ISPS made port security a legal duty. For the Port Facility Security Officer, it's a daily one.

Every person on site — employees and subcontractors alike — has to be verified, cleared and accounted for, under ISPS and a widening set of rules around it.

We at Inphiz have just come back from day two at Breakbulk, and we left with something more valuable than great meetings: confirmation. We're encouraged to see Swedish ports already thinking this way — toward making compliance digital, traceable and auditable. We went to test an idea — that the hard part of port compliance isn't the cargo or the systems, it's the people moving through the facility every day, employees and subcontractors alike. Conversation after conversation, the same thing happened. Heads nodded. Stories came out. And almost every port we spoke to wanted to know the same thing: how do you actually do this?

So it feels like something has started. ISPS and compliance — usually the part of the operation nobody wants to talk about — turned out to be exactly what people wanted to talk about. This article is our attempt to put words to what we heard.

A shared challenge, not a local one

Inphiz in conversation at a port stand during Breakbulk Conversation after conversation, the same gap came up.

Breakbulk confirmed what we'd already begun to see. Over recent months we've been in conversation with port associations and authorities across France, Spain, Italy and Portugal, and the picture is strikingly consistent. The same gap turns up everywhere: securing and proving compliance for the people who move through a facility — employees and subcontractors — under ISPS and a widening set of rules around it.

Inphiz with French port representatives at a map of France's ports Talking it through with French ports — HAROPA, Ports de Lille, MedLink and more.

It isn't a problem any single operator, or any single country, solves alone. The conclusion we keep arriving at, and increasingly share with the people we talk to, is that this has to be worked on together: common ground on how ports onboard, verify and trace the workforce that keeps them running.

Inphiz with an Italian port and logistics contact, Port of Taranto backdrop The same challenge in Italy — port after port, country after country.

One thing stands out. UK ports are ahead in the thinking — further along in treating this as an operational, provable discipline rather than a once-a-year audit scramble. There's a lot the rest of Europe can take from how they approach it.

Inphiz at the Port of Aberdeen stand UK ports are ahead in the thinking — here at Port of Aberdeen (est. 1136).

The bar keeps moving

A protected port facility with restricted-access signage A port is a protected facility — access is controlled, and now it must be proven.

A port never really stops. Ships arrive, subcontractors roll through the gate, cargo moves, shifts change — thousands of times a year, every year. And around all of that movement sits a growing wall of rules: the ISPS Code under SOLAS, now NIS2, and from this spring a revised ISO 14001. The expectations keep rising. What hasn't kept up is how most ports prove they meet them.

ISPS has asked port facilities to control access and keep security plans current for two decades, with facility security assessments reviewed on a regular cycle. NIS2 — in Sweden now law as the Cybersäkerhetslagen — adds tighter risk management, fast incident reporting and personal accountability at management level. ISO 14001:2026 raises the bar again on demonstrating real, measurable performance, not just documented intent.

Notice the common thread. None of these frameworks are satisfied by a policy sitting in a folder. They ask the same hard question: can you prove it? Who was cleared before they entered. Which competencies were valid that day. What instruction was sent, read and understood. What actually happened at the gate, on the quay, in the report.

For most operators, that proof still gets assembled by hand — spreadsheets, email threads, a binder pulled out the week before an audit. It works, until it doesn't.

From manual to self-governing

Here's the shift worth watching: a small but growing number of operators are no longer treating compliance as paperwork to chase. They're digitising the whole process and letting it run on its own.

The idea is simple. Set the rules up once — who needs which training, which certificate, which permit, for which task and which area — and let the system enforce them continuously. Onboarding, competence checks, instructions with read-and-understood confirmation, site access, the work itself, the offboarding when the job is done. Each step becomes a logged, verifiable event instead of a thing someone has to remember to record.

This is the part that's genuinely new: once it's configured, it becomes a self-governing framework. Access reflects real status, not last month's snapshot. Expiring certificates flag themselves. Instructions reach the right team and confirm they landed. And increasingly, AI does the watching — surfacing the gap, the lapse, the missing sign-off before it becomes a finding. The framework keeps itself honest.

Where Inphiz fits

The Inphiz dashboard showing live compliance status, renewals and AI assistant Compliance that keeps itself honest — the live operating picture in Inphiz.

This is the work Inphiz is built for — the full arc from onboarding to offloading, for employees and subcontractors alike. Every person is qualified and authorised before they start; every permit, instruction and report is captured as it happens; and the whole security framework stays traceable and audit-ready by default.

The payoff isn't only a smoother audit. When the chain of evidence is continuous, you can hand a client far stronger proof that you run compliance efficiently — and that same discipline raises the quality of the operation itself. Fewer gaps, less rework, clearer accountability. Compliance stops being the cost of doing business in a regulated industry and starts being something you can point to.

There's a bigger picture, too. That proving compliance for the workforce has stayed so manual for so long perhaps reflects how little investment has reached the field over the years. Turn that around — give the people on site the same quality of tools the office has long had — and something useful happens: the very system that proves compliance also drives productivity and efficiency, and with them, higher quality in the end.

The rules will keep tightening, and they'll keep converging across borders. The operators — and the countries — who treat that as a shared systems problem, not a local paperwork problem, are the ones who'll prove it without breaking stride. We'd rather build that together than each reinvent it alone.

Sources: IMO ISPS Code (SOLAS Chapter XI-2); EU NIS2 Directive 2022/2555, implemented in Sweden as Cybersäkerhetslagen (2025:1506), in force 15 January 2026; ISO 14001:2026, published 15 April 2026. Verify current wording against primary sources before publication.