The platform behind nisd2.eu: a self-hostable Information Security Management System built for the EU NIS 2 Directive, with GDPR, the EU AI Act, and the CRA alongside it.
Most compliance tooling treats evidence as a folder of PDFs you assemble the week before an audit. open-isms inverts that. Every requirement carries an owner, a deadline, and a sign-off, so assignments, approvals, and an append-only audit trail become your evidence as you operate, not something you reconstruct after the fact.
Free and open source. AGPL-3.0. Mission: halve Europe's NIS 2 compliance bill.
apps/
reference/ # minimal docker-compose demo (Postgres + Next.js)
packages/
grc-data-model/ # framework data + entity model (NIS 2, GDPR, EU AI Act, CRA)
incident-notification-schema/ # NIS 2 §23(4) incident notification format
isms-schema/ # operational ISMS schema (audit-log, sign-off, evidence, policies, training)
isms-ui/ # shadcn-based UI primitives
isms-pages/ # pre-translated page components
isms-lib/ # compliance helpers (deadlines, format)
isms-trpc/ # tRPC setup + audit middleware
isms-messages/ # i18n catalogs
app/ # the production SaaS — marketing + portal + supplier + training
components/ lib/ schema/ server/ drizzle/ messages/ i18n/ # SaaS app code
courses/ # NIS 2 CEO course content + tabletop exercises + CRA SBOM
data/ docs/ # public reference data + deployment docs
public/ # static assets
scripts/ # operational + release tooling
.github/workflows/ # CI + release pipeline
grc-data-model
and incident-notification-schema
are published to npm. The other packages are workspace-only (consumed via bun workspaces; not on npm yet).
git clone https://github.com/NISD2/open-isms.git
cd open-isms
bun install
bun run dev # http://localhost:3026
For the minimal docker-composed reference app:
cd apps/reference
cp .env.example .env # set AUTH_SECRET via `openssl rand -base64 32`
docker compose up --build # http://localhost:3000
bun add @nisd2/grc-data-model @nisd2/incident-notification-schema
js
import { nis2Categories, getNis2RequirementsForCategory } from "@nisd2/grc-data-model/frameworks";
import { complianceFramework, requirement } from "@nisd2/grc-data-model/schema";
49 NIS 2 articles, 7 GDPR articles, NIS 2 ↔ GDPR mappings, Drizzle-compatible Postgres schema.
EU Directive: 2022/2555 (NIS 2)** German transposition**: NIS2UmsuCG → revised BSIG (2025)** Implementing Regulation**: Commission Implementing Regulation (EU) 2024/2690** Effective**: 6 December 2025** Registration deadline**: 6 March 2026
| Layer | Tech |
|---|---|
| Framework | Next.js 16 + React 19 (App Router, SSR-first) |
| Language | TypeScript 5.7 strict mode |
| Styling | Tailwind CSS 4 + shadcn |
| Validation | Zod 4 |
| ORM | Drizzle 0.45 (Postgres) |
| API | tRPC 11 |
| Auth | Auth.js v5 (email magic links + Google OAuth) |
| i18n | next-intl (DE/EN/NL) |
| AI | Vercel AI SDK + xAI Grok for form prefill |
| Runtime | Bun 1.3+ |
| Hosting | Coolify (self-hosted) |
See CONTRIBUTING.md. External PRs welcome — particularly:
- New framework articles / mappings (
packages/grc-data-model/src/frameworks/
) - Translation work (
messages/
,packages/isms-messages/
) - Schema improvements (
packages/isms-schema/src/tables/
) - Documentation and examples
For security disclosures, see SECURITY.md.
AGPL-3.0-or-later for the app, scripts, and workspace-only packages.
Published npm packages have their own licenses:
| Package | License |
|---|---|
@nisd2/grc-data-model |
|
| MIT | |
@nisd2/incident-notification-schema |
|
| Dual: AGPL-3.0 + commercial | |
@nisd2/isms-* (workspace-only) |
|
| AGPL-3.0-or-later |