ENISA Good Practices on Physical Security: What the Agency Actually Recommends
ENISA reports, ICS/OT good practices, the often-ignored physical layer. Where the EU agency lands on perimeter and access.

Dr. Raphael Nagel
June 23, 2025

ENISA does not issue binding rules on physical security, and that fact is more useful than it appears. The European Union Agency for Cybersecurity publishes good practices, threat landscapes and reference documents that operators use as anchors when their national regulator stops short of prescription. The physical layer sits inside that body of work, often as a paragraph or a subsection, rarely as the headline, and almost never as a checklist that can be lifted into a tender document.
That is the first observation worth holding. Operators searching for "ENISA physical security requirements" will not find a regulation. They will find a corpus that, read carefully, takes a clear position: physical access is the precondition for every other control, and the absence of a physical baseline makes the rest of the cyber architecture an assertion rather than a defence. The second observation follows from the first. The agency's tone is operator to operator. It assumes that the reader can translate guidance into a procurement, a fence line, a door schedule, an alarm tier. It does not write for compliance officers who need a paragraph to quote.
What ENISA actually is, and what it is not
ENISA is the European Union Agency for Cybersecurity, established in 2004 and given an expanded mandate under the Cybersecurity Act of 2019. It supports the Member States, the Commission and the institutions of the Union in matters of network and information security. Its outputs are guidance documents, threat landscapes, technical reports, certification schemes and exercises. Its outputs are not regulations. The legal force that operators encounter under NIS2, the Critical Entities Resilience Directive or sector-specific rules comes from the directives themselves and their national transpositions, not from ENISA.
This distinction matters because the agency's good practices are read with two contradictory expectations. Some operators treat them as soft law, citing them in audits as if they carried the weight of a standard. Others ignore them because they are not enforceable. Both readings miss the point. ENISA documents are reference material. They condense what the agency has seen across Member States, sectors and incidents, and they offer a vocabulary that allows national regulators, insurers and operators to converge on a shared understanding of what good looks like. When a German operator under the BSI framework reads an ENISA paper on smart grid security, the function of that paper is to confirm that the German requirements are not idiosyncratic, that the same logic appears in Finnish, Italian and Spanish guidance, and that the operator is not being asked something exceptional.
The agency's reports often cross-reference IEC 62443 for industrial control systems, ISO 27001 for information security management, the NIST Cybersecurity Framework 2.0 for risk management language, and NIST 800-53 for control catalogues. The cross-referencing is deliberate. It signals to operators that ENISA does not invent a new control set. It interprets and contextualises the existing canon for the European setting. The physical security material follows the same pattern. It does not introduce new perimeter categories. It explains how existing categories apply in the operational technology environment, in cloud infrastructure, in 5G base stations, in hospital networks, in railway signalling huts. The translation is the value.
Where the physical layer appears in the corpus
Most readers find ENISA through its annual Threat Landscape report, which catalogues incidents, threat actors and trend lines across the Union. The physical dimension appears there in the discussion of supply chain attacks, insider threats, sabotage of industrial control systems and, increasingly, hybrid threats that combine cyber intrusion with physical reconnaissance. The report does not separate cyber from physical with the rigour of an older threat model. It treats them as adjacent surfaces because that is how recent incidents have unfolded.
A more technical layer sits in the agency's ICS and OT publications: the "Good Practices for Security of Internet of Things in the context of Smart Manufacturing" paper, the studies on the security of smart cars, the railway cybersecurity guidance, the work on maritime port security, and the recommendations on the security of 5G networks. Each of these documents contains a physical security section, usually framed around three themes: access to the asset, integrity of the asset under physical interference, and resilience of the asset against environmental and intentional disruption. The vocabulary is consistent. Zones and conduits from IEC 62443. Layered defence from NIST. Asset criticality from the operator's own risk register.
Where ENISA is most concrete is in the operator-facing toolkits for sector regulators. The NIS Cooperation Group documents, which ENISA supports, contain reference security measures that Member States have agreed to apply. The measure on physical and environmental security typically reads as a short paragraph requiring controlled access to facilities housing network and information systems, protection against environmental threats such as fire, flooding and power failure, and protection of cabling and supporting infrastructure. That paragraph is the entire physical baseline in many national transpositions. It is also the paragraph that auditors most frequently find under-implemented, because it is short, it sounds obvious, and it is therefore deprioritised against more visible cyber controls.
What the recommendations actually say on perimeter
Read across the documents, ENISA's position on perimeter is conservative and unsurprising. The agency recommends a layered approach. An outer boundary that demarcates the site and discourages casual approach. A controlled approach zone with surveillance, lighting and intrusion detection. A building envelope with access control at every entry point, including loading docks and service entrances. An internal zoning that separates general office areas from operational technology rooms, server rooms, control rooms and equipment rooms. Each layer reduces the dwell time of an unauthorised person, increases the probability of detection, and creates an evidentiary record that supports response.
This is the same model that ASIS International has codified in its facilities physical security measures and that insurers reference in their property risk surveys. ENISA does not claim originality. It claims applicability. The agency notes, in several of its sector documents, that the layered model is often degraded in practice by three patterns. First, the outer perimeter is treated as a property boundary rather than a security boundary, which leaves the approach zone unmonitored. Second, access control is concentrated at the main entrance, while side doors, fire exits, roof access and basement service ducts are managed under a weaker regime. Third, the internal zoning between office and operational environments is drawn on a floor plan but not enforced in the access control system, which means that a contractor with cleaning access can walk into the SCADA room.
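The three degradation patterns above can be checked mechanically against a door schedule and a badge-grant export. The following is an added example, not ENISA's or the author's; the zone names, the Door fields and the sample site data are constructed for illustration.

```python
"""Audit a site's zoning against the layered model: unmonitored approach zone (P1),
uncontrolled crossings at secondary entrances (P2), and badge grants that exceed a
role's zoning ceiling (P3). Hypothetical schema; constructed sample data."""
from dataclasses import dataclass

# Zone criticality, low to high: every step inward should be a controlled crossing.
ZONE_RANK = {"perimeter": 0, "approach": 1, "envelope": 2, "office": 3, "ot_room": 4}

@dataclass(frozen=True)
class Door:
    name: str
    outer: str      # zone on the less critical side of the door
    inner: str      # zone on the more critical side of the door
    reader: bool    # a badge reader enforces the crossing
    alarmed: bool   # door-forced / held-open contact reports to the alarm tier

def audit(doors, grants, monitored_zones, role_ceiling):
    """Return findings tagged P1/P2/P3. grants: {role: set(zone)} as exported from
    the access control system; role_ceiling: {role: most critical zone permitted}."""
    findings = []
    # P1: outer boundary treated as a property line, approach zone left unmonitored.
    for zone in ("approach", "envelope"):
        if zone not in monitored_zones:
            findings.append(f"P1 {zone}: no surveillance or intrusion detection")
    # P2: a crossing into a higher zone without a reader, or a reader without an alarm.
    for d in doors:
        if ZONE_RANK[d.inner] <= ZONE_RANK[d.outer]:
            continue  # lateral or outward door, no zoning crossing to enforce
        if not d.reader:
            findings.append(f"P2 {d.name}: {d.outer}->{d.inner} crossing has no reader")
        elif not d.alarmed:
            findings.append(f"P2 {d.name}: reader present but no door contact or alarm")
    # P3: zoning drawn on the floor plan but not enforced in the badge system.
    for role, zones in grants.items():
        ceiling = role_ceiling[role]
        for z in sorted(zones, key=ZONE_RANK.get):
            if ZONE_RANK[z] > ZONE_RANK[ceiling]:
                findings.append(f"P3 {role}: grant to {z} exceeds ceiling {ceiling}")
    return findings

# Constructed sample site: a dock without a reader, an unalarmed control room door,
# and a cleaning role granted into the OT room.
SAMPLE_DOORS = [
    Door("main entrance", "approach", "envelope", True, True),
    Door("loading dock", "approach", "envelope", False, False),
    Door("control room", "office", "ot_room", True, False),
]
SAMPLE_GRANTS = {"cleaning": {"office", "ot_room"}, "ot_engineer": {"office", "ot_room"}}
SAMPLE_CEILING = {"cleaning": "office", "ot_engineer": "ot_room"}
SAMPLE_MONITORED = {"envelope"}

def run_sample():
    return audit(SAMPLE_DOORS, SAMPLE_GRANTS, SAMPLE_MONITORED, SAMPLE_CEILING)
```

Running the sample yields one finding per pattern plus the unalarmed control room door; the ot_engineer role, whose ceiling is the OT room, produces none.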
The agency's recommendation on cabling deserves a separate note. In the ICS publications, ENISA recurrently flags that the physical protection of cabling, patch panels and field equipment is the weakest link in many critical entities. Fibre runs through unsecured risers, patch panels sit in unlocked cabinets, field devices stand in roadside enclosures with consumer-grade locks. The cyber controls on the segment above are excellent. The physical access to the segment below is open. An attacker with a screwdriver and ten minutes does more damage than an attacker with a laptop and a week.
How national regulators cite the work
In Germany, the BSI references ENISA in its KRITIS guidance and in the orientation documents accompanying the IT-Sicherheitsgesetz 2.0. The BSI does not adopt ENISA reports as law. It uses them to justify the proportionality of national requirements and to align German vocabulary with European practice. Insurers in the GDV framework do the same, in the property and cyber lines, when they negotiate coverage for operators of essential services. In France, ANSSI cites ENISA in its sector guidance for OIV operators. In Italy, the ACN draws on ENISA in its perimetro di sicurezza nazionale cibernetica work. The pattern is consistent across the Union. National authorities use ENISA to anchor their own positions in a European context.
For an operator, this means that an audit response citing ENISA good practices is read favourably by national authorities and by insurers, even when the operator is not strictly required to follow the agency's recommendations. The citation signals that the operator has looked beyond the minimum and has aligned with European practice. The citation also signals that the operator understands the convergence between physical and cyber, because ENISA documents make that convergence explicit. A facility security plan that references only national fire codes and a single ISO standard reads as compliance. A facility security plan that references ENISA, IEC 62443, NIST CSF 2.0 and the relevant ASIS standard reads as a programme. The difference is not cosmetic. It changes how auditors and adjusters approach the file.
The book BOSWAU + KNAUER. From Building to Security Technology develops this point at length in its chapter on industrial customers. The argument there is that operators who treat physical security as a procurement category buy systems. Operators who treat it as a programme buy outcomes. The ENISA corpus, read seriously, supports the second posture. It gives the operator a language to defend an investment that is otherwise hard to justify in a budget cycle dominated by cyber spend.
What the corpus does not give the operator
The honest reading also requires noting what ENISA does not provide. The agency does not publish detailed engineering specifications for fences, gates, vehicle barriers, intrusion detection sensors or video analytics. It does not specify mounting heights, lux levels, cable trenching depths or door hardware grades. Those specifications sit in national standards, in IEC and ISO documents, in insurer requirements and in vendor reference designs. An operator that reads ENISA expecting a procurement specification will be disappointed.
The agency also does not arbitrate trade-offs. The most common questions operators face on the physical layer are trade-offs. Camera coverage against privacy. Vehicle barriers against operational flow. Visitor management against business hospitality. Biometric access against works council resistance. Perimeter intrusion detection against false alarm tolerance. ENISA does not resolve these. It identifies them and recommends that the operator resolve them through a documented risk assessment. The resolution sits with the operator, the security director, the works council, the data protection officer and the auditor. The agency provides the framework, not the answer.
What the agency does well, and what is worth extracting from the corpus, is the insistence that physical and cyber be treated under the same governance. Several reports recommend that the chief information security officer, the head of physical security and the operational technology lead report into a single risk committee, with shared incident classification and shared response procedures. This recommendation has more practical weight than it appears. In most large operators, physical and cyber sit in separate organisations with separate budgets, separate tooling and separate vocabularies. The result is that incidents that span both surfaces are handled twice, slowly, and often in contradiction. ENISA's quiet insistence on unified governance is, in the agency's own measured tone, the most consequential recommendation in the corpus.
What holds
ENISA good practices are not binding. They are read by national regulators, insurers and operators as the European reference for how the physical and cyber layers should be addressed together. The physical recommendations are conservative, layered and consistent with IEC 62443, NIST CSF 2.0, ISO 27001 and ASIS practice. The value sits in the translation of those frameworks to the European setting and in the explicit treatment of the physical layer as part of the cyber programme rather than as a separate facility concern.
For an operator, the operational consequence is straightforward. Read the relevant sector document. Map the recommendations against the existing physical security plan. Identify the three or four gaps that an auditor would find first. Close them in the next budget cycle. Cite the agency in the file. The exercise costs a week of senior attention and produces a position that is defensible against national authorities, insurers and the next incident.
For operators uncertain where their physical baseline stands against the ENISA reference, the appropriate first step is a confidential sixty-minute conversation under Path I of the engagement model, in which the gap can be sketched without commitment. Where the picture is more complex, a three- to five-day audit under Path II produces the documented Standortbestimmung (baseline assessment) that the file requires.
Frequently asked questions
What does ENISA publish?
The agency publishes annual threat landscapes, sector-specific good practice documents covering ICS, OT, IoT, 5G, cloud, maritime, railway, energy and health, technical studies, certification schemes under the Cybersecurity Act, and exercise reports from pan-European cyber exercises. The output is freely available on the ENISA website. The documents range from short policy briefs to extended technical studies of several hundred pages. The corpus is updated continuously, with the threat landscape published annually and sector documents revised on multi-year cycles depending on regulatory developments and incident patterns.
Is it binding?
No. ENISA does not have regulatory authority. Binding obligations on operators come from EU directives such as NIS2 and the Critical Entities Resilience Directive, from national transpositions of those directives, and from sector-specific legislation. National authorities such as BSI in Germany, ANSSI in France or ACN in Italy reference ENISA in their own guidance and use the agency's documents to anchor proportionality arguments, but the legal force sits with the national framework. An operator cannot be sanctioned for non-compliance with an ENISA report. An operator can be sanctioned for non-compliance with the national law that the ENISA report informs.
How is it cited?
Citations typically follow the document title, the publication year and the section. Examples in audit files include "ENISA, Good Practices for the Security of Smart Cars, 2019, Section 4.3" or "ENISA Threat Landscape 2024, Chapter on Supply Chain Threats". National regulators reference ENISA in their own publications and accept operator citations as evidence of alignment with European practice. Insurers in the GDV framework and the broader European market accept ENISA citations in risk surveys. Auditors under ISO 27001 and IEC 62443 schemes accept the citations as supporting evidence, though not as substitutes for the standards themselves.
What physical layer does it cover?
The corpus addresses perimeter and approach zones, building access control, internal zoning between general and operational environments, protection of cabling and supporting infrastructure, environmental protection against fire, flood and power failure, protection of field equipment in distributed installations, and the governance interface between physical and cyber security. It does not address detailed engineering specifications, which sit in national standards and vendor documentation. It treats the physical layer as the precondition for the cyber programme rather than as a separate domain, which is the most consequential framing in the agency's work.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com