
docs: add ENISA NIS2 reference to best practice intro#2020

Open: Xata wants to merge 3 commits into cert-manager:master from Xata:master

Conversation

Xata commented Mar 22, 2026

Fixes #2019

Adds ENISA NIS2 Technical Implementation Guidance to the list of referenced security standards on the best practice page. Restructures the intro into a list for readability and removes the redundant second paragraph.

Updates .spelling to include new terms introduced by this change.

Signed-off-by: Maciej Wal <1977132+Xata@users.noreply.github.com>
cert-manager-prow bot added the label dco-signoff: yes (indicates that all commits in the pull request have the valid DCO sign-off message) on Mar 22, 2026

cert-manager-prow bot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hawksight for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

cert-manager-prow bot added the label size/M (denotes a PR that changes 30-99 lines, ignoring generated files) on Mar 22, 2026

netlify bot commented Mar 22, 2026

Deploy Preview for cert-manager ready!

Built without sensitive environment variables

| Name | Link |
| --- | --- |
| Latest commit | 2e85999 |
| Latest deploy log | https://app.netlify.com/projects/cert-manager/deploys/6a312dbb2e7a25000834d1ac |
| Deploy Preview | https://deploy-preview-2020--cert-manager.netlify.app |

Copilot AI (Contributor) left a comment

✅ Ready to approve

The changes are documentation-only, align with the issue/PR description, and the spelling allowlist updates match the newly added terminology.

Note: this review does not count toward required approvals for merging.

Pull request overview

Updates the “Best Practice” installation documentation intro to explicitly include an EU-level framework reference (ENISA NIS2) alongside the existing Kubernetes hardening/security standards, and improves readability by restructuring the intro as an annotated list.

Changes:

  • Restructured the page intro into a bullet list of referenced security standards / hardening guidance with short explanations.
  • Added an ENISA NIS2 Technical Implementation Guidance reference (plus related EU legal references) to the intro.
  • Updated the project spelling allowlist to include newly introduced terms.

File summaries

| File | Description |
| --- | --- |
| content/docs/installation/best-practice.md | Reworks the intro into an annotated standards list and adds ENISA NIS2 references/links. |
| .spelling | Adds new terms used by the updated intro to the cspell project dictionary. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0


wallrj-cyberark (Member) left a comment

Thank you for this contribution — the restructuring of the intro into a bulleted list with expanded descriptions is a clear improvement, and the corrections to the NSA/CISA attribution and BSI publication name are both accurate.

I have a concern about the ENISA NIS2 reference, though. The existing three references (CIS, NSA/CISA, BSI) all contain specific Kubernetes hardening sections that map directly to the operational guidance on this page (pod security contexts, network policies, RBAC, container image security). The page's framing is: "how to configure cert-manager to comply with popular security standards."

I downloaded and searched the ENISA NIS2 Technical Implementation Guidance PDF (170 pages). It contains no mention of "Kubernetes" or "container" anywhere in the document. Its section 9 (Cryptography) does cover certificate lifecycle management — issuing, revoking, and managing public key certificates — and footnote 86 explicitly mentions X.509. So there is a tangential connection to cert-manager's domain: cert-manager helps organisations comply with NIS2 section 9.2(c) by automating certificate lifecycle.

However, that is a different claim from "here is how to configure cert-manager to comply with NIS2", which is what the other three references on this page deliver. The ENISA document operates at the organisational cybersecurity policy level ("have a key management policy"), not the Kubernetes operational hardening level ("set runAsNonRoot=true"). Listing it alongside the CIS/NSA/BSI references implies a level of Kubernetes-specific guidance that the document does not contain.

Would you be open to either:

  1. Moving the ENISA reference to a separate paragraph that frames it differently — e.g. "cert-manager also supports compliance with broader regulatory frameworks such as NIS2, which requires automated certificate lifecycle management (section 9.2.c)" — rather than listing it alongside the Kubernetes hardening guides, or
  2. Adding a brief qualifier to the ENISA entry noting that it covers organisational cryptographic policy rather than Kubernetes-specific hardening?

The rest of the changes look good:

  • NSA/CISA joint attribution is correct
  • BSI "IT-Grundschutz Compendium" is the official name; removing the #page=475 anchor in favour of naming module APP.4.4 in-text is a reasonable editorial choice (page numbers can shift across editions)
  • Removal of the Datree reference is justified — Datree was acquired by Run.ai in 2023 and the product was discontinued
  • .spelling additions are correct

wallrj-cyberark requested a review from wallrj on June 16, 2026 at 11:21