Why Spreadsheets Don't Pass a NIS2 Audit

Metrica.uno Team

Across the European Union, an estimated 67% of small and medium-sized businesses still manage their IT asset inventory using spreadsheets. For years, this was acceptable — even normal. A well-maintained Excel file with columns for device type, serial number, assigned employee, and status was considered adequate by most internal teams.

That era is over. With NIS2 enforceable since October 2024 and audits actively underway in 2026, the spreadsheet approach has a fundamental problem: it cannot satisfy the evidentiary requirements that auditors are trained to look for. This is not about the format being old-fashioned. It is about structural limitations that no amount of careful data entry can overcome.

The Five Reasons Spreadsheets Fail

1. No Audit Trail

This is the single most critical failure. NIS2 Article 21(2)(i) requires asset management measures, and auditors expect to see evidence of how those measures are maintained over time. An audit trail means a record of every change: who modified a record, when they modified it, what the previous value was, and what the new value is.

Spreadsheets do not provide this. When someone updates a cell in Excel, the previous value is gone. Google Sheets offers version history, but it is designed for document collaboration, not compliance auditing. You cannot easily extract a per-record change history, and there is no guarantee that version history will be retained for the required period.

When an auditor asks “Can you show me all changes made to this asset record over the last 12 months?”, a spreadsheet gives you nothing. An ITAM tool gives you a timestamped, user-attributed log of every modification.

2. No Version Control

Related to the audit trail problem, but distinct: spreadsheets that live on shared drives or are emailed between team members create versioning chaos. Which copy is the authoritative one? The one on Maria’s laptop, the one in the shared folder, or the one that was emailed to the IT manager last week?

NIS2 requires a single source of truth for your asset inventory. A spreadsheet, by its nature, tends to fragment. Even with cloud-based solutions, the risk of someone downloading a copy, making changes offline, and uploading it later is real. There is no merge conflict resolution. There is no concept of authoritative records.

An auditor will ask whether your inventory is maintained in a single, authoritative system. If the answer involves explaining how your team coordinates updates to a shared spreadsheet, you are already losing credibility.

3. No Access Control

Who can modify your asset inventory? In a spreadsheet environment, the answer is typically “anyone with access to the file.” You might restrict sharing to certain people, but once someone has edit access, they can modify any record, delete rows, or restructure the entire sheet.

NIS2 Article 21(2)(i) explicitly pairs asset management with “access control policies.” The regulation expects that modifications to critical records — and your IT asset inventory is a critical record — are governed by appropriate access controls. Auditors expect to see role-based permissions: who can view, who can edit, who can delete, who can export.

Spreadsheets offer binary access: you can view, or you can edit everything. There is no concept of field-level permissions, record-level restrictions, or separation of duties. A junior team member has the same modification rights as the IT director.

4. No Incident Linking

One of the most powerful aspects of a proper IT asset management system is the ability to link incidents to specific devices. When a laptop fails, the support ticket is tied to that asset. Over time, you build a per-device incident history that shows patterns, justifies decommissioning decisions, and demonstrates to auditors that you manage incidents in connection with assets (as required by Article 21(2)(b)).

In a spreadsheet, incidents and assets exist in separate worlds. The helpdesk system tracks tickets. The spreadsheet tracks devices. There is no connection between them. To find all incidents related to a specific laptop, someone would need to manually search through the ticketing system, match serial numbers or device names, and compile the results. This is time-consuming, error-prone, and does not produce the kind of auditable record that NIS2 demands.

5. No Automation

Proper asset management requires that certain actions happen consistently and reliably: notifications when warranties expire, alerts when devices are unassigned for too long, automated status transitions when equipment is checked out or returned, scheduled reports for management review.

Spreadsheets are passive. They do not send alerts. They do not enforce workflows. They do not automatically update statuses based on events. Everything depends on someone remembering to update the file, and humans forget. The result is stale data, missed warranty expirations, orphaned devices, and an inventory that drifts further from reality with every passing week.

What Auditors Actually Look For

NIS2 auditors are not checking whether you have a list of devices. They are assessing whether your asset management measures are effective, documented, and maintainable. Specifically, they look for:

  • Completeness: Does the inventory cover all asset types across all locations?
  • Currency: Is the data up to date? When was the last modification? Are there recently purchased devices that are not yet recorded?
  • Traceability: Can you trace the full lifecycle of a device from procurement to decommission? Can you show the chain of custody?
  • Evidence of process: Is there a defined process for maintaining the inventory? Is it followed consistently?
  • Auditability: Can you produce evidence on demand? Can you export records for review? Can you show the change history for any record?

A spreadsheet might pass the completeness test if it is well-maintained. It will fail on traceability, evidence of process, and auditability. These are not optional — they are core to what NIS2 expects.

The Transition from Excel to ITAM Software

Moving from spreadsheets to a purpose-built IT asset management system does not need to be a massive project. For most SMBs, the transition follows a predictable path:

  • Week 1: Import your existing spreadsheet data into the ITAM system. Most tools support CSV import, so your current data becomes the starting point.
  • Week 2: Verify and clean the imported data. Assign custodians to every device. Set up status categories and locations.
  • Week 3: Start using the system for all new changes. New purchases go directly into the ITAM tool. Equipment assignments are recorded there, not in the spreadsheet.
  • Week 4: Retire the spreadsheet. Make the ITAM tool the single source of truth. Train the team on the new process.

From this point forward, the audit trail builds automatically. Every change is logged. Every assignment is recorded. Every incident can be linked. When the auditor arrives, you produce a report from the system — not a spreadsheet from a shared folder.
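The Week 1 and Week 2 steps above (import, then verify and clean) can be supported by a pre-import check like the one below. It is an added example, not part of the original article or of any specific ITAM tool. The header spellings, the status vocabulary and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Columns follow the article's description of a typical inventory sheet;
# the exact header spellings and the status vocabulary are assumptions.
REQUIRED = ("device_type", "serial_number", "assigned_employee", "status")
STATUSES = {"in_use", "in_stock", "in_repair", "decommissioned"}

def validate_inventory(csv_text):
    """Split rows into importable ones and findings of (line, serial, problem)."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    rows = []
    for raw in reader:
        row = {c: (raw.get(c) or "").strip() for c in REQUIRED}
        row["serial_number"] = row["serial_number"].upper()  # sn-001 == SN-001
        row["status"] = row["status"].lower()
        rows.append((reader.line_num, row))
    seen = Counter(r["serial_number"] for _, r in rows if r["serial_number"])
    clean, findings = [], []
    for line, row in rows:
        problems = []
        if not row["serial_number"]:
            problems.append("missing serial number")
        elif seen[row["serial_number"]] > 1:
            problems.append("duplicate serial number")
        if not row["assigned_employee"]:
            problems.append("no custodian assigned")
        if row["status"] not in STATUSES:
            problems.append("unknown status")
        if problems:
            findings += [(line, row["serial_number"], p) for p in problems]
        else:
            clean.append(row)
    return clean, findings

# Constructed sample export, not real data.
SAMPLE = """device_type,serial_number,assigned_employee,status
laptop,SN-001,maria,in_use
laptop,sn-001,luca,In_Use
monitor,SN-002,,in_stock
phone,,paolo,in_use
laptop,SN-003,anna,lost
laptop,SN-004,anna,in_repair
"""
```

Rows that produce findings are held back for manual correction, so duplicates and custodian gaps from the spreadsheet do not become the starting state of the new system.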

The Real Risk

The risk of continuing with spreadsheets is not just failing an audit. NIS2 Article 34 empowers national competent authorities to impose administrative fines of up to 10 million euros or 2% of annual worldwide turnover for essential entities, and 7 million euros or 1.4% of turnover for important entities.

Beyond fines, there is the operational risk. When you do not have reliable asset data, you cannot respond effectively to security incidents. You cannot identify the scope of a breach. You cannot determine which devices are affected by a vulnerability. You cannot demonstrate to customers, partners, or regulators that you have your house in order.

Spreadsheets served their purpose for a generation of IT management. Under NIS2, they are a liability. The transition to proper tooling is neither expensive nor complex — but it is necessary. The audit will not wait for you to be ready.
