Skip to content
Tertiary access control: badges, biometrics, integrated BMS — KYTOM
Team Works

Tertiary access control: badges, biometrics, integrated BMS

Are you weighing biometrics against badges for your next floor plate, with the quote difference reaching 1500 euros excl. VAT per door? On the majority of tertiary sites we deliver, the DESFire EV2 badge combined with a PIN code covers real needs for 800 to 1200 euros excl. VAT per door, versus 1800 to 2500 euros excl. VAT for centralised biometrics, a significant gap to weigh against your required security level. The CNIL deliberation 2019-001 in fact reserves biometrics without consent for enhanced-security zones, never for open-plan entrance doors.

Our low-voltage systems team has handled the entire package since 2006: flow audit, technology arbitration, pre-wiring, Active Directory integration via LDAP/SCIM, BMS connection in OPC UA or BACnet, fire safety system slaving, acceptance testing across 50 scenarios. On a 5000 m² building hosting 250 to 350 employees, we orchestrate 15 to 25 controlled doors in 12 weeks, compliant with the CNIL standard regulation.

Here is how we structure the decision for your CIOs, CISOs and CFOs.

01
the framework

15 to 25 doors to size, three functions to articulate

On a 5000 m² floor plate hosting 250 to 350 employees, your system orchestrates three inseparable functions: authentication (who enters), authorisation (where and when), traceability (timestamped history usable in case of incident). This generally represents 15 to 25 controlled doors on this type of floor plate, distributed according to usage zones.

Zone Readers
Main entrance and lobby turnstiles 2 to 4
Floor landings and lift airlocks 5 to 10
Sensitive zones (server room, archives, HR, management) 6 to 10
Technical rooms and logistics access 2 to 3

Article R.4227-5 of the Labour Code conditions positioning: a single emergency staircase of 1.40 to 1.50 m allows a maximum of 100 people per floor, which structures flows and fire safety system slaving. We establish the zone mapping (public, semi-public, restricted, sensitive) before any technical choice, and trigger the prior GDPR impact assessment in accordance with the CNIL standard regulation (deliberation 2019-001).

When your project does not fall under this approach: below 6 to 8 doors on a single floor plate with fewer than 40 employees, a simple standalone electronic cylinder suffices and investing in a centralised system is generally not justified. Conversely, centralised biometrics only becomes relevant from 50 genuinely sensitive doors onward: below that, neither the DPIA complexity nor the licence cost is amortised.

02
CIO architecture

IP architecture, IS integration and documented support arbitration

Our controller integrates 50 to 5000 doors depending on the size of the estate, in IP TCP/IP architecture over LAN or RS485 bus below 20 doors. We activate active-active redundancy beyond 500 doors, a recommended configuration on multi-site estates to guarantee service continuity. BMS integration goes through OPC UA or BACnet depending on the building’s reference standards, directory integration through LDAP or SCIM, and conditions the quality of HR provisioning: automatic creation and revocation on staff movements.

Architecture Door volume Topology IS integration
Single-site up to 50 single controller direct LDAP
Federated multi-site 50 to 500 distributed controllers + supervision LDAP/SCIM + OPC UA
Extended estate beyond 500 redundant private cloud SCIM + BACnet + SIEM
Sensitive site any volume isolated architecture dedicated directory

On the support side, the Mifare DESFire EV2 RFID badge remains our reference with AES 128-bit encryption, for 8 to 12 euros excl. VAT per badge. The NFC mobile badge on smartphone removes physical logistics. Wall readers represent 150 to 600 euros excl. VAT each, powered at 12V or 24V from shared enclosures.

Our reading, at odds with the integrator orthodoxy: morphological biometrics (fingerprint, vein pattern) are not justified in standard tertiary zones. The CNIL only admits biometrics without individual consent for premises whose nature of activities or stored information requires enhanced security (deliberation 2019-001). On open spaces or meeting rooms, the DESFire EV2 badge combined with a PIN code covers the vast majority of real tertiary access control needs. Going further exposes your CIO to a non-amortisable DPIA risk.

03
your gains

24 to 36 month ROI and usable data for your departments

Your operation produces three measurable benefits that structure a return on investment generally observed between 24 and 36 months, factoring in energy savings, the reduction in losses and the administrator time freed up.

  • Administrative productivity and HR-CIO SLA: you reduce the time spent on badge management (creation, revocation, loans) thanks to the digital workflow connected to the HR directory via SCIM, with a target revocation cycle of under 4 hours on employee departure (common CISO objective).
  • GDPR compliance and auditability: traceability through timestamped logs retained for 3 months as standard or 12 months for justified sensitive zones, usable in case of incident or labour dispute, in accordance with the CNIL standard regulation (deliberation 2019-001).
  • Property optimisation and tertiary decree: counting data per zone usable for reporting and adjusting HVAC setpoints during low-occupancy periods, a direct lever on your Tertiary Energy Efficiency trajectory.
04
Method
  1. Flow audit and DPIA
    We map your zones (public, semi-public, restricted, sensitive), inventory user profiles (permanent staff, fixed-term staff, contractors, visitors) and conduct the prior GDPR impact assessment in accordance with the CNIL standard regulation (deliberation 2019-001). Duration: 2 weeks. Deliverable: zone mapping, DPIA, flow scenarios validated by your CISO.
  2. Technology arbitration
    We compare 3 to 4 manufacturers on protocol openness (OPC UA, BACnet, REST), vendor longevity and total cost of ownership over 7 years. Duration: 1 week. Deliverable: costed decision matrix, reasoned recommendation of DESFire EV2 badge or biometrics depending on the threshold of 50 sensitive doors.
  3. Pre-wiring integrated into the low-voltage package
    We integrate pre-wiring into the low-voltage systems package: one power supply per group of 4 to 6 doors, VDI pathways sized at +30% reserve. Duration: 3 weeks. Deliverable: execution drawings coordinated with the electrical, HVAC and partition packages.
  4. Installation, configuration and IS integration
    We install the readers, integrate Active Directory via LDAP/SCIM, configure fire safety system slaving on fire doors and run the switchover tests. Duration: 4 weeks. Deliverable: operational system, automated HR provisioning, validated fire safety system slaving.
  5. Acceptance and administrator training
    We conduct acceptance testing across 50 standard scenarios and train your administrators over two 3-hour sessions. Duration: 2 weeks. Deliverable: complete as-built documentation, operating procedures, CIO team autonomous on daily management.
05 — Inspirations

Browse our
projects

Explore Explore

Planning a fit-out project?

Get a complimentary audit of your spaces: an expert eye, concrete recommendations, no commitment.

Request my free audit