New laws, regulations, and standards: Why System Hardening will be a must-have for your company in 2026

Companies and organizations are increasingly facing stricter IT security requirements that demand Secure Configuration or System Hardening. You can find out what these are here.

Stricter rules for greater cybersecurity

“If we don’t manage to defend ourselves and our vulnerabilities against the entire spectrum of threats in the short term, we will remain vulnerable – and sooner or later we will be wounded. So let’s not let it get that far.”

These are the words of Claudia Plattner, President of the BSI, Germany’s federal cybersecurity authority, in the report “The State of IT Security in Germany 2025.” She frames them not as a request but as an urgent call to action.

The situation is critical: cyberattacks are becoming increasingly professional, automated, and targeted. They affect start-ups, medium-sized companies, and corporations alike. The consequences include data theft, production downtime, immense costs, and company bankruptcies.

The BSI therefore demands: Protect your attack surfaces! Consistent attack surface management directly reduces the risk of compromise. IT managers must therefore establish preventive measures to significantly increase the resilience of the entire system landscape – from single-user computers and servers to IoT/OT devices.

💡 Secure Configuration, also known as System Hardening, is very effective in this regard.

System Hardening as a legal and normative obligation

Until a few years ago, System Hardening was often seen as an optional supplement to other security measures. Today, it is explicitly required in almost all relevant IT security standards and cybersecurity guidelines — and for good reason.

Various studies show that a large proportion of successful cyberattacks can be traced back to misconfigured or outdated systems. Closing these gaps significantly reduces the risk of data breaches, ransomware attacks, and the operational disruptions that usually follow.

While manual settings or individual scripts were often sufficient in the past, current regulations now require structured processes, automated tools, and demonstrable compliance. A key driver of this development is the realization that modern IT environments are too complex to be secured by human oversight alone.

Instead, current standards recommend automated hardening solutions that centrally manage configurations, detect deviations in real time, and implement corrections without manual intervention. This approach is not only more efficient but also highly auditable – a decisive advantage in light of the various tightened reporting and documentation obligations that are already in force or are yet to come.

Here we provide you with an overview of the most important regulations, directives, laws, and standards that require Secure Configuration aka System Hardening.

_________

Note: The information provided in this post is for general informational purposes only and does not constitute legal advice. For specific questions regarding the implementation of the mentioned standards, please contact a specialized law firm.

_________

ISO 27001:2022

ISO 27001 has long been the international benchmark for information security management systems (ISMS). With the 2022 revision, the Annex A control set was restructured and modernized to address today’s threat landscape.

The most significant change for hardening is that configuration management is now a control of its own (Annex A 8.9), which it was not in the 2013 edition. Organizations are expected to define, document, and implement secure standard configurations for hardware, software, services, and networks, monitor and review them regularly, and promptly correct any deviations.

Particularly relevant is the requirement for a structured and documented process for System Hardening. It is no longer sufficient to implement security measures on an ad hoc basis. Instead, System Hardening must be integrated into a continuous improvement process. In addition, ISO 27001:2022 emphasizes the importance of automated tools that help centrally manage configurations and demonstrate compliance.

🛑 Good to know: ISO 27001 is the reference framework that regulations such as NIS2, DORA, the EU AI Act, and the CRA most often point to, or are mapped against, when it comes to demonstrating appropriate security measures. Those who meet the requirements of ISO 27001 are therefore often already a big step closer to compliance with these frameworks.

These synergy effects make the standard an ideal starting point for anyone who wants to establish their IT security in a holistic and future-proof way.

NIS2

Transposition was sluggish in some countries, but the directive is now in effect. That is a good thing, because NIS2 is one of the most important pieces of cybersecurity regulation in Europe. While NIS1 primarily affected operators of critical infrastructure, NIS2 significantly expands the scope: medium-sized and large entities (50 or more employees, or an annual turnover above 10 million euros) in the sectors listed in the directive must comply with the new requirements. In Germany, the implementing act has applied since December 6, 2025, and around 30,000 companies are affected.

System Hardening is not an optional extra under NIS2 but a central pillar. The ENISA NIS2 Implementation Guide explicitly recommends using automated solutions for IT System Hardening to increase resilience against cyberattacks.

Another key aspect of NIS2 is the obligation to ensure supply chain security. All affected organizations must now make sure that their service providers and suppliers also meet the new security requirements. This demands not only technical measures but also contractual agreements and regular audits. For many organizations, this means a profound cultural shift, as IT security becomes a top management priority.

CRA

The Cyber Resilience Act (CRA) has been in force in the EU since December 2024, with its obligations phased in: manufacturers’ reporting duties for actively exploited vulnerabilities apply from September 11, 2026, and the remaining requirements from December 11, 2027. The CRA is aimed at all manufacturers of products with digital elements that can be connected to a network or the internet, including software, smart home devices, industrial control systems, routers, and smartphones.

The aim of the CRA is to make digital products more resilient to cyberattacks from the outset and to better protect consumers and businesses. The Cyber Resilience Act therefore requires manufacturers to develop their products according to the “secure by default” principle. This includes a secure default configuration, minimizing attack surfaces, and providing regular security updates throughout the entire lifecycle.

Manufacturers must document in detail how they ensure the security of their products. This includes risk analyses, security concepts, and a complete list of all software components used (SBOM). Anyone who violates these rules faces severe consequences: in addition to heavy fines, unsafe products may be taken off the market and no longer allowed to be sold.

DORA

While NIS2 applies across industries, the Digital Operational Resilience Act (DORA) is specifically aimed at the financial sector and has applied since January 17, 2025. Its goal is to strengthen the digital operational resilience of banks, insurance companies, and other financial service providers (for example, in medical factoring). A key component is the secure configuration of ICT systems, which is exactly what System Hardening delivers.

DORA replaced BAIT (Supervisory Requirements for IT in Banks) and VAIT (Supervisory Requirements for IT in Insurance Companies). This also comes with stricter requirements. While individual solutions were often sufficient in the past, the new regulations demand standardized processes and automated tools. Those who fail to adapt risk losing the trust of supervisory authorities and facing fines.

In other words: in the financial and insurance sectors, System Hardening is now a *must*, not just a *nice-to-have*!

Digital Operational Resilience Act / EU DORA and System Hardening (Image: Freepik)

EU AI Act

The EU AI Act has been gradually introduced since 2024. It establishes comprehensive rules for the use of artificial intelligence in Europe. Even widely used tools such as Microsoft Copilot, ChatGPT, and others may be affected by the EU AI Act – especially when used in business processes classified as “high-risk.”

For high-risk AI systems, the regulation requires an appropriate level of robustness and cybersecurity (Article 15), which in practice means hardening the systems and the infrastructure they run on. Established frameworks such as ISO 27001 are a common basis for the required risk management. However, compliance with the standard alone is not enough! The AI Act imposes additional requirements, such as on data quality, transparency, and human oversight.

With this, Europe makes it clear: cybersecurity is a central pillar for the deployment of artificial intelligence. Developers, operators, and users must adhere to the new rules to avoid legal consequences.

CER

The Critical Entities Resilience Directive (CER) obliges critical entities in the EU — including companies in the energy, transport, banking, healthcare, digital infrastructure, and public administration sectors — to implement comprehensive resilience measures. These include technical and organizational precautions such as System Hardening, regular risk assessments, structured risk management, as well as the reporting and handling of security incidents.

The directive recommends the use of standards such as ISO 27001 to ensure demonstrable security management. Non-compliance may result in sanctions, up to and including the withdrawal of the operating license.

Key milestones fall in 2026: by January 17, 2026, all EU Member States had to adopt a national resilience strategy and carry out a risk assessment. By July 17, 2026, Member States must identify the critical entities within the eleven regulated sectors. The identified entities then have ten months from notification to implement and demonstrate compliance with the new requirements. The European Commission will monitor progress.

PCI DSS 4.0.1

The Payment Card Industry Data Security Standard (PCI DSS) is mandatory for all companies that store, process, or transmit credit card data. With version 4.0.1, which has been fully in effect since March 2025, the requirements have become significantly stricter—especially through “Requirement 2” (“Apply Secure Configurations to All System Components”).

Requirement 2 obliges companies to change vendor-supplied defaults (including default passwords), to enable only the services, protocols, and daemons that are actually needed, and to maintain configuration standards for all system components that are consistent with industry-accepted hardening standards such as the CIS Benchmarks. Keeping hundreds of settings per system in that state over time is realistically only possible with automated tooling that detects and corrects deviations. Failure to comply can result in contractual penalties, higher fees, or even termination of card acceptance by the card brands such as Visa or Mastercard or by the acquiring bank.

Another key focus of PCI DSS 4.0.1 is the expansion of the assessment scope. While previously only directly involved systems were often affected, companies must now include all components that interact with the Cardholder Data Environment (CDE), including network devices, cloud services, and third-party systems. This requires not only technical measures such as regular vulnerability scans and patching but also organizational adjustments, such as clear accountability and risk management processes.

eIDAS 2.0

The eIDAS 2.0 regulation (electronic Identification, Authentication and Trust Services) has been enforcing new security standards for digital identities in the EU since May 2024. It requires providers such as Trust Service Providers (TSPs) or operators of the European Digital Identity Wallet (EUDI Wallet) to harden and securely configure their systems—with cryptographic protection, tamper resistance, and regular security audits.

External interfaces and authentication processes are particularly critical and must be secured against attacks. Certification against a recognized ISMS standard such as ISO 27001 is the usual way to demonstrate this.

The EUDI Wallet will be gradually introduced in 2026. Public authorities as well as large online platforms must offer it as a login option. Companies using digital identity solutions must adapt.

Security measures such as System Hardening in the automotive industry (Image: Freepik)

TISAX

In the automotive industry, TISAX (Trusted Information Security Assessment Exchange) is the leading standard for information security. Based on the VDA ISA catalog (version 6), TISAX requires companies to secure their IT systems along the lines of ISO 27001, with a particular focus on secure configurations, cloud security, and prototype protection.

A central aspect of TISAX is the regular review of security measures through assessments (Assessment Level 1 is a self-assessment; Levels 2 and 3 are carried out by accredited audit providers). Companies must therefore regularly demonstrate that they use hardened standard configurations, can detect unauthorized changes, and promptly address vulnerabilities.

Particularly relevant is the requirement for documented and verifiable implementation — a point that poses a special challenge in the automotive industry given the complex supply chains and international collaboration.

GDPR

The European General Data Protection Regulation (GDPR), in effect since 2018, is expected to be enforced more strictly by supervisory authorities in 2026, for example regarding liability in the event of data breaches. The basis is Article 32, which requires companies to implement technical and organizational measures (TOMs) that ensure the confidentiality, integrity, and availability of personal data.

This includes securing the IT infrastructure, to which System Hardening makes an effective contribution. Here too, implementation must be documented and verifiable, a point that is gaining importance in audits and in dealings with data protection authorities.

Another key aspect of the GDPR is the obligation to oversee processors (Article 28): companies must ensure that their service providers and suppliers also meet high security standards. Failure to comply risks not only fines of up to 20 million euros or 4% of global annual turnover, whichever is higher, but also the loss of trust from customers and business partners.

WLA-SCS

In the lottery and sports betting industry, the World Lottery Association Security Control Standard (WLA-SCS) serves as the essential security foundation. Since April 2025, version 2024 has been in effect, defining System Hardening (“Lottery Hardening”) as a central requirement. Companies must demonstrate that they secure their IT systems according to the principles of ISO 27001 — with a particular focus on secure configurations and regular reviews.

A key point: the annual re-certification, which ensures that security measures are continuously adapted and improved. Failure to meet these deadlines risks not only the loss of licenses but also exclusion from tenders and partnerships.

Here too, implementation must be documented and verifiable, which is demanding in the lottery industry given the high requirements for integrity and confidentiality. Those who fail to comply risk not only fines but also the loss of trust from customers and regulators.

The common message: System Hardening is no longer optional!

The analysis of current and upcoming IT security regulations shows a clear pattern: the goal of significantly reducing attack surfaces is firmly embedded in all relevant standards, norms, guidelines, laws, and regulations. Configuration management or secure configuration is often explicitly mentioned, or the regulations refer to ISO 27001, in which System Hardening is a core element.

The requirements to harden applications and operating systems are no longer recommendations but binding obligations. Non-compliance can result in heavy fines or market bans. And if a compromise occurs because systems were not properly secured, it leads to data leaks and operational disruptions. The costs of a cyber incident can reach millions — or even result in insolvency.

For companies, this means there is tremendous pressure to act. Anyone developing digital products, deploying AI systems, managing digital identities, or operating critical infrastructures must demonstrate hardened systems by 2026.

How to successfully implement System Hardening in 2026

Implementing comprehensive and professional System Hardening is not a one-time project you can complete and forget. Instead, it requires a continuous process encompassing technical, organizational, and procedural measures.

🔻 The first step is a comprehensive analysis of the current IT infrastructure, for example through a Hardening Audit. Companies should not only focus on their own systems but also those of their service providers and suppliers, since many new regulatory requirements demand a holistic view of the supply chain.

🔻 The next step is to design a tailored hardening strategy. Decision-makers can choose between different approaches such as Layered, Rapid, or Lifecycle Hardening. The latter is perfectly suited for a Windows 11 rollout project.

🔻 If you aim to meet strict regulations, you will face several challenges. Each system requires hundreds of parameters to be set in accordance with established standards such as the CIS Benchmarks, and then kept in that state as software updates, administrators, and attackers change settings over time. Manual configuration is therefore generally not feasible in terms of time, and manual re-verification even less so.
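To make the audit and drift-detection steps above concrete, here is an added example (not code from the original post, from FB Pro, or from the Enforce Administrator) of what the core of an automated hardening check does: it parses captured sshd and sysctl settings, compares them with a baseline, reports each deviation, and emits the lines needed to remediate it. The same mechanism is what the PCI DSS Requirement 2 passage above asks for when it speaks of configuration standards consistent with industry-accepted hardening standards. The control names and expected values in BASELINE are typical hardening settings assumed for illustration, not quotations from a specific CIS Benchmark, and both sample captures are constructed.

```python
"""Added example: a minimal configuration-drift check against a hardening baseline.

Parses captured sshd and sysctl settings, compares them with an assumed
baseline, and returns findings plus the lines needed to remediate deviations.
Sample inputs are constructed; control names and expected values are typical
hardening settings, not quotations from a specific benchmark.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    control: str   # descriptive control name (assumed wording)
    source: str    # "sshd" or "sysctl"
    key: str       # setting name as it appears in the captured output
    expected: str  # value the baseline requires


# Assumed baseline: verify keys and values against the benchmark you follow.
BASELINE = (
    Check("SSH root login disabled", "sshd", "PermitRootLogin", "no"),
    Check("SSH password authentication disabled", "sshd", "PasswordAuthentication", "no"),
    Check("SSH X11 forwarding disabled", "sshd", "X11Forwarding", "no"),
    Check("IPv4 forwarding disabled", "sysctl", "net.ipv4.ip_forward", "0"),
    Check("ASLR fully enabled", "sysctl", "kernel.randomize_va_space", "2"),
)


def parse_sshd(text: str) -> dict[str, str]:
    """Parse sshd_config (or `sshd -T` output) into {lowercased keyword: value}.

    sshd applies the FIRST occurrence of a keyword, so a 'fix' appended later in
    the file changes nothing; setdefault() mirrors that rule. Directives after a
    Match line are conditional and are not treated as global settings.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def parse_sysctl(text: str) -> dict[str, str]:
    """Parse `sysctl -a` style 'key = value' lines into a dict."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def evaluate(baseline, sshd: dict[str, str], sysctl: dict[str, str]) -> list[dict]:
    """Compare captured settings with the baseline; one finding per check."""
    findings = []
    for chk in baseline:
        actual = sshd.get(chk.key.lower()) if chk.source == "sshd" else sysctl.get(chk.key)
        if actual is None:
            status = "UNSET"   # built-in default applies; baseline wants an explicit value
        elif actual.lower() == chk.expected.lower():
            status = "PASS"
        else:
            status = "FAIL"
        findings.append({"control": chk.control, "source": chk.source, "key": chk.key,
                         "expected": chk.expected, "actual": actual, "status": status})
    return findings


def remediation(findings: list[dict]) -> list[str]:
    """Config lines that bring every non-PASS finding into line with the baseline."""
    lines = []
    for f in findings:
        if f["status"] == "PASS":
            continue
        if f["source"] == "sshd":
            lines.append(f"{f['key']} {f['expected']}")      # place BEFORE any Include/Match
        else:
            lines.append(f"{f['key']} = {f['expected']}")    # e.g. a file in /etc/sysctl.d/
    return lines


def report(findings: list[dict]) -> str:
    """Plain-text compliance summary usable as audit evidence."""
    rows = [f"{'STATUS':<6} {'CONTROL':<40} {'ACTUAL':<8} EXPECTED"]
    for f in findings:
        rows.append(f"{f['status']:<6} {f['control']:<40} {str(f['actual']):<8} {f['expected']}")
    passed = sum(f["status"] == "PASS" for f in findings)
    rows.append(f"{passed}/{len(findings)} controls compliant")
    return "\n".join(rows)


# Constructed sample captures (not from a real host).
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
X11Forwarding no
PermitRootLogin no   # ineffective: sshd already took the first value above
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
"""


def run_sample() -> list[dict]:
    return evaluate(BASELINE, parse_sshd(SAMPLE_SSHD_CONFIG), parse_sysctl(SAMPLE_SYSCTL))


if __name__ == "__main__":
    results = run_sample()
    print(report(results))
    print("\nRemediation:\n" + "\n".join(remediation(results)))
```

On a real host, feed the check with `sshd -T` output rather than the raw file, because `sshd -T` resolves Include directives and built-in defaults and shows the configuration the daemon actually enforces; the sample deliberately contains the classic trap of a later "PermitRootLogin no" that never takes effect because sshd uses the first value it reads. A check like this only detects drift and produces evidence; closing the loop with enforcement and retained reports is the part that the regulations listed above increasingly expect.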

That’s why the Enforce Administrator is a very good solution

Many companies still rely on Group Policies (GPOs) for System Hardening. However, given today’s requirements, GPOs quickly reach their limits. Modern IT regulations demand more flexibility, automation, and verifiable compliance. These requirements cannot be satisfactorily implemented through manual measures.

The solution: automation. With Enforce Administrator, FB Pro offers a proven solution that allows thousands of systems to be hardened centrally, consistently, and with minimal staffing effort. Using this hardening tool, you can perform automated System Hardening based on established standards — including the latest recommendations from BSI, CIS, DISA, ACSC, and Microsoft.

With the Enforce Administrator, you can harden various applications and operating systems almost at the push of a button. For example, it’s possible to perform both Windows Server Hardening and Linux Hardening. In addition, you can meet required audit obligations by generating a recognized hardening report with the Enforce Administrator.

⏬ Download: Enforce Administrator Product Brochure (PDF)

Conclusion

The time for mere reaction is over! Modern IT regulations such as NIS2, DORA, or CER demand proactive security — and for good reason: cyberattacks are on the rise and becoming increasingly sophisticated.

Therefore, allocate your IT budget where it truly matters: in preventing vulnerabilities and reducing attack surfaces — not just in detecting them!

Take your IT security to a new, decisive level this year! Our Secure Configuration experts are happy to support you in designing and implementing effective System Hardening.

💬 Contact us now!

Images: Freepik, FB Pro
