3 Questions Every NIS2 Auditor Will Ask About Your Devices
NIS2 audits are no longer hypothetical. With the directive enforceable since October 2024 and national competent authorities actively scheduling inspections throughout 2026, companies in regulated sectors need to be ready. Not theoretically ready. Practically ready — able to answer questions on the spot with evidence.
After studying the directive, speaking with compliance consultants, and analyzing the audit frameworks emerging across EU member states, three questions consistently surface as the foundation of any NIS2 device audit. If you can answer these three questions confidently and with documentation, you are in strong shape. If you cannot, you have a problem that needs solving before the auditor arrives.
Question 1: What devices does your company have on its network?
This is the starting point. Before an auditor can assess your security posture, incident response capability, or risk management measures, they need to understand the scope of your IT environment. Article 21(2)(i) of NIS2 explicitly requires asset management as a risk management measure.
What a good answer looks like
A good answer is a complete, up-to-date inventory that the auditor can review immediately. It includes:
- Every IT device the company owns or operates: laptops, desktops, servers, routers, switches, firewalls, access points, printers, mobile devices, and IoT devices.
- Key attributes for each device: make, model, serial number, purchase date, current status (active, in storage, decommissioned).
- Location data: which office, which floor, which rack, or which employee’s home.
- Classification by criticality or function.
The inventory should be producible within minutes, not days. It should come from a single authoritative system, not pieced together from multiple spreadsheets and emails.
What a bad answer looks like
“We have a spreadsheet somewhere. Let me check with IT. I think Maria has the latest version, but she’s on holiday.” This is not an exaggeration. This is the reality for a significant percentage of European SMBs. If your inventory requires human memory, email threads, or cross-referencing multiple documents to assemble, it will not satisfy an auditor.
What documentation you need
- A centralized asset register with all devices listed.
- Evidence that the register is maintained (last update date, change log).
- A documented process for adding new devices and removing decommissioned ones.
Question 2: Who has access to which devices?
NIS2 Article 21(2)(i) pairs asset management with access control policies and human resources security. The auditor wants to know not just what you have, but who touches it. This covers both physical custody (who physically possesses the laptop) and logical access (who can log in to the server).
What a good answer looks like
For any device in your inventory, you can immediately show:
- Who is the current custodian (the person physically responsible for the device).
- When that person received the device.
- Who had the device before them, and the full chain of custody going back to procurement.
- Whether there is a signed acknowledgment or digital check-out record for the assignment.
For servers and network equipment, you should also be able to show who has administrative access and how that access is managed (role-based access controls, principle of least privilege).
What a bad answer looks like
“I think that laptop was given to someone in marketing. Or maybe sales? We can check the purchase order — it was ordered for the Madrid office.” When custody information lives in people’s memories or is inferred from purchase orders rather than explicitly tracked, the auditor sees a control gap. It means you cannot guarantee accountability for your assets.
What documentation you need
- Per-device assignment records with dates and responsible persons.
- A history of all custody changes (not just the current state, but the full timeline).
- Check-out and check-in records, ideally with employee acknowledgment.
- Evidence that assignments are updated promptly when employees join, transfer, or leave the company.
Question 3: What incidents have those devices had?
NIS2 places significant emphasis on incident handling (Article 21(2)(b)) and incident reporting (Article 23). An auditor will want to see that you can connect incidents to specific assets. This serves two purposes: it demonstrates that you manage incidents systematically, and it shows that you can identify patterns and recurring problems at the device level.
What a good answer looks like
For any device in your inventory, you can pull up:
- Every incident or support ticket associated with that device.
- The nature and severity of each incident.
- When it was reported, who handled it, and how it was resolved.
- Whether the incident triggered any reporting obligation under Article 23.
- Whether the incident led to any change in the device’s status (repair, replacement, decommission).
This information should be available as a per-device timeline, not scattered across a ticketing system that organizes everything by user or by date.
What a bad answer looks like
“We use a ticketing system, but tickets are filed by the employee, not by device. I’d have to search manually to find all tickets related to a specific laptop.” If your incident management system cannot produce a device-level incident history, you have a gap. The auditor is looking for evidence that you manage assets and incidents as connected concerns, not as separate silos.
What documentation you need
- Per-asset incident history with dates, descriptions, and resolutions.
- Evidence that incidents are linked to specific devices at the time of reporting.
- Records showing how incidents influenced asset management decisions (e.g., a device decommissioned after repeated failures).
- For significant incidents, documentation of any reporting actions taken under Article 23.
How to Prepare Starting Today
The three questions above are not tricks. They are the logical starting point for any audit of your IT asset management and cybersecurity risk posture. Preparing for them is straightforward:
- Centralize your inventory. Get all assets into a single system. Not a spreadsheet — a system with change tracking and access controls.
- Track custody explicitly. Every device should have an assigned person. Every transfer should be recorded. No exceptions.
- Link incidents to devices. When a ticket is opened, it should reference the specific device. Over time, this builds the per-asset history the auditor expects.
- Maintain an audit trail. Every change to your inventory should be logged automatically. The trail should be immutable and exportable.
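The four steps above describe one data model: an authoritative asset record, a custody chain per device, incidents linked to the device at reporting time, and a change log that cannot be quietly edited. The following Python module is an added example that implements that model end to end; it is not Metrica.uno's product and not code from this article. It assumes a single in-process store (a real deployment would put the same tables behind a database with access controls), uses a SHA-256 hash chain as the tamper-evident audit trail, and every asset id, person, date and incident in it is constructed for illustration.

```python
"""Asset register answering the three audit questions (what devices exist, who has held
each one, what incidents it has had) with a hash-chained audit trail.  Added illustration,
not Metrica.uno's product; all ids, people and incidents below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # constructed anchor that the first audit entry chains to


@dataclass
class AuditEntry:
    seq: int          # position in the log; a gap or reorder breaks verification
    when: str         # ISO date supplied by the caller
    actor: str        # who made the change
    action: str       # asset.add, custody.assign or incident.record
    payload: dict
    prev_hash: str    # hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        # canonical JSON so the digest does not depend on key order
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AssetRegister:
    """Single authoritative store; every mutation passes through _log()."""

    def __init__(self) -> None:
        self.assets: dict[str, dict] = {}
        self.custody: dict[str, list[dict]] = {}    # asset_id -> custody records, oldest first
        self.incidents: dict[str, list[dict]] = {}  # asset_id -> incidents, oldest first
        self.audit: list[AuditEntry] = []

    def _log(self, when: str, actor: str, action: str, payload: dict) -> None:
        prev = self.audit[-1].entry_hash if self.audit else GENESIS
        entry = AuditEntry(len(self.audit), when, actor, action, payload, prev)
        entry.entry_hash = entry.compute_hash()
        self.audit.append(entry)

    # Question 1: what devices do we have?
    def add_asset(self, when, actor, asset_id, make, model, serial, location, criticality):
        if asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset_id}")
        self.assets[asset_id] = {"make": make, "model": model, "serial": serial,
                                 "purchase_date": when, "status": "active",
                                 "location": location, "criticality": criticality}
        self.custody[asset_id] = []
        self.incidents[asset_id] = []
        self._log(when, actor, "asset.add", {"asset_id": asset_id, **self.assets[asset_id]})

    # Question 2: who has (had) it?  A new assignment closes the previous record.
    def assign_custody(self, when, actor, asset_id, custodian, acknowledged):
        chain = self.custody[asset_id]
        if chain and chain[-1]["to"] is None:
            chain[-1]["to"] = when
        chain.append({"custodian": custodian, "from": when, "to": None,
                      "acknowledged": acknowledged})
        self._log(when, actor, "custody.assign",
                  {"asset_id": asset_id, "custodian": custodian, "acknowledged": acknowledged})

    # Question 3: what incidents has it had?  Linked to the device when reported.
    def record_incident(self, when, actor, asset_id, incident_id, severity, description,
                        handler, resolution, article23_reported=False, new_status=None):
        rec = {"asset_id": asset_id, "incident_id": incident_id, "reported": when,
               "severity": severity, "description": description, "handler": handler,
               "resolution": resolution, "article23_reported": article23_reported,
               "status_change": new_status}
        self.incidents[asset_id].append(rec)
        if new_status:
            self.assets[asset_id]["status"] = new_status
        self._log(when, actor, "incident.record", rec)

    def custody_chain(self, asset_id) -> list[dict]:
        return list(self.custody[asset_id])

    def device_timeline(self, asset_id) -> list[tuple]:
        """Everything that happened to one device, in log order."""
        return [(e.when, e.action, e.payload) for e in self.audit
                if e.payload.get("asset_id") == asset_id]

    def verify_audit(self) -> bool:
        """Recompute every hash; an edited, deleted or reordered entry returns False."""
        prev = GENESIS
        for i, e in enumerate(self.audit):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def export_audit(self) -> str:
        """JSON Lines export an auditor can take away and re-verify offline."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.audit)


def demo() -> AssetRegister:
    """Constructed lifecycle of one laptop: bought, assigned twice, retired after a fault."""
    reg = AssetRegister()
    reg.add_asset("2024-03-01", "it-admin", "LT-0042", "ExampleCo", "Model X",
                  "SN-CONSTRUCTED-0042", "Madrid office, 3rd floor", "standard")
    reg.assign_custody("2024-03-02", "it-admin", "LT-0042", "m.garcia", acknowledged=True)
    reg.assign_custody("2025-01-15", "it-admin", "LT-0042", "j.ruiz", acknowledged=True)
    reg.record_incident("2025-06-10", "helpdesk", "LT-0042", "INC-1001", "medium",
                        "repeated disk errors after drive replacement", "helpdesk",
                        "device withdrawn and replaced", new_status="decommissioned")
    return reg


def tamper_detected(reg: AssetRegister) -> bool:
    """Edit one logged payload behind the log's back; verification must notice."""
    reg.audit[1].payload["custodian"] = "someone.else"
    return not reg.verify_audit()
```

Running `demo()` and then `export_audit()` produces the per-device evidence each question asks for: `custody_chain("LT-0042")` is the full chain of custody with check-in dates, `device_timeline("LT-0042")` is the incident and status history for that one device rather than a search across user-filed tickets, and `verify_audit()` is what a reviewer runs on the exported log to confirm nothing was altered after the fact. The hash chain makes edits detectable, not impossible; protecting the log itself still relies on write restrictions and off-system copies.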
These are not aspirational goals. They are baseline expectations under NIS2. The companies that implement them now will walk into their audit with confidence. The companies that postpone will scramble — and scrambling under audit pressure is expensive, stressful, and risky.
The audit is coming. The only question is whether you will be ready when it does.
Written by: Metrica.uno Team (Content Team)
Metrica.uno Team is part of the Metrica.uno team, helping organizations navigate AI compliance with practical insights and guidance.