by HID Global, Steven Commander

In your access control system, where does encryption happen? At the reader mounted on an exterior wall, or at a controller in a secured, interior location?

Typically, readers handle encryption — they decrypt credentials locally and send access decisions to controllers. But a different model has entered the conversation, at least in Europe: transparent architecture. 

What Is Transparent Architecture?

“Transparent architecture” sounds like it could mean many things. Transparent to whom? About what?

The term describes an approach where readers become “transparent” to cryptographic operations. Instead of handling encryption themselves, readers capture credential data and pass it to more centrally located controllers to handle the cryptographic work.

Why Is Transparent Architecture Becoming More Prevalent in Europe?

This architectural shift is driven by regulatory frameworks, particularly in high-security environments.

France’s ANSSI Certification de Sécurité de Premier Niveau (CSPN) certification requires transparent architecture for certain facilities. Government buildings, critical infrastructure and operators of vital importance must demonstrate that cryptographic operations occur in physically secured locations, not at exposed perimeter readers. 

The approach is spreading. Similar frameworks are under consideration in Germany and the Nordic countries. The concern is consistent across these discussions: readers mounted on exterior walls, in parking structures or at building perimeters are more vulnerable to physical tampering than equipment housed in controlled server rooms.

To be clear, transparent architecture isn’t replacing traditional access control universally. Most commercial buildings, corporate offices, educational institutions and healthcare facilities will continue using reader-level encryption successfully. Transparent architecture addresses specific regulatory requirements for specific environments.

How Does Transparent Architecture Differ From Other Approaches?

Access control systems can employ a variety of architectural approaches, but reader-level encryption is quite common. Here’s how that typically works:

  1. Someone presents a credential (card or mobile device) to a reader.
  2. The reader decrypts the credential data using keys stored locally. (Best practice is to store the keys inside an EAL-certified secure element, but not all manufacturers do this.)
  3. The reader sends the decrypted credential data to the controller. This can be done in the clear using Wiegand or unencrypted RS-485 communication, but it is highly recommended to use OSDP with encrypted communication. In that case, the reader encrypts the credential data before sending it.
  4. The controller receives the data and decides whether to deny entry or unlock the door.

The reader is essentially a small computer with its own processing power, memory and secure storage of encryption keys. Solutions using this architecture — including smart card systems with secure channel communication — provide strong protection when properly implemented. The model is proven, widely deployed and trusted across countless doors globally.

Transparent architecture relocates the cryptographic operations away from the reader.

Here’s how this might look:

  1. Someone presents a credential to a reader
  2. The reader captures the credential data and passes it through without any cryptographic processing
  3. The data travels to a controller or gateway located in a physically secured area
  4. The controller/gateway decrypts the credential
  5. If a gateway is used, it sends the credential to the controller
  6. The controller validates it and makes the access decision
  7. The door is unlocked or remains closed, as appropriate

The reader stores no encryption keys. It performs no decryption. From a security operations standpoint, the reader is transparent — you can essentially “see through” it to the secured location where the actual cryptographic work happens.
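To make the difference between the two step lists above concrete, here is an added Python simulation of both data paths. It is not HID's code and not a real card, OSDP or ANSSI implementation: the credential key, link key and access list are constructed for the example, an HMAC-based encrypt-then-MAC construction stands in for the AES that real credentials and secure channels use, and the names ReaderCentric, Transparent, seal, unseal and present_card are inventions of this example. The point it isolates is where key material has to reside: the reader-centric model needs both the credential key and the link key at the door, while the transparent reader holds no keys and forwards data it cannot interpret.

```python
import hashlib
import hmac
import os

# Constructed keys for this simulation only (not real card, OSDP or HID key material).
CARD_KEY = hashlib.sha256(b"constructed credential key").digest()
LINK_KEY = hashlib.sha256(b"constructed reader-to-controller link key").digest()
AUTHORIZED = {b"CARD-0001", b"CARD-0002"}  # constructed access list held by the controller


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys so one key is never used for both."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; a stand-in for the AES real devices use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 12-byte nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any modification."""
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential data failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ReaderCentric:
    """Reader-level model: the reader at the door holds the credential key and the link key."""
    keys_on_reader = ("card", "link")

    def reader(self, card_blob: bytes) -> bytes:
        credential = unseal(CARD_KEY, card_blob)   # decrypted at the perimeter
        return seal(LINK_KEY, credential)          # re-encrypted for the OSDP-style link

    def gateway(self, wire: bytes) -> bytes:
        return wire                                # no gateway in this model

    def controller(self, wire: bytes) -> bool:
        return unseal(LINK_KEY, wire) in AUTHORIZED


class Transparent:
    """Transparent model: the reader holds no keys; decryption happens in the secured area."""
    keys_on_reader = ()

    def __init__(self, with_gateway: bool = False):
        self.with_gateway = with_gateway
        # With a gateway, the controller only ever sees link-encrypted data.
        self.controller_key = LINK_KEY if with_gateway else CARD_KEY

    def reader(self, card_blob: bytes) -> bytes:
        return card_blob                           # pass-through, no cryptographic processing

    def gateway(self, wire: bytes) -> bytes:
        if not self.with_gateway:
            return wire
        # Gateway in the secured area decrypts the credential and forwards it to the
        # controller over a separately keyed link.
        return seal(LINK_KEY, unseal(CARD_KEY, wire))

    def controller(self, wire: bytes) -> bool:
        return unseal(self.controller_key, wire) in AUTHORIZED


def present_card(model, credential: bytes, corrupt_in_transit: bool = False) -> bool:
    """Run one door transaction end to end and return the access decision."""
    card_blob = seal(CARD_KEY, credential)         # what the credential hands the reader
    wire = model.reader(card_blob)
    if corrupt_in_transit:                         # a flipped byte must be rejected, not granted
        wire = wire[:-1] + bytes([wire[-1] ^ 0x01])
    try:
        return model.controller(model.gateway(wire))
    except ValueError:
        return False


if __name__ == "__main__":
    for model in (ReaderCentric(), Transparent(), Transparent(with_gateway=True)):
        name = type(model).__name__
        print(name, "keys stored in reader:", model.keys_on_reader or "none")
        print(name, "known card:", present_card(model, b"CARD-0001"))
        print(name, "unknown card:", present_card(model, b"CARD-9999"))
        print(name, "corrupted data:", present_card(model, b"CARD-0001", corrupt_in_transit=True))
```

Both models reach the same access decision for the same card, which is the point: moving the cryptography changes the exposure of keys, not the outcome. Inspecting keys_on_reader shows what a reader removed from an exterior wall would carry in each model, and the corrupted-transit case shows that in every path a modified message fails the authentication tag and is denied rather than granted.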

France’s Agence nationale de la sécurité des systèmes d’information (ANSSI) describes these as “transparent” readers in their certification requirements. They have physical protections and communicate securely, but they don’t participate in cryptographic processes themselves.

When Transparent Architecture Matters

Transparent architecture addresses specific regulatory mandates, not universal security needs. Organizations typically deploy it selectively — at high-risk entry points, government facility perimeters or critical infrastructure access points — while maintaining reader-level encryption elsewhere.

Novel solutions like HID's M1 Transparent Gateway sit between existing OSDP controllers and readers, centralizing cryptographic operations without full system replacement. Organizations can upgrade door-by-door based on compliance needs and security priorities.

As European regulations evolve, understanding the basics of controller-centric and reader-centric encryption architecture will help you navigate both current mandates and future requirements.