NIS2 Directive: A Call for ITAM and Security Collaboration in 2025

Blog - January 2025: Why ITAM and Security teams should collaborate to comply with the NIS2 directive

On October 18, 2024, the NIS2 Directive came into effect, marking a significant step toward enhancing cybersecurity across the EU. This directive is part of a broader European Union initiative to implement standardized cybersecurity measures for entities whose service downtime or data breaches could have a substantial impact on society.

The NIS2 Directive mandates that EU member states integrate these enhanced cybersecurity measures into national laws. It introduces additional security requirements, expands reporting obligations, and enforces stricter compliance measures.


Does this apply to my organization?

If you work for a larger organization, it is likely that NIS2 applies to your entity. Any organization with 50 or more full-time employees that operates or provides services within the EU may be impacted by this change. Even organizations based outside the EU may need to comply if they engage with EU-based businesses. Similar to GDPR, the NIS2 Directive’s influence extends beyond EU borders.


What are the consequences of non-compliance?

The NIS2 Directive enforces compliance through penalties, which can be substantial and vary depending on whether the organization is classified as “Essential” or “Important.”

  • Important sectors (such as food, chemicals, manufacturing, and research) face fines of up to €7 million or 1.4% of global annual turnover, whichever is higher.
  • Essential sectors (including water supply, digital infrastructure, finance, and healthcare) face fines of up to €10 million or 2% of global annual turnover, whichever is higher.


What role does the ITAM team play?

IT Asset Management (ITAM) has long been an important ally of security, given that ITAM oversees the asset inventory and can identify potential software vulnerabilities. To ensure compliance with NIS2, ITAM teams should collaborate closely with Security teams to support the following key processes:

  • Lifecycle Management: Both ITAM and Security play critical roles in asset lifecycle management and can mutually benefit from sharing perspectives and insights.
  • Asset Inventory: A comprehensive and up-to-date asset inventory is essential for both teams. This presents an opportunity to enhance the accuracy and coverage of their data sets.
  • Incident Response: ITAM provides detailed asset information that is invaluable for security teams during incident response and investigation.
  • Vulnerability Management: ITAM helps identify and track vulnerabilities by maintaining detailed records of all assets, which cybersecurity teams can use to prioritize mitigation efforts.
  • Compliance: Both ITAM and Security teams should collaborate to make sure regulatory requirements and internal policies are met, simplifying compliance efforts for both parties.


Looking Ahead to 2025

To meet NIS2 compliance requirements, organizations must establish policies and procedures for Asset Management, data access controls, and the encryption of sensitive data. Sharing your ITAM processes and policies will be a practical first step in this process. The second phase involves sharing asset-related data and insights, along with results from joint risk analyses.

For ITAM teams, the NIS2 Directive emphasizes the need for robust asset management practices, reinforcing the critical role of ITAM in maintaining cybersecurity. It also offers ITAM practitioners an additional opportunity to showcase the value of ITAM in 2025.