NIS 2 asset management under Article 21(2)(i)
Asset management is the foundation under every other NIS 2 measure. If you do not know what you have, you cannot protect it, classify it, back it up, or know who can access it. Article 21(2)(i) is where the duty lives, CIR (EU) 2024/2690 §12 spells out the five pieces, and §30(2)(9) BSIG puts the same rule into German law.
The short version
Asset management sits at point (i) on Article 21(2)'s list of ten cybersecurity duties. The text lumps it with personnel security and access control. The reason is simple: all three answer the same question: who can touch what. Asset management is the half that says what 'what' actually is.
CIR (EU) 2024/2690 §12 fills in the detail. It splits asset management into five pieces. Classify your assets by confidentiality, integrity, authenticity and availability. Handle them safely across the full lifecycle. Control removable media. Keep a complete and current inventory. Make sure assets come back when people leave. That is the floor.
Germany puts the same rule into national law through §30(2)(9) BSIG. The wording follows the directive. The BSI then points at IT-Grundschutz for the practical mechanics, including the rule that lets you bundle identical assets together so the inventory stays tractable.
Article 21(2)(i) NIS 2 Directive (2022/2555)
Human resources security, access control policies and asset management.
This is point (i) on the list of ten cybersecurity measures every essential and important entity has to put in place. The directive groups three duties together: personnel security, access control, and asset management. CIR §12 is the part that operationalises the asset half.
CIR (EU) 2024/2690, Annex §12
Asset and value management (Article 21(2)(i) of Directive (EU) 2022/2555).
Because this is a regulation (not a directive), it is directly binding EU law. No national transposition needed. It applies to DNS providers, TLD registries, cloud providers, data centres, managed service providers and the other sectors listed in its Annex. §12 has five subsections covering classification, lifecycle handling, removable media, the inventory itself, and what happens when employment ends.
§30(2)(9) BSIG (Germany)
Human resources security, access control concepts and asset management.
Germany copies the EU text. The BSI then points at IT-Grundschutz for the practical detail: CON.6 covers secure deletion and destruction (CIR §12.2 and §12.5), and BSI 200-2 §8.1 explains how to group identical assets in the inventory (CIR §12.4).
Classify by CIA plus business value
Each asset gets a classification level based on the confidentiality, integrity, authenticity and availability the data on it needs. CIR maps those four onto sensitivity, criticality, risk, and business value. The availability part of the rating ties back to the recovery targets you set under §4.1 for business continuity. So the same inventory drives both access control and BCP.
Handle assets safely across the full lifecycle
You need a written concept for every stage an asset goes through: acquisition, use, storage, transport, and disposal. The concept has to cover secure use, secure storage, secure transport, and irreversible deletion or destruction at end of life. §12.3 extends this to removable media (USB sticks, external drives), and §12.5 extends it to the moment an employee leaves.
Keep a complete, accurate, current inventory
The inventory has to be complete, accurate, up-to-date and consistent, with enough granularity for your needs. Two things go in it: (a) a list of your business processes and services with descriptions, and (b) a list of the network and information systems and other assets that support those processes and services. This is the data structure every other CIR section reads from.
The inventory is the precondition for everything else
CIR §12.4 is not just one section among ten. It is the data structure every other section depends on. Risk management (§2) reads from it. Business continuity recovery targets (§4) read from it. Access control rules (§13) read from it. MFA classification (§9) reads from it. If §12.4 is missing or wrong, every downstream module is missing or wrong. Build it first.
Grundschutz lets you bundle identical assets
BSI 200-2 §8.1 explicitly allows grouping: 45 office laptops with the same image and the same role count as one entry with a quantity of 45. A 50-person Mittelstand company ends up with ten to fifteen grouped entries, not ten thousand individual rows. The inventory has to be complete, but completeness does not mean line-item per device.
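As an added illustration (not code from this page or from any product it mentions), here are the two lists §12.4 asks for as plain data, with the Grundschutz grouping rule applied and a consistency check that flags the gaps an auditor looks for first: processes without a description, processes pointing at assets that are not in the inventory, assets that support no listed process, and assets with an invalid rating. The three-tier rating scale, the asset names, the image identifiers and the sample processes are all constructed for the example.

```python
# Added example: a CIR §12.4 inventory as data, BSI 200-2 §8.1 style grouping, and a consistency check.
from collections import Counter
from dataclasses import dataclass

LEVELS = ("normal", "high", "very high")  # assumed 3-tier protection-need scale

@dataclass(frozen=True)
class Asset:
    name: str
    role: str      # e.g. "office laptop"; same role + image is a grouping candidate
    image: str     # build identifier of the installed system
    rating: tuple  # (confidentiality, integrity, authenticity, availability)

@dataclass(frozen=True)
class Process:
    name: str
    description: str
    supported_by: tuple  # names of the assets this process depends on

def group_identical(assets):
    """Collapse identical assets (same role, image and rating) into (key, quantity) entries."""
    return sorted(Counter((x.role, x.image, x.rating) for x in assets).items())

def check_inventory(processes, assets):
    """Findings an auditor would raise against §12.4; an empty list means the inventory is consistent."""
    findings, names = [], {x.name for x in assets}
    referenced = {n for p in processes for n in p.supported_by}
    for p in processes:
        if not p.description.strip():
            findings.append(f"process '{p.name}' has no description")
        if not p.supported_by:
            findings.append(f"process '{p.name}' names no supporting asset")
        findings += [f"process '{p.name}' references unknown asset '{n}'"
                     for n in p.supported_by if n not in names]
    for x in assets:
        if len(x.rating) != 4 or any(lvl not in LEVELS for lvl in x.rating):
            findings.append(f"asset '{x.name}' has an invalid rating {x.rating}")
        if x.name not in referenced:
            findings.append(f"asset '{x.name}' supports no listed process")
    return findings

# Constructed sample: 45 identically imaged laptops, one ERP server, three processes.
LAPTOPS = [Asset(f"lt-{n:02d}", "office laptop", "win11-2024q3", ("normal",) * 4) for n in range(1, 46)]
ERP = Asset("erp-01", "ERP server", "rhel9-erp", ("high", "high", "high", "very high"))
PROCESSES = [Process("Order handling", "Quote-to-cash for all customers", ("erp-01",)),
             Process("Office work", "Day-to-day desktop use by all staff", tuple(x.name for x in LAPTOPS)),
             Process("Payroll", "", ("hr-01",))]  # deliberately broken: no description, unknown asset

if __name__ == "__main__":
    print(group_identical(LAPTOPS + [ERP]), check_inventory(PROCESSES, LAPTOPS + [ERP]), sep="\n")
```

Run as-is, the grouping collapses the 46 devices into two entries (45 laptops, 1 server) and the check returns exactly the two Payroll findings; fixing the Payroll entry brings the finding list to empty.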
BSI / IT-Grundschutz CON.6 + BSI 200-2 §8.1
The BSI points at IT-Grundschutz for the practical mechanics. CON.6 'Löschen und Vernichten' covers secure deletion and destruction (matches CIR §12.2 disposal and §12.5 employment end). BSI 200-2 §8.1 is where the grouping rule lives: identical assets bundled into one inventory entry with a quantity. Both are referenced by the §30 BSIG implementation guidance.
ENISA Technical Implementation Guidance
ENISA's TIG breaks CIR §12 down into concrete evidence: inventory exports, classification schemes, removable-media policies, end-of-employment checklists. It also maps §12 onto ISO/IEC 27001:2022 controls A.5.9 (inventory), A.5.10 (acceptable use), A.5.11 (return of assets), A.5.12 (classification) and A.7.10 (storage media). If you already run ISO 27001, those controls give you most of CIR §12 directly.
National transposition laws
Every member state has its own transposition law (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). The asset-management duty is the same across all of them because the directive sets one EU-wide standard. What differs: which national agency you register with and how they audit the inventory in practice.
We have a Confluence page that lists our systems.
Close, but CIR §12.4 wants more than a system list. It asks for the inventory to be complete, accurate, up-to-date and consistent, and to cover two things: your business processes and services with descriptions, and the systems and assets that support them. A flat list of servers is half the job. The process-to-system mapping is the other half, and it is the half auditors check first.
We shred old laptops, so we are covered on offboarding.
Good for hardware, but §12.5 covers more than that. It asks for a documented procedure that ensures return, handover, or deletion of assets when employment ends, and if that is not possible, that the person can no longer access network and information systems. What about the leaver's cloud accounts, SaaS logins, MFA tokens, mobile devices and VPN profiles? The shredder does not catch those.
We classify data, not assets. The asset is just the container.
CIR §12.1 explicitly classifies the asset by the CIA requirements of the data it handles. The classification lives on the asset because the asset is what carries access controls, backup policies, and recovery targets. Classify both: the data tells you why, the asset is where you act on it.
CIR §12.4 is the foundational artefact of the whole NIS 2 implementation. You build it once, properly, with Grundschutz grouping. After that, every other module reads from it instead of asking the same questions again. Risk register, BCP recovery targets, access control rules, MFA classification, supplier scope. All of them point back at the inventory.
Our rule of thumb in the German Mittelstand: a 50- to 250-person company ends up with ten to fifteen grouped entries on the asset side and roughly the same on the supplier side. Add the process map (eight to twelve business processes for most operators) and the inventory is done. It takes a focused week with the IT lead and the process owners, not a six-month project.
Our Assets module is the §12.4 inventory and the §12.1 classification in one place. You add assets with quantity and grouping the way Grundschutz allows. Each asset carries its CIA classification, owner, location, and the suppliers that touch it. The same record drives risk treatment, BCP recovery targets, and access control scope without you re-typing anything.
§12.2 lifecycle handling, §12.3 removable media and §12.5 offboarding all live as written policies that link to the inventory. When someone leaves, the platform generates the offboarding checklist against their assigned assets. No spreadsheet. No separate HR ticket trail.
- Directive (EU) 2022/2555 (NIS 2), Article 21(2)(i) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §12 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §30(2)(9) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI IT-Grundschutz CON.6 'Löschen und Vernichten' — bsi.bund.de/Grundschutz
- BSI 200-2 §8.1 (asset grouping rule) — bsi.bund.de/200-2
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)