The half of NIS2 you cannot buy as a network scan
Most NIS2 advice aimed at the factory floor stops at the network. Map your OT, segment it, watch it. That work is real, and your security vendor is right to push it. But it answers only half of what the directive asks. The other half is quieter and harder to buy as a product: for every asset that keeps the line running, who is accountable for it, and can you reconstruct the chain of custody when an auditor asks?
Manufacturers tend to discover this gap late. The OT-security project is well underway, the PLCs and switches are being mapped, and then the question lands that no network scanner can answer: not "what is on the network," but "who owns this, who approved that renewal, and who signed for this when its last keeper left." That is an ownership question, and it is the part of NIS2 that lives in operations, not in the SOC.
Two inventories, and most plants only build one
It helps to be precise about which inventory NIS2 actually wants, because there are two and they are easy to conflate.
The OT-security inventory. Every device on the network: PLCs, HMIs, sensors, switches, industrial PCs. Discovered by scanning, kept current by monitoring. This is what your cybersecurity tooling is built to produce, and you should keep building it.
The ownership register. Who is accountable for each asset, when ownership changed hands, which maintenance and lease contracts auto-renew, and what was reassigned when an operator or engineer left. This one is not discovered by a scanner. It is a record of decisions and people, and it usually lives nowhere, or in a spreadsheet that drifts out of date the week after someone makes it.
NIS2 asks for both. The first proves you can see your assets. The second proves you can hold someone accountable for them. A factory that has only the network map has done the visible half and left the audit-fragile half undone.
Are you actually in scope?
Not every manufacturer falls under NIS2, so it is worth checking before you act. The directive folds manufacturing into its important entities category for specific subsectors, including:
- Manufacture of medical devices and in-vitro diagnostic devices
- Manufacture of computer, electronic and optical products
- Manufacture of electrical equipment
- Manufacture of machinery and equipment not elsewhere classified
- Manufacture of motor vehicles, trailers and semi-trailers
- Manufacture of other transport equipment
The size threshold is the second gate: organizations with 50 or more employees, or annual turnover above 10 million euros, generally fall within scope. Below that, you are usually out, though customers and prime contractors increasingly push the same expectations down their supply chain regardless of the legal line.
For Dutch manufacturers, the timing is no longer abstract. The national Cyberbeveiligingswet that implements NIS2 is expected to take effect in 2026, which moves the deadline from "eventually" to "this planning cycle."
The directive's proportionality principle matters here too. A 70-person components manufacturer is not expected to run the controls of a national grid operator. But proportionate does not mean optional. You need measures that fit your risk, and you need to be able to show they are actually working.
What Article 21 asks of the ownership layer
Article 21 lists asset management alongside human-resources security and access control as a required area. The directive is deliberately outcomes-based, so it does not hand you a template. In practice, for the ownership half of the work, it comes down to four things you must be able to evidence:
- A complete inventory of the assets that matter. Not every bolt, but everything that supports production or handles sensitive data: machines under maintenance contracts, the software that runs them, the contracts behind them, and the hardware your people carry.
- One accountable owner per asset. A named person, not "maintenance" or "IT." Shared ownership reads as an accountability gap to an auditor, because when something goes wrong there is nobody to point to.
- Access and handover tied to the asset. Who holds it, under what terms, and what happens when that changes.
- A change and transfer history. When ownership moved, when an asset was decommissioned, when a contract was renewed or cancelled. Auditors reconstruct timelines, and a timeline with holes in it is a finding.
For more on how these requirements read across any sector, our NIS2 Article 21 asset management guide walks through them in full. What follows is the version that actually happens on a shop floor.
What a manufacturer needs to own
Translate the abstract "asset" into the things a plant actually depends on, and three categories cover most of it:
- Physical. Hand scanners and rugged tablets, calibration and test instruments, industrial PCs and HMI panels, forklifts and pallet movers, safety equipment, the keys and badges that open the cage where any of it lives.
- Software. The MES or SCADA seats, the CAD and CAM licences, the quality and maintenance-planning subscriptions. These are the assets that most often go orphaned, because nobody sees them leave when a person does.
- Contracts. Machine leases, preventive-maintenance agreements, sensor and IoT service subscriptions, calibration services. Each one has a renewal date, and most have a notice period buried in the terms.
Each of these needs the same three things: a named owner, a current status, and a record of how it got there. The category is just a lens. The discipline is identical across all three.
Where ownership breaks on the shop floor
The gaps are not exotic. They are the predictable result of a plant moving faster than its paperwork.
An operator leaves and the handover is informal. The scanner gets collected, but the MES seat, the shared maintenance login, and the calibration tool they managed are not systematically reassigned. The asset is now owned by nobody, and it stays that way until something forces the question. Building reassignment into departures is the single highest-impact control here, and it is the subject of our IT offboarding checklist.
A maintenance or lease contract auto-renews unwatched. The renewal date was known, but the notice period closed sixty days earlier, and now the agreement has rolled over for another full term. On a machine lease, that is not a rounding error. The fix is to track the notice deadline, not the renewal date, which our contract renewal management guide lays out in detail.
Software seats outlive the people who needed them. A CAD licence assigned to an engineer who moved teams keeps billing, and nobody decides to keep or drop it because nobody owns the decision. The same weekly discipline that controls SaaS spend applies here, covered in the SaaS renewal management playbook.
Each of these is an ownership failure first and a cost or compliance failure second. Fix the ownership and the rest follows.
Key takeaway: Your OT-security tooling proves you can see your assets. NIS2 also asks you to prove who is accountable for each one and how that has changed over time. A network scanner cannot answer that. An ownership register can.
What audit-ready ownership looks like
If an auditor asked to see your asset ownership tomorrow, here is what "good" looks like, and it maps directly onto the Article 21 requirements:
- Every asset has exactly one named owner. No shared assignments, no "TBD," no team standing in for a person.
- Transfers are logged with timestamps and acceptance. When an asset changes hands, there is a record of when, who released it, and confirmation that the new owner accepted responsibility rather than simply being assigned it.
- Offboarding cannot complete with assets still attached. A departure is not done until every asset the person held has been reassigned or returned.
- The full history is reconstructable. Not just who owns an asset now, but who owned it at any past date, so an incident six months ago has a name attached to it.
- Ownership is re-confirmed on a cadence. Owners periodically re-acknowledge what they hold, so the register reflects reality instead of slowly going stale between audits.
A practical path, in order
You do not need to boil the ocean. Work in priority order:
1. List the assets that carry risk. Start with the contracts that auto-renew, the software with access to production or customer data, and the hardware your people carry. Leave the long tail for later.
2. Give each one a named owner. One person per asset. Where ownership is genuinely unclear, that ambiguity is itself a finding worth resolving now rather than at audit.
3. Read the notice period out of every contract once. Write it into the register and let the notice deadline be the date you act on. You never have to dig through the terms under pressure again.
4. Put a gate on offboarding. No departure is complete until the leaving person's assets are reassigned or returned. This closes the most common source of orphaned assets in one move.
5. Log every change automatically. Manual logs in spreadsheets are the first thing to rot. An automatic trail of assignments, transfers, and renewals is what turns "we think we followed the process" into "here is the record."
6. Re-confirm on a schedule. A periodic review, or a periodic re-acknowledgement by owners, catches the drift that every register accumulates between audits.
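To make the audit-ready properties above and the ordered steps concrete, here is an added illustration (not OwndUp's code, not code from the original article) of the minimal data model behind such a register: an append-only log of accepted transfers from which the current owner, the owner on any past date, the offboarding gate and the contract notice deadline are all derived. Asset and person names are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed illustration, not OwndUp's code. Dates are ISO strings (YYYY-MM-DD), which sort chronologically.

@dataclass
class Transfer:
    asset: str
    new_owner: str
    released_on: str             # day the previous owner let go of it
    accepted_on: "str | None"    # day the new owner acknowledged; None while pending

@dataclass
class Register:
    log: list = field(default_factory=list)       # accepted transfers, append-only
    pending: dict = field(default_factory=dict)   # asset -> Transfer awaiting acceptance

    def assign(self, asset, owner, on):
        self.log.append(Transfer(asset, owner, on, on))   # first owner: released and accepted same day

    def release(self, asset, to, on):
        # The releasing owner stays accountable until the recipient accepts.
        if asset in self.pending:
            raise ValueError(f"{asset} already has a pending transfer")
        self.pending[asset] = Transfer(asset, to, on, None)

    def accept(self, asset, who, on):
        t = self.pending.get(asset)
        if t is None or t.new_owner != who:
            raise ValueError(f"no pending transfer of {asset} to {who}")
        t.accepted_on = on
        self.log.append(self.pending.pop(asset))

    def owner_on(self, asset, day):
        # Point-in-time reconstruction: latest accepted transfer on or before `day`.
        hits = [t for t in self.log if t.asset == asset and t.accepted_on <= day]
        return max(hits, key=lambda t: t.accepted_on).new_owner if hits else None

    def held_by(self, person, day):
        return sorted(a for a in {t.asset for t in self.log} if self.owner_on(a, day) == person)

    def offboard(self, person, on):
        # Gate: a departure cannot complete while anything is still attached.
        left = self.held_by(person, on)
        if left:
            raise RuntimeError(f"offboarding {person} blocked: still holds {left}")
        return True

def notice_deadline(renewal, notice_days):
    # Act on the last day notice can still be given, not on the renewal date.
    return (date.fromisoformat(renewal) - timedelta(days=notice_days)).isoformat()
```

Because only accepted transfers reach the log, an asset that was released but never acknowledged still shows its previous owner, which is exactly what keeps a departure from completing with a half-finished handover.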
What this layer is, and what it is not
Be clear with yourself about the boundary, because it is what keeps the project honest. This is not a CMMS, and it does not replace one. It does not schedule preventive maintenance, raise work orders, or run your MES. It does not discover devices on the OT network, so it sits beside your security tooling rather than instead of it. And it does not manage depreciation or your ERP's fixed-asset ledger.
What it does is hold the ownership, contract, and handover layer that those systems leave out: one named owner per asset, a renewal that warns you before the notice period closes, and an offboarding step that will not complete while anything is still attached to a leaving employee. That is the part NIS2 asks for that a network scan and an ERP cannot give you.
A purpose-built tool like OwndUp keeps that layer in one register: a single owner for every asset, acceptance-based transfers that build an audit trail automatically, offboarding gates that prevent orphaned assets, and a full history of who owned what and when. If your current answer to "who owns this" is a spreadsheet that nobody fully trusts, the distance between where you are and where NIS2 expects you to be is mostly a matter of putting that record somewhere it cannot quietly drift.
