Skip to content
Tertiary enterprise Wi-Fi — KYTOM
Team Works

Tertiary enterprise Wi-Fi

Technical and regulatory framework: Wi-Fi 6, GDPR, ANSSI

Enterprise Wi-Fi is no longer an infrastructure topic: it is a GDPR asset and an OPEX line item at 18-35 EUR/m². Over 850 m² of office space, sizing typically results in 6 to 8 Wi-Fi 6 access points and a minimum coverage of -65 dBm in work areas. Wireless today concentrates the majority of professional data traffic on mid-sized tertiary sites, with each employee mobilising several devices simultaneously, a reality that demands rigorous radio sizing from the design phase onward. Kytom has been deploying these architectures since 2006, predictive radio audit included and signed acceptance. The following details the 5-phase method over 12 weeks, the quantified ratios, the regulatory framework and the key points of attention for IT departments.

Tertiary enterprise Wi-Fi
02

The framework rests on three inseparable operational requirements: density, security, continuity. The Wi-Fi 6 standard (802.11ax) doubles capacity per access point thanks to OFDMA and lowers latency below 10 ms, the threshold required for common video-conferencing tools without perceptible degradation.

Three legal frameworks structure IT department trade-offs:

  • GDPR: the collection of MAC addresses and connection logs falls within the scope of personal data (article 4.1), with mandatory works council (CSE) information and an up-to-date processing register. The DPO must validate the log retention period (CNIL recommendation: 6 months maximum outside specific legal obligation).
  • ANSSI recommendations: WPA3-Enterprise encryption and certificate-based 802.1X for sites with more than 30 employees, VLAN segmentation between corporate, guest and IoT.
  • Social obligations: prior consultation of the works council (CSE) as soon as a device captures presence or indoor geolocation, with a minimum one-month notice period.

Our reading differs from professional doxa on one specific point: most integrators present the guest captive portal with email collection as a marketing best practice. In practice, the majority of guest captive portals we audit collect data without solid legal basis, lacking freely given consent within the meaning of article 7 GDPR and with an unclear purpose. Our recommendation: anonymous guest portal with simple terms-of-use acceptance, or else an explicit marketing purpose with a distinct opt-in. Compliance comes before the database.

Tertiary enterprise Wi-Fi
03

Kytom’s 5-phase method over 12 weeks

The sequence is contractualised over the standard timeframe, with milestones and traced deliverables signed by the single project manager.

  1. Predictive radio audit (weeks 1-2): Ekahau or Hamina modelling on CAD plans, identification of attenuating materials. Glazed partition: -3 dB. Steel-framed plasterboard: -7 dB. Reinforced concrete: -15 dB (Ekahau manufacturer values, Material Attenuation Reference, 2023).
  2. Sizing (week 3): 1 access point per 25 to 50 users in open space, 1 per 8 to 12 in a video room, 1 dedicated to dense IoT areas.
  3. Technology choice (week 4): Wi-Fi 6 or 6E depending on the IT roadmap, cloud controller (Meraki, Aruba Central, Mist) or on-premise depending on the sovereignty policy.
  4. Deployment (weeks 5-10): category 6A copper cabling, PoE+ 30 W power supply, connection to the network core via OM4 or OS2 fibre, configuration of corporate 802.1X SSIDs, guest captive portal and VLAN-segmented IoT.
  5. Acceptance and site survey (weeks 11-12): field measurements across the entire surface, validation of a minimum of -65 dBm in work areas, signed report.

When this method is not the right one: under 200 m² or fewer than 15 employees, the Ekahau predictive audit and certificate-based 802.1X are not economically justified, because the implementation cost generally exceeds the value of the deployed equipment. A pro box with WPA3-Personal and two mesh access points are sufficient. Likewise, for a site set to relocate within 18 months, the ROI of a complete overhaul remains negative: opt instead for a rental of managed access points.

Kytom’s 11 agencies in France and Spain mobilise integrators certified by Cisco, Aruba and Ubiquiti.

Tertiary enterprise Wi-Fi
04

For the IT department: 36-month ROI, measurable SLAs and audit traceability

The Wi-Fi topic is treated as an infrastructure asset, not as a commodity. For the IT department, three indicators structure the decision: contractualised availability, application latency, access traceability for information security audits or SOC 2.

Field feedback documents stable gains after an overhaul. Network availability improves significantly, reducing the incidents and service interruptions observed on our recent projects. Average latency on video-conferencing drops from 45 ms to less than 12 ms (Meraki Dashboard controller measurements).

On the security side, activating 802.1X with certificates eliminates the circulation of shared passwords and removes the risk of unauthorised devices connecting (rogue devices). The ROI materialises on three complementary axes: an audited sizing makes it possible to reduce the number of deployed access points, intelligent PoE power management lowers the LAN’s electricity consumption, and centralised supervision significantly accelerates the resolution of network incidents. The overall payback on collaborative usage generally falls within a horizon of less than three years, depending on the site’s complexity and the level of supervised operation.

Centralised supervision (Meraki Dashboard, Aruba Central) opens the way to quantified CSR steering, integrated into the tertiary decree reports submitted to ADEME, and provides the time-stamped logs required in a security audit (control A.13.1 of the applicable framework).

Limits of the ROI calculation: these gains assume supervised operation with an IT department able to handle alerts. On a site without a dedicated IT team and without a supervision contract, the 36-month ROI does not materialise: without active governance, the infrastructure gradually drifts and the initial benefits erode.

Tertiary enterprise Wi-Fi
05

Tertiary buildings: metal false ceilings and the 6 GHz band

The building conditions performance as much as the technology. Metal false ceilings, common in the French tertiary stock, create shadow zones generally requiring one or two additional access points per floor plate. The Ekahau audit identifies these points in the predictive phase.

The 6 GHz band introduced with Wi-Fi 6E offers 1200 MHz of additional spectrum but sees its range reduced by 20 to 30% compared to 5 GHz (IEEE 802.11ax-2021 specifications), which requires increased density. For open floor plates with high digital density (laptops, DECT-IP headsets, collaborative screens), the additional equipment cost remains offset by the disappearance of channel conflicts.

Contrary to the dominant commercial discourse of manufacturers, Wi-Fi 6E is not the standard to deploy systematically in 2024-2025. On the 4 Kytom pilot sites equipped with 6E, only 2 saw real use of the 6 GHz band above 15% of traffic, due to a lack of compatible devices in the client fleet (6E penetration rate on corporate laptops below 20% at the end of 2024). For a standard site, Wi-Fi 6 (5 GHz) remains the rational choice, with 6E justified only on floor plates larger than 1500 m² with an already-renewed device fleet.

05 — Inspirations

Browse our
projects

Explore Explore

Planning a fit-out project?

Get a complimentary audit of your spaces: an expert eye, concrete recommendations, no commitment.

Request my free audit