Asset Registry
Know what you have. Protect what matters.
Comprehensive hardware, software, cloud, and SaaS inventory with business process mapping. Track criticality, ownership, vendor dependencies, and control coverage across your entire digital estate. Map assets to regulatory scope for NIS2 Article 21(2)(a) and DORA Article 8 ICT asset management.
What you get
Auto-Discovery from Integrations
Automatically discover and catalogue assets from connected sources including cloud providers (AWS, Azure, GCP), endpoint management tools, SaaS management platforms, and network scanners. New assets are flagged for classification and assigned to default owners based on configurable rules.
Criticality Scoring
Assign business criticality scores to every asset based on data sensitivity, user count, revenue impact, regulatory scope, and dependency depth. Criticality scores drive prioritisation across vulnerability management, incident response, and compliance workflows.
Vendor Dependency Mapping
Visualise which vendors supply, support, or host each asset and identify concentration risks where multiple critical assets depend on a single vendor. Dependency graphs reveal cascading failure paths that inform business continuity planning and DORA Article 28 ICT third-party risk assessments.
Control Coverage Tracking
Map security controls to individual assets and identify coverage gaps where critical assets lack required protections. Coverage heatmaps show which asset categories have full control coverage and which require remediation, directly supporting NIS2 Article 21(2)(a) risk management measures.
Business Process Mapping
Link assets to the business processes they support, creating a dependency map from strategic objectives down to individual infrastructure components. When an asset is compromised or unavailable, the business process map immediately shows which operations are affected and their criticality to the organisation.
Regulatory Scope Tagging
Tag assets with applicable regulatory frameworks (NIS2, DORA, GDPR, EU AI Act) to determine which compliance requirements apply. Scope tagging automates the NIS2 essential/important entity determination and DORA ICT asset classification required by Article 8, ensuring no asset falls outside regulatory oversight.
How it works
Connect Sources
Integrate with cloud providers, endpoint management tools, SaaS platforms, and network scanners to establish automated asset discovery pipelines. Each source is configured with sync frequency and scope parameters.
Auto-Discover
Discovery engines scan connected sources to identify all hardware, software, cloud resources, and SaaS applications. Newly discovered assets are queued for classification with preliminary metadata pre-populated from source systems.
Classify & Score
Assign each asset a criticality score, business owner, regulatory scope tags, and vendor dependencies. Classification can be automated via rules or completed manually for high-criticality assets requiring human judgement.
Map to Controls
Link assets to applicable security controls and identify coverage gaps. The control mapping ensures every critical asset has required protections in place, with gaps automatically generating remediation tasks assigned to asset owners.
Built for your team
Inventory Management & Shadow IT Detection
The IT Manager uses auto-discovery to maintain a living inventory that catches shadow IT and unapproved SaaS applications before they create security blind spots. Weekly discovery reports highlight newly detected assets that bypass procurement, enabling the IT Manager to bring them under governance or block them. The asset registry replaces fragmented spreadsheets with a single source of truth for capacity planning and licence management.
Exposure Visibility & Risk Prioritisation
The CISO uses criticality scoring and control coverage heatmaps to understand which assets represent the greatest exposure to the organisation. By filtering for high-criticality assets with low control coverage, the CISO identifies where security investment will have the greatest risk reduction impact. Vendor dependency graphs reveal concentration risks that inform strategic diversification decisions.
Asset Verification & Completeness Assessment
External auditors use the asset registry to verify that the organisation maintains a complete and accurate inventory as required by ISO 27001 Annex A.8 and NIS2 Article 21(2)(a). The registry provides timestamped discovery records, classification histories, and ownership chains that demonstrate ongoing asset management governance without requiring manual evidence compilation.
Supports your compliance stack
Common questions
What discovery methods does the asset registry support?
FortisEU supports agent-based discovery via endpoint management integrations (Microsoft Intune, CrowdStrike, SentinelOne), agentless network scanning for infrastructure assets, API-based discovery from cloud providers (AWS, Azure, GCP), and SaaS management platform integrations. Each method captures different asset attributes — agent-based provides deep software inventory, API-based captures cloud resource configurations, and network scanning identifies unmanaged devices. Discovery methods can be combined for comprehensive coverage, with deduplication logic merging assets discovered through multiple channels.
How does FortisEU track cloud assets across multi-cloud environments?
Cloud asset discovery connects to AWS, Azure, and GCP via read-only API credentials and synchronises all resource types including compute instances, storage buckets, databases, serverless functions, and managed services. Assets are normalised into a common taxonomy regardless of cloud provider, enabling cross-cloud visibility and comparison. Resource tags from cloud providers are imported and mapped to FortisEU classification attributes. Sync frequency is configurable from hourly to daily, with change detection highlighting newly created or terminated resources between syncs.
Can the asset registry integrate with existing CMDBs?
Yes. FortisEU provides bidirectional integration with ServiceNow CMDB, Jira Assets, and generic CMDB systems via REST API. Assets can be imported from your CMDB to bootstrap the registry, and enrichment data from FortisEU (criticality scores, regulatory scope, control coverage) can be synchronised back to your CMDB. Conflict resolution rules determine which system is authoritative for each attribute when discrepancies arise. This allows organisations to maintain their existing CMDB investment while gaining the compliance and risk context that FortisEU adds.
How does the asset registry support NIS2 scope determination?
NIS2 Directive 2022/2555 Article 21(2)(a) requires essential and important entities to implement risk management measures including asset management. FortisEU's regulatory scope tagging automatically maps assets to applicable NIS2 requirements based on the services they support and the sectors they operate in. The scope determination engine considers entity classification (essential vs. important per NIS2 Annex I/II), cross-border service delivery, and dependency criticality to generate a complete picture of which assets fall within NIS2 scope and which specific Article 21(2) measures apply to each.
How does vendor dependency analysis work in the asset registry?
Vendor dependency analysis maps every asset to its supplying, hosting, or supporting vendors and builds a dependency graph that reveals concentration risks and cascading failure paths. When multiple critical assets depend on a single vendor, FortisEU calculates a concentration risk score aligned with DORA Article 28(3) ICT third-party risk requirements. The dependency graph supports what-if analysis — showing the blast radius if a specific vendor experiences an outage or breach. This data feeds directly into the DORA ICT register export and vendor risk management workflows.
Related features
See Asset Registry in Action
Create an account and explore the platform, or talk to our team about enterprise deployment.