With the Cybersecurity Act, which was passed on 13.11.2025 and came into force on 06.12.2025, NIS2 has now also been implemented in Germany. Now at the latest, IT security has become mandatory, with clear requirements for technical implementation.

One of the key elements is securing client systems: laptops, desktops and mobile devices become Achilles heels if they are not specifically hardened. The same applies, of course, to servers and any end devices.

But what exactly does NIS2 require in terms of endpoints? And how can this be implemented efficiently in practice?

The most important things in brief

  • Client hardening is an integral part of NIS2 requirements. Art. 21 NIS2 and Annex 6.3 Configuration Management clearly state the obligation to provide secure, verifiable configurations.
  • Configuration management means structured, documented and controlled hardening over the entire life cycle of IT systems.
  • Implementation requires central management, benchmark orientation and continuous monitoring to avoid configuration drift.
  • Client hardening is not a one-time project, but an ongoing process to ensure security and compliance.

1 Why client hardening is so important in NIS2

Most cyber attacks don't start in the data center, but at the end device. Insecure configurations, unnecessary services or overly broad access rights make clients a preferred attack target — and therefore a risk for NIS2 compliance.

Any wrongly set policy or unpatched application can not only open up security gaps but, under NIS2, can also be regarded as an organizational failure rather than mere technical negligence.

This is particularly clear in Annex VI of the NIS2 Implementation Regulation: There, protective measures such as access control, secure configuration, logging and regular testing are explicitly mentioned — all key aspects of client hardening.

Although patch management is also part of hardening end devices, this article focuses on configuration management according to NIS2, which also includes identity and access management. More about NIS2-compliant patch management can be found here.

2 Important documents about client hardening in the context of NIS2

The regulatory basis for NIS2 implementation consists of several documents that are not easy to understand at first glance. They range from the EU directive to the binding EU implementing regulation to the German implementation law. The documents systematically build on each other: With the NIS2 Directive, the EU provides the framework, the implementing regulation specifies technical measures — and German legislation adopts this framework taking into account national requirements.

Document / Title: Directive (EU) 2022/2555 – NIS2
  Level & legal status: EU Directive, binding after national transposition
  In brief: Sets the framework for cybersecurity risk management and reporting obligations, in particular in Article 21.
  Relevance to client hardening / configuration management: Does not explicitly mention client hardening, but requires appropriate technical and organisational measures. Secure configurations are therefore implicitly part of risk management obligations.

Document / Title: Cyber Security Act (DE, 2025)
  Level & legal status: German law
  In brief: Transposes the NIS2 Directive into German law; requirements include § 30, with a focus on technical and organisational measures.
  Relevance to client hardening / configuration management: § 30 (2) requires state-of-the-art measures taking into account European and international standards. This includes systematic client-level configuration management.

Document / Title: Commission Implementing Regulation (EU) 2024/2690
  Level & legal status: EU implementing regulation, directly applicable to defined sectors
  In brief: Specifies the requirements from Article 21 NIS2 in technical and methodological terms and includes a detailed catalogue of measures in the Annex.
  Relevance to client hardening / configuration management: Annex 6.3 “Configuration Management” requires defining, documenting, implementing and monitoring secure configurations throughout the full lifecycle of hardware, software and services.

Document / Title: ENISA – NIS2 Technical Implementation Guidance (June 2025)
  Level & legal status: Guidance / best practice, not legally binding
  In brief: Explains the EU implementing regulation in a practical way and provides examples, implementation guidance and expectations for audits.
  Relevance to client hardening / configuration management: Elaborates on Annex 6.3 with recommendations on hardening guides, enforcement mechanisms, regular review and evidence collection for audits.

Particularly important: Section 30 paragraph 2 of the German Cyber Security Act requires that the measures referred to in paragraph 1 “comply with the state of the art” and take into account “relevant European and international standards.” This expressly includes what is required in the EU regulation under “Configuration Management” (Annex 6.3) — i.e. measures that essentially amount to systematic client hardening.

3 The NIS2 requirements for client hardening and configuration management in detail

ENISA addresses this point in its Technical Implementation Guidance of June 2025 and explains in chapter 6.3 what is meant by configuration management. Among other things, it recommends implementing security configurations based on established hardening guidelines, taking into account the principle of minimal functionality and the lowest possible authorizations. Using best practices for system hardening is regarded not as a recommendation but as a standard requirement.

Even though the term “configuration management” is understood more comprehensively in regulatory texts — i.e. includes servers, network technology or cloud systems in addition to clients — in this article, we focus on implementation in the area of end devices. System hardening is an essential part of configuration management. To reduce complexity, we equate both terms below.

The main requirements include in particular:

  • Access control: Only authorized users may operate systems. At endpoint level, this means, among other things, removing local admin rights, using MFA and applying a clear role and rights model. In addition, tiering models and privileged access management (PAM) specifically secure particularly critical access.

  • Secure configurations: Systems must be set up in such a way that unnecessary areas of attack are excluded. This includes disabling unnecessary services, restrictive firewall settings, and applying BSI or CIS hardening policies.

  • Logging and monitoring: Events on end devices must be comprehensibly documented — for example through central log storage or endpoint detection & response solutions.

  • Encryption and integrity protection: Whether BitLocker, TPM, or Secure Boot — modern clients must actively protect sensitive data and processes from manipulation.

  • Continuous review: The effectiveness of the measures must be regularly tested and proven — this is also mandatory according to NIS2.

These requirements apply not only to servers or networks, but also explicitly to clients — i.e. to all devices that access critical information or services. Companies must therefore be able to prove that their endpoints are hardened, documented and verified in accordance with current security standards.

4 Common challenges with NIS2-compliant client hardening

The requirements of the NIS2 Directive are clear — but implementing them in practice is anything but trivial. Especially in the area of client hardening, many companies encounter typical stumbling blocks:

  • Time and resource bottlenecks: Client hardening requires planning, regular maintenance and control — but many IT teams are tied up in day-to-day business. Without clear prioritization, hardening measures are left behind or are only implemented incompletely — and above all not regularly reviewed and adapted to new challenges (see also Configuration drift).
  • Historically developed IT structures: Different operating systems, software versions and configurations make uniform protection difficult.
  • Unclear responsibilities: Who is responsible? Infrastructure team, security, or compliance?
  • Lack of standards: Without clearly defined hardening requirements, there is a lack of comparability and control.
  • Local admin rights: In many organizations, users still have too many rights on their devices — a huge risk.
  • Acceptance issues: Hardening often means restrictions — for example when installing software or accessing system functions.
  • Configuration drift: Even cleanly rolled-out hardening guidelines lose their effect over time: new devices, manual changes or exceptions cause end devices to deviate from the target configuration — often unnoticed.

In addition, many companies rely on tools that cover individual measures but do not provide holistic management. This creates a patchwork of security measures, but not consistent compliance.

5 This is how the practical implementation works — NIS2-compliant client hardening

NIS2-compliant client hardening requires more than individual security settings — it requires a clear, reproducible process. As a rule: what is not documented and traceable is, in case of doubt, considered not implemented.

This is how companies successfully implement the requirements:

  • Centralized administration: Tools such as Microsoft Intune, MECM, Baramundi or group policies (GPOs) enable uniform, scalable control of security policies — even across hybrid or decentralized environments.
  • Define hardening standards: Orientation to proven benchmarks such as CIS, BSI guidelines or the Microsoft Security Baselines. These provide specific recommendations for a secure client setup.
  • Review and update hardening standards regularly: Hardening guidelines are not a static set of rules. Benchmarks are regularly developed to respond to new threats. Companies must therefore regularly compare existing configurations with current standards, evaluate adjustments and roll out changes in a controlled manner in order to remain compliant and effective over the long term.
  • Detect and correct configuration drift: Tools such as Eido or the Tenant Manager help you to regularly compare the target and actual status. They identify deviations from hardening guidelines, for example based on CIS benchmarks, and help to automatically bring misconfigured or slipped clients back to the desired level.
  • Documentation & verification: Every measure must be verifiable: Rollouts, exceptions, test protocols and deviations should be centrally documented and regularly reviewed.
  • Integration with ISMS & risk management: The hardening should be part of a comprehensive information security management system (ISMS) — this is the only way to create a consistent security architecture.
  • Continuity: System hardening is not a one-time measure. Standards are evolving, systems are changing, new requirements are being added. To ensure that clients remain permanently protected, clear processes for maintenance, adjustment and control are required — technically, organizationally and continuously.
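The target/actual comparison described above, as an added example that is not part of the original article or of any vendor tool: a small Python model of a drift check that treats an expired exception as drift and an unreported setting as not proven compliant. The baseline, the device export, the exception record and the check date are constructed; collecting the actual state from Intune, MECM or a GPO report is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed target baseline; names and values are illustrative, not a real benchmark.
BASELINE = {
    "local_admin_rights_for_users": False,
    "smbv1_enabled": False,
    "bitlocker_os_drive": "fully_encrypted",
    "screen_lock_timeout_seconds": 900,
}

@dataclass
class ApprovedException:  # a documented, time-limited deviation from the baseline
    setting: str
    device: str
    expires: date
    ticket: str

@dataclass
class DriftReport:
    device: str
    compliant: list = field(default_factory=list)
    drifted: list = field(default_factory=list)   # (setting, expected, actual)
    excepted: list = field(default_factory=list)  # (setting, ticket)
    missing: list = field(default_factory=list)   # setting not reported by the agent
def check_drift(device, actual, baseline, exceptions, today):
    """Compare one device's reported state with the target baseline."""
    report = DriftReport(device)
    # Only this device's exceptions that have not yet expired may excuse a deviation.
    active = {e.setting: e for e in exceptions if e.device == device and e.expires >= today}
    for setting, expected in baseline.items():
        if setting not in actual:
            report.missing.append(setting)  # unknown state is not evidence of compliance
        elif actual[setting] == expected:
            report.compliant.append(setting)
        elif setting in active:
            report.excepted.append((setting, active[setting].ticket))
        else:
            report.drifted.append((setting, expected, actual[setting]))
    return report
def is_audit_ready(report):  # fully reported and free of unapproved deviations
    return not report.drifted and not report.missing
# Constructed inventory export for one device; the screen-lock timeout was not collected.
ACTUAL_LAPTOP_042 = {
    "local_admin_rights_for_users": True,  # manually re-enabled after the rollout
    "smbv1_enabled": False,
    "bitlocker_os_drive": "fully_encrypted",
}
EXCEPTIONS = [ApprovedException("local_admin_rights_for_users", "LAPTOP-042",
                                date(2025, 6, 30), "CHG-1234")]  # constructed, already expired
TODAY = date(2025, 12, 6)  # constructed check date
```

Running `check_drift("LAPTOP-042", ACTUAL_LAPTOP_042, BASELINE, EXCEPTIONS, TODAY)` reports the re-enabled admin rights as drift because the exception has lapsed, and lists the uncollected screen-lock setting as missing, so the device is not audit-ready.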

6 Conclusion — Client hardening is key to NIS2 compliance

The NIS2 Directive places high demands on the technical security of IT systems — and the hardening of clients is a central element of this. Devices such as laptops, desktops, or mobile devices must be configured to withstand attacks, enforce access controls, and be regularly audited. Companies that take their client hardening seriously are not only meeting legal requirements, but are also actively increasing their cyber resilience.

The key lies in clear processes, technical automation and complete documentation. Anyone who masters this triad can efficiently implement NIS2 requirements — and is also well prepared for upcoming audits. In complex environments, it can be useful to bring in specialized service providers such as SOFTTAILOR: they not only have the technical know-how, but also the necessary experience in audit-proof implementation. This turns client hardening from a burden into a strategic security measure.

About the author:

Since 2011, Thore has focused exclusively on endpoint management and endpoint security topics. Initially focused on software packaging and software distribution with Microsoft MECM/SCCM and Ivanti DSM, he is now a sought-after point of contact when it comes to unified endpoint management, system hardening, patch management and endpoint protection. His focus is in particular on the Microsoft technologies Intune, Configuration Manager, Entra and Defender. Thore is co-founder of the “Endpoint Management” expert group at IAMCP e.V.
