Art. 21(2) NIS 2 + CIR + IT-Grundschutz BSI 200-2

What is an asset under NIS 2?

An asset under NIS 2 is anything that processes, stores or transmits information your operations depend on. Art. 21 of the directive names 'asset management' exactly once, in Art. 21(2)(i), and never defines the term, but seven of the ten Art. 21(2) measures only make sense once you have the list.

Simon Orzel

Why the inventory comes first

Most NIS 2 implementations stall in the same place: somebody starts on risk management without first knowing what to assess. The asset inventory is the prerequisite. Without it, risk analysis is guessing, supplier mapping is incomplete, incident response cannot scope, and audits find nothing to test against.

The directive itself mentions 'asset management' only in Art. 21(2)(i) and never says what an asset is. It talks about 'network and information systems', their security, and the organisation's risk posture. CIR 2024/2690 (Art. 2(4) and the asset inventory requirement in point 12.4 of its Annex) and IT-Grundschutz BSI 200-2 §8.1 fill in the operational meaning: an asset is anything that processes, stores, or transmits information your operations depend on.

For a 60-person Mittelstand the inventory is not a 200-row Excel sheet. It is a one-page list of roughly 10 to 15 grouped entries, which Grundschutz explicitly allows. The point is to have it, keep it current, and let it anchor every other NIS 2 decision.

Where the duty sits
One operative article, one implementing regulation, one BSI methodology.

Art. 21(2)(a) and 21(2)(b) NIS 2

The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling.

Risk analysis and incident handling are listed first, but both require an object to analyse and to handle: the inventory of what you actually have. Art. 21(2)(i) later lists 'asset management' as a measure of its own, but (a) and (b) already presuppose it; the directive treats the inventory as a precondition for everything else rather than as a stand-alone deliverable.

CIR 2024/2690, Art. 2 and Annex, points 2.1 and 12.4

The Annex (paraphrased, not quoted verbatim) requires the relevant entities to establish and maintain a risk management framework for their network and information systems (point 2.1) and to develop and maintain a complete, accurate, up-to-date and consistent inventory of their assets (point 12.4), which in practice means software, hardware and information.

The implementing regulation makes the inventory duty explicit only for the entities it covers: DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, online marketplaces, search engines, social networking platforms and trust service providers. For all other NIS 2 sectors the duty is implicit in Art. 21(2)(a) and in the 'asset management' wording of Art. 21(2)(i), and Grundschutz makes it operational the same way.

BSI IT-Grundschutz BSI 200-2, §8.1

"Similar objects may be combined into groups if they can be treated identically in the protection requirements determination (Schutzbedarfsfeststellung)." (translated from the German original)

Grouping similar objects is explicitly allowed. A 60-person SME does not need 45 laptop rows; it needs one entry for 'employee laptops, 45 units' if they share the same protection profile. This is what makes the inventory tractable.

What counts as an asset
Six categories. Most 60-person Mittelstand entities map cleanly onto 10 to 15 grouped entries across these.

Business applications

ERP, CRM, accounting, HR, project management, sector-specific software (lab system in pharma, billing platform at a utility, MES on a shop floor). One line per application, even if hosted by a SaaS provider.

Data stores

Production databases, file shares, document management, backups, archive systems. Group by sensitivity, not by physical location.

Network and compute infrastructure

Servers (own or hosted), firewalls, switches, routers, VPN concentrators, identity providers, hypervisors, cloud accounts. One line per cluster of identical purpose.

Endpoints

Employee laptops, desktops, mobile devices, tablets. Group by role and OS family. Add separately: privileged admin workstations, kiosks, point-of-sale terminals.

OT and physical systems

SCADA, PLCs, building management, access control, CCTV, physical access readers, sector-specific industrial control. Often missed; for utilities, manufacturing, hospitals this is the biggest single category.

Supplier-provided services

Outsourced IT, hosted email, managed firewall, payroll, cloud office, identity-as-a-service. Note the supplier name and the dependency type per Art. 21(2)(d) NIS 2.

How to group without losing information
Grundschutz BSI 200-2 §8.1 lets you collapse identical assets to a single entry with a count, as long as the protection requirement is the same. Three rules keep the grouping legitimate.

Same protection requirement

Group 45 employee laptops only if they all share the same Schutzbedarf (protection requirement) for confidentiality, integrity and availability. If 5 of them carry payroll data, those 5 have a higher confidentiality requirement and form a separate group.

Same operational role

Production database server and a developer's sandbox cannot be one group even on identical hardware. Role differs, exposure differs, controls differ.

Count explicitly

Write the quantity. '45 employee laptops' tells an auditor scope. '1 cluster of laptops' is useless. The number is the bridge from inventory to risk analysis.

Build the first inventory in 90 minutes
Four steps. None of them needs a tool. A spreadsheet, a whiteboard, and one knowledgeable person from IT plus one from operations are enough.

Step 1 — Start with services delivered (15 min)

What does your entity actually do for customers? List 3 to 8 core services. For a Stadtwerk: electricity distribution, water distribution, customer billing. Every asset must trace back to a service or it is overhead.

Step 2 — Map applications and data to services (25 min)

For each service, name the applications it runs on and the data it touches. SAP for billing, the meter-reading platform for distribution, the document archive for legal. One line per application.

Step 3 — Add the infrastructure underneath (25 min)

Servers, network, endpoints, identity, cloud accounts. Group ruthlessly per BSI 200-2 §8.1. A 60-person entity rarely exceeds 10 grouped infrastructure rows.

Step 4 — Add supplier-provided services (25 min)

Any outsourced service that touches the assets above is itself an asset, plus a supplier dependency. SaaS email is one line; the MSP that manages your firewall is one line. This feeds Art. 21(2)(d) supply chain duties.
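The grouping rules (same protection requirement, same operational role, explicit count) and the four steps above can be mechanised once the raw records exist. The following script is an added example, not part of the original page and not the platform's code: it takes per-unit asset records for a fictional 60-person Stadtwerk (constructed sample data, not a real entity), collapses them into grouped entries per BSI 200-2 §8.1, flags entries that trace to no core service (Step 1), and extracts the supplier dependency list that feeds Art. 21(2)(d). Field names, categories and the `Asset`/`GroupedEntry` classes are assumptions made for the example.

```python
"""Build a grouped NIS 2 asset inventory from raw per-unit asset records.

Grouping key = (category, operational role, Schutzbedarf for C/I/A, supplier).
Assets that differ in role or in any protection level never merge; every
grouped entry carries an explicit unit count.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LEVELS = ("normal", "hoch", "sehr hoch")  # BSI Schutzbedarf categories


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # one of the six categories on this page (assumed labels)
    role: str              # operational role, e.g. "employee laptop"
    cia: tuple             # (confidentiality, integrity, availability)
    services: tuple = ()   # core services this asset supports (Step 1)
    supplier: str = ""     # non-empty for supplier-provided services
    units: int = 1         # count represented by this record


@dataclass
class GroupedEntry:
    category: str
    role: str
    cia: tuple
    units: int = 0
    supplier: str = ""
    members: list = field(default_factory=list)
    services: set = field(default_factory=set)


def group_assets(assets):
    """Rules 1-3: merge only on identical role + identical C/I/A, count units."""
    for a in assets:
        for level in a.cia:
            if level not in LEVELS:
                raise ValueError(f"{a.name}: unknown Schutzbedarf {level!r}")
    groups = {}
    for a in assets:
        key = (a.category, a.role, a.cia, a.supplier)
        entry = groups.setdefault(
            key, GroupedEntry(a.category, a.role, a.cia, supplier=a.supplier))
        entry.units += a.units
        entry.members.append(a.name)
        entry.services.update(a.services)
    return list(groups.values())


def untraced(entries, services):
    """Entries supporting no core service: overhead to drop, or a missing service."""
    return [e for e in entries if not e.services & set(services)]


def supplier_dependencies(entries):
    """Art. 21(2)(d) input: each supplier with the grouped assets depending on it."""
    deps = defaultdict(list)
    for e in entries:
        if e.supplier:
            deps[e.supplier].append(f"{e.role} x{e.units}")
    return dict(deps)


def render(entries):
    """One line per grouped entry, the one-page inventory the text describes."""
    lines = []
    for e in sorted(entries, key=lambda e: (e.category, e.role)):
        c, i, a = e.cia
        via = f" via {e.supplier}" if e.supplier else ""
        lines.append(f"{e.category:<16} {e.role:<24} x{e.units:<3} "
                     f"C={c} I={i} A={a}{via}")
    return "\n".join(lines)


# Constructed sample for a fictional Stadtwerk; names and suppliers are invented.
SERVICES = ["electricity distribution", "customer billing"]
NORMAL = ("normal", "normal", "normal")
SAMPLE = (
    [Asset(f"LT-{n:03d}", "endpoint", "employee laptop", NORMAL,
           ("customer billing",)) for n in range(1, 41)]
    # five laptops carry payroll data: higher confidentiality, separate group
    + [Asset(f"LT-{n:03d}", "endpoint", "employee laptop",
             ("hoch", "normal", "normal"), ("customer billing",))
       for n in range(41, 46)]
    + [
        Asset("db-prod-01", "data store", "billing database",
              ("hoch", "hoch", "hoch"), ("customer billing",)),
        # same hardware class as prod, different role: must not merge
        Asset("db-dev-01", "data store", "developer sandbox", NORMAL,
              ("customer billing",)),
        Asset("scada-a", "OT", "distribution SCADA",
              ("normal", "sehr hoch", "sehr hoch"), ("electricity distribution",)),
        Asset("mail", "supplier service", "hosted email",
              ("hoch", "normal", "hoch"), ("customer billing",),
              supplier="ExampleMail AG"),
        # shadow IT: department-bought SaaS that traces to no service yet
        Asset("survey-tool", "supplier service", "shadow IT survey SaaS",
              NORMAL, (), supplier="SurveyVendor GmbH"),
    ]
)

if __name__ == "__main__":
    entries = group_assets(SAMPLE)
    print(render(entries))
    print("untraced:", [e.role for e in untraced(entries, SERVICES)])
    print("suppliers:", supplier_dependencies(entries))
```

Running it turns 50 raw records into seven grouped rows: two laptop groups (40 and 5 units) because the payroll laptops differ in confidentiality, production database and sandbox kept apart by role, one OT row, and two supplier rows, of which the survey tool is reported as untraced until someone either maps it to a service or retires it.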

Three things that get missed
Auditors find the same three holes in almost every first-pass inventory. Cover them now and the second iteration goes faster.
  • OT and building services missing

    Production lines, building access, CCTV, climate control. Easy to skip because they don't sit on the IT team's desk. Under NIS 2 they are assets the moment they process information related to your service.

  • Data flows not mapped

    It is not enough to list the applications. Note which data flows from where to where. A payroll file moving from HR system to bank by SFTP is itself a flow that needs protecting.

  • Shadow IT not surfaced

    Departments often run their own SaaS subscriptions (form builders, survey tools, file-sharing). Ask, do not assume. Shadow IT becomes a supplier dependency under Art. 21(2)(d) regardless of who paid for it.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Art. 21(2), www.eur-lex.europa.eu
  • Commission Implementing Regulation (EU) 2024/2690 (CIR), Art. 2 and Annex, points 2.1 and 12.4, www.eur-lex.europa.eu
  • BSI IT-Grundschutz Standard BSI 200-2, §8.1 (Strukturanalyse), www.bsi.bund.de
  • Act on the Federal Office for Information Security (BSIG), §30 (national transposition of Art. 21)

This page provides structured guidance based on publicly available sources (NIS 2 Directive, CIR 2024/2690, BSIG, BSI IT-Grundschutz). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.

Build the first inventory today
Sign in and the platform produces a sector-specific inventory template you can fill in 90 minutes.