NIS2 and Government: IT Asset Control in Public Administration and Defense
In March 2021, Spain’s SEPE (State Public Employment Service) suffered a Ryuk ransomware attack that paralyzed services for weeks. During the pandemic, with millions of citizens depending on unemployment benefits, offices had to revert to paper processes. Recovery took months. The attack entered through an email on a workstation missing the latest security updates.
The public sector is one of Europe’s most attacked targets, and NIS2 now classifies it as an essential entity.
Why NIS2 applies to government and defense
NIS2 classifies public administration as an essential entity (Annex I). This includes central, regional, and local government bodies providing essential services. In defense, while purely military activities may fall outside NIS2’s scope, administrative and logistics support IT systems are covered.
- Mandatory asset inventory: all government devices must be documented
- Incident management: notification to the national CSIRT within 24/72 hours
- Senior management accountability: political and technical leaders can be held responsible
- Public service continuity: plans identifying which assets support essential citizen services
- Fines: while public administrations may have different sanction regimes, NIS2 requires active supervision
Real incidents in government and defense
- SEPE (Spain), 2021: Ryuk ransomware paralyzed the public employment service. Thousands of civil servants lost system access for weeks, and millions of citizens were affected in collecting their benefits. Vector: malicious email on an unpatched workstation.
- European city halls, 2019-2023: Dozens of municipalities fell victim to ransomware: Antwerp, Frankfurt, Potsdam, and multiple Spanish cities. Municipal services were paralyzed, citizen data was exposed, and administrative processes were blocked for weeks.
- SolarWinds and governments, 2020: The SolarWinds supply chain attack compromised multiple government agencies, including the US Treasury and Commerce departments. Attackers had access to emails and classified documents for 9 months.
- Estonia, 2007: The first national-scale cyberattack against a government. Massive DDoS attacks paralyzed Estonian government websites, banks, and media for weeks. This incident spurred creation of the NATO Cyber Defense Centre in Tallinn.
Why exhaustive asset control is essential
- Public administration has massively distributed assets. Ministries, regional offices, local branches, embassies — each location has its own device fleet. Without a centralized inventory, there’s no visibility of the total estate.
- Staff turnover is high. Civil servants changing positions, temporary staff, contractors — each movement involves device assignment and return. Without a tracking system, devices get lost between departments.
- Devices handle sensitive information. Citizen data, classified documents, tax information — a lost laptop or unencrypted device is a potential data breach with legal and political consequences.
- Public budgets require justification. Every euro spent on IT must be justified. An accurate asset inventory enables renewal planning, avoids duplication, and demonstrates efficient use of public resources.
- Financial audit bodies add pressure. Beyond NIS2, financial control bodies (Courts of Audit, Comptroller General) can audit IT asset inventories as part of their oversight of public assets.
What you need to control
- Laptops and PCs: Per employee, with classification level, encryption, and patch status
- Mobile devices: Corporate phones, tablets, with MDM and security policies
- Secure communications equipment: Encryption systems, secure terminals, radios
- Infrastructure per site: Servers, switches, firewalls, UPS per government office
- Printing and scanning equipment: Network multifunction printers with internal storage
- Access systems: ID cards, biometric readers, physical access control
Metrica Control provides the centralized inventory public administration needs. Every device documented with its site, assigned employee, classification level, patch status, and complete history. Ready for NIS2 audits and asset control.
Written by
Metrica.uno Team