Tags: NIS2, compliance, asset management, EU regulation

NIS2 and Asset Ownership: What Article 21 Means for Your Organization

OwndUp Team March 28, 2026 10 min read

Most of the conversation around the EU's NIS2 Directive focuses on incident reporting timelines and network security controls. That makes sense. Those are the headline requirements, and they carry the most dramatic consequences when things go wrong. But there is a quieter provision in the directive that is catching a surprising number of organizations off guard: the requirement for structured, documented asset management with clear ownership.

The transposition deadline for NIS2 (17 October 2024) has passed, and national enforcement is under way in 2026. For companies in covered sectors, the compliance clock is no longer theoretical. And while many organizations have invested in firewalls, endpoint detection, and incident response playbooks, far fewer have addressed the foundational question that NIS2 demands an answer to: who is accountable for each critical asset in your organization, and can you prove it?

For growing companies with 50 to 500 employees, this is where compliance stops being an abstract policy exercise and becomes an operational challenge. You cannot fake asset ownership with a policy document. You either have the records, or you do not.

What NIS2 Actually Requires for Asset Management

Article 21 of the NIS2 Directive (Directive (EU) 2022/2555) sets out the cybersecurity risk-management measures that essential and important entities must adopt. Paragraph 2, point (i) specifically lists "human resources security, access control policies and asset management" as a required area of focus. This is not a suggestion. It is a legal obligation for entities that fall within scope.

But what does "asset management" mean in the context of NIS2? The directive is deliberately outcomes-based. It does not prescribe a specific tool, format, or vendor. Instead, it requires that you can demonstrate, during an audit or in the wake of an incident, that you have implemented effective measures. The directive itself does not break the obligation down further; in practice, auditors will look for four things:

  • A complete inventory of critical assets. This includes hardware (laptops, servers, networking equipment), software (SaaS subscriptions, on-premise applications, development tools), data repositories, and third-party services. If it supports your operations or handles sensitive data, it belongs in the inventory.
  • A clear owner assigned to every asset. Not a team, not a department, not "IT." One accountable individual per asset. The text of the directive does not spell this out, but it is the established reading (ISO/IEC 27001 Annex A likewise expects every asset to have an owner), and shared or ambiguous ownership will be treated as a gap.
  • Documented access controls tied to assets. Who can access each asset, under what conditions, and how are those permissions managed? This connects directly to the access control policies mentioned alongside asset management in Article 21.
  • Change logs and transfer records. When ownership of an asset changes, when access is granted or revoked, when an asset is decommissioned or replaced, there must be a record. Auditors need to reconstruct the timeline.

The proportionality principle built into NIS2 means that a 60-person SaaS company is not expected to implement the same controls as a critical infrastructure operator. But proportionate does not mean optional. You must be able to show that your measures fit your risk profile and that they are actually functioning, not just written in a policy binder.

Who Needs to Comply

NIS2 significantly expands the scope of EU cybersecurity regulation compared to its predecessor. Covered organizations are classified as one of two categories, based on both sector and size:

Essential entities are, broadly, large organizations in the Annex I sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. These face the strictest oversight, including ex ante (proactive) supervision by authorities.

Important entities cover medium-sized organizations in the Annex I sectors, plus organizations in the Annex II sectors: postal and courier services, waste management, manufacturing of critical products, food production, chemicals, digital providers (including online marketplaces, search engines, and social networking platforms), and research organizations.

The size thresholds follow the EU definition of a medium-sized enterprise: organizations with 50 or more employees, or with annual turnover or balance sheet total exceeding 10 million euros, generally fall within scope. Some entities are covered regardless of size, in particular DNS service providers, top-level domain name registries, trust service providers, and providers of public electronic communications networks or services.

The proportionality principle is important here. Article 21(1) requires measures that are "appropriate and proportionate," taking into account the entity's exposure to risks, its size, and the likelihood and severity of potential incidents. A 70-person logistics company does not need the same controls as a national energy grid operator. But it does need controls, and it needs to be able to demonstrate them.

The Ownership Gap: Where Most Organizations Fail

Here is the uncomfortable truth: most mid-size companies already have some form of asset inventory. They have spreadsheets tracking laptops. They have an ITAM tool listing software licenses. They might even have a configuration management database. On the surface, the asset management box looks checked.

But NIS2 does not just ask whether you have a list. It asks whether you can answer a specific question at any point in time: "Who is accountable for this asset right now?" And not just answer it informally, but answer it with an auditable record that shows the full chain of custody.

This is where the gaps appear. Across organizations of all sizes, four failure patterns show up repeatedly:

  • Shared ownership. An asset is assigned to a team or department rather than an individual. When something goes wrong, there is no single accountable person. The auditor sees a gap.
  • Informal transfers. An employee leaves a role and their colleague picks up the tools they managed. No record is created. No formal handover occurs. The asset's ownership history has a hole in it.
  • Orphaned assets after offboarding. An employee departs, and their hardware gets collected, but their SaaS accounts, managed subscriptions, and the shared credentials they knew are not systematically reassigned (or, for shared credentials, rotated). Assets end up unowned, sometimes for months, and a former employee may retain working access to them.
  • No change history. Even when ownership is technically documented, there is no log of when it was assigned, when it changed, or who approved the transfer. The current state might be correct, but there is no way to prove the process was followed.

These are not edge cases. They are the norm in growing companies where the pace of hiring, team changes, and tool adoption outstrips the administrative processes that are supposed to keep track of it all. And they are exactly the kinds of gaps that NIS2 auditors are trained to identify.

Key takeaway: NIS2 does not just require you to know what assets you have. It requires you to know who owns each one, how ownership has changed over time, and to prove it with records. The inventory is the easy part. The ownership trail is where compliance lives or dies.

What "Audit-Ready" Asset Ownership Looks Like

If an auditor walked into your organization tomorrow and asked to see your asset ownership records, what would they need to find? Based on the requirements of NIS2 Article 21 and established frameworks like ISO/IEC 27001 (NIS2 Article 25 directs member states to encourage the use of European and international standards, and 27001 is the obvious benchmark), audit-ready asset ownership includes:

  • Every asset has exactly one documented owner. No exceptions, no shared assignments, no "TBD" placeholders. Every item in the inventory has a named individual who is accountable.
  • Ownership transfers are logged with timestamps and acceptance records. When an asset changes hands, there is a record of when it happened, who transferred it, and confirmation that the new owner accepted responsibility.
  • Offboarding includes verified reassignment of all assets. No employee departure is considered complete until every asset they owned has been formally transferred to a new owner or decommissioned.
  • A complete history of who owned what and when. Not just the current state, but the full timeline. If an incident occurred six months ago, you need to be able to identify who was responsible for the affected asset at that specific point in time.
  • Regular reviews to catch gaps. Quarterly reviews of the asset register to identify unowned items, disputed ownership, or assets that have not been reviewed since assignment. Proactive gap detection is far better than discovering holes during an audit.

How to Prepare: A Practical Checklist

If your organization falls within NIS2's scope and you have not yet addressed the asset ownership requirements, here is a concrete starting point. These steps are ordered by priority and build on each other.

1. Inventory your critical assets. Start with the categories that carry the most risk: SaaS subscriptions with access to company or customer data, hardware assigned to employees, contracts with third-party service providers, and any system that supports essential business functions. You do not need to inventory every pencil. Focus on what matters.

2. Assign one owner to each asset. Go through the inventory and assign a single, named individual as the owner of every item. Not a team, not a mailing list. One person. Where ownership is genuinely unclear, that is itself a finding that needs resolution.

3. Document your transfer process. Define how ownership changes hands. What happens when someone moves teams? When a tool is consolidated? When a vendor contract is renegotiated? The process does not need to be complex, but it needs to exist and be followed consistently.

4. Set up offboarding gates. Build asset reassignment into your employee offboarding workflow as a mandatory step. No offboarding should be marked complete until all assets owned by the departing employee have been formally reassigned or decommissioned. This is one of the highest-impact controls you can implement.

5. Build an audit trail. Every assignment, transfer, and change should be logged automatically with timestamps and the identities of both parties. Manual logs in spreadsheets are fragile and prone to gaps. Automated logging removes the reliance on human discipline. Ideally the log is append-only, so that a record, once written, cannot be silently edited, and the current state of the register can always be reconstructed from the log rather than the other way round.

6. Review quarterly. Set a recurring review cadence to scan for unowned assets, stale assignments, and items that have not been reviewed since their last change. Treat this as a hygiene practice, not a one-time project.
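As an added illustration of what the "audit-ready" properties above and the six checklist steps look like when turned into a data structure, here is a small append-only ownership ledger. It is example code written for this article, not OwndUp's implementation or anything the directive prescribes; the asset names, people, and timestamps are constructed, and the 90-day staleness window is an assumed review cadence. It enforces exactly one owner per asset, makes transfers take effect only when the new owner accepts, blocks offboarding while a person still owns or is due to accept anything, answers "who owned this asset on a given date" by replaying the log, and produces a review report of unowned and stale assets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class LedgerError(Exception):
    """Raised when an action would violate the ownership rules."""


@dataclass(frozen=True)
class Event:
    """One immutable entry in the append-only ledger (hypothetical schema)."""
    ts: datetime
    asset: str
    kind: str                     # register / assign / propose / accept / decommission
    actor: str                    # identity that performed the action
    target: Optional[str] = None  # new owner for assign / propose / accept


class OwnershipLedger:
    def __init__(self) -> None:
        self._events: list = []   # only ever appended to, never edited

    def _append(self, ts, asset, kind, actor, target=None):
        if self._events and ts < self._events[-1].ts:
            raise LedgerError("events must be appended in chronological order")
        self._events.append(Event(ts, asset, kind, actor, target))

    def _state(self, asset, at=None):
        """Replay the asset's events up to `at` (or all of them) into its state."""
        st = {"owner": None, "pending": None, "active": False, "last": None}
        for e in self._events:
            if e.asset != asset or (at is not None and e.ts > at):
                continue
            st["last"] = e.ts
            if e.kind == "register":
                st["active"] = True
            elif e.kind == "assign":
                st["owner"] = e.target
            elif e.kind == "propose":
                st["pending"] = e.target          # owner unchanged until accepted
            elif e.kind == "accept":
                st["owner"], st["pending"] = e.target, None
            elif e.kind == "decommission":
                st["owner"], st["pending"], st["active"] = None, None, False
        return st

    # ---- actions: each validates against replayed state, then appends ----
    def register(self, ts, asset, actor):
        if self._state(asset)["active"]:
            raise LedgerError(f"{asset} already registered")
        self._append(ts, asset, "register", actor)

    def assign(self, ts, asset, owner, actor):
        st = self._state(asset)
        if not st["active"]:
            raise LedgerError(f"{asset} is not in the inventory")
        if st["owner"] is not None:               # exactly one owner, always
            raise LedgerError(f"{asset} already owned by {st['owner']}; use propose_transfer")
        self._append(ts, asset, "assign", actor, owner)

    def propose_transfer(self, ts, asset, from_owner, to_owner):
        if self._state(asset)["owner"] != from_owner:  # only the owner can hand over
            raise LedgerError(f"{from_owner} is not the current owner of {asset}")
        self._append(ts, asset, "propose", from_owner, to_owner)

    def accept_transfer(self, ts, asset, to_owner):
        if self._state(asset)["pending"] != to_owner:  # acceptance is the transfer
            raise LedgerError(f"no pending transfer of {asset} to {to_owner}")
        self._append(ts, asset, "accept", to_owner, to_owner)

    def decommission(self, ts, asset, actor):
        if not self._state(asset)["active"]:
            raise LedgerError(f"{asset} is not active")
        self._append(ts, asset, "decommission", actor)

    # ---- queries an auditor or an offboarding workflow would run ----
    def assets(self):
        return sorted({e.asset for e in self._events})

    def owner_at(self, asset, at):
        """Who was accountable for `asset` at instant `at` (point-in-time query)."""
        return self._state(asset, at)["owner"]

    def offboarding_blockers(self, person):
        """Offboarding gate: active assets `person` still owns or must still accept."""
        return sorted(a for a in self.assets()
                      if (s := self._state(a))["active"] and person in (s["owner"], s["pending"]))

    def review(self, now, stale_after=timedelta(days=90)):
        """Periodic review: active assets with no owner, or untouched for too long."""
        report = {"unowned": [], "stale": []}
        for a in self.assets():
            s = self._state(a)
            if not s["active"]:
                continue
            if s["owner"] is None:
                report["unowned"].append(a)
            elif now - s["last"] > stale_after:
                report["stale"].append(a)
        return report


def demo():
    """Constructed scenario: assign, attempted double-assign, transfer, offboarding check."""
    T = lambda d: datetime(2026, 1, d, tzinfo=timezone.utc)
    L = OwnershipLedger()
    for asset in ("saas:crm", "laptop:LT-0042", "vendor:payroll"):
        L.register(T(1), asset, "it-admin")
    L.assign(T(2), "saas:crm", "alice", "it-admin")
    L.assign(T(2), "laptop:LT-0042", "alice", "it-admin")
    try:                                      # second owner for an owned asset is refused
        L.assign(T(5), "saas:crm", "bob", "it-admin")
        double_assign_rejected = False
    except LedgerError:
        double_assign_rejected = True
    L.propose_transfer(T(10), "saas:crm", "alice", "bob")
    blocked_before = L.offboarding_blockers("alice")   # Alice still accountable for both
    L.accept_transfer(T(12), "saas:crm", "bob")
    L.decommission(T(15), "laptop:LT-0042", "it-admin")
    return {
        "owner_on_jan_5": L.owner_at("saas:crm", T(5)),
        "owner_on_jan_11": L.owner_at("saas:crm", T(11)),  # proposed but not yet accepted
        "owner_on_jan_20": L.owner_at("saas:crm", T(20)),
        "blocked_before": blocked_before,
        "blocked_after": L.offboarding_blockers("alice"),
        "double_assign_rejected": double_assign_rejected,
        "review": L.review(datetime(2026, 5, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of replaying the log rather than storing a mutable "owner" column is that the current state and the historical answer come from the same records: there is no way for the register to say one thing and the history another. Note that until Bob accepts, Alice is still the owner of record, so an offboarding run for Alice on 11 January would be blocked; the pending transfer is itself a finding to chase, not a reason to mark the handover done.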

Compliance Is Accountability, Not Just Technology

NIS2 compliance is not just about deploying the right firewalls or having an incident response plan on file. At its core, the directive demands that organizations know who is responsible for what, at all times, and can demonstrate it with evidence. Asset ownership is the foundation that makes everything else work. You cannot secure what you do not know you have, and you cannot hold anyone accountable for an asset that has no documented owner.

Tools like OwndUp are purpose-built for exactly this challenge: a centralized ownership ledger, acceptance-based transfers that create automatic audit trails, offboarding gates that prevent orphaned assets, and a complete history of every ownership change. If your current approach relies on spreadsheets or informal processes, the gap between where you are and where NIS2 expects you to be may be larger than you think.

The stakes are real. Under Article 34, non-compliance with NIS2 can result in administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities. Important entities face fines of up to 7 million euros or 1.4% of turnover, whichever is higher. Beyond the fines, Article 20 makes management bodies responsible for approving and overseeing the risk-management measures, and they can be held liable for failures to implement them.

The organizations that treat asset ownership as a foundational discipline rather than an afterthought will not only be compliant. They will be more resilient, more efficient, and better prepared for whatever comes next.
