.

An unrevoked badge or a poorly configured IP camera can compromise millions of euros in cyber investments. The weak link is no longer only in the information system, but also in the physical infrastructure.

 

Physical systems are becoming network endpoints

The transformation of access control is the most significant example.

According to InformatiqueNews, based on the HID PACS 2025 report, 69% of decision-makers in Europe plan to replace badges with mobile access via smartphone [3].

The smartphone then becomes simultaneously:

  • a means of accessing buildings,
  • a professional digital identifier,
  • a terminal connected to the network.

The question is no longer who “has a badge,” but who holds access to critical systems through a network-connected device.

At this stage, access control falls as much under security as it does under cybersecurity.

 

EVA: unified security designed for the convergence of risks in France and Europe

At Ozion Security, the convergence between operational security and cybersecurity is not a forced evolution: it is a strategic direction embraced for several years. Designed and developed in France, EVA integrates from its very architecture the regulatory and technical requirements that now govern the security of public and private organizations.

Its “cyber-by-design” approach combines physical security, data integrity, and compliance with major French and European standards: NIS2, ISO 27001, GDPR, as well as national information system security policies (PSSI). This sovereign design ensures that data is processed strictly within the territory, while meeting the reliability and traceability standards required by critical operators.

EVA does not merely comply: it anticipates. Our teams work continuously to integrate new European directives and to strengthen the coherence between field security and cybersecurity, in order to provide French companies with a unified vision of their protection system.

Rooted in France, designed for markets around the world, EVA embodies modern, sovereign, and responsible security — where risk convergence becomes a lever of control and performance.

 

Conclusion

The convergence between physical security and cybersecurity is neither a trend nor a hypothesis.
It is already the operational reality of modern organizations.

  • Physical systems are now connected.
  • Attacks now exploit both the physical environment and the network simultaneously.
  • Regulation requires integrated governance.

Attackers think in a convergent way.
Organizations must defend in a convergent way.

 

Contact

We invite you to contact us via the form below to discuss implementing a convergent security framework tailored to your organization.

 

Sources

[1] Directive européenne NIS2 — Article 21
https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32022L2555

[2] ANSSI — Rapport d’activité 2024
https://cyber.gouv.fr/actualites/lanssi-publie-son-rapport-dactivite-2024

[3] InformatiqueNews — Rapport HID PACS 2025 : 69 % des décideurs misent sur l’accès mobile
https://www.informatiquenews.fr/rapport-hid-pacs-2025-69-des-decideurs-misent-sur-lacces-mobile-107076

[4] Carinel — NIS2 : Pourquoi votre RSSI a besoin de votre directeur sûreté (et vice-versa)
https://www.carinel.com/post/nis2-securite-physique-cybersecurite-convergence

[5] IT Social — La cybersécurité et la sécurité physique sont intimement liées
https://itsocial.fr/cybersecurite/cybersecurite-articles/la-cybersecurite-et-la-securite-physique-sont-intimement-liees