How will NIS2 Impact ITAM Teams?

06 January 2025

In January 2023, in response to the large number of widely publicised cyberattacks, the European Union enacted a revised version of the 2016 Network and Information Systems Directive (NIS). The revision – the NIS2 Directive – is a legislative framework aimed at bolstering cybersecurity across EU infrastructure. The directive requires EU member states to transpose these enhanced cybersecurity measures into law. The new rules came into effect on 18 October 2024.

The NIS2 Directive introduces additional security requirements, extends reporting obligations, and comes with stricter enforcement.

The directive has two main pillars: Duty of Care and Duty to Report.

Duty of Care

  • Risk Management 
  • Business Continuity 
  • Incident Management 
  • System Recovery 
  • Emergency Procedures 
  • Crisis Team 

Duty to Report

  • Reporting Obligations 
  • Notification Deadlines 
  • Corporate Accountability 

Who’s Affected?

Any organisation with 50 or more full-time employees that operates or provides services within the EU may be affected by this change. Organisations operating outside of the EU may be required to comply if they work with EU-based businesses. This is largely comparable to GDPR regulations, which have an impact that spans far beyond EU borders.

Penalties

The penalties are high for non-compliance but vary depending on whether the business is considered “Essential” or “Important”.

  • “Important” industries (such as chemical, manufacturing and research organisations): the fine for non-compliance amounts to €7 million, or at least 1.4% of the total annual worldwide turnover (whichever is higher).
  • “Essential” organisations (such as Banking, Finance or Health): the fine is €10 million or at least 2% of the total worldwide annual turnover. 

The ITAM Impact

ITAM practices can enhance an organisation’s cybersecurity capability. Most notably, ITAM’s involvement in comprehensive asset inventory plays a key role in identifying potential software vulnerabilities that cybercriminals could exploit.

With the introduction of NIS2, it is vital that ITAM teams collaborate closely with cybersecurity teams to ensure effective implementation of new processes. Understanding how these disciplines intersect will be key to implementing NIS2 successfully.

ITAM crossover:

  • Lifecycle Management: Both ITAM and cybersecurity play a role in managing the lifecycle of assets. 
  • Asset Inventory: Both ITAM and cybersecurity need a comprehensive and up-to-date inventory of all assets.  
  • Incident Response: ITAM provides detailed asset information that helps cybersecurity teams during incident response and investigation.
  • Compliance: Both disciplines work together to ensure compliance with regulatory requirements and internal policies.  
  • Vulnerability Management: ITAM helps identify and manage vulnerabilities by ensuring all assets are tracked and updated. Cybersecurity focuses on mitigating these vulnerabilities.  

For ITAM teams, the NIS2 directive highlights the importance of robust asset management practices. By ensuring a comprehensive inventory, effective vulnerability management, and close collaboration with cybersecurity teams, ITAM can play a vital role in meeting the NIS2 requirements. Ultimately, this integration will strengthen an organisation’s cybersecurity practice.  
