--- title: "NIS2 Systems & Assets Inventory Guide" description: How to build a NIS2 inventory of relevant systems and assets. Practical guide for creating an auditable register that meets baseline documentation requirements. canonical: https://www.aegister.com/en/cms/insights/nis2-systems-assets-inventory-auditable-register/ url: /en/cms/insights/nis2-systems-assets-inventory-auditable-register/ lang: en --- ![](/static/images/header-contact.webp) # NIS2 inventory of relevant systems and assets: practical guide to build an auditable register --- ![NIS2 inventory of relevant systems and assets: practical guide to build an auditable register](/static/images/cms/nis2-requisiti-di-base.webp) ## NIS2 inventory of relevant systems and assets: practical guide to build an auditable register February 02, 2026 [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) [asset inventory](/en/cms/keyword/asset-inventory/) +4 NIS2 baseline compliance requires organizations to maintain structured documentary evidence for inventories, including physical assets, services, systems, software applications, and related network flows. In practice, the inventory of relevant information and network systems is not just a technical list. It is a governance control that supports risk evaluation, control prioritization, and incident response traceability. ## Key takeaways - Inventory quality directly affects NIS2 risk, incident, and continuity controls. - The baseline documentation model expects inventories to be complete, current, and usable by governance and operations. - A useful inventory links systems to NIS services, criticality, ownership, and dependencies. - Static spreadsheets without lifecycle governance quickly become non-compliant evidence. ## Regulatory framing for inventory evidence The ACN reading guide identifies inventories as a core documentary evidence category, including assets, services, software systems, and network flows. This means inventory is part of baseline implementation and audit readiness, not an optional IT hygiene artifact. From an execution perspective, inventory must support other controls: access governance, vulnerability management, incident handling, and supplier-risk supervision all depend on asset visibility. ## What a NIS2-ready inventory register should contain | Field group | Why it matters | | --- | --- | | System/asset identifier | Enables unambiguous traceability across controls | | Service linkage (NIS scope) | Connects assets to regulated activity/service perimeter | | Asset type and location | Distinguishes IT/OT/cloud/network exposure context | | Owner and accountable function | Clarifies governance accountability and approvals | | Criticality and CIA impact | Supports risk ranking and remediation prioritization | | Dependencies (internal/external) | Maps operational and supplier single points of failure | | Lifecycle status | Keeps the register aligned with acquisition/change/dismissal events | | Last review timestamp | Demonstrates governance cadence and evidence freshness | ## Practical structure from the Aegister template approach ### 1. Scope and identification criteria Define which NIS services and activities are in scope and how relevant systems are identified. ### 2. Core inventory register schema Adopt one canonical schema for systems, networks, applications, data stores, and owners. ### 3. Criticality and classification model Classify assets by operational impact and confidentiality, integrity, availability exposure. ### 4. Ownership and governance workflow Assign asset owners and define who validates and approves inventory changes. ### 5. Dependency and supplier mapping Include key dependencies, including managed services and external platforms. ### 6. Review cadence and evidence controls Set periodic review cycles and maintain auditable change history. ## Common inventory quality gaps to avoid - Asset lists not linked to NIS-regulated services. - No clear owner for critical assets. - Cloud/SaaS and externally managed assets missing. - Inventory updates handled ad hoc without governance trail. - No linkage between inventory and risk/incident workflows. ## 20-day hardening checklist | Week | Priority actions | | --- | --- | | Week 1 | Confirm NIS service perimeter and minimum inventory schema | | Week 2 | Complete owner assignment and criticality classification | | Week 3 | Validate dependencies, run quality review, and lock governance cadence | ## FAQ ### Is an inventory really a compliance document under NIS2 baseline? Yes. The ACN reading guide explicitly includes inventories among required documentary evidence categories for baseline implementation. ### Can we keep separate inventories (hardware, software, network) instead of a single file? Yes, if the structure remains coherent, complete, and easy to use for governance and controls. ### What is the minimum practical output expected? A maintained, role-owned inventory register that supports risk, incident, and continuity decision-making. ## Conclusion and next steps For NIS2, inventory quality is a control enabler across the whole cybersecurity governance model. Organizations that standardize schema, ownership, and review discipline early can reduce operational blind spots and improve audit defensibility. ## Related reading - [NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now](/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/) - [NIS2 risk assessment document for systems and networks: practical guide for ID.RA-05 approval](/en/cms/insights/nis2-risk-assessment-document-id-ra-05/) - [NIS2 Identification Controls (ID): Inventories, Risk Assessment, and Improvement Cycle](/en/cms/insights/nis2-identification-id-inventories-risk-assessment/) - [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/) - [Free NIS2 Assessment](/en/assessment/) ## Official sources - [ACN – Guida alla lettura delle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) - [ACN – Determinazione obblighi di base 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) Share this post ## Related News [![NIS2 operational registers for logs, backups, and recovery: practical guide to auditable evidence](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-operational-registers-logs-backups-recovery/) [NIS2 operational registers for logs, backups, and recovery: practical guide to auditable evidence](/en/cms/insights/nis2-operational-registers-logs-backups-recovery/) [NIS2 baseline requires operational evidence beyond policies. This guide covers how to build auditable registers for logs, backups, restore tests, and post-incident recovery, with practical schemas, common gaps, and a 20-day hardening checklist.](/en/cms/insights/nis2-operational-registers-logs-backups-recovery/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +7 [![ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/static/images/cms/nis2-basic-measures-acn.webp)](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN's April 2026 package sets new NIS deadlines for subjects listed for the first time in 2026 (incident notification from 1 January 2027, baseline measures by 31 July 2027) and updates the platform operating rules for registration, annual and continuous updates, relevant suppliers, and categorization.](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 [![NIS2 Executive Board Reporting: How to Turn Audit Outputs into Governance Decisions](/static/images/cms/compliance-documentation-audit-nis2.webp)](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [NIS2 Executive Board Reporting: How to Turn Audit Outputs into Governance Decisions](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [Practical executive reporting model for NIS2 audit outcomes with minimum KPI set, traffic-light escalation, and evidence-based closure visibility for board governance.](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 ### NIS 2 Compliance with Aegister Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support. [Discover](/en/solutions/compliance/nis2/)