cd /news/ai-policy/open-isms-platform-for-gdpr-and-nis-… · home topics ai-policy article
[ARTICLE · art-50845] src=github.com ↗ pub= topic=ai-policy verified=true sentiment=↑ positive

Open ISMS platform for GDPR and NIS-2

The open-isms platform, a self-hostable Information Security Management System for EU NIS 2 Directive compliance, has been released as free and open-source software under AGPL-3.0. Built with Next.js, TypeScript, and Postgres, it aims to halve Europe's NIS 2 compliance costs by providing an operational evidence trail with owners, deadlines, and sign-offs.

read3 min views1 publishedJul 8, 2026
Open ISMS platform for GDPR and NIS-2
Image: source

The platform behind nisd2.eu: a self-hostable Information Security Management System built for the EU NIS 2 Directive, with GDPR, the EU AI Act, and the CRA alongside it.

Most compliance tooling treats evidence as a folder of PDFs you assemble the week before an audit. open-isms inverts that. Every requirement carries an owner, a deadline, and a sign-off, so assignments, approvals, and an append-only audit trail become your evidence as you operate, not something you reconstruct after the fact.

Free and open source. AGPL-3.0. Mission: halve Europe's NIS 2 compliance bill.

apps/
  reference/                      # minimal docker-compose demo (Postgres + Next.js)

packages/
  grc-data-model/                 # framework data + entity model (NIS 2, GDPR, EU AI Act, CRA)
  incident-notification-schema/   # NIS 2 §23(4) incident notification format
  isms-schema/                    # operational ISMS schema (audit-log, sign-off, evidence, policies, training)
  isms-ui/                        # shadcn-based UI primitives
  isms-pages/                     # pre-translated page components
  isms-lib/                       # compliance helpers (deadlines, format)
  isms-trpc/                      # tRPC setup + audit middleware
  isms-messages/                  # i18n catalogs

app/                              # the production SaaS — marketing + portal + supplier + training
components/  lib/  schema/  server/  drizzle/  messages/  i18n/   # SaaS app code
courses/                          # NIS 2 CEO course content + tabletop exercises + CRA SBOM
data/  docs/                      # public reference data + deployment docs
public/                           # static assets

scripts/                          # operational + release tooling
.github/workflows/                # CI + release pipeline

grc-data-model

and incident-notification-schema

are published to npm. The other packages are workspace-only (consumed via bun workspaces; not on npm yet).

git clone https://github.com/NISD2/open-isms.git
cd open-isms
bun install
bun run dev               # http://localhost:3026

For the minimal docker-composed reference app:

cd apps/reference
cp .env.example .env      # set AUTH_SECRET via `openssl rand -base64 32`
docker compose up --build # http://localhost:3000
bun add @nisd2/grc-data-model @nisd2/incident-notification-schema
js
import { nis2Categories, getNis2RequirementsForCategory } from "@nisd2/grc-data-model/frameworks";
import { complianceFramework, requirement } from "@nisd2/grc-data-model/schema";

49 NIS 2 articles, 7 GDPR articles, NIS 2 ↔ GDPR mappings, Drizzle-compatible Postgres schema.

EU Directive: 2022/2555 (NIS 2)** German transposition**: NIS2UmsuCG → revised BSIG (2025)** Implementing Regulation**: Commission Implementing Regulation (EU) 2024/2690** Effective**: 6 December 2025** Registration deadline**: 6 March 2026

Layer Tech
Framework Next.js 16 + React 19 (App Router, SSR-first)
Language TypeScript 5.7 strict mode
Styling Tailwind CSS 4 + shadcn
Validation Zod 4
ORM Drizzle 0.45 (Postgres)
API tRPC 11
Auth Auth.js v5 (email magic links + Google OAuth)
i18n next-intl (DE/EN/NL)
AI Vercel AI SDK + xAI Grok for form prefill
Runtime Bun 1.3+
Hosting Coolify (self-hosted)

See CONTRIBUTING.md. External PRs welcome — particularly:

  • New framework articles / mappings ( packages/grc-data-model/src/frameworks/

) - Translation work ( messages/

,packages/isms-messages/

) - Schema improvements ( packages/isms-schema/src/tables/

) - Documentation and examples

For security disclosures, see SECURITY.md.

AGPL-3.0-or-later for the app, scripts, and workspace-only packages.

Published npm packages have their own licenses:

Package License
@nisd2/grc-data-model
MIT
@nisd2/incident-notification-schema
Dual: AGPL-3.0 + commercial
@nisd2/isms-* (workspace-only)
AGPL-3.0-or-later
── more in #ai-policy 4 stories · sorted by recency
── more on @open-isms 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/open-isms-platform-f…] indexed:0 read:3min 2026-07-08 ·