The Cybersecurity Act ("ZKB"), effective from November 1, 2025, introduces new obligations stemming from the NIS2 Directive. If your organization provides a regulated service, you must register with the National Cyber and Information Security Agency ("NUKIB") within 60 days. After registration, deadlines begin to run for fulfilling further requirements – among other things, security measures must be implemented and security documentation prepared within one year.
One of the first steps after registration is to define the so-called designated scope, i.e. to determine which assets the cybersecurity management system will focus on. In other words, you need to clarify what exactly you must protect. If you do not define the scope, the law assumes it covers the entire organization, which is unnecessarily costly in terms of both time and money.
How to Define the Scope of Cybersecurity Management in Practice
The Cybersecurity Act describes three simple steps:
- Identification of primary assets: everything that represents the most important values of your organization, and especially assets whose loss or disruption would impact the operations, functionality, purpose, or security of the organization (e.g. key services, products, information).
- Exclusion of irrelevant assets: primary assets that are not necessary for providing the regulated service are excluded from the scope.
- Identification of supporting assets: for each remaining primary asset, identify all supporting assets that keep it running (systems, applications, technologies, processes, suppliers, documentation, employees).
The result is a list of assets needed to ensure the given regulated service, which form your designated scope of cybersecurity management. All further obligations under the law then apply to this scope – implementing security measures, reporting incidents, etc.
What Constitutes an Asset?
The law defines an asset very broadly as "a physical or digital resource, person, or activity related to the processing of information and data in electronic form". An asset can therefore be a server, an employee, a process, or even a data center building. For the purposes of cybersecurity management, the law distinguishes several types of assets:
- Primary asset – the main thing for which your organization exists. Typically a provided service or key information. For example, in a law firm, the primary assets include the legal advisory services provided and the associated client documents.
- Supporting assets – everything that ensures the operation of primary assets. For example, employees, suppliers, buildings and offices, as well as organizational procedures and processes within the organization. In simple terms, supporting assets represent the infrastructure and resources without which the primary assets could not function.
- Technical assets – a subset of supporting assets that includes technical and software resources. These are IT systems and equipment: servers, network devices, computers, software, etc. Technical assets are often tracked separately because most cybersecurity measures target them specifically.
Asset Evaluation
Once you have compiled the list of assets, you need to evaluate them – that is, assess the importance of each asset from a security perspective. Both practice and the law recommend evaluating the significance of assets according to three fundamental criteria:
- Confidentiality – how sensitive the information it contains is and who should have access to it
- Integrity – how serious it would be if the data were altered or contained errors
- Availability – how critical it is that the asset remains continuously accessible
This helps you determine which assets have the greatest impact on your business and deserve the strongest protection.
It is also important to recognize the interdependence of assets. Primary assets cannot function without supporting ones, and the failure of a single element can jeopardize the entire service. For example, a critical server outage can prevent employees from accessing customer data; or an insufficiently trained employee (a supporting asset in the form of a person's activity) can cause system errors and incidents.
Asset Inventory
The Cybersecurity Act requires obligated entities to maintain a current and complete list of assets. This inventory must reflect reality – meaning it must include all assets that the organization uses to provide the regulated service. Without such an overview, it is impossible to fulfill further obligations; for example, to determine which asset is affected by a security incident or what impact it may have on operations.
Part of the inventory also involves designating a guardian – a person responsible for each significant asset. The guardian is the person who knows the asset best and can be the first to recognize a change, problem, or vulnerability. This could be, for example, the production manager for a manufacturing line control system or the CFO for financial software. In short, it is the person who works with the asset every day and knows how it should properly function. The guardian promptly informs the cybersecurity manager about suspicious events and helps ensure that no critical asset remains without a responsible person.
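The three scope-definition steps above, the C/I/A evaluation, the interdependence of assets and the guardian requirement can be checked mechanically over an asset inventory. The following is an added example written for this article (not code from the authors or from any product it mentions); the organisation, asset names, ratings and guardians are constructed, and the 1..3 rating scale and the rule that a supporting asset inherits the highest rating of whatever relies on it are assumptions, not something the Act prescribes.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                           # "primary", "supporting" or "technical"
    depends_on: list = field(default_factory=list)  # supporting assets it relies on
    cia: tuple = (1, 1, 1)              # confidentiality, integrity, availability: 1 low .. 3 high
    guardian: str = ""                  # empty: no responsible person assigned yet
    needed_for_regulated: bool = False  # meaningful for primary assets only
# Constructed sample inventory for a hypothetical organisation (not from the article).
INVENTORY = {a.name: a for a in [
    Asset("client portal", "primary", ["web app", "ops team"], (2, 3, 3), "Head of Ops", True),
    Asset("client records", "primary", ["document system"], (3, 3, 2), "CFO", True),
    Asset("company newsletter", "primary", ["mailing SaaS"], (1, 2, 1), "Marketing", False),
    Asset("web app", "technical", ["app server", "hosting provider"], (2, 2, 2), "IT lead"),
    Asset("document system", "technical", ["app server"], (2, 2, 1)),  # guardian not yet named
    Asset("app server", "technical", ["hosting provider"], (1, 1, 2), "IT lead"),
    Asset("hosting provider", "supporting", [], (1, 1, 1), "IT lead"),
    Asset("ops team", "supporting", [], (1, 1, 1), "Head of Ops"),
    Asset("mailing SaaS", "supporting", [], (1, 1, 1), "Marketing"),
]}

def designated_scope(inventory):
    """Steps 1-3 of the Act: primary assets needed for the regulated service
    (irrelevant ones drop out) plus every supporting asset reachable from them."""
    scope = set()
    stack = [n for n, a in inventory.items() if a.kind == "primary" and a.needed_for_regulated]
    while stack:
        name = stack.pop()
        if name not in scope:
            scope.add(name)
            stack.extend(inventory[name].depends_on)
    return scope
def effective_cia(inventory, scope):
    """A supporting asset is at least as important as whatever relies on it, so the
    maximum C/I/A rating is pushed down each dependency edge until nothing changes."""
    rating = {n: inventory[n].cia for n in scope}
    changed = True
    while changed:
        changed = False
        for n in scope:
            for dep in inventory[n].depends_on:
                merged = tuple(map(max, rating[dep], rating[n]))
                if merged != rating[dep]:
                    rating[dep], changed = merged, True
    return rating
def missing_guardians(inventory, scope):
    """In-scope assets with no responsible person yet, a gap the inventory must close."""
    return sorted(n for n in scope if not inventory[n].guardian)
```

Running it on the sample inventory leaves the newsletter and its mailing service outside the scope, raises the shared app server and hosting provider to the highest rating because both regulated primary assets ultimately depend on them, and flags the document system as the one in-scope asset without a guardian.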
How cybreg Can Help
For many organizations, the most challenging part of the Cybersecurity Act is mapping all services, assets, processes, and responsible persons and keeping them up to date. Manual record-keeping in spreadsheets tends to become unclear and error-prone over time.
Modern compliance and cybersecurity management software solutions (such as cybreg) significantly simplify and automate this agenda. Cybreg enables:
- Centralized inventory of services, assets, processes, risks, suppliers, and employees
- Assignment of guardians and tracking of changes
- Ongoing compliance monitoring against Cybersecurity Act requirements
- Generation of required outputs (e.g. overview of measures or audit documentation)
The result is a clear and always up-to-date picture of what the organization manages and how it is protected. During a NUKIB inspection, you have clear evidence at hand that demonstrates you have your assets under control and are meeting the requirements of the law. In practice, this means less manual work, lower risk of errors, and more efficient fulfillment of all Cybersecurity Act obligations.
Authors: Kateřina Mikulová and Petr Staroštík from the law firm FINREG PARTNERS