{"slug": "open-isms-platform-for-gdpr-and-nis-2", "title": "Open ISMS platform for GDPR and NIS-2", "summary": "The open-isms platform, a self-hostable Information Security Management System for EU NIS 2 Directive compliance, has been released as free and open-source software under AGPL-3.0. Built with Next.js, TypeScript, and Postgres, it aims to halve Europe's NIS 2 compliance costs by providing an operational evidence trail with owners, deadlines, and sign-offs.", "body_md": "The platform behind [nisd2.eu](https://www.nisd2.eu): a self-hostable Information Security Management System built for the EU NIS 2 Directive, with GDPR, the EU AI Act, and the CRA alongside it.\n\nMost compliance tooling treats evidence as a folder of PDFs you assemble the week before an audit. open-isms inverts that. Every requirement carries an owner, a deadline, and a sign-off, so assignments, approvals, and an append-only audit trail become your evidence as you operate, not something you reconstruct after the fact.\n\nFree and open source. AGPL-3.0. Mission: halve Europe's NIS 2 compliance bill.\n\n```\napps/\n  reference/                      # minimal docker-compose demo (Postgres + Next.js)\n                                  # boot stack, gates routes behind email magic links\n\npackages/\n  grc-data-model/                 # framework data + entity model (NIS 2, GDPR, EU AI Act, CRA)\n  incident-notification-schema/   # NIS 2 §23(4) incident notification format\n  isms-schema/                    # operational ISMS schema (audit-log, sign-off, evidence, policies, training)\n  isms-ui/                        # shadcn-based UI primitives\n  isms-pages/                     # pre-translated page components\n  isms-lib/                       # compliance helpers (deadlines, format)\n  isms-trpc/                      # tRPC setup + audit middleware\n  isms-messages/                  # i18n catalogs\n\napp/                              # the production SaaS — marketing + portal + supplier + training\ncomponents/  lib/  schema/  server/  drizzle/  messages/  i18n/   # SaaS app code\ncourses/                          # NIS 2 CEO course content + tabletop exercises + CRA SBOM\ndata/  docs/                      # public reference data + deployment docs\npublic/                           # static assets\n\nscripts/                          # operational + release tooling\n.github/workflows/                # CI + release pipeline\n```\n\n`grc-data-model`\n\nand `incident-notification-schema`\n\nare published to npm. The other packages are workspace-only (consumed via bun workspaces; not on npm yet).\n\n```\ngit clone https://github.com/NISD2/open-isms.git\ncd open-isms\nbun install\nbun run dev               # http://localhost:3026\n```\n\nFor the minimal docker-composed reference app:\n\n```\ncd apps/reference\ncp .env.example .env      # set AUTH_SECRET via `openssl rand -base64 32`\ndocker compose up --build # http://localhost:3000\nbun add @nisd2/grc-data-model @nisd2/incident-notification-schema\njs\nimport { nis2Categories, getNis2RequirementsForCategory } from \"@nisd2/grc-data-model/frameworks\";\nimport { complianceFramework, requirement } from \"@nisd2/grc-data-model/schema\";\n```\n\n49 NIS 2 articles, 7 GDPR articles, NIS 2 ↔ GDPR mappings, Drizzle-compatible Postgres schema.\n\n**EU Directive**: 2022/2555 (NIS 2)** German transposition**: NIS2UmsuCG → revised BSIG (2025)** Implementing Regulation**: Commission Implementing Regulation (EU) 2024/2690** Effective**: 6 December 2025** Registration deadline**: 6 March 2026\n\n| Layer | Tech |\n|---|---|\n| Framework | Next.js 16 + React 19 (App Router, SSR-first) |\n| Language | TypeScript 5.7 strict mode |\n| Styling | Tailwind CSS 4 + shadcn |\n| Validation | Zod 4 |\n| ORM | Drizzle 0.45 (Postgres) |\n| API | tRPC 11 |\n| Auth | Auth.js v5 (email magic links + Google OAuth) |\n| i18n | next-intl (DE/EN/NL) |\n| AI | Vercel AI SDK + xAI Grok for form prefill |\n| Runtime | Bun 1.3+ |\n| Hosting | Coolify (self-hosted) |\n\nSee [CONTRIBUTING.md](/NISD2/open-isms/blob/main/.github/CONTRIBUTING.md). External PRs welcome — particularly:\n\n- New framework articles / mappings (\n`packages/grc-data-model/src/frameworks/`\n\n) - Translation work (\n`messages/`\n\n,`packages/isms-messages/`\n\n) - Schema improvements (\n`packages/isms-schema/src/tables/`\n\n) - Documentation and examples\n\nFor security disclosures, see [SECURITY.md](/NISD2/open-isms/blob/main/.github/SECURITY.md).\n\n[AGPL-3.0-or-later](/NISD2/open-isms/blob/main/LICENSE) for the app, scripts, and workspace-only packages.\n\nPublished npm packages have their own licenses:\n\n| Package | License |\n|---|---|\n`@nisd2/grc-data-model` |\nMIT |\n`@nisd2/incident-notification-schema` |\nDual: AGPL-3.0 + commercial |\n`@nisd2/isms-*` (workspace-only) |\nAGPL-3.0-or-later |", "url": "https://wpnews.pro/news/open-isms-platform-for-gdpr-and-nis-2", "canonical_source": "https://github.com/NISD2/open-isms", "published_at": "2026-07-08 09:18:25+00:00", "updated_at": "2026-07-08 09:30:08.775094+00:00", "lang": "en", "topics": ["ai-policy", "developer-tools"], "entities": ["open-isms", "NIS 2 Directive", "GDPR", "EU AI Act", "CRA", "Next.js", "TypeScript", "Postgres"], "alternates": {"html": "https://wpnews.pro/news/open-isms-platform-for-gdpr-and-nis-2", "markdown": "https://wpnews.pro/news/open-isms-platform-for-gdpr-and-nis-2.md", "text": "https://wpnews.pro/news/open-isms-platform-for-gdpr-and-nis-2.txt", "jsonld": "https://wpnews.pro/news/open-isms-platform-for-gdpr-and-nis-2.jsonld"}}