EU Directive 2022/2555 (NIS2) is now transposed across member states. In Slovakia, Act 366/2024 Coll. has been in force since 1 January 2025, with full compliance due by 31 December 2026. That is less than six months away. If your organisation already runs GLPI, you have a tool that can cover several NIS2 requirements out of the box — provided it is configured with compliance in mind.
What NIS2 requires and where GLPI fits
NIS2 does not mandate a specific tool. It mandates demonstrable processes: asset inventory, incident handling, change control, access management, and supply-chain oversight. GLPI 11 addresses several of these areas natively.
Asset inventory: the foundation
Every NIS2 audit starts with a current inventory of IT assets. GLPI Agent automatically discovers servers, workstations, network devices, and software including version numbers. What turns a raw device list into audit-ready evidence is context:
- Business and technical owner for each asset
- Criticality classification
- Operational status and physical location
- Links to contracts, SLAs, and supported services
Without these fields populated, the inventory is a list of hostnames. With them, it becomes the asset register that auditors expect under NIS2 implementing measures.
Incident management within NIS2 timelines
NIS2 mandates incident notification within 24 hours (early warning), 72 hours (initial assessment), and 30 days (final report). GLPI can enforce these timelines through SLA rules:
- Create a dedicated Cybersecurity incident category with mandatory fields: detection time, affected asset, severity, suspected cause
- Configure SLAs with 24-hour, 72-hour, and 30-day milestones
- Set automatic assignment and escalation based on severity
- Link each incident to affected assets via the CMDB
The ticket timeline doubles as an evidence chain for auditors — every action, follow-up, and status change is timestamped and attributed to a user.
Change management: proof of control
NIS2 expects security-relevant changes to follow a controlled process. GLPI Change Management supports this with:
- Distinction between standard, normal, and emergency changes
- Security driver and business justification fields
- Approval workflows with recorded decisions
- Links to impacted assets and related incidents
When an auditor asks how a firewall rule change was authorised, the answer should be a GLPI change ticket with an approval trail — not an email thread.
Supplier oversight
The directive requires supply-chain risk management. In GLPI, link supplier contracts, support tiers, and maintenance responsibilities directly to assets. When asked which third parties have access to critical systems, the report is one click away.
What GLPI does not cover
GLPI is not a SIEM, a risk-analysis tool, or a penetration-testing platform. It does not replace governance frameworks or data-flow modelling. NIS2 compliance requires multiple layers — GLPI provides the operational foundation, not the complete solution.
A practical checklist for the next six months
- Audit your inventory — every asset needs an owner and criticality rating
- Create a cybersecurity incident category with SLAs matching NIS2 timelines
- Enable approval workflows for security-relevant changes
- Link supplier contracts to the assets they support
- Generate sample reports an auditor would request and verify they contain the required data
These steps do not cover the full scope of NIS2 obligations, but they ensure your ITSM platform is audit-ready. Essential entities must complete their first cybersecurity audit within two years of registration — for most, that means early 2027. The time to prepare is now.