Skip to content
Access control panels: architectures and integration — KYTOM
Team Works

Access control panels: architectures and integration

IP or RS485: the tipping point is at 50 doors

The access control panel is not a security device: it is an IT infrastructure asset governed by GDPR article 5 and integrated with LDAP, not by security doctrine. This reframing changes everything: a redundant architecture drastically reduces availability risks compared to a single-server solution, with a direct impact on business continuity. A panel manages 50 to 5000 doors via IP (TCP/IP over a segmented VLAN) or an RS485 bus (32 readers per loop, 1200 m, TIA-485-A). Kytom has been active since 2006, sizes 8 to 12 readers per standard floor plate and integrates OPC UA or BACnet/IP for the BMS. The budget represents 3 to 7% of fit-out works, structured across three layers: physical controllers, logical panels, IT integration.

Access control panels: architectures and integration
02

Two families of architectures structure the office access control market. The RS485 bus is capped at 32 readers per loop over 1200 m (TIA-485-A specification), in single-site topology, with cabling costs significantly lower than an IP architecture, a notable economic advantage on small perimeters. It remains relevant for branches of fewer than 20 doors: single panel, MIFARE DESFire EV2 readers, centralised 12 or 24 V power supply. The IP architecture supports 5000+ doors across multiple sites, OM4 distances up to 150 m and OS2 over kilometres between buildings (ISO/IEC 11801-1 standard), with native integration (REST API, LDAP).

Contrary to the dominant discourse of security integrators, IP is not always the right answer. Our experience on sites that have moved from RS485 to IP is more nuanced: IP becomes essential from 50 doors onwards for remote supervision, centralised firmware updates and native redundancy, below that, the return on investment is not guaranteed. GDPR article 5 compliance limits log retention to 3 months without documented justification (CNIL, Guide pratique contrôle d’accès et vidéoprotection, updated 2023).

When IP is not the right answer: below 20 doors on a single-building site with no planned extension, IP generates an infrastructure surcharge (dedicated PoE+ switches, VLAN, supervision) that does not pay off before 5 to 6 years. RS485 then remains more cost-effective. Likewise, for remote branches with low bandwidth (< 10 Mbps stable), a centralised IP panel not backed by a local degraded mode degrades the user experience in the event of a WAN outage: prefer a standalone local panel with periodic synchronisation.

Access control panels: architectures and integration
03

4 Kytom scalability tiers, from the 50-door branch to the 5000-door cluster

The Kytom sizing grid is structured into four progressive tiers, drawn from our field experience on a variety of deployments:

  1. Tier 1 (1 to 50 doors): single panel on an RS485 bus, MIFARE DESFire EV2 readers, centralised 12/24 V power supply. Target: single-site branches.
  2. Tier 2 (50 to 500 doors): IP architecture with remote controllers per floor, dedicated PoE+ switches, single supervision server. Target: SME headquarters.
  3. Tier 3 (500 to 2000 doors): active/passive panel redundancy, replicated database, LDAP/Active Directory integration for automatic badge synchronisation. Target: mid-sized multi-site companies.
  4. Tier 4 (2000 to 5000 doors): server cluster, multi-site supervision with geographic failover, REST API for business applications. Target: large groups.

For the IT director: BMS integration is the real architectural challenge, not the choice of reader. OPC UA (TLS encryption, object-oriented model, OPC Foundation UA Part 2 Security Model specification) or BACnet/IP (ASHRAE 135-2020 standard) determine the ability to unify access control, HVAC BMS and energy supervision under a single auditable console. The BACnet/IP compatibility rate across the office BMS estate that Kytom encounters in operation is largely high, covering the vast majority of audited sites. Deploying a tier 2 takes 12 weeks: flow audit, dedicated structured cabling, configuration of logical zones, training of administrators on the client side. On the SLA side, contractually requiring an MTTR 50,000 h on the controllers constitutes the minimum auditable level for an IT department.

When the 4-tier segmentation does not apply: for sites with strong seasonality or mixed uses (coworking, third places, university campuses) with more than 30% visitor badges, the tier logic based on the number of doors becomes secondary. Sizing must then start from the volume of badges active simultaneously (peak hour) and the revocation frequency, not the number of doors. An 80-door site with 4000 visitor badges per month requires a tier 3 server capacity.

Access control panels: architectures and integration
04

Electrical continuity and GDPR compliance: what the IT department must require from 200 doors onwards

Access control availability depends directly on power supply and network segmentation. Three sizing rules apply on sites with more than 200 doors:

  • Dedicated UPS as standard for the panel and the controllers, 10 to 30 minutes of autonomy depending on criticality.
  • VLAN segmented from the office VLAN, with strict firewall rules: 3 typical TCP ports for supervision, logging enabled (ANSSI recommendation Guide hygiène informatique, rule 22).
  • Fibre cabling OM4 multimode up to 150 m, OS2 single-mode for distances between buildings (ISO/IEC 11801-1 standard).

For the IT department and the DPO: access control is personal data within the meaning of GDPR article 4, not a technical log. This qualification requires a record of processing activities (article 30), an impact assessment if the data is cross-referenced with video surveillance, and controlled retention (3 months without documented justification according to CNIL decisions). LDAP/Active Directory synchronisation automates badge creation on hiring and revocation in under 15 minutes on departure, a key compliance point: without this automation, the manual revocation delay observed in our audits frequently exceeds several days, i.e. a documented post-departure access risk.

On the operations side, centralised access control helps to significantly reduce physical security incidents in the first months following deployment, with second-level timestamping on sensitive accesses. An Office Manager can manage all employees from a single console, greatly reducing the administrative workload compared to door-by-door management.

When a dedicated UPS is not justified: below 200 doors on a single-building site connected to a building UPS of sufficient capacity (> 30 minutes of verified autonomy), a dedicated access control UPS may represent a surcharge that is difficult to pay off, to be assessed on a case-by-case basis.

05

Frequently asked questions

From how many doors should you switch from RS485 to an IP architecture?

The tipping point is around 50 doors. Below that, RS485 remains cost-effective thanks to significantly lower cabling costs. Beyond that, IP becomes essential for remote supervision, centralised firmware updates and native redundancy, with a surcharge paid off in 24 to 36 months. Exception: single-building sites of fewer than 20 doors with no planned extension, where RS485 remains more relevant.

05 — Inspirations

Browse our
projects

Explore Explore

Planning a fit-out project?

Get a complimentary audit of your spaces: an expert eye, concrete recommendations, no commitment.

Request my free audit