What CIR 2024/2690 Annex Section 13 Requires for Data Centre Physical Security — and the 1-Hour Rule That Triggers Incident Reports
Data centre operators have spent the past year building cybersecurity policies, incident response plans, and supply chain frameworks. What many discover only when their competent authority makes contact is that Commission Implementing Regulation (EU) 2024/2690 — the binding technical rulebook for NIS2 — devotes its Annex Section 13 entirely to environmental and physical security, and Article 8 draws a direct line from a cooling unit failure to a mandatory incident notification.
The NIS2 Directive’s Article 21(2) requires entities to take “appropriate and proportionate technical, operational and organisational measures” to manage risks to their network and information systems. CIR 2024/2690, which entered into force in January 2025, translates that obligation into more than 150 specific controls across 13 Annex sections. Three of those sections govern the physical environment surrounding every data centre’s IT stack: Section 4 (business continuity and utility redundancy), Section 11 (logical and physical access control), and Section 13 (environmental and physical security). This guide maps each section’s requirements to implementation decisions, explains how Article 8’s 60-minute threshold connects a power or cooling failure to a mandatory 72-hour report, and identifies the documentation an auditor expects to see.
Data Centre Scope Under NIS2 and CIR 2024/2690
The NIS2 Directive identifies “data centre service providers” as essential entities under Annex I, placing them in the same regulatory tier as operators of electricity, gas, and water infrastructure. CIR 2024/2690 is the sector-specific implementing regulation that applies to these and other digital infrastructure operators: cloud computing service providers, managed service providers, content delivery network providers, DNS service providers, and top-level domain name registries are all within scope.
Three CIR Annex sections directly govern the physical data centre environment, and they must be read together rather than treated as separate compliance silos:
- Section 4 — Business Continuity and Crisis Management: treats power, cooling, and connectivity infrastructure as continuity assets requiring documented redundancy, continuous monitoring, and tested recovery procedures.
- Section 11 — Access Control: requires a single, unified policy covering both logical and physical access, with multi-factor authentication for privileged system access including building management interfaces.
- Section 13 — Environmental and Physical Security: mandates physical security zones, perimeter controls, access logging, CCTV coverage, environmental monitoring, and visitor management — integrated with logical access controls.
Understanding how CIR 2024/2690 is structured is the starting point for any compliance programme. The regulation’s 13 Annex sections map to NIS2 Article 21(2)’s ten cybersecurity risk management measures, with Section 13 implementing aspects of Article 21(2)(c) (business continuity), (e) (security in network and information systems), and (i) (access control policies and asset management).
Who Must Comply: Qualifying Entities and Thresholds
NIS2 distinguishes between essential and important entities on the basis of size and sector criticality.
Essential entities are those with at least 250 employees or annual turnover above €50 million and balance sheet total above €43 million, operating in one of the critical sectors listed in NIS2 Annex I — which includes digital infrastructure (data centres, cloud providers, DNS registries, internet exchange points, CDN providers). Essential entities face proactive, ex-ante supervision: competent authorities can audit, inspect, and require information without waiting for an incident.
Important entities meet the 50-employee or €10 million revenue threshold in Annex II sectors and face reactive, ex-post oversight triggered by incidents or complaints.
Data centre service providers are classified as essential entities under NIS2 Annex I regardless of the sectors they serve. A colocation operator providing power, cooling, and connectivity to third-party equipment falls directly under CIR 2024/2690’s full requirements. An enterprise IT team running a private data centre room inside a manufacturing facility is not a “data centre service provider” in the directive’s sense — but it must still implement Article 21(2) measures for that infrastructure as part of its overall NIS2 obligations, and the CIR sets the technical benchmark against which “appropriate and proportionate” will be measured.
For organisations that own but do not sell data centre services: Article 21(1) requires proportionate measures, but a competent authority assessing your physical security or business continuity response will compare it against the CIR Annex controls even if your entity type is not explicitly named in the CIR’s scope article. The standard applies; what varies is the supervisory intensity.
CIR Annex Section 13: Physical and Environmental Security Requirements
Section 13 of the CIR Annex is the regulation’s dedicated physical security chapter. It covers five distinct control areas, each of which must be documented in your organisation’s Physical & Environmental Security Policy.
Supporting Utilities
Section 13.1.1 requires entities to “prevent network and information system losses, damage, compromise, or operational interruption from supporting utility failures or disruptions.” This is a performance requirement rather than a prescriptive standard: the regulation specifies the outcome you must achieve, not the exact number of UPS strings you must install. Power, cooling, fire suppression, and telecommunications must each be treated as infrastructure whose failure threatens the availability or integrity of the NIS environment.
The ENISA Technical Implementation Guidance, published in June 2025, specifies that supporting utilities “should have redundancy and be monitored continuously, with emergency supply tested regularly.” This translates Section 13.1.1 into three auditable obligations: a documented redundancy architecture, continuous automated monitoring of utility status, and a tested emergency supply with recorded results and corrective actions.
Security Zones and Perimeter Controls
Section 13 requires defining physical security zones with perimeter-based access controls appropriate to the sensitivity of each area. In practice, this maps to the four-class framework in the European data centre security standard EN 50600-2-5, which competent authorities and compliance practitioners treat as the sector benchmark for what “appropriate” perimeter controls look like:
| Protection Class | Applicable Area | Key Controls |
|---|---|---|
| PC1 | Public/reception areas | Basic access control, visitor logging |
| PC2 | Staff office areas | Authenticated entry, audit trails |
| PC3 | IT suites, power rooms | Dual-factor authentication, continuous CCTV, tamper alerting |
| PC4 | High-security cages or vaults | Anti-tailgating, cabinet-level access logs, tamper-evident sealing |
CIR 2024/2690 does not explicitly cross-reference EN 50600-2-5 by name, but establishing your protection class classification per zone and documenting it in your Physical & Environmental Security Policy is the evidence auditors expect. Perimeter controls for PC3-class areas include fencing, vehicle barriers or crash-rated bollards at access points, and a staffed or remotely monitored gatehouse. Inner zone transitions use electronic access locks with event logging at each layer.
Access Logging: The Four-Layer Architecture
All access to secure zones must log the user’s identity, the timestamp, and the authorisation basis. This cascades through four physical access layers, each of which must produce an independently searchable log:
- Site perimeter — gate or entrance entry events linked to credential identity
- Module or building access — electronic lock events with individual badge authentication
- IT suite or server room level — door events recording user ID and entry/exit time
- Cabinet level (required at PC4) — electronic cabinet locks logging open/close events by individual identity
Log completeness is a frequent audit finding. A system that records the badge number but not the individual identity behind it, or that logs entry but not exit, does not satisfy the Section 13 requirement. Access log data must also be retained and protected against unauthorised modification — consistent with the log integrity requirements in CIR Section 3.2.
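A completeness check of the kind described above, written as an added example (not code from the page or any access-control vendor): it walks a constructed badge-reader export, flags records that carry a badge number without an individual identity, records with no authorisation basis, and entries with no matching exit, for a closed reporting window. The column names and layer labels are assumptions for the illustration.

```python
"""Completeness check for a four-layer physical access log export."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names are assumed for this example.
SAMPLE_EXPORT = """\
ts,layer,door,badge_id,person_id,direction,auth_basis
2025-03-04T08:01:10Z,perimeter,gate-1,B1001,u.alice,entry,role:dc-ops
2025-03-04T08:03:42Z,building,door-b1,B1001,u.alice,entry,role:dc-ops
2025-03-04T08:05:07Z,suite,suite-3,B1001,u.alice,entry,ticket:CHG-4471
2025-03-04T08:06:30Z,cabinet,rack-3-12,B1001,u.alice,entry,ticket:CHG-4471
2025-03-04T08:40:12Z,cabinet,rack-3-12,B1001,u.alice,exit,ticket:CHG-4471
2025-03-04T08:41:00Z,suite,suite-3,B1001,u.alice,exit,ticket:CHG-4471
2025-03-04T09:15:00Z,suite,suite-3,B2044,,entry,
2025-03-04T09:20:00Z,building,door-b1,B3090,u.carol,entry,role:visitor
"""

# The four access layers the policy expects every event to belong to.
LAYERS = ("perimeter", "building", "suite", "cabinet")


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_access_log(rows):
    """Return a list of (severity, message) findings for a closed window."""
    findings = []
    open_entries = defaultdict(list)  # (layer, door, who) -> entry timestamps
    for n, r in enumerate(rows, start=1):
        try:
            ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (KeyError, ValueError):
            findings.append(("high", f"row {n}: missing or unparsable timestamp"))
            continue
        if r["layer"] not in LAYERS:
            findings.append(("medium", f"row {n}: unknown layer {r['layer']!r}"))
        # A badge number alone does not identify the individual behind it.
        if not r["person_id"]:
            findings.append(("high", f"row {n}: badge {r['badge_id']} has no individual identity"))
        if not r["auth_basis"]:
            findings.append(("high", f"row {n}: no authorisation basis recorded"))
        who = r["person_id"] or r["badge_id"]
        key = (r["layer"], r["door"], who)
        if r["direction"] == "entry":
            open_entries[key].append(ts)
        elif r["direction"] == "exit":
            if open_entries[key]:
                open_entries[key].pop()
            else:
                findings.append(("medium", f"row {n}: exit without preceding entry at {r['door']}"))
        else:
            findings.append(("high", f"row {n}: direction must be entry or exit"))
    # Entry logged but no exit: the log does not show when the person left.
    for (layer, door, who), stamps in open_entries.items():
        for ts in stamps:
            findings.append(("medium", f"{who} entered {door} ({layer}) at {ts.isoformat()} with no exit event"))
    return findings


if __name__ == "__main__":
    for severity, message in check_access_log(parse_export(SAMPLE_EXPORT)):
        print(f"[{severity}] {message}")
```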
CCTV Coverage and Retention
CCTV must cover approach paths, vehicle access points, and all access layer transitions in secure zones. The EN 50600-2-5 framework provides the practitioner baseline for retention periods: a minimum of 30 days for PC3-equivalent areas such as IT suites and power rooms, and 90 days for PC4 zones. The CIR itself does not specify a retention figure; your organisation’s risk assessment and any applicable national guidance from your competent authority set the floor. The 30/90-day framework reflects established practitioner consensus, not a binding regulatory figure.
Two technical requirements sit alongside the retention baseline. First, footage must be stored on a network isolated from internet-facing systems — CCTV infrastructure on an OT-equivalent segment, not the corporate LAN. Second, tamper alerting is mandatory for PC3 and PC4 areas: if a camera is blocked, repositioned, or loses power, the system must generate an alert within seconds. CCTV events should also be tagged to the corresponding access badge entry so any investigation can pull both streams simultaneously.
Environmental Monitoring and Visitor Management
Continuous monitoring is required for temperature, relative humidity, water intrusion, and smoke or fire conditions in any area housing network and information systems. “Continuously monitored” means automated alerting to an operations function capable of response — not a periodic manual walkthrough. Alarms must be routed to personnel who can act within the recovery time window your BIA defines.
Visitors to areas beyond PC1 must be logged upon entry, escorted by an authorised staff member throughout their access, and restricted to the specific zone approved for their purpose. Written visitor access procedures must document each of these steps, and visitor logs must be retained and available for inspection.
The 1-Hour Threshold: Why Power and Cooling Failures Trigger Incident Reports
Article 8 of CIR 2024/2690 defines what constitutes a “significant incident” for data centre service providers. Four conditions trigger mandatory reporting under NIS2 Article 23:
- A data centre service is completely unavailable
- Availability of a data centre service is limited for more than one hour
- The integrity, confidentiality, or authenticity of stored, transmitted, or processed data is compromised as a result of a suspected malicious action
- Physical access to the data centre is compromised
Conditions two and four carry the most practical weight for physical infrastructure planning. A cooling unit failure that forces a partial shutdown of servers — even if only a subset of racks is affected — qualifies under condition two the moment the degraded state persists past 60 minutes. A physical security breach — an unauthorised entry to the server suite, a forced door, a tailgating event that is not immediately detected and contained — triggers condition four regardless of how long the intrusion lasts.
These thresholds function as design criteria, not just reporting triggers. Your physical infrastructure must achieve below-60-minute restoration time for power and cooling failures, and your perimeter must detect and contain a breach before it meets the “access compromised” standard. Both outcomes must be demonstrated through tested procedures, not assumed from equipment specifications.
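The Article 8 test applied to an event timeline, as an added example that is not from the page or any regulator: it merges staggered partial shutdowns of separate rack groups into one continuous degraded period before applying the one-hour threshold, treats a physical breach as significant regardless of duration, and computes the NIS2 Article 23 early-warning (24 h) and notification (72 h) deadlines from the moment of awareness. The event record format is an assumption for the illustration.

```python
"""Article 8 significance check over a constructed data centre event timeline."""
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def merge_windows(windows):
    """Merge overlapping or adjacent (start, end) windows into continuous periods."""
    spans = sorted((parse_ts(a), parse_ts(b)) for a, b in windows)
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def classify(events):
    """Return the set of Article 8 conditions met (1..4, numbered as in the page's list).

    Event format (assumed): dicts with 'kind' in {'outage', 'degraded',
    'physical_breach', 'data_compromise'}; 'outage' and 'degraded' carry
    'start'/'end'. Degraded windows from different rack groups are merged
    so a rolling partial shutdown counts as one continuous degraded state.
    """
    met = set()
    degraded = []
    for e in events:
        if e["kind"] == "outage":
            met.add(1)                      # service completely unavailable
        elif e["kind"] == "degraded":
            degraded.append((e["start"], e["end"]))
        elif e["kind"] == "physical_breach":
            met.add(4)                      # duration is irrelevant here
        elif e["kind"] == "data_compromise" and e.get("suspected_malicious"):
            met.add(3)
    for start, end in merge_windows(degraded):
        if end - start > ONE_HOUR:          # limited for more than one hour
            met.add(2)
    return met


def report_deadlines(aware_at, conditions):
    """Article 23 clock from awareness: 24 h early warning, 72 h notification."""
    if not conditions:
        return None
    t = parse_ts(aware_at)
    return {"early_warning": t + timedelta(hours=24),
            "notification": t + timedelta(hours=72)}


# Constructed scenario: a CRAC failure forces two rack groups into a staggered
# partial shutdown. Each window is under an hour, but together they form a
# continuous degraded state of 1 h 25 min, so condition two is met.
SCENARIO = [
    {"kind": "degraded", "start": "2025-03-04T10:00:00Z", "end": "2025-03-04T10:50:00Z", "scope": "racks A1-A8"},
    {"kind": "degraded", "start": "2025-03-04T10:40:00Z", "end": "2025-03-04T11:25:00Z", "scope": "racks B1-B6"},
]

if __name__ == "__main__":
    conditions = classify(SCENARIO)
    print("conditions met:", sorted(conditions))
    print("deadlines:", report_deadlines("2025-03-04T11:30:00Z", conditions))
```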
CIR Section 4: Treating Physical Infrastructure as a BCP Asset
Section 4.1.3 requires a business impact analysis that assesses the consequences of disruption. Most BIA methodologies in use before CIR treat the data centre as a monolithic service input. CIR requires the BIA to scope individual utility failure scenarios explicitly: what happens when a single UPS string fails, when a CRAC unit loses refrigerant, when a primary power feed is cut? Each scenario must have a defined impact assessment and a recovery time objective.
Section 4.2.4 requires “partial redundancy of systems, assets/facilities/equipment/supplies.” For a data centre this translates to documented architecture: N+1 UPS configuration, N+1 cooling units per thermal zone, documented failover paths and switchover procedures. N+1 is the minimum; your BIA-derived RTO may require 2N or higher.
Section 4.2.5 requires resources to be “monitored informed by backup and redundancy requirements.” PDU output monitoring, UPS battery state-of-health alerts, CRAC unit sensor alarms, generator fuel level monitoring, and inlet temperature trending are all within scope. Alerts must reach an operations team within the incident recovery time window — not just logged in a dashboard reviewed weekly.
Section 4.2.6 requires regular recovery testing with documented results and corrective actions. A generator test that runs the machine at no-load idle does not constitute evidence of tested failover. The test must demonstrate realistic load transfer, be documented with date, test conditions, result, and any deficiencies identified, and the deficiency log must show corrective actions with completion dates.
The business continuity requirements that govern your physical infrastructure carry the same compliance weight as your cybersecurity incident response plan — and the Article 8 thresholds mean the two are directly connected.
CIR Section 11: Logical Access Control for the Physical Environment
Section 11.1.1 of the CIR Annex requires entities to establish, document, and implement “logical and physical access control policies based on business and security requirements.” A single policy covers both domains. The regulation does not anticipate a separation between IT access management and facilities access management — these must be documented together, reviewed together, and owned by a named function within the organisation.
Physical-Logical Integration
The practical implication: badge access events for server suites must feed the same identity management system as network authentication. A user whose system account has been deactivated must not retain active physical access — Section 11.2’s requirement to “assign/revoke rights using least privilege principles” and “modify rights upon employment termination or changes” applies to door credentials as directly as it applies to network passwords.
Access registers required by Section 11.2 must document physical area access rights per individual, the authorisation basis for each right, and a periodic review schedule. Section 11.2.3 requires access rights to be reviewed “at regular intervals” with “modifications documented based on organisational changes.” An access list for server room entry that has not been formally reviewed and signed off since the last staff changes is a recurring audit finding under Article 21(2)(i).
MFA for Building Management Systems
Section 11.3 requires privileged system administration accounts to use “strong identification/authentication including multi-factor authentication.” Building Management System consoles, PDU management interfaces, UPS monitoring platforms, and cooling control panels are system administration systems for the purposes of Section 11. Access to these must use MFA, dedicated accounts (not shared login credentials), and must be restricted to administrative purposes only, per Section 11.4.
Section 11.7 reinforces this with the requirement that entities “ensure users authenticate using multiple factors where appropriate per asset classification.” For areas equivalent to PC3 or PC4, the asset classification mandates MFA for logical access to building management systems and, where technically feasible, for physical badge access to the zone. Our access control guide and MFA requirements overview cover the full implementation of Section 11.
OT/BMS Network Segmentation
PDU controllers, UPS management cards, CRAC control interfaces, and HVAC automation systems constitute an operational technology environment within the data centre. Reading Section 11 alongside CIR Section 6.8 (network segmentation) requires this OT layer to be segregated from IT production networks.
The applicable technical framework is IEC 62443, which defines Security Levels for industrial control environments. The OT management zone containing BMS and utility controllers requires a minimum Security Level 2; the physical security zone (access control systems, CCTV storage) requires Security Level 3 and must be isolated from both IT and OT zones. Management protocols on utility controllers must use SNMPv3 with HMAC-SHA authentication (SNMPv1 and v2c disabled), HTTPS with TLS 1.3 on web management interfaces, and SSH (with Telnet disabled). Default credentials must be rotated before any device enters production.
Segmentation is not just a network hygiene measure here. Because CIR Article 8 includes “physical access compromised” as a significant incident trigger, an attacker who reaches a BMS console via the IT network and modifies cooling setpoints — causing a thermal event — could simultaneously trigger conditions two and three of Article 8. The OT/BMS segmentation boundary is a compliance control, not optional best practice.
Building Your Audit Evidence Package
Demonstrating compliance with CIR 2024/2690 Sections 4, 11, and 13 requires a specific set of documented outputs. An essential entity operating a data centre should have all six of the following ready for inspection:
| Document | CIR Section | Core Content |
|---|---|---|
| Physical & Environmental Security Policy | Section 13 | Zone definitions, perimeter controls, CCTV policy, visitor management, environmental monitoring procedures |
| Access Control Policy | Section 11 | Logical and physical access rules, MFA requirements, privileged account policy, OT/BMS access controls |
| Business Impact Analysis | Section 4.1.3 | Disruption consequence assessment covering power, cooling, connectivity, and physical access scenarios with defined RTOs |
| Business Continuity / Disaster Recovery Plan | Section 4.1.1–4.1.2 | Recovery sequencing, redundancy architecture, activation conditions, resource requirements |
| Backup Policy | Section 4.2 | Redundancy requirements, monitoring obligations, recovery testing schedule, retention periods |
| Crisis Management Plan | Section 4.3 | Roles, escalation contacts, NCA communication channels, notification procedures under Article 23 |
Policies alone are insufficient evidence. Auditors look for test records: generator failover test logs, UPS load test results, BCP tabletop exercise reports with “lessons incorporated” as Section 4.1.4 explicitly requires. CCTV footage retention logs, badge access event exports, and OT network configuration documentation are all within scope of a Section 13 inspection.
Role and Responsibility Allocation
Section 4.3 requires crisis management processes that assign clear personnel roles. For data centre operators, this means defining ownership across physical and logical domains:
| Responsibility | Assigned Role |
|---|---|
| Physical perimeter security policy ownership | CISO or Facilities Director |
| UPS and cooling failover decision | Data Centre Operations Manager |
| Article 23 incident notification | NIS2 Compliance Officer or CISO |
| Board/management escalation | CISO or CTO |
| Access register periodic review | IT Security Manager + Facilities Manager (joint sign-off) |
| Supplier and utility coordination during crisis | Supply Chain or Vendor Manager |
The management body — board or senior leadership team — remains personally liable under NIS2 Article 20 for approving the implementation of Article 21 measures. A board resolution confirming approval of the Physical & Environmental Security Policy and the BCP forms part of the governance audit trail that competent authorities expect from essential entities.
Implementation Gap Analysis
| Gap Area | Typical Current State | CIR Required State | Effort |
|---|---|---|---|
| Physical and logical access policies unified | Separate IT and facilities access documents | Single integrated policy per Section 11.1.1 | Low |
| BMS/PDU/cooling on isolated OT segment | BMS on IT management VLAN | IEC 62443 SL2 OT zone with SNMPv3 and TLS 1.3 | High |
| CCTV with tamper alerting and badge integration | Standalone DVR, no event tagging | Badge-tagged video events, automated tamper alerts | Medium |
| Generator and UPS load-tested with documented results | Manual test, no formal corrective action log | Documented load test with deficiency log and closure dates | Low |
| BIA scoping physical utility failure scenarios | IT-only scope covering server and network failures | Physical scenarios (power, cooling, connectivity) per Section 4.1.3 | Low |
| Access register reviewed at defined intervals | Ad hoc reviews, no documented schedule | Periodic review on defined cycle with sign-off record per Section 11.2.3 | Low |
Frequently Asked Questions
Does Article 8’s 1-hour threshold apply to private data centres, not just colocation providers?
Article 8 of CIR 2024/2690 applies specifically to “data centre service providers” as classified under NIS2. An organisation running a private server room for its own use is not a data centre service provider under the directive’s definition. It must still notify its competent authority of significant incidents under NIS2 Article 23, but the applicable threshold will be assessed against the general Article 23 criteria and any sector-specific guidance from its national competent authority rather than CIR Article 8 directly.
Does CIR 2024/2690 specify a CCTV footage retention period?
No. CIR 2024/2690 does not set a fixed retention period for CCTV footage. The access logging and monitoring obligations in Section 13 and the log management requirements in Section 3.2 require retention, but the duration is determined by your organisation’s risk assessment and any national guidance from your competent authority. The 30-day (PC3 areas) and 90-day (PC4 areas) figures referenced in this article derive from EN 50600-2-5, the European data centre security standard — they reflect established practitioner consensus rather than a binding regulatory figure. Some member states have issued national guidance specifying minimum retention periods; confirm with your competent authority.
Is fire suppression infrastructure covered by Section 13?
Yes. Section 13 addresses environmental threats including fire. Fire suppression systems, smoke detection infrastructure, and associated monitoring must be documented in your Physical & Environmental Security Policy and tested at regular intervals with results recorded. A suppression system that has not been tested or that lacks a documented maintenance record is a Section 13 compliance gap.
Does CIR require a third-party physical security audit?
CIR 2024/2690 Section 2.3 requires an “independent review of information and network security” at regular intervals. For data centre operators, this review should assess physical security controls as part of the overall programme. The regulation does not mandate a standalone independent physical security audit by name, but a Section 2.3 review that omits the Section 13 control domain would be materially incomplete against the regulation’s own requirements.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- Article 21 — Cybersecurity Risk-Management Measures, NIS2 Directive (EU) 2022/2555, nis-2-directive.com
- CIR 2024/2690 Annex 1: Technical and Methodological Requirements, Springlex
- Article 8: Significant Incidents for Data Centre Service Providers, Advisera
- NIS2 CIR 2024/2690: Cybersecurity Requirements for Digital Infrastructure, Advisera
- Data Centre Physical Security Controls, ModulEdge
- ENISA NIS2 Technical Implementation Guidance Summary, nis-2-templates.com
- NIS2 Documents Required List — CIR 2024/2690, nisd2.eu
- NIS2 Implementing Act (EU) 2024/2690: NIS2 / ISO 27001 Mapping, OpenKritis
