CIR §12.4 + BSI 200-2 §8.1

How to build the NIS 2 asset inventory

Article 21(2)(j) NIS 2 and CIR §12 set the five mandatory fields. BSI 200-2 §8.1 lets you group identical assets. Most Mittelstand companies finish with 10 to 15 entries, not 200.

Simon Orzel

The short version

NIS 2 names asset management in Article 21(2)(j) as one of the ten minimum risk-management measures. Commission Implementing Regulation (EU) 2024/2690 turns that into a concrete duty in §12: maintain a register of the assets the entity depends on, with a unique identifier, a description, an owner, a protection level and a location.

The number that scares people (200 servers, 600 laptops, 40 SaaS tools) shrinks once you read BSI Standard 200-2 §8.1 next to CIR §12. Identical assets with the same protection need are grouped into one entry. The 600 laptops become one row with a quantity field, not 600 rows.

A 50-staff Mittelstand operator typically ends up with 10 to 15 grouped entries spanning IT, OT, SaaS, network gear and physical sites. That register is the foundation the risk assessment, supplier register, access policy and incident plan all reference. Build it once, review it once a year, update it when something material changes.

The legal source
Three layers stacked: the Directive names asset management as a minimum measure, the Implementing Regulation lists the five mandatory fields, and the German transposition pulls the duty into national law. BSI Standard 200-2 §8.1 supplies the grouping rule that keeps the register manageable.

Article 21(2)(j) NIS 2 Directive (EU) 2022/2555

[Risk management measures shall include at least] security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure, and security of human resources, access control policies and asset management.

Article 21(2)(j) names asset management as one of the ten minimum measures every particularly important and important entity (besonders wichtige and wichtige Einrichtung) has to take. The Directive does not say what the register looks like. That detail sits one layer down in the Implementing Regulation.

Commission Implementing Regulation (EU) 2024/2690, Annex §12 (asset management)

§12.4: The asset inventory shall include for each asset at least a unique identifier, a description, the asset owner, the protection level required, and the location of the asset. §12.5: The inventory shall be reviewed at planned intervals and at least annually, and on the occurrence of significant changes.

CIR 2024/2690 binds the relevant entities in Annex I and II of NIS 2 directly. §12.4 is the only place in the EU body of law that lists the mandatory fields. §12.5 sets the review cadence. Anything beyond these five fields is a choice, not a duty.

§30 BSIG (Germany) + BSI Standard 200-2 §8.1 (Strukturanalyse, Gruppenbildung)

§30 BSIG: Particularly important entities and important entities must take suitable, proportionate and effective technical and organisational measures to prevent disruptions. BSI 200-2 §8.1: Similar objects may be combined into groups if they have similar properties and a comparable protection need.

§30 BSIG copies Article 21 into German law. BSI Standard 200-2 §8.1 then explains how the Strukturanalyse is actually done in practice: identical objects with similar properties and comparable protection needs are grouped into one entry. That is the rule that turns 600 laptops into one register row.

Three steps to build the register
Work in this order. The processes you keep running tell you which systems must not break. The systems list collapses into grouped entries. The classification adds the protection level. Skip the process step and the register turns into an unmanageable hardware list.
Step 1

Start from the processes, not from the network scan

Write down the eight to twelve business processes the company depends on (order intake, invoicing, payroll, customer support, the production line, district heating control, route dispatch). For each, name the dependencies. This is the entry point BSI 200-2 calls Strukturanalyse. The process map sets which assets matter and what their protection need is. A network scan started cold gives you noise, not a register.

Step 2

List the assets each process depends on, grouped

Walk each process and capture the assets it needs: applications, databases, servers, endpoints, network gear, cloud and SaaS services, OT and ICS components, physical sites. Apply BSI 200-2 §8.1: 45 identical office laptops are one entry with a quantity field, not 45 rows. Three identical PLCs on the same line are one entry. SaaS services count even though they are not on your network. The output is 10 to 15 grouped entries for a 50-staff company, not 200.

Step 3

Fill the five CIR §12.4 fields per entry

For every entry, fill the five mandatory fields from CIR §12.4: unique identifier (a short asset ID like ERP-01), description (what it is and what process it serves), owner (a named person, not a department), protection level (the Schutzbedarf in confidentiality, integrity and availability, derived from the process it serves), location (data centre, cloud region, physical site, or the supplier that hosts it). Five fields. No more is required by EU law.

Two rules that keep the register small
Both come straight from BSI 200-2 §8.1 and CIR §12. The register is a management tool, not a configuration database. Detail belongs in operational tools (CMDB, MDM, EDR), not in the NIS 2 register.

Group identical assets, do not enumerate every device

BSI Standard 200-2 §8.1 says identical objects with comparable protection need are grouped. Use it. 600 laptops in the same MDM profile with the same Schutzbedarf are one register entry. Three identical wastewater pump PLCs are one entry. A pool of identical VDI workstations is one entry. The reader of your register (the BSI, an auditor, your insurer) wants to see that you understand your dependencies, not that you can dump asset tags.

Inventory the dependencies, not just the things you own

CIR §12.4 wants the asset owner and the protection level. Both only make sense if you know which process the asset serves. A server with no named process behind it gets no owner and no defensible protection level, and you fail the field. So map processes first and assets second. The same rule covers SaaS: a tool you do not own but that your invoicing depends on is in scope, hosted by the named supplier in the location field.
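To make the three steps and the two rules above concrete, here is an added Python sketch (not the platform's code and not BSI tooling) that collapses a device-level list into grouped register rows, derives each row's protection level from the processes it serves, and checks the row for the CIR §12.4 fields. It assumes the normal/hoch/sehr hoch Schutzbedarf scale, the maximum principle as the derivation rule, and the constructed sample assets at the bottom.

```python
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("normal", "hoch", "sehr hoch")  # IT-Grundschutz Schutzbedarf scale, low to high
DIMS = ("C", "I", "A")                    # confidentiality, integrity, availability

@dataclass
class Entry:  # one register row: the five CIR 12.4 fields, plus quantity (BSI 200-2 8.1) and served processes
    asset_id: str
    description: str
    owner: str
    protection: dict      # {"C": level, "I": level, "A": level}
    location: str
    quantity: int = 1
    processes: tuple = ()

def derive_protection(process_needs, served):
    """Asset need = highest need of any process it serves (maximum principle, assumed here)."""
    return {d: LEVELS[max((LEVELS.index(process_needs[p][d]) for p in served), default=0)] for d in DIMS}

def group_assets(raw, process_needs):
    """Collapse device-level records: same kind, owner, location and processes -> one row with a quantity."""
    buckets = defaultdict(list)
    for a in raw:
        buckets[(a["kind"], a["owner"], a["location"], tuple(sorted(a["processes"])))].append(a)
    entries = []
    for n, (key, devs) in enumerate(sorted(buckets.items()), start=1):
        kind, owner, location, served = key
        entries.append(Entry(f"{kind}-{n:02d}", f"{kind} serving {', '.join(served) or 'no process'}",
                             owner, derive_protection(process_needs, served), location,
                             quantity=len(devs), processes=served))
    return entries

def validate(entry):
    """CIR 12.4 defects of one row; an empty list means the row is defensible."""
    checks = [(not entry.owner.strip(), "no named owner"),
              (not entry.processes, "no process dependency: owner and protection level not defensible"),
              (any(entry.protection.get(d) not in LEVELS for d in DIMS), "protection level incomplete"),
              (not entry.location.strip(), "location missing (for SaaS: supplier and region)")]
    return [msg for bad, msg in checks if bad]

# Constructed sample input, as a cold scan or MDM export might deliver it (not real data)
PROCESS_NEEDS = {"invoicing": {"C": "hoch", "I": "hoch", "A": "normal"},
                 "production line A": {"C": "normal", "I": "hoch", "A": "sehr hoch"}}
RAW = ([{"kind": "laptop", "owner": "A. Example", "location": "Plettenberg site", "processes": ["invoicing"]}] * 45
       + [{"kind": "PLC", "owner": "B. Example", "location": "hall A", "processes": ["production line A"]}] * 3
       + [{"kind": "SaaS", "owner": "", "location": "Salesforce, eu-west", "processes": ["invoicing"]},
          {"kind": "server", "owner": "C. Example", "location": "server room", "processes": []}])
```

Running `group_assets(RAW, PROCESS_NEEDS)` turns 50 raw records into four rows; `validate` flags the SaaS row for its empty owner and the orphan server for having no process behind it, which is exactly the third trap the text describes.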

How Member States read this
Every national authority converges on the same mechanic: CIR §12.4 sets the five fields, BSI 200-2 §8.1 (or its equivalent) sets the grouping rule, ISO/IEC 27001:2022 Annex A.5.9 is recognised as a usable form of evidence.
Germany

BSI: Strukturanalyse plus Gruppenbildung is the canonical method

The BSI's IT-Grundschutz methodology in Standard 200-2 §8.1 names Strukturanalyse as the first concrete step and Gruppenbildung as the scaling mechanism. The BSI's own audit catalogue (ORP.1, OPS.1, CON.3) reads the register against the CIR §12.4 fields. A grouped register with named process dependencies, a clear owner per entry and a documented protection level is what a BSI auditor expects to see in a §30 BSIG audit.

EU

ENISA Technical Implementation Guidance: asset management section 12

ENISA's Technical Implementation Guidance for CIR 2024/2690 dedicates section 12 to asset management. It restates the five mandatory fields, references the review cadence in §12.5 and points at ISO/IEC 27001:2022 Annex A.5.9 and ISO/IEC 27002 §5.9 as recognised implementation references. ENISA's mapping table (CC BY 4.0, v1.2, August 2025) crosswalks CIR §12 to ISO 27001 A.5.9, NIST CSF 2.0 ID.AM and ETSI EN 319 401.

Other Member States

NL, AT and FR: ISO/IEC 27001:2022 Annex A.5.9 carries the same fields

The Dutch Cyberbeveiligingswet, the Austrian NISG and the French transposition all read CIR 2024/2690 §12 directly. National guidance in each Member State points at ISO/IEC 27001:2022 Annex A.5.9 (inventory of information and other associated assets) as a recognised way to evidence the duty. An entity with one register that satisfies CIR §12.4 satisfies all of them. The fields, not the format, are what the law cares about.

Three traps that turn the register into busywork
Each shows up regularly in real NIS 2 projects. Each comes from reading CIR §12 without reading BSI 200-2 §8.1 next to it.
  • We will list every device individually so the register is complete.

    No. BSI 200-2 §8.1 explicitly authorises grouping. A register with 600 laptop rows fails the readability test and adds no information a 25-row grouped register does not already carry. The BSI grades on whether the entries are defensible, not on how many rows you can produce.

  • SaaS is invisible because it is not on our network, so we skip it.

    Wrong. CIR §12.4 talks about assets the entity depends on, with a location field designed for exactly this case. A SaaS service your invoicing depends on goes in as one entry, the location is the supplier and region (for example Salesforce, eu-west), and the supplier sits in the supplier register under CIR §5 in parallel.

  • We can build the register from the network scan and add owners later.

    You can, but the owner field will sit empty and the protection level will be a guess. Both are mandatory under CIR §12.4. Without the process step from BSI 200-2 §8.1, an entry has no defensible owner because no business process points at it. The register then fails the audit even though it has 600 rows in it.

A 60-staff Maschinenbau example

A 60-staff machine-building company in the Sauerland mapped eleven business processes (order intake, design, procurement, production line A, production line B, quality, dispatch, invoicing, payroll, customer support, after-sales remote service). The asset walk produced twelve grouped entries: ERP (one), CAD and PLM (one), MES on the shop floor (one), file and print servers (one, three identical boxes), the 50-laptop fleet under one MDM profile (one), two grouped CNC controller families (two), the central network gear (one), Microsoft 365 (one), the customer support SaaS (one), the after-sales VPN appliance (one), and the physical site in Plettenberg (one). Twelve entries covering IT and OT, with named owners, clear protection levels and a known location.

The register took two workshop days to draft and one week of follow-up to confirm owners and protection levels. Annual review is a half-day. The same twelve entries are the spine of the risk register, the supplier register, the access policy, the BCM plan and the incident response runbook. The €30,000 audit-grade CMDB project the integrator originally quoted turned out to be unnecessary; CIR §12.4 only asks for five fields per entry, and BSI 200-2 §8.1 lets you group.

How we handle this on the platform

The platform implements CIR §12.4 directly: each asset entry carries the five mandatory fields (identifier, description, owner, protection level, location) plus a quantity field for grouped entries from BSI 200-2 §8.1. You walk the processes you have already mapped in the risk module and attach the assets each process depends on. The register stays in the dozens of entries, not the hundreds.

The annual review under CIR §12.5 is a scheduled task with a named owner and an audit-trail signature. Significant-change events (new SaaS, new OT line, supplier swap) trigger an update prompt instead of waiting twelve months. The same register feeds the supplier link under CIR §5, the access policy under CIR §11, and the incident plan, so the five fields you fill once power the rest of the obligation register.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 21(2)(j): minimum risk-management measures include security of human resources, access control policies and asset management.
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, Annex §12 (asset management): §12.4 lists the five mandatory inventory fields (unique identifier, description, owner, protection level, location); §12.5 sets the review cadence (at planned intervals and at least annually, and on significant change).
  • BSIG (Germany), §30 (Risikomanagementmaßnahmen), transposing Article 21 NIS 2.
  • BSI Standard 200-2 (IT-Grundschutz-Methodik), §8.1 (Strukturanalyse, Komplexitätsreduktion durch Gruppenbildung): identical objects with comparable properties and protection need are grouped into one register entry.
  • ISO/IEC 27001:2022 Annex A.5.9 (Inventory of information and other associated assets), referenced by ENISA's Technical Implementation Guidance for CIR 2024/2690 §12 as a recognised implementation form.
Build the register in the platform
Walk the processes, group the assets, fill the five CIR §12.4 fields per entry. The annual review under CIR §12.5 is scheduled for you. Free, open source, no lock-in.