NIS2 doesn't ask for a policy. It asks for proof of every asset you're protecting.

NIS2 doesn't name "ITAM" specifically. But Article 21's requirements for risk management, cyber hygiene, incident handling, and supply chain security collectively require a level of asset visibility and control that is, in practice, an ITAM programme. Companies without structured asset inventory find NIS2 evidence gathering very difficult to do at audit speed. The audit doesn't wait for the company to get its asset data in order.

A CMDB is a tool, not a programme. In most companies, CMDBs are partially complete, manually maintained, and populated from unreliable or infrequent discovery runs. NIS2 requires the asset picture to be accurate and current. Not documented in a system that was last reconciled six months ago. Our Catalyst Assessment tells the company exactly how accurate its current CMDB actually is before we recommend anything.

Hardware disposal is a supply chain security obligation under NIS2 Article 21(2)(h). Assets leaving the company's environment without certified data sanitisation represent both a data breach risk and a documented control gap. Our ITAD service with TES provides the full chain of custody evidence NIS2 requires. It's not optional for companies with hardware refresh cycles.

It depends on the current state of the company's asset data and processes. Companies with existing discovery tooling and a partially accurate CMDB typically reach NIS2 readiness within three to six months of a structured programme. Companies starting from scratch should plan six to twelve months. The Catalyst Assessment gives you an honest baseline and a sequenced timeline before you commit to anything.

Yes, directly. CIS Controls 1 and 2 align closely with NIS2 Article 21(2)(a) and (i). Companies that implement CIS Controls 1 and 2 through an ITAM programme are typically 60 to 70 percent of the way to NIS2 Article 21 readiness at the same time, because the asset foundation is already built. We structure ITAM implementations to create dual NIS2 and CIS value from a single programme investment wherever possible.