
NIS2 IT Asset Management: The Complete Checklist for SMBs

Metrica.uno Team
5 min read
#NIS2 #IT assets #compliance #SMB #audit #asset management

The NIS2 Directive (Directive (EU) 2022/2555) became enforceable across EU member states in October 2024. By 2026, national authorities are conducting audits on essential and important entities, and small and medium-sized businesses are firmly in scope. If your company operates in a regulated sector and employs more than 50 people or generates more than 10 million euros in annual revenue, NIS2 applies to you.

One of the most tangible requirements under NIS2 is IT asset management. Article 21 mandates that organizations implement “appropriate and proportionate technical, operational, and organisational measures” to manage cybersecurity risks. In practice, that starts with knowing exactly what devices you have, where they are, who is responsible for them, and what has happened to them over time.

This article provides a complete, practical checklist for SMBs preparing their IT asset inventory for a NIS2 audit.

What NIS2 Requires for IT Asset Management

Article 21(2) of NIS2 lists specific risk management measures that covered entities must adopt. Several of these directly depend on having a solid IT asset inventory:

  • Article 21(2)(a) — Policies on risk analysis and information system security: You cannot analyze risk without first knowing what systems and devices you operate.
  • Article 21(2)(d) — Supply chain security: Tracking the origin, vendor, and procurement history of every device is essential for supply chain risk management.
  • Article 21(2)(e) — Security in network and information systems acquisition, development, and maintenance: This requires lifecycle tracking from purchase through decommission.
  • Article 21(2)(i) — Human resources security, access control policies, and asset management: This is the most explicit reference. NIS2 literally names asset management as a required measure.

The directive does not prescribe a specific tool or format. But it does require that your measures be auditable, documented, and proportionate. A spreadsheet that was last updated six months ago is unlikely to satisfy an auditor.

The Complete IT Asset Management Checklist for NIS2

Use this checklist to evaluate your current readiness. Each item corresponds to a question an auditor may ask or a control they expect to find in place.

Step 1: Inventory All Devices

  • Create a centralized register of all IT assets: laptops, desktops, servers, network equipment, mobile devices, printers, and IoT devices.
  • Record the make, model, serial number, and purchase date for each asset.
  • Classify assets by type and criticality (e.g., a firewall is more critical than a keyboard).
  • Include software assets where relevant (operating systems, licensed software tied to hardware).
  • Account for assets in all locations: offices, warehouses, remote employees, and third-party facilities.

Step 2: Document Custody and Assignment

  • For every device, record who currently has it (the custodian).
  • Maintain a history of custody changes: who had it before, when it was transferred, and why.
  • Require signed acknowledgment when employees receive equipment.
  • Track the physical location of unassigned assets (warehouse, storage room, IT department).
  • Ensure every device has exactly one responsible person at all times — no orphaned assets.

Step 3: Link Incidents to Assets

  • Every IT incident or support ticket should reference the specific device affected.
  • Maintain a per-device incident history so you can identify patterns (e.g., a laptop that fails repeatedly).
  • Record the nature, severity, and resolution of each incident.
  • Ensure incident records include timestamps and the identity of the responding technician.
  • This is critical for Article 21(2)(b) — incident handling — and Article 23 — reporting obligations.

Step 4: Maintain a Complete Audit Trail

  • Every change to an asset record must be logged: who changed it, when, and what was modified.
  • Audit trail entries should be immutable — users should not be able to delete or alter past records.
  • The trail should cover the full lifecycle: procurement, deployment, assignment, incidents, maintenance, and decommission.
  • Ensure the audit trail is exportable in a format auditors can review (PDF, CSV, or structured report).
  • Retain records for a minimum period consistent with your national transposition of NIS2 (typically 3-5 years).

Step 5: Prepare for Auditor Questions

  • Can you produce a complete list of all IT assets within minutes?
  • For any given device, can you show who has it right now and who has had it in the past?
  • For any given device, can you show its full incident history?
  • Can you demonstrate that decommissioned devices were properly wiped and disposed of?
  • Can you show that your asset management process is regularly reviewed and updated?
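The five steps above describe one register: an inventory, a custody history, per-device incidents, an append-only audit trail, and the queries an auditor will ask for. The following Python sketch is an added example, not code from the original article and not Metrica.uno's product; it implements that register as a single hash-chained event log from which current state is replayed rather than overwritten. Asset ids, people, dates, the event vocabulary (registered, assigned, returned, incident, decommissioned) and the use of a SHA-256 chain are all constructed assumptions. The chain only detects edits to past records; real immutability still needs append-only storage that ordinary users cannot update.

```python
"""Asset register with a hash-chained, append-only audit trail.

Constructed example for the NIS2 checklist above; not Metrica.uno's code.
All asset ids, names, serials and dates are made up.
"""
import csv
import hashlib
import io
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class AuditEntry:
    seq: int
    timestamp: str   # when (Step 4)
    actor: str       # who made the change (Step 4)
    asset_id: str
    event: str       # registered / assigned / returned / incident / decommissioned
    data: dict       # what was recorded
    prev_hash: str   # hash of the previous entry: the chain link
    hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class AssetRegister:
    """Every state change is appended as an audit entry; nothing is edited in place."""

    def __init__(self):
        self.log: list[AuditEntry] = []

    def record(self, actor, asset_id, event, data, timestamp=None) -> AuditEntry:
        prev = self.log[-1].hash if self.log else GENESIS
        entry = AuditEntry(len(self.log), timestamp or utc_now(), actor, asset_id, event, data, prev)
        entry.hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def inventory(self) -> dict:
        """Step 1 / Step 5: current state of every asset, replayed from the log."""
        assets = {}
        for e in self.log:
            if e.event == "registered":
                assets[e.asset_id] = dict(e.data, status="in_stock", custodian=None)
            elif e.event == "assigned":
                assets[e.asset_id].update(status="deployed", custodian=e.data["to"])
            elif e.event in ("returned", "decommissioned"):
                status = "in_stock" if e.event == "returned" else "decommissioned"
                assets[e.asset_id].update(status=status, custodian=None)
        return assets

    def custody_history(self, asset_id):
        """Step 2: who has had the device, in order, and why."""
        return [(e.timestamp, e.data["to"], e.data.get("reason"))
                for e in self.log if e.asset_id == asset_id and e.event == "assigned"]

    def incident_history(self, asset_id):
        """Step 3: per-device incident records."""
        return [e.data for e in self.log if e.asset_id == asset_id and e.event == "incident"]

    def verify_chain(self) -> bool:
        """Step 4: any edited, deleted or reordered past entry breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.log):
            if e.seq != i or e.prev_hash != prev or e.hash != e.compute_hash():
                return False
            prev = e.hash
        return True

    def export_csv(self) -> str:
        """Step 4: the full trail in a form an auditor can review offline."""
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["seq", "timestamp", "actor", "asset_id", "event", "data", "prev_hash", "hash"])
        for e in self.log:
            w.writerow([e.seq, e.timestamp, e.actor, e.asset_id, e.event,
                        json.dumps(e.data, sort_keys=True), e.prev_hash, e.hash])
        return buf.getvalue()


def build_sample_register() -> AssetRegister:
    """Constructed lifecycle of one laptop: register, assign, incident, return, reissue."""
    r = AssetRegister()
    r.record("it.admin", "LT-0042", "registered",
             {"make": "ExampleCo", "model": "Book 14", "serial": "SN-EXAMPLE-0042",
              "purchased": "2025-01-15", "criticality": "medium", "site": "Berlin"},
             timestamp="2025-01-15T09:00:00+00:00")
    r.record("it.admin", "LT-0042", "assigned", {"to": "alice", "reason": "onboarding", "signed": True},
             timestamp="2025-01-16T10:00:00+00:00")
    r.record("helpdesk", "LT-0042", "incident",
             {"ticket": "HD-1001", "severity": "low", "summary": "battery swap",
              "technician": "bob", "resolved": "2025-03-02"},
             timestamp="2025-03-01T14:30:00+00:00")
    r.record("it.admin", "LT-0042", "returned", {"from": "alice", "reason": "offboarding"},
             timestamp="2025-06-30T17:00:00+00:00")
    r.record("it.admin", "LT-0042", "assigned", {"to": "carol", "reason": "reissue", "signed": True},
             timestamp="2025-07-07T09:15:00+00:00")
    return r


def tamper_is_detected() -> bool:
    """The spreadsheet failure mode: quietly editing a past cell. The chain catches it."""
    r = build_sample_register()
    assert r.verify_chain()
    r.log[2].data["severity"] = "none"  # downgrade a past incident in place
    return not r.verify_chain()
```

Run `build_sample_register()` and call `inventory()`, `custody_history("LT-0042")` and `incident_history("LT-0042")` to answer the Step 5 questions for the sample laptop; `export_csv()` is what you would hand to the auditor, and `verify_chain()` is the check you run before handing it over.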

Common Gaps in SMB Asset Management

After working with hundreds of European SMBs, certain patterns emerge repeatedly. These are the most common gaps that put companies at risk during a NIS2 audit:

  • No centralized inventory: Assets are tracked in multiple spreadsheets, emails, or not tracked at all. Different departments maintain their own records with no single source of truth.
  • Stale data: The inventory was created once (perhaps during an ISO 27001 initiative) but has not been maintained. New purchases are not added, transfers are not recorded, and decommissioned devices are not removed.
  • No custody records: The company knows it bought 50 laptops but cannot say who has which one. When an employee leaves, there is no record of what they were assigned.
  • Incidents disconnected from assets: The helpdesk system tracks tickets by user, not by device. There is no way to pull up the incident history for a specific laptop or router.
  • No audit trail: Changes to the inventory are made by overwriting cells in a spreadsheet. There is no record of who made the change or what the previous value was.
  • Remote workers are invisible: Devices shipped to remote employees are not tracked after delivery. The company has no visibility into equipment outside the office.

How Proper ITAM Tools Help

An IT Asset Management tool purpose-built for compliance addresses every gap listed above. The right tool should provide:

  • A single source of truth: One centralized system where all assets are registered, regardless of location or department.
  • Automated lifecycle tracking: Every state change (purchased, deployed, assigned, returned, decommissioned) is recorded automatically with timestamps.
  • Custody management with history: Check-out and check-in records with full history, so you always know who has what and who had it before.
  • Incident linking: Support tickets are tied to specific assets, building a device-level incident history over time.
  • Immutable audit trail: Every action is logged and cannot be altered. Exportable reports for auditors on demand.
  • Role-based access control: Not everyone can modify asset records. Permissions are granular and documented.

NIS2 does not require you to use any specific tool. But it does require you to demonstrate that your risk management measures are effective and documented. A purpose-built ITAM platform makes this straightforward. A collection of spreadsheets makes it a constant struggle.

The Timeline Is Now

NIS2 became enforceable in October 2024. National competent authorities across the EU are now establishing their audit and enforcement programs. In 2026, audits are underway. The grace period is over.

For SMBs, the good news is that achieving compliance is not about buying expensive enterprise software or hiring a large compliance team. It is about putting the right processes and tools in place — starting with a proper IT asset inventory.

Use this checklist as your starting point. Walk through each step, identify your gaps, and address them before the auditor does it for you. The companies that prepare now will not only avoid fines — they will operate with better visibility, fewer incidents, and stronger security posture overall.


Written by

Metrica.uno Team

Content Team

Metrica.uno Team is part of the Metrica.uno team, helping organizations navigate AI compliance with practical insights and guidance.
