Tips for NIS2 implementation: What does ENISA say about System Hardening?

Have you already taken a close look at NIS2? Then you should read the new guide from the European Union Agency for Cybersecurity (ENISA). It provides practical tips for implementation, and it goes into detail about one measure that you should not neglect under any circumstances: hardening your systems.

ENISA helps with NIS2 implementation

The revision of the Network and Information Security Directive, also known as NIS2, continues to make headlines. On the one hand, this is because transposition into national law by the individual EU member states is progressing slowly. On the other hand, many IT managers are unsure about what they specifically need to do to implement the directive correctly. Are you in the same position?

To facilitate implementation, the European Union Agency for Cybersecurity (ENISA) published a free guide called “NIS2 – Technical Implementation Guidance” in June 2025.

The 170-page document is intended to facilitate the handling of the NIS2 directive and its implementation. The PDF covers 13 areas of action – from “Risk Management Framework” and “Incident Handling” to “Business Continuity & Crisis Management” and “Supply Chain Security” to “Asset Management” and “Environmental & Physical Security”.

Configuration Management and System Hardening also play an important role in the guide.

The high importance of Hardening

Systems that are not configured securely, or only inadequately so, i.e. that are not “hardened,” offer a large attack surface, and attackers exploit exactly that. ENISA therefore treats hardening as an integral part of Configuration Management. Chapter 6.2 states literally:

“Consider hardening guides/best practices and general cybersecurity principles (e.g. least functionality and least privilege) as a basis for deriving the defined security configurations.”

In addition, the guide mentions “strict Configuration Hardening” in two places. This requirement is underscored by the following recommendation:

“Employ a deny-all, permit-by-exception policy to allow authorised software to run.”

👉 These statements make it clear: in ENISA's reading of the NIS2 security requirements, System Hardening is not a voluntary option but an expected control. Note that the guidance document itself is not legally binding; the obligation stems from NIS2 and its implementing acts as transposed by the member states, and the guide explains how to meet it in practice.

ENISA recommendations for System Hardening

In Chapter 6.3 and following, the European Union Agency for Cybersecurity provides numerous recommendations. These include, for example:

➡ Configuration Management planning
You must create a Configuration Management plan that defines roles, responsibilities, processes, and procedures for Configuration Management. This document must be protected from unauthorized disclosure and modification.

➡ Permitted software and services
Unauthorized software must be identified. And there should be a “deny-all, permit-by-exception” policy to run only authorized software.

➡ Automation for all systems
Use automated mechanisms to centrally manage, apply, and verify the configuration settings of your hardware and software (including mobile devices and connected vehicles).

➡ Standards and monitoring
All network, software, and system configurations must comply with established security and operating standards. You must identify, document, and approve any deviations.

➡ Implementation of alternatives
For legacy systems that cannot be fully hardened or patched, you must implement compensating measures alongside System Hardening. These include network segmentation or isolation, intrusion detection systems (IDS), and regular vulnerability scans.

➡ Regular review
All configurations must be reviewed at planned intervals, at least monthly, and updated as necessary. This applies in particular after patches, backup problems, major system changes, or significant cyber incidents.

Windows Server Checks (Image: Freepik)

Important: Automation and documentation are mandatory!

As with more and more IT regulations, laws, and standards, the NIS2 Technical Implementation Guidance expects Secure Configuration and System Hardening to follow established standards (e.g., CIS Benchmarks and DISA STIGs).

The document states:

“Employ automated mechanisms to centrally manage, apply and verify configuration settings for software and hardware, including mobile devices and the entity’s connected vehicles.”

ENISA also requires regular reviews:

“Review and, where appropriate update configurations at least monthly to ensure that patches have been applied, that the backup has been executed according to the plan and that monitoring is in place to identify and alert to fatal server/device/disk errors without delay.”

If systems are no longer state-of-the-art or there are no current patches available, ENISA recommends compensatory measures:

“If patching is not feasible, consider alternative measures such as strict configuration hardening, intrusion detection systems, regular vulnerability scanning, network segmentation or isolation …”

In addition, regular, clean documentation of the configuration is required. The objectives include:

“Documented secure baseline configuration containing at least (indicative, non-exhaustive list): essential capabilities of operation; restricted use of functions; security by default; ports, protocols and/or services allowed […] Documented and approved exceptions to the configuration baseline containing the alternative measures in place to ensure the confidentiality, availability and integrity of the CI.”
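What ENISA asks for in the two passages above, a centrally verified configuration and a documented baseline with approved exceptions, comes down to treating the baseline as data and checking hosts against it. The following Python script is an added example written for this article; it is not ENISA's code and not part of any product. All settings, values, the host inventory and the exceptions are constructed for illustration and do not come from a real CIS or STIG control set.

```python
"""Baseline-as-data compliance check with documented, approved exceptions.

Added example; settings, host data and exceptions are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any


@dataclass(frozen=True)
class Rule:
    """One baseline requirement and how the actual value must relate to it."""
    expected: Any
    op: str         # "eq" must equal, "ge" must be at least, "subset" allow-list
    rationale: str  # why the setting is in the baseline (the documentation ENISA asks for)


@dataclass(frozen=True)
class ApprovedException:
    """A documented deviation: approved value, justification, compensating control, expiry."""
    setting: str
    approved_value: Any
    justification: str
    compensating_control: str
    expires: date


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any
    status: str     # compliant | deviation | exception | expired_exception | missing
    note: str = ""


# Constructed baseline (hypothetical controls, not a real benchmark).
BASELINE: dict[str, Rule] = {
    "smb1_enabled": Rule(False, "eq", "SMBv1 lacks signing/encryption; restricted use of functions"),
    "rdp_nla_required": Rule(True, "eq", "Network Level Authentication before RDP session setup"),
    "password_min_length": Rule(14, "ge", "Security by default for local accounts"),
    "inbound_ports": Rule({443, 3389}, "subset", "Ports, protocols and services allowed"),
    "telnet_client_installed": Rule(False, "eq", "Least functionality"),
}

# Constructed approved exceptions; the second one has already expired on SAMPLE_DATE.
EXCEPTIONS: list[ApprovedException] = [
    ApprovedException("smb1_enabled", True, "Legacy backup appliance only speaks SMBv1",
                      "Host isolated in dedicated VLAN; IDS monitors the segment", date(2026, 6, 30)),
    ApprovedException("inbound_ports", {443, 3389, 8080}, "Vendor maintenance port",
                      "Firewall restricts 8080 to the vendor jump host", date(2025, 1, 31)),
]

# Constructed configuration of one host, as an inventory agent would report it.
# "telnet_client_installed" is deliberately absent: an unknown state must not count as compliant.
HOST_CONFIG: dict[str, Any] = {
    "smb1_enabled": True,
    "rdp_nla_required": True,
    "password_min_length": 12,
    "inbound_ports": {443, 3389, 8080},
}

SAMPLE_DATE = date(2025, 7, 1)  # constructed review date


def _satisfies(rule: Rule, actual: Any) -> bool:
    if rule.op == "eq":
        return actual == rule.expected
    if rule.op == "ge":
        return actual >= rule.expected
    if rule.op == "subset":
        return set(actual) <= set(rule.expected)
    raise ValueError(f"unknown operator {rule.op!r}")


def evaluate(baseline: dict[str, Rule], actual: dict[str, Any],
             exceptions: list[ApprovedException], today: date) -> list[Finding]:
    """Compare one host against the baseline, honouring approved and unexpired exceptions."""
    by_setting = {e.setting: e for e in exceptions}
    findings: list[Finding] = []
    for name, rule in baseline.items():
        if name not in actual:
            findings.append(Finding(name, rule.expected, None, "missing", "not collected; cannot be verified"))
            continue
        value = actual[name]
        if _satisfies(rule, value):
            findings.append(Finding(name, rule.expected, value, "compliant"))
            continue
        exc = by_setting.get(name)
        if exc is None or exc.approved_value != value:
            findings.append(Finding(name, rule.expected, value, "deviation", "no approved exception covers this value"))
        elif exc.expires < today:
            findings.append(Finding(name, rule.expected, value, "expired_exception",
                                    f"exception expired {exc.expires.isoformat()}: {exc.justification}"))
        else:
            findings.append(Finding(name, rule.expected, value, "exception",
                                    f"{exc.justification}; compensating control: {exc.compensating_control}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    report = evaluate(BASELINE, HOST_CONFIG, EXCEPTIONS, SAMPLE_DATE)
    for f in report:
        print(f"{f.status:18} {f.setting:24} expected={f.expected!r} actual={f.actual!r} {f.note}")
    print(summarize(report))
```

Two design points matter for an audit. First, a setting that was not collected is reported as "missing" rather than silently passing, so a gap in the inventory shows up as a gap in the evidence. Second, an exception is only honoured if the approved value matches exactly and the expiry date has not passed; an expired exception surfaces as its own status so the monthly review ENISA calls for has something concrete to re-approve or close.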

Hardening according to NIS2: How can this be achieved?

Trying to meet the numerous NIS2 requirements with hand-maintained GPOs, scripts, and checklists alone is a losing battle. GPOs can push settings, but by themselves they neither verify that the settings took effect, nor detect drift, nor produce the documentation an audit needs. The effort involved in implementation, readjustment, and monitoring is enormous. ENISA therefore advises:

“Employ automated mechanisms to centrally manage, apply and verify configuration settings …”

So opt for automated Secure Configuration. This is possible with Enforce Administrator. The Hardening Tool is designed for hardening large and complex IT system landscapes centrally and fully automatically in accordance with globally established standards. It also creates complete documentation of the system configurations, which can be used for audits, for example.

Further information is available here:

⏬ Download: Enforce Administrator Product Brochure (PDF)

Conclusion

With its free Technical Implementation Guidance, ENISA provides a practical framework that specifies the NIS2 obligations. System Hardening / Secure Configuration is a key element without which you cannot meet the NIS2 requirements.

It is also clear here that automation is a must-have! ENISA explicitly calls for centralized, automated mechanisms for managing, applying, and verifying configurations. The days of self-developed solutions are finally over.

Do you have any questions?

Would you like to know more about System Hardening? Or would you like to know how you can implement automated System Hardening in your company? Contact us – our experts are happy to help!

💬 Contact us!


Images: ENISA, Freepik
