From reactive compliance to proactive command: How ITAM enables regulatory compliance

The regulatory environment is changing alongside technology expansion, with governments worldwide introducing increasingly stringent regulations to address the growing complexities of cybersecurity and data privacy. For organisations, navigating this complex web of compliance requirements can be daunting.

Across Europe, four major frameworks are reshaping the way organisations manage their technology, risk, and resilience obligations: NIS2, DORA, CRA, and the EU AI Act.

  • Network and Information Security Directive 2 (NIS2) applies to critical sectors and expands cybersecurity obligations for essential and important entities, with fines of up to €10M or 2% of global turnover for non-compliance.1
  • Digital Operational Resilience Act (DORA), effective January 2025, targets predominantly financial sectors and mandates robust ICT risk management, with new oversight powers provided to the European Supervisory Authorities (ESAs) for critical third-party providers.2,3
  • Cyber Resilience Act (CRA) is aimed at Internet of Things (IoT) manufacturers, software developers, importers, distributors, and resellers, and enforces “security by design” and vulnerability reporting for products with digital elements, with full compliance required by December 2027.4
  • The EU Artificial Intelligence (AI) Act, expected to apply from August 2026, introduces risk-based governance for businesses that use AI and are located or established within the EU.

As regulatory requirements become increasingly detailed and prescriptive, a lack of visibility of the IT asset estate is impairing the ability of organisations and security teams to comply with these frameworks.

  • Over half of IT teams report persistent challenges maintaining complete visibility of their technology estates; the main cause identified is siloed teams and systems, which prevent a consolidated view of the IT asset portfolio.6
  • Regulators are stepping up enforcement - GDPR fines reached €1.2 billion in 2024 alone, with insufficient technical and organisational measures to ensure information security cited as the primary reason for many breaches.7
  • AI governance remains immature. Deloitte reports that over 90% of organisations lack robust AI governance frameworks, which are critical to manage the most pressing risks associated with AI usage: security vulnerabilities, surveillance, and privacy issues.8 A quarter of organisations have experienced an increase in incidents (e.g., data breaches) related to AI in the past financial year.
  • According to Deloitte’s 2025 Global ITAM Survey, only 29% of organisations have formally integrated ITAM into cybersecurity planning, despite the central role asset intelligence plays in meeting regulatory demands. 23% also report ITAM operating completely independently of cybersecurity.9
  • Preparedness for open-source software risks remains weak - only 17% of organisations have a dedicated open-source program office, and just 7% align it with recognised standards such as ISO 5230 or 18974.9

What are NIS2, DORA, CRA and the EU AI Act introducing?

NIS2: Cybersecurity and Operational Resilience

The NIS2 Directive significantly strengthens cybersecurity requirements for operators of essential services and critical infrastructure within the EU by introducing stricter governance, enhanced risk management measures, and mandatory incident reporting. NIS2 expands the number of covered sectors from 7 to 15, and set a 2024 deadline for member states to transpose the directive into national law.1

Requirements of NIS2 include:10

  • Risk assessments and security policies for information systems, and a plan for handling security incidents.
  • Security around the procurement of systems, including policies for handling and reporting vulnerabilities.
  • Security procedures for employees with access to sensitive or important data, including an overview of all relevant assets to ensure that they are properly utilised and handled.
  • Supply chain security covering the relationship between the company and its suppliers.

Key deadlines:

  • January 2023: NIS2 enters into force.
  • October 2024: deadline for EU member states to transpose NIS2 into national law – note, however, that some member states have yet to do so.11
  • April 2025: member states identify and establish a list of essential and important organisations.
  • October 2027: commission review of directive (to be completed every 36 months).12

DORA: Digital Operational Resilience

The Digital Operational Resilience Act (DORA) establishes a uniform framework for managing Information and Communication Technology (ICT) risk across the financial sector. It applies to banks, insurers, payment providers, investment firms, and other regulated entities. DORA focuses on strengthening operational resilience by setting clear requirements for risk management, incident reporting, resilience testing, third-party risk management, and oversight of critical ICT third-party providers.2,3

Requirements of DORA include:2,3

  • ICT risk management: a framework setting principles and requirements on ICT risk management.
  • Information sharing: information and intelligence sharing in relation to cyber threats and vulnerabilities.
  • ICT-related incidents: management of ICT-related incidents, and notification of major ICT-related incidents and significant cyber threats to competent authorities.
  • ICT third-party risk management: mitigation of ICT third-party risk.

Key deadlines:

  • January 2023: DORA enters into force.
  • January 2024: first batch of policy mandates.
  • July 2024: second batch of policy mandates.
  • January 2025: DORA applies.

CRA: Security by Design

CRA establishes mandatory cybersecurity requirements for all hardware and software products placed on the EU market, with full compliance required by December 2027.4 It introduces a “security by design” approach, requiring manufacturers and vendors to ensure that products are secure throughout their lifecycle. The CRA also sets obligations for vulnerability management, incident reporting, and supply chain security, aiming to improve overall digital resilience and protect consumers and businesses from emerging cyber threats.

The CRA applies to IoT device manufacturers, software developers, and importers, distributors and resellers, with mandatory requirements including:13

  • Risk analysis: analysing potential risks based on intended use, foreseeable conditions, and expected lifespan.
  • Vulnerability procedure: having policies and procedures to address vulnerabilities reported from internal or external sources, including coordinated disclosure policies.
  • Identification markings: including identification markings (type, batch, serial number) on the product, packaging, or accompanying documents.
  • Support: providing support for at least 5 years, or the product’s lifespan if shorter.

Key deadlines:

  • December 2024: CRA enters into force.
  • September 2026: vulnerability reporting obligations begin.
  • December 2027: full compliance required.

EU AI Act: Responsible AI Governance

The rapid advancement of AI is leading to the development of regulations aimed at promoting responsible AI development and deployment. The EU AI Act, planned for full implementation by August 2026, categorises AI systems into four risk tiers: prohibited, high-risk, limited-risk, and minimal-risk.

Key deadlines:

  • August 2024: AI Act enters into force. At this stage, no requirements apply.
  • August 2025: rules around notified bodies, GPAI models, governance, confidentiality and penalties start to apply.
  • August 2026: remainder of AI Act starts to apply.
  • August 2027: Article 6(1) and corresponding obligations start to apply.

How ITAM enables cyber resilience and regulatory compliance

IT Asset Management (ITAM) manages and tracks an organisation's IT assets throughout their lifecycle - from introduction through to use and disposal. This includes everything from hardware (e.g. computers, servers, mobile devices) to software licences and cloud services. To meet the growing complexity of regulatory requirements, ITAM is a powerful ally that supports cyber security and regulatory compliance teams through providing visibility and control of IT assets. Indeed, 81% of organisations view compliance with new digital regulations (DORA, NIS2, AI Act) as an opportunity to strengthen ITAM practices.9

ITAM enables cyber-resilience, regulatory alignment, and real-time risk response in several ways:

1. Providing a clear picture of IT assets: ITAM offers a comprehensive view of IT assets throughout their lifecycle, enabling organisations to track and categorise assets, prioritise remediation efforts, and understand the potential impact of disruptions on business functions. ITAM eliminates silos between IT teams and systems with respect to IT assets by consolidating IT asset information into a single tool and framework.

2. Security over onboarding of new IT assets: ITAM engages with cyber security teams when new assets are onboarded to the organisation, ensuring security reviews are completed before introducing a new asset into the organisation’s environment.

3. Proactive management of vulnerable IT assets: ITAM provides the data necessary to identify and report outdated software to security teams to enable proactive removal of vulnerable assets. Additionally, this data ensures the application of timely updates, reducing the organisation's attack surface and allowing for real-time patching visibility.

4. Incident response acceleration: because ITAM centralises the IT asset inventory, including the software and software versions installed on every device used within the organisation, incident response is faster, allowing quick identification of vulnerable assets during security events. Deloitte’s 2025 Global ITAM Survey indicated that almost half of the organisations that involve ITAM in resilience planning rely on it to provide trustworthy inventories of critical assets during cybersecurity attacks or outages, and 30% use ITAM to map configurations and dependencies for faster recovery.9

5. Third-party dependency mapping: NIS2 and DORA require oversight of suppliers. ITAM enables this by providing clear visibility into vendor-linked assets.

6. Free and open-source software (FOSS) management: open-source risk is a glaring blind spot, despite its rising importance. This is an area where ITAM’s visibility and governance role can expand rapidly under regulatory pressure, through leveraging source-code scanning to assess the licence and vulnerability risks of FOSS components.

7. AI asset lifecycle tracking: while the management of AI assets is still being defined, the fundamental principles of ITAM will apply: monitoring AI assets throughout their lifecycle and managing the necessary data to track AI assets, allowing organisations to understand what assets are in use and identifying potential vulnerabilities.

8. Audit readiness: ITAM provides organisations with information on IT assets to evidence compliance during audits.
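Points 3 to 5 above describe the same underlying operation: joining the ITAM inventory (device, vendor, product, version) against vulnerability or end-of-support data to answer "which assets are exposed, and which suppliers do they depend on?" The following is an added illustration written for this article, not Deloitte's or any ITAM product's code; the inventory rows, advisories and advisory references are all constructed placeholders.

```python
from collections import defaultdict

# Constructed ITAM inventory: one row per installed software product per device.
INVENTORY = [
    {"device": "fin-db-01", "vendor": "AcmeSoft", "product": "LedgerDB",
     "version": "4.2.1", "owner": "Finance"},
    {"device": "fin-db-02", "vendor": "AcmeSoft", "product": "LedgerDB",
     "version": "4.3.0", "owner": "Finance"},
    {"device": "hr-app-01", "vendor": "ExampleCorp", "product": "PeopleApp",
     "version": "2.9.8", "owner": "HR"},
    {"device": "edge-gw-07", "vendor": "NetCo", "product": "EdgeOS",
     "version": "1.0.5", "owner": "Network"},
]

# Constructed advisory feed: every version up to and including affected_max is
# affected. "ref" is a placeholder, not a real advisory identifier.
ADVISORIES = [
    {"vendor": "AcmeSoft", "product": "LedgerDB", "affected_max": "4.2.9",
     "ref": "ADV-PLACEHOLDER-1"},
    {"vendor": "NetCo", "product": "EdgeOS", "affected_max": "1.1.0",
     "ref": "ADV-PLACEHOLDER-2"},
]


def parse_version(v):
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def exposed_assets(inventory, advisories):
    """Inventory rows whose vendor/product matches an advisory and whose
    installed version falls inside the affected range (point 3 and 4 above)."""
    hits = []
    for row in inventory:
        for adv in advisories:
            same_product = (row["vendor"], row["product"]) == (adv["vendor"], adv["product"])
            if same_product and parse_version(row["version"]) <= parse_version(adv["affected_max"]):
                hits.append({**row, "ref": adv["ref"]})
    return hits


def by_vendor(hits):
    """Third-party dependency view (point 5): which supplier's product puts
    which devices at risk, so supplier follow-up can be prioritised."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[hit["vendor"]].append(hit["device"])
    return dict(grouped)


if __name__ == "__main__":
    for hit in exposed_assets(INVENTORY, ADVISORIES):
        print(f"{hit['device']} ({hit['owner']}): {hit['product']} {hit['version']} -> {hit['ref']}")
    print(by_vendor(exposed_assets(INVENTORY, ADVISORIES)))
```

Without the consolidated inventory the join has nothing to run against, which is the visibility gap the article describes; with it, the same data serves patch prioritisation, incident triage and supplier mapping.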

Key takeaways

  • Compliance is accelerating and regulations are becoming more prescriptive - NIS2, DORA, CRA, and AI Act deadlines converge between 2024 and 2027.
  • A key element in complying with these regulations, and one many organisations struggle with, is knowing which IT assets exist within the organisation.
  • Investment in ITAM tooling, data, governance, people, and process enables visibility of IT assets across their lifecycle, and arms compliance and cybersecurity teams with the asset information they need to comply with these regulations.

With digital regulation expanding rapidly, ITAM leaders must act now to embed compliance into every layer of asset intelligence, or risk becoming the weakest link in the resilience chain.

If you can’t see your IT assets, you can’t govern them.

_____________________________________________________________

References

1. NIS2 Directive Overview

2. Digital Operational Resilience Act (DORA)

3. The Digital Operational Resilience Act (DORA) | Deloitte UK

4. Cyber Resilience Act (CRA)

5. EU AI Act Overview

6. Gartner Research. “Software Asset Management Market Trends” (2024)

7. GDPR Enforcement Tracker 2024

8. Deloitte ITAM Benchmark Study. “AI & Regulatory Governance Gaps” (2024)

9. Deloitte 2025 Global ITAM Survey.

10. NIS2 Requirements | 10 Minimum Measures to Address

11. NIS2 Directive Transposition Tracker - ECSO

12. NIS 2 Directive, Article 40: Review

13. A CRA guide made to ease manufacturers compliance path