Skip to main content

Why map assets for NIS2?

  • Decree-Law No. 138 of 2024 is currently in force. Italian implementation of NIS2 (G.U. n. 262 dated November 7, 2024). Essential and important subjects must register on the ACN platform and adopt security measures by operational deadlines for 2025-2026.
  • Penalties up to 2 percent of global revenue. Art. 36 NIS2: essential subjects up to EUR 10 million or 2% annual global turnover. Important entities until EUR 7 million or 1.4% of the invoice (the higher between the two).
  • Industrial Control Systems (ICS) and Internet of Things (IoT) at high risk. Industrial control systems (ICS) and SCADA, as well as Internet of Things devices receive a high-risk premium because they are often less protected but critical to operational continuity.

All-client side: no data is sent to external servers, the inventory is saved in the local storage of the browser.

Add assets

No assets in inventory. Add the first asset using the form above.

NIS2 Sectors (Directive 2022/2555 - Annexes I and II)

Check if your organization operates within one of the NIS2 sectors. Entities classified as essential are listed under Annex I, while those in Annex II are considered important (dimensional thresholds for medium-sized enterprises: +50 employees or >€10 million turnover).

All. IEnergia (elettricità, petrolio, gas, idrogeno, teleriscaldamento)
All. ITrasporti (aereo, ferroviario, marittimo, stradale)
All. ISettore bancario
All. IInfrastrutture mercati finanziari
All. ISettore sanitario (ospedali, laboratori, R&S, farmaceutica)
All. IAcqua potabile
All. IAcque reflue
All. IInfrastrutture digitali (IXP, DNS, TLD, cloud, CDN, TSP)
All. IGestione servizi ICT (B2B)
All. IPubblica Amministrazione (centrale e regionale)
All. ISettore spaziale (operatori infrastrutture terrestri)
All. IIServizi postali e di corriere
All. IIGestione dei rifiuti
All. IIFabbricazione, produzione e distribuzione di sostanze chimiche
All. IIProduzione, trasformazione e distribuzione di alimenti
All. IIFabbricazione (dispositivi medici, elettronica, macchinari, automotive, aerospazio)
All. IIFornitori di servizi digitali (marketplace, motori di ricerca, social network)
All. IIOrganizzazioni di ricerca

NIS 2 Updates for Italian IT Managers

Sign up to receive updates on upcoming deadlines for the ACNs (Certified Network Security), new obligations under EU's Cybersecurity Act and its implementing act (NIS Directive & Regulation) NIS2/NIS2-bis, practical guides on Risk Assessment and Supply Chain Security by Federico Calò.

Come utilizzare NIS2 Asset Inventory Mapper

Add all ICT assets of the organization

For each asset (web app, database, cloud IaaS/PaaS, network device, endpoint, IoT, SCADA/OT), enter name, type, severity, data classification, number of impacted users and exposure (internal, DMZ, external).

Read your automatically calculated risk score

Every asset receives a score of 0-100 (capped), summing up to 4 components: criticality points (5-45), exposure points (5-25), data classification points (0-25) and type bonus (0-20, max for SCADA/OT). The score determines the risk level: low, medium, high, very high.

Verify estimated subject classification for NIS2

Based on the distribution of risk scores across the entire inventory, the tool estimates whether the organization falls within the "essential" or "important" categories (Annex I and Annex II) of Directive NIS2, or outside its scope.

Export Compliance Report

Export inventory in CSV, JSON or Markdown. The report includes an executive summary, a sorted table of assets by risk score and the NIS2 compliance checklist (Article 21 of D.Lgs. 138/2024).

Suggerimenti

  • Monitor your exposed SCADA/OT and IoT assets on the internet first: they receive the highest bonus type (20 and 10 points) and tend to quickly generate a high score.
  • Check the section "NIS2 Sectors" at the bottom of the page to see if your organization operates in a Category I (Essential Subjects) or Category II (Important Subjects) under Directive 2022/2555.
  • Use export Markdown as the starting point for the asset register required by security measures under Article 21, then integrate with professional evaluation.

Domande frequenti

How is the risk score of each asset calculated?

Risk score is the sum of four rule-based components: criticality points (low 5, medium 15, high 30, very high 45), exposure points (internal 5, DMZ 15, external 25), data classification points (public 0, internal 5, confidential 15, sensitive 25) and asset type bonuses (from 0 for web-app/endpoint to 20 for SCADA/OT). The total is capped at 100.

How are the 4 levels of risk defined?

Based on the calculated score: Low (0-24), Medium (25-49), High (50-74), Very High (75-100). Thresholds are fixed and deterministic, applied equally to every inventory item.

How is essential classification rated?

This is a simplified logic for educational purposes: if more than 50% of assets have a score >= 75, the organization is classified as "essential subject" (estimate), if more than 30% have a score >= 50 as "important subject" (estimate), otherwise as outside scope. The actual classification also depends on the sector of activity, organizational size and revenue thresholds defined by Article 3 of Directive NIS2 and D.Lgs. 138/2024: this estimate does not replace a certified conformity assessment.

Do you send inventory asset data to a server?

No, all inventory is saved exclusively to the browser's localStorage via StorageService. No assets, name or classification are sent to an external server: you can clear the entire inventory at any time with the reset button.

What is in the exported Markdown report?

Report includes an executive summary (total assets, estimated classification, risk level count), a complete asset table sorted by decreasing risk score, NIS2 compliance checklist from article 21 of D.Lgs. 138/2024 (security policies, incident management, operational continuity, supply chain, etc.), and recommended next steps, with a disclaimer indicating the report's educational nature.